Common use of Privacy and Security Clause in Contracts

Privacy and Security. (a) The Company and each Subsidiary have, at all times, complied with applicable privacy and data security Laws and regulations, including all privacy and security rules of the Health Insurance Portability and Accountability Act of 1996, as amended (collectively, “Privacy Laws”) and their respective internal privacy policies, except where any such noncompliance would not be material to the Company and its Subsidiaries taken as a whole. The Company and each Subsidiary have been and are in material compliance with all of the terms of all Contracts to which the Company or any Subsidiary is a party relating to the use, collection, storage, disclosure and transfer of any personally identifiable information collected, accessed or obtained by the Company or any Subsidiary or by third parties having authorized access to the records of the Company or any Subsidiary, except where any such noncompliance would not be material to the Company and its Subsidiaries taken as a whole. Each of the Websites owned or operated by the Company or any Subsidiary has in the past three years maintained a publicly posted privacy policy that describes the Company’s practices with respect to the collection, use and disclosure of personally identifiable information collected by such Websites, the disclosures in which privacy policy are accurate and not misleading. Neither the Company nor any Subsidiary has in the past three years received a written complaint regarding actual, alleged or suspected violation of any Privacy Law by the Company, any of its Subsidiaries, any of their customers or any users of any Company Product. To the Knowledge of the Company, the use, collection, storage, disclosure and transfer of any personally identifiable information collected, accessed or obtained by third parties having authorized access to the records of the Company or any Subsidiary has, at all times, complied with such privacy policies and Privacy Laws, except where any such noncompliance would not be material to the Company and its Subsidiaries taken as a whole.

Privacy and Security. (a) The All information or data collected by the Company and each Subsidiary haveor any of its Subsidiaries from consumers, at all times, complied with applicable privacy and data security Laws and regulationsor acquired by the Company or any of its Subsidiaries about consumers, including all privacy personally identifiable information and security rules of the Health Insurance Portability and Accountability Act of 1996, as amended aggregate or anonymous information (collectively, “Privacy LawsPII”) ), has been collected, has been and their respective internal privacy policies, except where is being used and has been and is being held in compliance with all Laws and Orders of any such noncompliance would not be material to the Company and its Subsidiaries taken as a wholeGovernmental or Regulatory Authority. The Company and each Subsidiary have been and are in material compliance with of its Subsidiaries has at all of the terms of all Contracts times presented a privacy policy (“Privacy Policy”) to which the Company or any Subsidiary is a party relating consumers prior to the use, collection, storage, disclosure and transfer collection of any personally identifiable information collectedPII. The Privacy Policy, accessed or obtained by and any other representations, marketing materials, and advertisements that address privacy issues and the Company or any Subsidiary or by third parties having authorized access to the records treatment of the Company or any SubsidiaryPII, except where any such noncompliance would not be material to the Company accurately and its Subsidiaries taken as a whole. Each of the Websites owned or operated by the Company or any Subsidiary has in the past three years maintained a publicly posted privacy policy that describes completely describe the Company’s or such Subsidiary’s information practices with respect in regard to PII that it collects, maintains, stores, accesses, transfers, processes, uses or discloses (collectively, “Processing”). The Company and each of its Subsidiaries has given all notices, made all disclosures, and obtained all necessary consents related to the collectionProcessing of PII required by the Privacy Policy, use applicable laws, and disclosure of personally identifiable information collected by Contracts and no such Websitesnotices, the disclosures in which privacy policy are accurate and not misleadingor consent requests have been inaccurate, misleading or deceptive. Neither the Company nor any Subsidiary of its Subsidiaries has in collected any information online from children under the past three years received a written complaint regarding actual, alleged age of 13 without verifiable parental consent or suspected violation of any Privacy Law by the Company, directed any of its Subsidiarieswebsites to children under the age of 13 through which such information could be obtained. The Company and each of its Subsidiaries has stored and maintained PII in a secure manner, any of their customers or any users of any Company Product. To using commercially reasonable technical measures, to assure the Knowledge integrity and security of the Companydata and to prevent loss, the usealteration, collectioncorruption, storage, disclosure misuse and transfer of any personally identifiable information collected, accessed or obtained by third parties having authorized unauthorized access to the records PII. The Company and each of its Subsidiaries destroyed or otherwise rendered irretrievable any records, whether electronic or paper-based, containing PII that the Company or any such Subsidiary hassought to dispose of in the ordinary course of business. All third party access to PII has been subject to written confidentiality requirements. There has been no unauthorized access to or disclosure of PII. The transfer of PII hereunder complies with all applicable Laws and Orders relating to such transfer and with the Privacy Policy, at all times, complied with such privacy policies Contracts and Privacy Laws, except where any such noncompliance would not be material other obligations in regard to PII. Neither the Company and nor any of its Subsidiaries taken as a wholehas received any claims, notices or complaints regarding its information practices and Processing of PII.

