Inc.5000 Nerium International
rank500

Canada Privacy Policy

The protection of personal information is very important to Nerium Canada Ltd. (“the Company”). Privacy protection is, and always will be, critical to our business. The Company is committed to protecting the privacy of our Independent Brand Partners (“Brand Partners”) and customers. The purpose of this Privacy Policy is to inform you about our data collection practices; what information may be collected from you when you become a Brand Partner or when making inquiries or purchasing product from the Company as a customer; the purposes for which we collect such personal information;

how we protect your personal information; and how such information will be used by the Company and/or other persons or entities with whom such information may be shared. It also explains your choices regarding the collection, use, and disclosure of personal information; your ability to edit, update, correct, or delete personal information; and the security procedures that we have implemented to protect your privacy.

Scope of Application. This Privacy Policy applies to the Company’s collection, use, and disclosure of the personal information of its Canadian-based Brand Partners and customers within Canada.

Collection of Information. The Company collects personal information from its Brand Partners so that they can participate in the relationship marketing opportunities offered by the Company. In order to enroll you in the Brand Partner program, we collect contact information such as name, address, telephone number, and email address. When you order product from us as a Brand Partner, our third-party service provider that provides a certified payment system will collect payment information such as credit-card information. We may also collect your date of birth and social insurance number if we require that information for compensation purposes, including payment of commissions.

The Company collects personal information from customers who visit our website and/or our Brand Partners’ websites to make enquiries and/or purchase Company products. We collect your name and contact information (e.g., your first and last name, mailing address, city, province/territory, postal code, telephone number, and email address) in order to connect you with one of our Brand Partners from whom you can order our products. Our third-party service provider that provides
a certified payment system may also obtain from you payment information such as credit-card information, so that we
can fulfill your order. We may also collect your name, contact information, and payment information if you contact us by telephone for returns or other customer service purposes. All of this information allows us to conduct our business, provide customer service, communicate offers on products that may be of interest to you, and fulfill your order. You may volunteer to provide personal information to us. If you do not want to disclose your personal information to us, please do not

submit it.

We may also collect non-personally identifiable information from you when you visit the Company’s website and/or our Brand Partners’ websites, such as your IP address, browser type, domain name, etc. This information is collected and analyzed in the aggregate in order to improve the function and content of our website. The collection of this non-personally identifying information is further described in the section below pertaining to “Cookies.”

Use, Transfer, and Disclosure of Information. Personal information provided to us by Brand Partners is used as described above to enroll Brand Partners in our relationship marketing programs, to process payment for products ordered by Brand Partners, to provide Brand Partners with regular information regarding our products and promotions, and to process payments made to Brand Partners as compensation. Our information practices regarding Brand Partners are further described within our Terms of Agreement entered into between the Company and its Brand Partners.

Personal information provided to us by customers through our website, our Brand Partners’ websites, or via email or telephone is used for a variety of purposes described above, such as processing, confirming, and fulfilling your order and to process returns. When you provide your personal information to us, we will disclose aspects of that personal information (in particular, your name and contact information) to one or more of our Brand Partners, so as to allow a Brand Partner to contact you to process your order. While Brand Partners are fully independent from the Company, our Terms of Agreement contractually obligate Brand Partners to protect customers’ personal information that we share with Brand Partners in order to respond to product inquiries and process orders.

When customer payment information is submitted via our website or the website of one of our Brand Partners, neither the Company nor our independent Brand Partners have access to your payment information, as that information is processed by a third-party service provider that provides a certified payment system for online transactions.

Page 1 of 4

The Company does not sell or otherwise disclose your personal information to third parties other than as described
in this Privacy Policy; however, we may transfer your personal information to various vendors and service providers who perform functions on our behalf. Examples may include fulfilling orders, delivering packages, email administrative functions, processing credit-card payments, and providing customer service. Company vendors and service providers are contractually obligated to use your personal information only for those purposes for which they are hired and to take adequate security measures to ensure a comparable level of protection for your personal information. Our vendors and service providers may be located outside of the territory of Canada with the effect that your personal information may be sent to another jurisdiction for processing and while in another jurisdiction, may be accessible to foreign courts, law enforcement, and national security authorities.

