Privacy Rights Addendum

MJH Life Sciences, LLC

Privacy Rights Addendum

This Privacy Rights Addendum (this “Addendum”), dated as of the date last signed below, is incorporated into and forms a part of the services agreement(s) (individually and collectively the “Services Agreement”) entered into by and between MJH Life Sciences, LLC (“MJH”) and the entity identified in the signature block (“Customer”) (hereinafter, MJH and Customer are, at times, jointly referred to as the “Parties”). This Addendum sets forth terms and conditions relating to the Parties’ compliance with the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (collectively, the “CPRA”),the Colorado Privacy Act (SB 21-190), the Connecticut Data Privacy Act (P.A. No. 22-15), the Utah Consumer Privacy Act (S.B. 227),  and the Virginia Consumer Data Protection Act (VA Code § 59.1-575) collectively, the “Privacy Regulations”). In the event of a conflict between this Addendum and the Services Agreement, this Addendum will control as necessary to comply with the Privacy Regulations. For purposes of this Addendum, MJH is acting as the Service Provider of the Customer. Capitalized terms used, but not defined, in this Addendum shall have the same meaning given to them in the CPRA or comparable provision or term in another Privacy Regulation as the context requires or as applicable, and except as otherwise indicated. The Parties agree as follows:

 

  1. Purposes of Disclosure of Personal Information. Customer shall disclose Personal Information to MJH solely for the purpose of MJH providing the “Services” as that term is defined in the Services Agreement.

 

  1. MJH Prohibitions. For avoidance of doubt, MJH is a “service provider” and not a “third party” as described in the CPRA. MJH shall not do any of the following:

 

a. sell or share the Personal Information it receives from, or on behalf of, Customer, except as otherwise set forth herein or as permitted by the Privacy Regulations;

 

b. retain, use, or disclose the Personal Information received from, or on behalf of, Customer for any purpose other than the following: (i) the business purposes specified in the Services Agreement, including in the servicing of a different business, unless expressly permitted by the Privacy Regulations; (ii) to retain and employ another entity as a subcontractor, where the subcontractor meets the requirements for a Service Provider under the CPRA; (iii) for internal use by MJH to build or improve the quality of its services, provided that MJH does not use the Personal Information to perform services on behalf of another person; (iv) to detect data security incidents and protect against malicious, deceptive, fraudulent, or illegal activity; and (v) the purposes enumerated in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7) or the other Privacy Regulations;

 

c. retain, use, or disclose the Personal Information for a Commercial Purpose;

 

d. retain, use, or disclose the Personal Information outside of the direct business relationship between MJH and Customer, unless expressly permitted by the Privacy Regulations;

 

e. combine the Personal Information that MJH receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Consumer, provided that MJH may combine Personal Information to perform any Business Purpose as defined in the CPRA; or

 

f. utilize the services of a subcontractor without the express written permission of Customer. All such approved subcontractors must be contractually required to abide by the terms of this Addendum and the Privacy Regulations.

 

  1. Obligations of MJH. MJH shall do all of the following:

 

a. comply with all applicable obligations under the Privacy Regulations and provide the same level of privacy protection as is required by businesses subject to the Privacy Regulations to the Personal Information it maintains, including cooperating with Customer in responding to and complying with Consumers’ requests made pursuant to the Privacy Regulations and implementing reasonable security procedures and practices appropriate to the nature of the Personal Information received from, or on behalf of, Customer to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure;

 

b. provide assistance to Customer in responding to a verifiable consumer request and fulfill obligations as necessary to effectuate any approved consumer request;

 

c. notify Customer no later than five (5) business days after MJH makes a determination that it can no longer meet its obligations under the Privacy Regulations;

 

d. utilize the shared data only for the purpose of complying with the requirements of this Addendum and the Services Agreement;

 

e. abstain from using sensitive shared data after Customer notifies MJH that such use is no longer allowed;

 

f. notify Customer no later than five (5) business days after MJH receives a direct consumer request under the Privacy Regulations;

 

g. comply with the durational limitation of processing and use rights according to Customer’s data retention policy;

 

h. return or delete data within ten (10) business days upon request of Customer; and

 

i. cooperate with reasonable assessments by Customer to ensure compliance with this Addendum and the Privacy Regulations.

 

  1. Obligations of Customer. Customer shall do all of the following:

 

a. provide to Consumers all notices and privacy policies required by the Privacy Regulations and ensure that such notices and privacy policies permit the performance of the Services and Customer’s disclosure of Personal Information to MJH;

 

b. inform MJH of any consumer request made pursuant to the Privacy Regulations that MJH must comply with, and provide to MJH the information necessary for MJH to comply with the request; and

 

c. process and retain Consumer data only in accordance with Customer’s data retention policy and other privacy policies.

 

  1. Rights of Customer. Customer shall have the right to do the following:

 

a. take reasonable and appropriate steps to help ensure that MJH uses the Personal Information that it received from, or on behalf of, Customer in a manner consistent with Customer’s obligations under the Privacy Regulations and this Addendum;

 

b. take reasonable and appropriate steps, upon notice, to stop and remediate MJH’s unauthorized use of Personal Information; and

 

c. make changes to this Addendum as may be necessary for Customer to comply with the Privacy Regulations.

 

MJH certifies that it understands its obligations under this Addendum and the Privacy Regulations and will comply with them. Notwithstanding anything in the Services Agreement or other document, the Parties acknowledge and agree that Customer’s provision of access to Personal Information is not part of and is explicitly excluded from the exchange of consideration, or any other thing of value, between the Parties.

 

IN WITNESS WHEREOF, and intending to be legally bound, the Parties have caused this Addendum to be executed by their duly authorized representatives.

 

CUSTOMER                                                              MJH LIFE SCIENCES, LCC

[___________________]                                             

 

By:                                                                               By:                                                      

 

Name:                                                                          Name:                                                 

 

Title:  ________________________                              Title:  ________________________

 

Dated:  __________________, 2023                              Dated:  _________________, 2023