Privacy and Security. (a) The Neither Company and each Subsidiary have, at all times, complied with applicable privacy and data security Laws and regulations, including all privacy and security rules nor any of its Subsidiaries has collected any personally identifiable information from any third parties except as described on Schedule 3.14 of the Health Insurance Portability and Accountability Act of 1996, as amended (collectively, “Privacy Laws”) and their respective internal privacy policies, except where any such noncompliance would not be material to the Company Disclosure Letter. Company and its Subsidiaries taken as a whole. The Company and each Subsidiary have been and are in material compliance complied with all Applicable Laws and its internal privacy policies relating to (a) the privacy of the terms users of Company Products and Services and all Contracts to which the Internet websites owned, maintained or operated by Company or any Subsidiary is a party relating to of its Subsidiaries (the use, “Company Websites”) and (b) the collection, storage, disclosure storage and transfer of any personally identifiable information collectedcollected by Company, accessed or obtained by the Company or any Subsidiary its Subsidiaries or by third parties having authorized access to all Company Websites and all software, hardware, networks, databases and records used in the records provision of the Company Products and Services (“Systems”). The execution, delivery and performance of this Agreement and the Company Ancillary Agreements materially comply with all Applicable Laws relating to privacy and with Company’s privacy policies. Copies of all current and prior privacy policies of Company or its Subsidiaries, including the privacy policies included in the Company Websites, are attached as Schedule 3.14 of the Company Disclosure Letter. To Company’s knowledge, neither Company nor any Subsidiaryof its Subsidiaries has received a complaint regarding the Company’s collection, except where any such noncompliance would not be material to the use or disclosure of personally identifiable information. Company and its Subsidiaries have taken as a whole. Each all necessary actions to protect the confidentiality, integrity and security of the Websites owned Systems (and all information and transactions stored or operated by contained therein or transmitted thereby) against any unauthorized use, access, interruption, modification or corruption in material compliance with all Applicable Law and in material conformance with all contractual commitments and reputable industry practice, including but not limited to (i) the Company or any Subsidiary has use of adequate strength encryption technology and (ii) the implementation of a commercially reasonable and industry standard security plan that (x) identifies internal and external risks to the security, integrity and performance of the Systems, (y) implements, monitors and improves effective administrative, electronic and physical safeguards to control those risks, and (z) maintains notification procedures and redundant Systems in the past three years maintained a publicly posted privacy policy that describes the Company’s practices with respect to the collection, use and disclosure of personally identifiable information collected by such Websites, the disclosures in which privacy policy are accurate and not misleading. Neither the Company nor any Subsidiary has in the past three years received a written complaint regarding actual, alleged or suspected violation case of any Privacy Law by the Company, any breach of its Subsidiaries, any of their customers security or any users of any Company Product. To the Knowledge of the Company, the use, collection, storage, disclosure and transfer of any personally identifiable information collected, accessed or obtained by third parties having authorized access to the records of the Company or any Subsidiary has, at all times, complied with such privacy policies and Privacy Laws, except where any such noncompliance would not be material to the Company and its Subsidiaries taken as a wholeattack.

