PRIVACY POLICY

Last Updated: April 1, 2024

Moon Valley Nurseries, including its parent, affiliated, and subsidiary companies, (collectively, “MVN,” “our,” “we” or “us”), is a leading provider of retail tree and plant products at our various locations in the United States. We respect your privacy. We created this Privacy Policy to help you become familiar with how we collect, use, disclose, share, and protect Personal Data (defined below) and otherwise comply with applicable consumer privacy laws, including the choices we offer with respect to your Personal Data. We encourage you to read this Privacy Policy in full before using https://www.moonvalleynurseries.com/, or any other MVN website (collectively, the “Website” or “Websites”), or any other online service (e.g., mobile apps) that posts a link to this Privacy Policy, opening our e-mails or otherwise submitting Personal Data to us (collectively, the “Service” or our “Services”). Should you have any questions or requests you may contact us at dataprivacy@mvncorp.com. See the section titled “Contact Us” at https://www.moonvalleynurseries.com/contact-us for further contact information.

This Privacy Policy together with our posted Terms of Use at https://www.moonvalleynurseries.com/terms-and-conditions explains how we collect, use, and safeguard information in the course of providing and operating the Service. By visiting or otherwise using the Service, you agree to the Service’s Terms of Use https://www.moonvalleynurseries.com/terms-and-conditions.

This Privacy Policy does not apply to applicants seeking employment with us, our current or past employees, contractors, or interns. To receive a copy of our employee privacy notice, please contact us.

Your State Privacy Rights: Residents of California have certain privacy rights detailed below. To the extent there is a conflict between this Privacy Policy and the State Privacy Notice section, the State Privacy Notice section will control.

I. WHAT INFORMATION WE COLLECT

A. Information About You That You Provide.

We and/or our Service Providers (defined below) may, from time to time, request that you provide us with Personal Data when you request a proposal from us, place orders with us, establish an account with us, request information, interact with our customer service, participate in a marketing campaign, complete surveys, or use our Websites.  In some instances, we may need to supplement the information you provided with certain Personal Data about you obtained from third parties to process your online transaction.  In addition, when you interact with Third-Party Services (defined below), you may be able to provide information to those third parties and those Third Parties, in turn, may provide information to us.

We, our Service Providers and/or Third-Party Services may collect your “Personal Data,” including:

• Contact Information: Name, title, addresses, email addresses, telephone numbers, facsimile number, and IP address.
• Transaction Information: Payment card information, financial account information, purchases, special requests, delivery details, and communications you have with us.
• Preference Information: Preferences you indicate to us or that we have observed such as your marketing preferences, areas of interest, and subscriptions to MVN resources.
• Legal Information: Transaction fraud checks or flags, payment card refusals, and information or copies of documents you provide where the law requires you to prove your identity.
• Voluntary Information: Other information you voluntarily give us such as feedback, complaints, and survey responses.
• Observed Information: Information we collect about you while you use our Websites such as the pages, services, or areas of our Websites that you visit, your location, or which link has brought you to our Website. This information may be identifiable to you if you register at our Website.

B. Information Collected Automatically

We, our Service Providers and/or Third-Party Services may also automatically collect certain information about you when you access or use the Services (“Usage Information”).  Usage Information may include IP address, device identifier, browser type, operating system, information about your use of the Service, the device you use, the web page you visited before coming to our sites, and identifiers associated with your devices and you (depending on their settings) may also transmit location information to the Service.

The methods that may be used on the Services to collect Usage Information include cookies, web beacons (also known as “tracking pixels”), embedded scripts, location-identifying technologies, device recognition technologies, in-app tracking methods, device and activity monitoring and other tracking technologies now and hereafter developed (“Tracking Technologies”) may be used to collect information about interactions with the Website or e-mails, including information about your browsing and purchasing behavior. Such Tracking Technologies may include:

