This California Privacy Disclosure ("Disclosure") is provided by Nathan But Net LLC, a Texas limited liability company ("we," "us," or "our"), to residents of the State of California. This Disclosure supplements our general Privacy Policy and is intended to satisfy the notice requirements imposed on businesses by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA/CPRA"), and all related regulations promulgated by the California Privacy Protection Agency (CPPA).

This Disclosure applies to all California residents whose personal information Nathan But Net LLC collects, processes, uses, retains, or discloses in the course of operating nathanbut.net, including visitors to our website, customers who create an account, individuals who place orders, and anyone who contacts our customer support team.

Words defined in the CCPA/CPRA have the same meaning when used in this Disclosure. The term "personal information" as used here means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked — directly or indirectly — with a particular California consumer or household, as defined in California Civil Code Section 1798.140(v).

The following California laws govern the privacy rights described in this Disclosure. We are committed to full compliance with each of these statutes and the regulations issued under them.

• California Consumer Privacy Act (CCPA) — California Civil Code §§ 1798.100–1798.199.100. Enacted January 1, 2020. Grants California residents rights to know, delete, and opt out of the sale of their personal information.
• California Privacy Rights Act (CPRA) — Proposition 24, approved November 3, 2020. Effective January 1, 2023. Amends and expands the CCPA, adds rights to correct, limit use of sensitive personal information, and opt out of sharing for behavioral advertising. Established the California Privacy Protection Agency (CPPA).
• Shine the Light Law — California Civil Code § 1798.83. Requires businesses that share personal information with third parties for their direct marketing purposes to disclose certain information upon request to California customers.
• California Online Privacy Protection Act (CalOPPA) — Business and Professions Code §§ 22575–22579. Requires operators of commercial websites that collect personally identifiable information from California consumers to conspicuously post a privacy policy.
• California Eraser Law — Business and Professions Code § 22581. Protects the privacy of minors by allowing them to remove content they have posted online.

The CCPA/CPRA requires businesses to disclose the categories of personal information they collect, as defined by California Civil Code Section 1798.140. The table below sets out each category of personal information we collect or have collected in the preceding 12 months, including specific examples of the types of data within each category.

The CCPA/CPRA requires us to identify the categories of sources from which we collect personal information. We collect personal information about California consumers from the following categories of sources.

• Directly from You — Information you provide voluntarily when you create an account on nathanbut.net, place an order, complete a checkout form, contact our customer support team, subscribe to communications, or otherwise interact with our website. This is our primary source of personal information.
• Automatically from Your Device — Information collected automatically when you visit nathanbut.net through cookies, web beacons, pixel tags, log files, and similar tracking technologies. This includes your IP address, browser type, operating system, pages visited, and session behavior. See Section 13 of our Cookie Policy for full details.
• From Our E-Commerce Platform — Shopify Inc., our e-commerce platform provider, collects certain information on our behalf as part of hosting and operating our online store. Shopify's data collection is governed by its own privacy policies and the data processing agreement between Shopify and Nathan But Net LLC.
• From Payment Processors — Our PCI DSS-compliant payment processors provide us with transaction confirmation data, including payment method type, last four digits, and transaction status, after processing your payment. We do not receive or store your full payment card number.
• From Shipping Carriers — Shipping carriers may provide us with delivery status updates and shipping confirmations that contain personal information such as delivery address and delivery timestamps.
• From Third-Party Analytics Providers — Analytics tools we use to understand website traffic and improve our site may provide us with aggregated and anonymized data derived from your browsing activity on our website. We do not receive individual-level personally identifiable information from these providers.

The CCPA/CPRA requires us to disclose the business or commercial purposes for which we collect personal information. We collect and use personal information solely for the following business and commercial purposes.