We may disclose the personal information that we collect about you when we have reason to believe that it is necessary to identify, contact, or bring legal action against persons or entities that may be causing injury to you, to us, or to others. We may also disclose personal information when we believe the law requires it. We reserve the right to transfer any personal information we have about you in the event that we merge with or are acquired by a third party.

Protection of Minors. The Company website is not designed for or targeted at children. We do not knowingly collect, use, or disseminate any personally identifiable information from children under the age of 18. If, however, we become aware that personally identifiable information regarding a child under the age of 18 has been collected at the Company site, we will delete all such information.

Cookies. Through the Company’s website and the websites of its Brand Partners, the Company may collect non- personally identifiable information in order to analyze trends and statistics, and therefore enhance the operation of the site. Cookies are small pieces of information that are stored on computer hard drives. We may use cookies to recognize you when you return to the Company’s website or our Brand Partners’ websites in order to provide you with a better user experience. Our cookies do not contain any personally identifying information, such as your name, or sensitive information such as your credit-card number. Web browsers often allow you to erase existing cookies from your hard drive, block the use of cookies and/or be notified when cookies are encountered. If you elect to block cookies, please note that you may not be able to take full advantage of the features and functions of the Company’s website or those of our Brand Partners, though you will still be able to use all basic features.

Third-Party Links. The Company’s website and/or its Brand Partner websites may contain links to websites operated and maintained by third parties over which we have absolutely no control. Any information you provide to third-party websites will be governed under the terms of each website’s privacy policy, and we encourage you to investigate and ask questions before disclosing any information to the operators of third-party websites. We have no responsibility or liability whatsoever for the content, actions, or policies of third-party websites. The inclusion of third-party websites on our site in no way constitutes an endorsement of such websites’ content, actions, or policies.

Security. As technology continues to enhance and expand the collection of information of all kinds, we are committed to using our physical, organizational, and technological resources in an effort to ensure that our Brand Partners, Customers, and Users receive the kind of privacy protection that will make them confident and secure. Personal information is
only accessible to the persons in our organization who require it to carry out the purposes above. We retain personal information at Addison, TX. We shall not be responsible, however, for harm that you or any person may suffer as a result of a breach of confidentiality due to your use of the Internet.

Modifications to Policy. This Privacy Policy is effective as of January 2014. The Company reserves the right to change this Privacy Policy at any time. Any changes to this Privacy Policy will be effective immediately upon notice, which may be provided to you via email or by posting the latest version on our website. Your use of the site after such Notice will be deemed acceptance of such changes. Be sure to review this Privacy Policy periodically to ensure familiarity with its most current version. You can easily confirm whether any revisions have been posted since your last visit by checking the date on which the Policy was last revised, which is set forth at the bottom of this Policy. If you disagree with the changes in our policy, please do not use the site after the posting of such changes online. By using the Company website following the posting of changes to this Privacy Policy, you agree to and approve of all such changes.

Accessing Your Personal Information and Withdrawing Consent. You have the right to ask in writing whether we hold any personal information about you and to request access to your information. We may not be able to provide you with all the information you request, depending on the circumstances, and there may be a reasonable charge for any copy of personal information requested.

If you believe any of the information we have collected about you is incorrect or incomplete, you have the right to ask us to change it, or you may contact us to update your personal information in our records. You may withdraw your consent to

Page 2 of 4

our use of your personal information at any time, subject to legal or contractual restrictions. However, if you withdraw your consent for us to use your personal information, we may be unable to provide a product or deal that you request.

Consent. The Company collects personal information about you only when you voluntarily provide it or otherwise only with your consent as required by PIPEDA or by other applicable law. By visiting and using this website, the visitor agrees to the Privacy Policy and the terms of use. If you do not agree to the Privacy Policy, do not use this website or provide personal information to the Company. We will not, as a condition of the supply of our service, require you to consent to the collection, use, or disclosure of information beyond what is required to fulfill the explicitly specified and legitimate purposes for which the information is being provided. Upon giving the Company reasonable notice, a user may withdraw consent to use

his or her personal information at any time, subject to any legal or contractual restrictions. If you wish to withdraw your consent, please contact the Privacy Officer of the Company as described below. We will inform you of the implications of withdrawing consent.