Privacy and Security. (a) The Company and each Subsidiary haveSince January 1, at all times2014, complied with applicable privacy and data security Laws and regulations, including all privacy and security rules of the Health Insurance Portability and Accountability Act of 1996, as amended (collectively, “Privacy Laws”) and their respective internal privacy policies, except where any such noncompliance would not be material to the Company and its Subsidiaries taken as a whole. The Company and each Subsidiary have been and are complied in all material compliance respects with all of applicable Laws, practices standard to their industry (including the terms of all Contracts to which Xxxxx-Xxxxx-Xxxxxx Act and the Company or any Subsidiary is a party relating to the usePCI DSS), collectionand their own published, storage, disclosure posted and transfer of any personally identifiable information collected, accessed or obtained by the Company or any Subsidiary or by third parties having authorized access to the records of the Company or any Subsidiary, except where any such noncompliance would not be material to the Company internal agreements and its Subsidiaries taken as a whole. Each of the Websites owned or operated by the Company or any Subsidiary has in the past three years maintained a publicly posted privacy policy that describes the Company’s practices policies with respect to the collection, use use, disclosure, storage and disclosure destruction of personally identifiable information collected Personal Information of individuals who visit any of the Company’s or any of its Subsidiaries’ websites or who otherwise communicate with the Company or any of its Subsidiaries about the Company or any of its Subsidiaries, whether any of same is accessed or used by the Company or any of its Subsidiaries or business partners (“Privacy Obligations”). No claims have been asserted and, to the knowledge of Seller, no claim is threatened against the Company or any of its Subsidiaries by any Person alleging a violation of any Privacy Obligations by the Company or any of its Subsidiaries and, to the knowledge of Seller, there is no basis for any such Websitesclaim nor is any such claim expected. (b) Other than as specified by the Company’s privacy statements or as prohibited by Privacy Obligations, the disclosures Company and its Subsidiaries are not restricted in which privacy policy their collection, use, distribution disclosure, storage or destruction of Personal Information. (c) The Company and its Subsidiaries have established and are accurate in compliance with a written information security program that (i) includes administrative, technical and physical measures designed to safeguard their software and systems and the information and transactions stored therein or processed or transmitted thereby, (ii) is designed to protect against unauthorized access to their systems and data, and (iii) satisfies the requirements of applicable Law and the PCI DSS. The Company and its Subsidiaries have implemented commercially reasonable written business continuity and disaster recovery plans and procedures with respect to the Company’s and its Subsidiaries’ software and systems and information and transactions stored therein or processed or transmitted thereby. Except as set forth on Schedule 2.20(c), the Company and its Subsidiaries have not misleadingbeen notified by any third Person of, nor 24 does Seller have any knowledge of, any material data security, information security or other technological deficiency with respect to the Company’s and its Subsidiaries’ or its subcontractors’ or agents’ software, systems and all information and transactions stored or contained therein or transmitted thereby that present a risk of unauthorized disclosure, use, access, corruption or loss of any Personal Information. For purposes of the preceding sentence, and notwithstanding anything to the contrary in this Agreement, the term “knowledge” means the actual or deemed knowledge of the persons listed in Section 8.12(iiii); an individual will be deemed to have knowledge of a particular fact, circumstance, event or other matter if such knowledge would have been obtained as a result of inquiry that would reasonably be expected from an individual who has the duties and responsibilities of such individual in the customary performance of such duties and responsibilities. The Company’s and its Subsidiaries’ software and systems are (x) adequate for the conduct of the respective businesses of the Company and its Subsidiaries as currently conducted and (y) in all material respects, in good working order and condition. Except as set forth on Schedule 2.20(c), neither the Company nor any of its Subsidiaries has experienced any disruption to, or interruption in, its systems, or the services provided by the Company or its Subsidiaries through the use of the systems that has had a material adverse effect on the business of the Company and its Subsidiaries. (d) Neither the Company nor any Subsidiary has in of its Subsidiaries, nor to the past three years received a written complaint regarding actual, alleged knowledge of Seller any subcontractor or suspected violation agent of any Privacy Law by the Company, Company or any of its Subsidiaries, any has suffered a security breach with respect to its data or systems that has had a material adverse effect on the business of their customers or any users of any Company Product. To the Knowledge of the Company, the use, collection, storage, disclosure and transfer of any personally identifiable information collected, accessed or obtained by third parties having authorized access to the records of the Company or any Subsidiary has, at all times, complied with such privacy policies and Privacy Laws, except where any such noncompliance would not be material to the Company and its Subsidiaries taken as a whole.Subsidiaries. Section 2.21