• Cookies: We use “cookies” to store specific information about you. A “cookie” is a small text file that is sent to your browser and stored on your device, such as session ID cookies or tracking cookies. Tracking cookies remain longer and help in understanding how you use the Services and enhance your user experience. Cookies may remain on your hard drive for an extended period of time. If you use your browser’s method of blocking or removing cookies, some but not all types of cookies may be deleted and/or blocked and as a result, some features, and functionalities of the Services may not work.
• Web Beacons (“Tracking Pixels”): Web beacons are small graphic images, also known as “Internet tags” or “clear gifs,” embedded in web pages and e-mail messages. Web beacons may be used, without limitation, to count the number of visitors to the Service, to monitor how users navigate the Service, and to count content views.
• Embedded Scripts: An embedded script is programming code designed to collect information about your interactions with the Service. They are temporarily downloaded onto your computer from MVN’s web server, or from a third party with which MVN works and are active only while you are connected to the Service and deleted or deactivated thereafter.
• Device Recognition Technologies: Device Recognition Technologies, including application of statistical probability to data sets, as well as linking a common unique identifier to different device use (e.g., Facebook ID), attempt to recognize or make assumptions about users and devices to identify a user across devices (e.g., that a user of multiple devices is the same user or household) (“Cross-device Data”).
• Device and Activity Monitoring: Such technologies may monitor, and may record, certain interactions with the Service, including without limitation, keystrokes, and/or collect and analyze information from your device, such as, without limitation, your operating system, plug-ins, system fonts, and other data, for purposes such as identification, security, fraud prevention, troubleshooting, tracking and/or improving the Services and customizing or optimizing your experience on the Services.

Some information about your use of the Service and certain other online websites may be collected using Tracking Technologies across time and Services and used by us and third parties for purposes such as to associate different devices you use and deliver relevant ads and/or other content to you on the Website and certain other online websites, in accordance with applicable data protection laws.

C. Information We Collect from Other Sources

We may also obtain information about you from other sources, including Service Providers and Third-Party Services. We are not responsible or liable for the accuracy of the information provided by third parties or for third party policies and practices.

D. Limitations

To the extent non-Personal Data, or Personal Data collected outside of the Service or by Third-Party Services, is combined by or on behalf of us with Personal Data we collect directly from you on the Service (“MVN-Collected Personal Data”), we will treat it in accordance with this Privacy Policy. Notwithstanding the foregoing or anything to the contrary, unless required by applicable law, this Privacy Policy is not intended to limit our activities regarding information that does not personally identify you such that it does not constitute Personal Data, including Personal Data that has been “De-identified” (i.e., the removal or modification of the personally identifiable elements, or the extraction of non-personally identifiable elements), and non-MVN Collected Personal Data (including third-party-sourced, or non-Service-sourced, information) that is not combined with MVN Collected Personal Data.

II. WHY WE COLLECT INFORMATION

We may use information about you for any purposes not inconsistent with our statements under this Privacy Policy, or otherwise made by us in writing at the point of collection, and not prohibited by applicable law, including, without limitation, for the following purposes:

• To Deliver Our Services:
• • To deliver the Services you have requested.
  • To process your order, including credit evaluation, payment authorization, and collection of sums owed.
  • To give you Service notices and deal with any customer care issues you may have.
  • To manage registered accounts you have with us.
  • To create and secure an on-line account in our rewards program, if you choose to establish one.
  • To notify you of any changes to our Services.
  • To provide services and fulfill our obligations to you, event organizers, venues, and hotels in connection with events you participate in including, without limitation, through the use of non-personal anonymous, aggregate, and statistical information.

• Marketing:
• • To communicate with you regarding an upcoming service or installation appointment or schedule.
  • To offer services or products.
  • To promote relevant offerings and suggestions related to your areas of interest or based on previously conducted business through a genuine understanding from us that there is a legitimate interest for that contact to take place.
  • To deliver information you request and communicate about us and other MVN brand offerings from our affiliates, and recent developments that may be of interest to you.
  • To advertise our products and services to you if they are relevant and appropriate to you.
  • To maintain a profile of our ongoing relationship that allows us to better serve you and tailor our offers so that they are more likely to be of interest to you.

• Research and Development:
• • To obtain your feedback, provide customer service, and track our performance.
  • To ensure that our online content that you access (whether as part of a Service or not) is presented in the most effective manner for you.
  • To operate our websites more effectively and to promote our Services on our website.
  • To manage, conduct research, and improve how we operate and promote our Services including, without limitation, using non-personal anonymous, aggregate, and statistical information.