• Order Processing and Fulfillment — To receive, process, and fulfill your orders, including charging your payment method, arranging shipment to your address, and sending order confirmations and shipping notifications. (Categories A, B, D)
• Account Creation and Management — To create and maintain your customer account on nathanbut.net, authenticate your identity when you log in, and allow you to access your order history and account settings. (Categories A, B)
• Customer Support — To respond to inquiries, resolve disputes, process return and refund requests, and provide assistance with your orders and account. (Categories A, B, D)
• Legal Compliance and Tax Obligations — To comply with applicable federal, state, and local laws, including tax reporting obligations, consumer protection requirements, anti-fraud regulations, and law enforcement requests. (Categories A, B, D)
• Security and Fraud Prevention — To detect, investigate, and prevent fraudulent transactions, unauthorized access to accounts, and other potentially harmful or illegal activity on our website. (Categories A, F)
• Website Analytics and Improvement — To understand how visitors use our website, identify technical issues, measure the performance of our pages, and make improvements to our website's design, content, and usability. (Categories F, G, K)
• Transactional Communications — To send you transactional emails and notifications that are directly related to your order or account, such as order confirmation, shipping updates, delivery confirmation, and return processing notifications. (Category A)
• Internal Business Operations — To conduct internal research, audit our business processes, train our staff, and manage our business operations in accordance with our legal and contractual obligations. (All applicable categories)

The CCPA/CPRA requires us to disclose the categories of personal information we have disclosed for a business purpose and the categories of third parties to whom it was disclosed in the preceding 12 months. The table below provides this disclosure.

Under the CPRA, "sharing" means disclosing personal information to a third party for cross-context behavioral advertising, whether or not money is exchanged. "Selling" means disclosing personal information to a third party for monetary or other valuable consideration. Neither of these practices occur at Nathan But Net LLC.

Despite the fact that we do not sell or share personal information, California law requires us to provide you with the right to opt out of any such sale or sharing, and to provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link. You may exercise your opt-out right at any time through the following link and through the request form in Section 10 of this Disclosure.

The categories of personal information that would be subject to an opt-out request if we were to sell or share are: Identifiers (Category A), Commercial Information (Category D), Internet Activity (Category F), and Inferences (Category K).

The CPRA introduced a new category of "sensitive personal information" and grants California consumers the right to limit the use and disclosure of sensitive personal information to what is necessary to perform the services requested. Sensitive personal information includes, but is not limited to, the following categories as defined in California Civil Code § 1798.140(ae):

• Social security numbers, driver's license numbers, state identification card numbers, or passport numbers
• Account log-in credentials such as usernames, passwords, or security questions when combined with required security credentials
• Precise geolocation data
• Racial or ethnic origin, religious beliefs, or union membership
• Contents of mail, email, or text messages unless the business is the intended recipient
• Genetic data and biometric information used for the purpose of uniquely identifying a consumer
• Personal information collected and analyzed about a consumer's health, sex life, or sexual orientation

The only credential data we collect is the email address and password you use to create an account on nathanbut.net. This credential information is stored in encrypted form and is used solely to authenticate your identity when you log into your account. It is not shared with any third party and is not used for any other purpose.

As a California resident, you have the following rights under the CCPA/CPRA. These rights are enforceable against Nathan But Net LLC and are subject only to the exceptions expressly permitted by applicable law.

You may submit a California privacy rights request using any of the following methods. We honor all CCPA/CPRA requests at no charge up to twice per 12-month period for requests to know, and without limitation for all other request types.

• Online Form — Complete the California Privacy Request Form below on this page. This is the fastest and preferred method.
• Email — Send your request to contact@nathanbut.net with the subject line "California Privacy Request — CCPA/CPRA." Please include your full name, email address, California ZIP code, and the type of request you are submitting.
• Phone — Call our toll-free privacy line at +1 830-481-7667, Monday through Friday, 9:00 AM to 6:00 PM Central Standard Time.
• Do Not Sell Page — To submit an opt-out of sale or sharing request specifically, you may visit our dedicated Do Not Sell or Share My Personal Information page.

Under California Civil Code § 1798.100(c), we are only required to respond to "verifiable consumer requests." We must establish a reasonable method to verify that the person submitting the request is the consumer whose personal information is the subject of the request, or an authorized agent of that consumer.

California Civil Code § 1798.83, also known as the "Shine the Light" law, requires businesses that share personal information of California customers with third parties for those third parties' direct marketing purposes to disclose, upon request, the categories of personal information shared and the identities of those third parties.

If our practices change and we begin sharing personal information with third parties for their direct marketing purposes, we will update this Disclosure and notify California customers as required by law before doing so.