Privacy and Security. (a) The Company and each Subsidiary have, at all times, complied with applicable privacy and data security Laws and regulations, including all privacy and security rules Except as set forth on Schedule 3.21(a) of the Health Insurance Portability and Accountability Act of 1996Disclosure Schedules, as amended (collectively, “Privacy Laws”) and their respective internal privacy policies, except where any such noncompliance would not be material to the Company and its Subsidiaries taken are, and have been since January 1, 2014, in compliance in all material respects with (i) all Laws regarding the collection, storage, use, and disclosure of Personal Data; (ii) the privacy policies and other Contracts (or portions thereof) in effect between the Company or any of its Subsidiaries and end users of any products and services of the foregoing (collectively, the “Privacy Policies”), and (iii) Contracts (or portions thereof) between the Company and its Subsidiaries, on the one hand, and vendors, marketing affiliates, and other business partners, on the other hand, in each case in clauses (ii) and (iii), that are applicable to the Company’s and its Subsidiaries’ use and disclosure of Personal Data (such Privacy Policies and Contracts being hereinafter referred to as a whole“Privacy Agreements”). The Company and each Subsidiary its Subsidiaries have been delivered or made available to the Buyer accurate and are in material compliance with complete copies of all of the terms of Privacy Policies. The Company and its Subsidiaries have taken commercially reasonable steps to ensure that all Contracts to which vendors or other Persons whose relationship with the Company or any Subsidiary is a party relating to and its Subsidiaries involves the collection, use, collectiondisclosure, storage, disclosure or processing of Personal Data on behalf of the Company and transfer its Subsidiaries protect such Personal Data in a manner consistent with the Company’s and its Subsidiaries’ obligations in the Privacy Agreements and in compliance with applicable Laws. Neither the execution, delivery or performance of this Agreement, nor the consummation of any personally identifiable information collected, accessed or obtained of the transactions contemplated by the Company this Agreement will result in any violation of any Privacy Policies or any Subsidiary Law pertaining to privacy or Personal Data. The Company and its Subsidiaries have in place commercially reasonable safeguards consistent with industry standards to protect the confidentiality, integrity and security of Personal Data in their possession or control from unauthorized access by third parties having authorized access parties, including the Company’s and its Subsidiaries’ employees and contractors. Except as set forth on Schedule 3.21(a) of the Disclosure Schedules, to the records Knowledge of the Seller, during the period from January 1, 2014 to the date of this Agreement, no Person has made any illegal or unauthorized use of Personal Data that is in the possession or control of the Company or any Subsidiary, except where any such noncompliance would not be material to the Company and its Subsidiaries taken as a whole. Each of the Websites owned or operated by the Company or any Subsidiary has in the past three years maintained a publicly posted privacy policy that describes the Company’s practices with respect to the collection, use and disclosure of personally identifiable information collected by such Websites, the disclosures in which privacy policy are accurate and not misleading. Neither the Company nor any Subsidiary has in the past three years received a written complaint regarding actual, alleged or suspected violation of any Privacy Law by the Company, any of its Subsidiaries. As of the date of this Agreement, any of their customers or any users of any Company Product. To there is no pending Action, and, to the Knowledge of the CompanySeller, no Person has threatened to commence any Action alleging that any Person has made any illegal or unauthorized use of Personal Data that is in the use, collection, storage, disclosure and transfer of any personally identifiable information collected, accessed possession or obtained by third parties having authorized access to the records control of the Company or any Subsidiary has, at all times, complied with such privacy policies and Privacy Laws, except where any such noncompliance would not be material to the Company and of its Subsidiaries taken as a wholeSubsidiaries.