• Analysis and Profiling:
• • To analyze your responses to our marketing communications (e.g., whether you open communications and/or how you interact).
  • To analyze your browsing and purchasing activity.
  • To use the analyses mentioned above, together with other demographic data, to contact you with information on products and offers relevant to you.
  • To analyze customer choices in respect of our services to understand our target audience for the purposes of selecting similar customers for advertising purposes.

• Legal Requirements:
• • To pursue legal claims, prevent crime, and detect and prevent fraud and related matters.
  • To verify your identity when necessary and/or appropriate.
  • To address issues relating to your personal safety and the safety of others.
  • To comply with applicable law, to respond to requests from government authorities, enforce our rights and protect property, and to satisfy our record keeping, regulatory, and legal obligations.

III. DISCLOSING YOUR INFORMATION

Generally, we may share information about you for any purpose not inconsistent with our statements under this Privacy Policy, or statements otherwise made by us in writing at the point of collection, and not prohibited by applicable law, including, without limitation:

• With our agents, vendors, consultants, and other service providers (collectively “Service Providers”) in connection with their work on our behalf, including assisting in the provision of the Service. These parties may provide services including authentication, billing and collections, payment processing, customer support, or data storage.
• With other third parties to meet legal, regulatory, insurance, audit, and other similar administrative needs.

Third parties are permitted to use your personal data only to assist us in providing our Services to you or to offer complementary goods and/or services that we have good reason to believe may be of particular interest to you and to the extent permissible under applicable law.

• Corporate Transactions: Finally, in the event we go through a merger, sale, bankruptcy, or other business transition, we reserve the right to transfer or assign your information that we have collected as part of any business transition in accordance with applicable law. In some cases, such as bankruptcy, we may not be able to control how your personal data is used.

All parties we share information with are required to treat your information confidentially and show that they have appropriate data protection and security controls, and that they protect personal data consistent with the principles articulated in this Privacy Policy. Wherever it is possible and reasonable, we will disclose only the minimum information necessary to complete and process an order.

IV. THIRD-PARTY CONTENT, THIRD-PARTY SERVICES, ADVERTISING AND ANALYTICS

The Service may include or link to Third-Party Services, apps, locations, platforms, code (e.g., plug-ins, application programming interfaces, and software development kits (“SDKs”)), or other websites (collectively, “Third-Party Service(s)”). These Third-Party Services may use their own cookies, web beacons, and other Tracking Technologies to independently collect information about you and may solicit Personal Data from you. 

Certain functionalities on the Service permit interactions that you initiate between the Service and Third-Party Services.  Examples of such interactions include connecting the Service to a Third-Party Service (e.g., to pull or push information to or from the Service). If you enable such interactions, both we and the third party may have access to certain information about you and your use of the Service and any Third-Party Service.

We may engage and work with Service Providers, Third-Party Services, and other third parties to serve advertisements on the Website and/or on other online websites.  Some of these ads may be tailored to your interest based on your browsing of the Website and elsewhere on the Internet, which may include use of precise location and/or cross-device data, sometimes referred to as “interest-based advertising” and “online behavioral advertising” (“Interest-based Advertising”) (where permitted under applicable law), which may include sending you an ad on another online website after you have left the Website (i.e., “retargeting”). 

We are not responsible for, and make no representations regarding, the policies or business practices of any third parties, including, without limitation, analytics Service Providers and Third-Party Services associated with the Website, and encourage you to familiarize yourself with and consult their privacy policies and terms of use. 

V. CHILDREN’S PRIVACY

We do not knowingly collect any Personal Data from children under the age of 13 through our Services. If you are under 13, please do not give us any Personal Data. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide Personal Data to us without their permission. If you have reason to believe that a child under the age of 16 has provided Personal Data to us, please contact us at dataprivacy@mvncorp.com and we will endeavor to delete that Personal Data from our databases.

VI. ACCESSING AND CHANGING INFORMATION

To the extent required by applicable law, we may provide web pages or other mechanisms allowing you to delete, correct, or update some of your information that we have collected and retained, and potentially certain other information about you (e.g., profile and account information). Further, except to the extent prohibited by applicable law, we reserve the right to retain data: (a) as required by applicable law; and (b) for so long as reasonably necessary to fulfill the purposes for which the data was collected.

VII. HOW WE SAFEGUARD YOUR INFORMATION

The security of your Personal Data is important to us. We employ reasonable technical and organizational measures to protect against the loss of, or unauthorized access to, the information under our control. Although we take reasonable and appropriate measures to protect your information, we cannot guarantee that your information will always remain secure.

