Grailed, LLC ("Grailed", "us","we", and "our") provides this Supplemental U.S. State Privacy Notice (the "Supplemental State Privacy Notice") for visitors, users, and others who reside in U.S. States that have enacted applicable and enforceable data privacy legislation. The Supplemental State Privacy Notice supplements the information contained in the Privacy Notice and applies solely to visitors, users, and others who reside in the States that have enacted applicable and enforceable data privacy legislation (as of January 2025, California, Colorado, Connecticut, Nevada, Utah, Virginia, Montana, Oregon, Florida, Texas, Delaware, Iowa, Nebraska, New Hampshire, and New Jersey, together, the "Applicable States"). To the extent any provision in this Supplemental State Privacy Notice conflicts with a provision of the Privacy Notice, this Supplemental State Privacy Notice shall govern with respect to visitors, users, and others who reside in the Applicable States.

For the purposes of the Supplemental State Privacy Notice, personal information does not include publicly available information or de-identified, aggregated or anonymized information that is maintained in a form that is not capable of being associated with or linked to you.

Your Privacy Choices

Depending on your state of residency, you may be able to exercise the following rights in relation to the personal information about you that we have collected (subject to certain limitations at law):

The Right to Know. The right to confirm whether we are processing personal data about you and, under California law only, to obtain certain personalized details about the personal data we have collected about you in the last 12 months, including:

• The categories of personal data collected;
• The categories of sources of the personal data;
• The purposes for which the personal data were collected;
• The categories of personal data disclosed to third parties (if any), and the categories of recipients to whom the personal data were disclosed;
• The categories of personal data shared for cross-context behavioral advertising purposes (if any), and the categories of recipients to whom the personal data were disclosed for those purposes; and
• The categories of personal data sold (if any), and the categories of third parties to whom the personal data were sold.

The Right to Access and Portability. The right to obtain access to the personal data we have collected about you and, where required by law, the right to obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.

The Right to Request Deletion. You have the right to request the deletion of personal information that we have collected from you, subject to certain exceptions.

The Right to Correction. You have the right to request that any inaccuracies in your personal information be corrected, taking into account the nature of the personal information and the purposes of the processing of your personal information.

The Right to Control over Automated Decision-Making/Profiling. You have the right to direct us not to use automated decision-making or profiling for certain purposes.

The Right to Control over Sensitive Information. You have the right to exercise control over our collection and processing of certain sensitive information.

The Right to Opt Out of Sales or Sharing for Targeted Advertising. You have the right to direct us not to “sell” personal information we have collected about you to third parties for monetary or other valuable consideration, or “share” your personal information to third parties for cross-context behavioral advertising purposes.

Depending on your state of residency, you may also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, the exercise of the rights described above may result in a different price, rate or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.

To exercise the right to opt out of the sale of your personal information or the sharing of your personal information for targeted advertising in certain jurisdictions, you may click on the "Your Privacy Choices" link.

How to Exercise Your Privacy Rights

To submit a request to exercise one of the privacy rights identified above, please submit a request by:

• Emailing help@grailed.com with the subject line "Consumer Rights Request;" or
• Completing the contact form here.

We may need to verify your identity before processing your request, which may require us to request additional personal information from you or require you to log in to your account, if you have one. We will only use personal information provided in connection with a Consumer Rights Request to review and comply with such request.

In certain circumstances, we may decline a request to exercise the rights described above, including where we are unable to verify your identity or locate your information in our systems. If we are unable to comply with all or a portion of your request, we will explain the reasons for declining to comply with the request.

You do not need to create an account with us to exercise your rights. However, we may ask you to provide additional personal information so that we can properly identify you to track compliance with your request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our systems.

Authorized Agents

In certain circumstances, you are permitted to use an authorized agent (as that term is defined by the applicable U.S. state privacy law) to submit requests on your behalf through the designated methods set forth in this Supplemental State Privacy Notice where we can verify the authorized agent's authority to act on your behalf.

For requests to know, delete, or correct personal information, we require the following for verification purposes:

1. a power of attorney valid under the laws of the relevant jurisdiction from you or your authorized agent; or
2. sufficient evidence to show that you have:
   1. provided the authorized agent signed permission to act on your behalf; and
   2. verified your own identity directly with us pursuant to the instructions set forth in this Supplemental State Privacy Notice; or directly confirmed with us that you provided the authorized agent permission to submit the request on your behalf.

For requests to opt out of personal information “sales” or “sharing”, we require a signed permission demonstrating your authorized agent has been authorized by you to act on your behalf.

Appealing Privacy Rights Decisions

Depending on your state of residency, you may be able to appeal a decision we have made in connection with your Consumer Rights Request. All appeal requests should be submitted via email at help@grailed.com or by submitting a request through the contact form here.