Retention of Personal Information. Personal information that does not have a specific purpose or that no longer fulfills its intended purpose will be destroyed in a secured fashion. The Company will only retain personal information for the duration of its intended use or as otherwise required by law.

Commercial Electronic Messages. You must have the express or implied consent of the recipient to send commercial electronic messages, including email messages, or other electronic communications such as text messages. For consent to be valid, it must be knowledgeable, meaning that the individual must know the purpose for which their contact information may be used.

a) Obtaining Express Consent: Canada’s anti-spam law (CASL) requires the disclosure of the following information
when seeking consent to send commercial electronic messages: i) the purpose of the request (e.g., sending commercial electronic messages); ii) the name of the person/entity seeking the consent and, if different, the person/entity on whose behalf consent is sought, and which party is seeking consent on the other’s behalf; iii) the mailing address and one or more of a phone number, email address, or web address for one of those persons; and iv) that consent may be withdrawn.

b) Obtaining Implied Consent: Implied consent will only exist in the case of an “existing business relationship.” “Existing business relationship” is a defined term in the law. Such a relationship will only exist where i) the recipient of the message has made a purchase from the person who sends the message (or causes it to be sent) within the two years prior to the message; ii) the recipient of the message has accepted a business or investment opportunity from the person who sends the message (or causes it to be sent) within the two years prior to the message; iii) there is a written contract between the recipient of the message and the person who sends the message (or causes it to be sent) that does not relate to an item set out in i) or ii) above and that is either currently in existence, or that expired in the two years prior to the message; or iv) the recipient of the message made an inquiry or application of the person who sends the message (or causes it to be sent) regarding a purchase of business opportunity in the six months prior to the message.

c) The “Transactional or Relationship” Exception: CASL provides an exemption from its consent requirement for messages the sole purpose of which is to: i) facilitate, complete, or confirm a commercial transaction into which the recipient
had previously agreed to enter; ii) provide information about warranty, recall, or safety information about a product the recipient has purchased or used; iii) provide notice regarding a subscription, membership, account, loan, or other ongoing relationship with the sender; iv) provide information directly related to an employment relationship or benefit plan in which the recipient is currently involved; v) deliver goods or service, including product updates or upgrades, that the person to whom the message is sent is entitled to receive under a transaction they previously entered. Note: this exception does not apply to the disclosure and unsubscribe requirements below, or to the prohibitions against fraud and false or misleading headers. Neither the consent or message content requirements apply to a response to a request, inquiry, complaint, or other solicitation from the recipient of the message.

d) Unsubscribe Mechanism: Commercial electronic messages must give the recipient the opportunity to opt out of all (or any class of) future commercial electronic messages. An unsubscribe request must be given effect within 10 business days.

The unsubscriber request must function through the same electronic means used to send the communication, and must specify an electronic address or link to a webpage to which the request can be sent. For an email, including only a mailing address for an unsubscribe mechanism would not be sufficient.

e) Required Information: Each commercial electronic message must contain i) the name under which the sender carries on business and, if different, the name under which person on whose behalf the message was sent carries on business. If the message is being sent on behalf of more than one person, (i.e., there is more than one beneficial sender), each of them must be identified; ii) a valid “physical” mailing address for the sender or the person on whose behalf the message was

Page 3 of 4

sent; and iii) one of more of an email address, telephone number, or web address for either the sender or the person on whose behalf the message was sent. All of this information must be set out clearly and prominently.

f ) Penalties: CASL provides for very stringent penalties, including an administrative monetary penalty of up to $10 million, and as of July 1, 2017, a private right of action for $200 per offence, not to exceed $1million on any day on which an offence occurred.
Questions, Comments and Complaints. If you have questions or comments about this Privacy Policy for Nerium Canada Ltd., please contact the Nerium Support Center by email at support@nerium.com, or call 888-304-6046 during normal business hours.

You may register a privacy-related complaint by contacting the Company’s Privacy Officer at the above contact or by writing to 4004 Belt Line Road, Suite 112, Addison, TX 75006. We will explain our complaint procedure to you and investigate all complaints. If a complaint is justified, we will take all appropriate steps to set the situation right, including changing our policies and practices if necessary. We will also let you know what other complaint procedures may be available to you.