VIII. CHOICES: TRACKING AND COMMUNICATIONS OPTIONS

A. Tracking Technologies Generally

Regular cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings.  Browsers offer different functionalities and options, so you may need to set them separately.  Also, tools from browsers may not be effective with regard to certain Tracking Technologies. Please be aware that if you disable or remove these technologies, some parts of the Services may not work and when you revisit the Services your ability to limit browser-based Tracking Technologies is subject to your browser settings and limitations.

Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online websites you visit.  Like many online websites, we currently do not alter our practices when we receive a “Do Not Track” signal from a visitor’s browser.

B. Analytics and Advertising Tracking Technologies

You may choose whether to receive some Interest-based Advertising by submitting opt-outs. Some of the advertisers and Service Providers that perform advertising-related services for us and third parties may participate in the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Program for Online Behavioral Advertising. To learn more about how you can exercise certain choices regarding Interest-based Advertising, including use of Cross-device Data for serving ads, visit http://www.aboutads.info/choices/, and http://www.aboutads.info/appchoices for information on the DAA’s opt-out program specifically for mobile apps (including use of precise location for third party ads). Some of these companies may also be members of the Network Advertising Initiative (“NAI”). To learn more about the NAI and your opt-out options for their members, see http://www.networkadvertising.org/choices/. Please be aware that, even if you are able to opt out of certain kinds of Interest-based Advertising, you may continue to receive other types of ads. Opting out only means that those selected members should no longer deliver certain Interest-based Advertising to you but does not mean you will no longer receive any targeted content and/or ads (e.g., from other ad networks). Also, if your browsers are configured to reject cookies when you visit these opt-out webpages, or you subsequently erase your cookies, use a different device or web browser or use a non-browser-based method of access (e.g., mobile app), your NAI / DAA browser-based opt-out may not, or may no longer, be effective.

You may exercise choices regarding the use of cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on. We may also use Microsoft Advertising Websites. To learn about the data Microsoft collects and how your data is used by it and to opt-out of certain Microsoft browser Interest-based Advertising, please visit here.

We are not responsible for effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs.

C. Communications

You can opt out of receiving certain promotional communications from us at any time by: (i) for promotional e-mails, following the instructions provided in emails to click on the unsubscribe link, or if available by changing your communication preferences by logging onto your account; (ii) for text messages, following the instructions provided in text messages from us to text the word, “STOP”; and (iii) for app push notifications turn off push notifications on the settings of your device and/or the app, as applicable. Please note that your opt-out is limited to the e-mail address or phone number used and will not affect subsequent subscriptions. If you opt-out of only certain communications, other subscription communications may continue. Even if you opt out of receiving promotional communications, we may, subject to applicable law, continue to send you non-promotional communications, such as those about your account, transactions, servicing, or our ongoing business relations.

IX. STATE PRIVACY NOTICE

This State Privacy Notice applies to “Consumers” as defined under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (“CPRA”) (together, the “CCPA”), Chapter 603A of the Nevada Revised Statutes, and all laws implementing, supplementing or amending the foregoing, including regulations promulgated thereunder (collectively, “U.S. Privacy Laws”). This State Privacy Notice is a supplement to our other privacy policies or notices, including the remainder of this Privacy Policy. In the event of a conflict between any of our other policies, statements, or notices and this State Privacy Notice, this State Privacy Notice will prevail as to Consumers and their rights under the applicable state law, unless stated otherwise. This State Privacy Notice is designed to meet our obligations under the U.S Privacy Laws. Capitalized terms not defined herein shall have the meaning ascribed to them under the applicable U.S. Privacy Law.

Scope of PI: There may be additional information that we collect that meets the definition of personal information (also referred to herein as “PI”) under the CCPA but is not reflected by a category in the table that follows, in which case we will treat it as PI as required but will not include it when we describe our practices by category of PI. We reserve the right, to the extent permitted by the CCPA and other applicable California privacy laws, not to treat the following as PI: deidentified, aggregated data or publicly available information. We reserve the right, as allowable, to convert, or permit others to convert, your PI into deidentified or aggregate Consumer information.