California Business and Professions Code § 22581, commonly referred to as the "Eraser Law" or the "Minor's Right to Erase," provides additional privacy protections for California residents who are under 18 years of age at the time they registered to use our website or submitted content to us.

If you are a California resident under 18 years of age and you have registered for an account on nathanbut.net or submitted content (including reviews, photos, or other user-generated content), you may request removal of content or information you have publicly posted by contacting us at contact@nathanbut.net with the subject line "Minor Eraser Request."

We will make the content invisible to other users and the general public upon receiving a verified request. Please note that we cannot guarantee complete removal of content from all systems or from copies cached or stored by third parties such as search engines. Removal of content from third-party caches is not within our control.

If you believe we have inadvertently collected personal information from a minor under 16 without the appropriate consent, please contact us immediately at contact@nathanbut.net so we can promptly delete the information.

Specifically, as required by California Civil Code § 1798.125(a)(1), Nathan But Net LLC will not take any of the following actions against you as a result of your exercising any right under the CCPA/CPRA:

• Deny you goods or services available on nathanbut.net.
• Charge you a different price or rate for goods or services, including through the use of discounts or other benefits, or the imposition of penalties.
• Provide you with a different level or quality of goods or services.
• Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services if you exercise your privacy rights.
• Retaliate against you as an employee, applicant for employment, or independent contractor for exercising any right under the CCPA/CPRA.

As permitted under California Civil Code § 1798.125(b), we may offer financial incentives, including payments to consumers as compensation, for the collection, sale, or deletion of personal information. Any such incentive program must be reasonably related to the value of the consumer's data. We do not currently operate any such incentive program, and if we introduce one in the future, we will update this Disclosure and provide you with a clear description of the program and your right to opt in and opt out at any time.

Under California Civil Code § 1798.135(a)(2), a California consumer may designate an authorized agent to submit a request to know, delete, correct, or opt out on the consumer's behalf. An authorized agent is a natural person or a business entity registered with the California Secretary of State that has been authorized by a consumer to act on their behalf.

To use an authorized agent, the following documentation must be provided to us at the time the request is submitted:

• Written Authorization — A signed written authorization from the consumer granting the agent permission to submit the specific type of privacy request. The authorization must clearly identify the consumer, the agent, the scope of authority granted, and the date of authorization.
• Power of Attorney — Alternatively, an agent may provide proof of a valid power of attorney granted by the consumer in accordance with California Probate Code §§ 4000–4465.
• Agent's Identity — The authorized agent must identify themselves, provide their contact information, and indicate the nature of their relationship to the consumer in the request submission.

Even when a request is submitted through an authorized agent, we may still contact the consumer directly to verify their identity and confirm that they authorized the agent to submit the request, as permitted by the CCPA/CPRA regulations. Authorized agents may submit requests by emailing contact@nathanbut.net with the subject line "Authorized Agent — California Privacy Request" and attaching all required documentation.

The Global Privacy Control (GPC) is a browser-level signal that allows California consumers to automatically notify websites of their opt-out preference for the sale and sharing of personal information, as described in California Civil Code § 1798.135(e) and the CPRA regulations promulgated by the California Privacy Protection Agency.

Nathan But Net LLC recognizes and honors the GPC signal. If your web browser or browser extension sends a GPC signal (a Sec-GPC: 1 HTTP header) when you visit nathanbut.net, we will treat it as a valid opt-out of the sale and sharing of your personal information under the CPRA, with the same legal effect as submitting a manual opt-out request through the form in Section 10.

Please note that honoring the GPC signal applies only to the sale or sharing of personal information. It does not operate as a request to delete your personal information or a request to opt out of all data collection. If you wish to exercise additional rights, please submit the appropriate request using the form in Section 10 or by contacting us directly.

The CPRA regulations require certain businesses to disclose metrics related to consumer privacy requests received and processed during the preceding calendar year. This section provides our annual metrics disclosure.

These metrics will be updated annually. The metrics above represent data from our first year of operation (January 1, 2024 through December 31, 2024). We will publish updated metrics for each subsequent calendar year no later than January 31 of the following year.

If you have any questions about this California Privacy Disclosure, your rights under the CCPA/CPRA, or how Nathan But Net LLC handles your personal information, please contact us using any of the methods below. We are committed to responding to all privacy inquiries promptly, accurately, and transparently.