• Colorado Residents: If your appeal is denied, you may contact the Colorado Attorney General to address your concerns here.
• Connecticut Residents: If your appeal is denied, you may contact the Connecticut Attorney General to submit a complaint here.
• Virginia Residents: If your appeal is denied, you may contact the Virginia Attorney General to submit a complaint here.
• Texas Residents: If your appeal is denied, you may contact the Texas Attorney General to submit a complaint here.
• Nevada Residents: If your appeal is denied, you may contact the Nevada Attorney General here.
• Montana Residents: If your appeal is denied, you may contact the Montana Attorney General here.
• Oregon Residents: If your appeal is denied, you may contact the Oregon Attorney General here.
• Delaware Residents: If your appeal is denied, you may contact the Department of Justice to submit a complaint at privacy@delaware.gov.
• Iowa Residents: If your appeal is denied, you may contact the Iowa Attorney General to submit a complaint here.
• Nebraska Residents: If your appeal is denied, you may contact the Nebraska Attorney General to submit a complaint here.
• New Hampshire Residents: If your appeal is denied, you may contact the New Hampshire Attorney General to submit a complaint here.
• New Jersey Residents: If your appeal is denied, you may contact the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint here.

CALIFORNIA-SPECIFIC DISCLOSURES

The following disclosures only apply to residents of the State of California.

1. Collection of Personal Information:

In the last 12 months, we may have collected the following categories of personal information:

1. Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, or other similar identifiers.
2. Categories of personal information described in Cal. Civ. Code § 1798.80(e), such as name, signature, gender, physical characteristics or description, address, or telephone number.
3. Commercial information, such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
4. Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer's interaction with a website, app, or advertisement.
5. Inferences drawn from other personal information to create a profile about a consumer reflecting a consumer's preferences, characteristics, and trends.

For more information about our collection of personal information, the sources of personal information, and how we use this information, please see What Information Do We Collect From You? and How Do We Use Information About You? sections of our Privacy Notice.

In the last 12 months, we have collected the following categories of sensitive personal information:

• Account log-in information in combination with any required security or access code, password, or credentials allowing access to an account.
• Tax identification information required by applicable laws and regulations.

Grailed does not use or disclose sensitive personal information for any purpose other than for performing services you have requested and complying with applicable laws and regulations. Please noteGrailed uses a third-party service provider to automatically hash passwords, collect and store tax identification information and payment information required by applicable laws and regulations, and uses Stripe and PayPal as its third-party payment processors to process financial account information, including payment card information. Grailed does not have access to the payment information collected by Stripe and PayPal. Please see the What Information Do We Collect From You?section of the Privacy Notice for more information about the sources of sensitive personal information we collect.

2. Disclosure of Personal Information:

In the last 12 months we may have disclosed all of the categories of information we collect with third parties for a business purpose, as described in the How Do We Share Information? section of the Privacy Notice. The categories of third parties to whom we disclose your personal information for a business purpose include:

• Service providers and advisors that perform services for us on our behalf, which may include providing website development and other related services, app development, hosting, maintenance, data analytics, customer support, payment processing, shipping, fraud detection and remediation, advertising, and other services for us.
• Other users, such as if you submit a product review, share or interact with the Services in a manner that is then publicly displayed on the Services, or post content in a public area of our Services, or where necessary to complete your transaction with a buyer or seller, or where required by applicable laws and regulations.
• Ad networks and advertising partners, including social networks, to deliver advertising and personalized content to you on other sites and services you may use, and across other devices you may use, as well as to provide advertising-related services such as reporting, attribution, analytics, and market research.
• Contests and promotions providers that assist us with delivering our contests, sweepstakes, or survey offerings and processing the responses.
• Affiliates, including other companies owned or controlled byGrailed, and other companies owned by or under common ownership as Grailed, which also includes our subsidiaries (i.e., any organization we own or control) or our ultimate holding company (i.e., any organization that owns or controls us) and any subsidiaries it owns, particularly when we collaborate in providing the Services.
• We may also disclose personal information to other third parties at your direction or upon your request, or to comply with legal process or contractual obligations, or in the event of a corporate transaction, as described in our Privacy Notice.

3. Sale of Personal Information and Sharing for Targeted Advertising:

In the previous 12 months, we have sold or shared the following categories of personal information to third parties, subject to your settings and preferences and your right to opt out:

• Identifiers
• Commercial Information
• Internet / Network Information

In addition, please see the Third-Party Data Collection and Online Advertising section of the Privacy Notice and our Cookie Policy to learn more about how third-party advertising networks, social media companies and other third party businesses collect and disclose your personal information directly from your browser or device through cookies or tracking technologies when you visit or interact with our website, use our app or otherwise engage with us.

"Shine the Light"

California law permits California residents to request certain details about how their information is shared with third parties for direct marketing purposes. If you are a California resident and would like to make such a request, please contact us at help@grailed.com.

Minors

We do not sell the personal information and do not have actual knowledge that we sell the personal information of minors under 16 years of age. We do not allow user accounts for users under 16 years of age. Please contact us at help@grailed.com to inform us if you, or your minor child, are under the age of 16.

If you are a California resident under the age of 18 and you want to remove your name or comments from our website or publicly displayed content, please contact us directly at help@grailed.com with a detailed description of the specific content or information. Be aware that we may not be able to modify or delete your information in all circumstances.

If you wish to submit a privacy request on behalf of your minor child in accordance with applicable jurisdictional laws, you must provide sufficient information to allow us to reasonably verify your child is the person about whom we collected personal information and you are authorized to submit the request on your child's behalf (i.e., you are the child's legal guardian or authorized representative).