Non-Applicability, Human Resources:  This California Privacy Notice does not apply to applicants seeking employment with us, our current and past employees, contractors, or interns (“Personnel”) and human resources PI (“HR PI”) however, our California Personnel may obtain a separate privacy notice that is applicable to them by contacting our Human Resources Department.

A. PI Collection, Use, and Disclosures, by Category

The description of our data practices in this Notice covers only the twelve (12) months prior to the Effective Date (“Reporting Period”) and will be updated at least annually.  Our data practices may differ between updates, however, if materially different from this California Privacy Notice, we will provide pre-collection notice of the current practices, which may include references to other privacy policies, notices or statements posted or referenced on the Service that reflect current practices.

Generally, we collect, retain, use, and disclose your PI in order to provide you services and as otherwise related to the operation of our business. The table immediately below describes the categories of PI we collect, in the left column. The right column states the categories of third parties that receive such PI as part of disclosures, by us to them, for what the CCPA refers to as “Business Purposes" as well as disclosures which may be considered a “sale” or “sharing” as defined under CCPA. “Business Purposes” include:

• Managing Interactions and Transactions
• Security
• Debugging
• Performing Services
• Providing Advertising & Marketing Services
• Quality Assurance
• Processing Interactions and Transactions
• Research and Development

Additional Business Purposes include disclosing PI to other parties in a context that is not a regulated “Sale” or “Sharing” under the CCPA, such as to our Service Providers or Contractors that perform services for us (“Vendors”), to the Consumer or to other parties at the Consumer’s direction or through the Consumer’s action, for the additional purposes explained at the time of collection (such as in the applicable privacy policy or notice), as required or permitted by applicable law, to the government or private parties to comply with law or legal process, and to assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Additional Business Purposes”). Subject to restrictions and obligations under the CCPA, our Vendors may also use your PI for Business Purposes, including Additional Business Purposes, and may engage their own Service Providers or Contractors to enable them to perform services for us.

The collection of PI by some third-party cookies, such as by some interest-based advertising cookie operators, may be considered a “Commercial Purpose” and a “Sale” under the CCPA and potentially other state laws, and our Processing of PI for certain advertising purposes may be a “Sharing.” See the next subsection for more detail.

Category Of PICategories of PI Recipients – Business Purposes (“BP”) and Sale / SharingRetention Period

1) Identifiers and Contact Information (such as name, phone number, address, email address, mobile identification number, IP address, cookie ID)

BP: Service Providers, such as cloud vendors, analytics companies, social media networks, advertising providers

Sale/Share: N/A

Generally between 1 and 3 years, or as otherwise stated below.

2) Personal Records (such as payment information, identification number)

BP: Service Providers, such as cloud vendors and financial services companies; Government Entities (e.g., related to compliance obligations)

Sale/Sharing: N/A

Generally between 1 and 3 years, or as otherwise stated below.

3) Personal Characteristics or Traits (e.g., Age, Gender)

BP: Service Providers such as cloud vendors, analytics companies, advertising providers, and social media networks; Government Entities (e.g., related to compliance obligations)

Sale/Sharing: N/A

Generally between 1 and 3 years, or as otherwise stated below.

4) Customer Account Details / Commercial Information (e.g., your purchase history)

BP: Service Providers such as analytics companies, advertising providers, cloud vendors, financial services companies,; Government Entities (e.g., related to compliance obligations)

Sale/Sharing: N/A

Generally between 1 and 3 years, or as otherwise stated below.

5) Internet Usage Information (such as search or browsing history on the Service)

BP: Service Providers such as cloud providers, analytics companies, advertising providers, and social media networks; Affiliates and Related Entities; Government Entities

Sale/Share: Cookie operators,

Generally between 1 and 3 years, or as otherwise stated below.

6) Location Data (such as where you enable location-based features on your device)

BP: Service Providers such as analytics companies, advertising providers, and social media networks; Affiliates and Related Entities; Government entities

Sale/Sharing: N/A

Generally between 1 and 3 years, or as otherwise stated below.

7) Audiovisual and Similar Information (such as security camera footage, customer service call recordings)

BP: Service Providers such as customer service providers, call center operators, and security companies; Affiliates and Related Entities; Government Entities

Sale/Sharing: N/A

Generally between 1 and 3 years, or as otherwise stated below.

8) Professional or Employment Information (such as employment history)

BP: Service Providers such as cloud service providers, analytics companies, advertising providers, and social media networks; Affiliates and Related Entities; Government Entities

Sale/Sharing: N/A

Generally between 1 and 3 years, or as otherwise stated below.

9) Inferences from PI Collected

BP: Service Providers such as analytics companies, advertising providers, and social media networks; Affiliates and Related Entities; Government Entities

Sale/Sharing: N/A

Generally between 1 and 3 years, or as otherwise stated below.

Retention Details: As required by California law, we note our general PI retention rules by category of PI in the chart above. Because there are so many different types of PI in each category, and so many purposes and use cases for different PI, we provide general retention ranges above. However, actual retention periods will depend upon how long we have a legitimate purpose for the retention consistent with the collection purposes and applicable law. For instance, we may maintain business records for so long as relevant to our business, and may have a legal obligation to hold PI for so long as potentially relevant to prospective or actual litigation or government investigation. We apply the same criteria for determining if we have a legitimate purpose for retaining your PI that you ask us to delete. If you make a deletion request, we will conduct a review of your PI to confirm if legitimate ongoing retention purposes exist, will limit the retention to such purposes for so long as the purpose continues, and will respond to you with information on any retention purposes on which we rely for not deleting your PI.

B. PI Collection, Use, and Disclosure – By Processing Purpose

We collect, use, and disclose PI for the processing purposes described below.

Processing Purpose(s)

Examples(s) of Processing Purpose

Categories of PI Processed

Categories of Recipients

Performing Services

To provide our Services to you or communicate about our Services: to provide you with info or services, to send you electronic newsletters and push notifications (if you have elected to receive such), to communicate with you about your use of the Services, to provide you with special offers or promotions

Enable additional features of our sites: to enable you to participate in a variety of our site’s features, including marketing campaigns, complete surveys, or use our Websites

Process Transactions: to process or fulfill a transaction

Contact You: to contact you about your use of our Services and, in our discretion, changes to our Services or our Service’s policies

Account management: to process your registration with our Services, verify your info is active and valid, manage your account

Customer Service: to respond to any questions, comments, or requests you have for us or for other customer service purposes

Payment and other purchase-related purposes: to facilitate a purchase made using our Services, including payment

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details
• Internet Usage Information
• Location Data
• Audiovisual and Similar Information
• Professional or Employment Information
• Inferences from PI Collected
• Sensitive PI

• Service Providers (e.g., cloud vendors, financial payment vendors, analytics companies, social media networks, advertising providers);
• Selected marketing partners;
• Other members of our corporate group;
• Public authorities/governmental bodies (making requests pursuant to legal or regulatory process);
• Other parties within the limits of Additional Business Purposes; and/or
• Third-Party Digital Businesses (as defined below).

Managing Interactions and Transactions

Auditing: related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with user interaction or transaction specifications and standards (e.g., ecommerce activities)

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details
• Internet Usage Information

• Service Providers (e.g., cloud vendors, financial payment vendors, analytics companies, social media networks, advertising providers);
• Other members of our corporate group;
• Other parties within the limits of Additional Business Purposes; and/or
• Third-Party Digital Businesses.

Security and fraud prevention

Security/fraud prevention: to protect the security of Company, our Services, or its users and to prevent and address fraud

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details
• Internet Usage Information
• Location Data
• Audiovisual and Similar Information
• Professional or Employment Information
• Inferences from PI Collected
• Sensitive PI

• Service Providers (e.g., cloud vendors, financial payment vendors, analytics companies, social media networks, advertising providers);
• Fraud prevention and security providers)
• Other members of our corporate group;
• Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
• Other parties within the limits of Additional Business Purposes); and/or
• Third-Party Digital Businesses.

Debugging

Repairs: identify and repair errors that impair existing intended functionality of our Services

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details
• Internet Usage Information
• Location Data
• Audiovisual and Similar Information
• Professional or Employment Information
• Inferences from PI Collected
• Sensitive PI

• Service Providers that help identify and repair errors on our Services;
• Other members of our corporate group; and/or
• Other parties within the limits of Additional Business Purposes.

Advertising & Marketing (excluding Cross-Context Behavioral Advertising and Targeted Advertising)

Content and offers customization: to customize your experience on our websites, apps, or other Services, or to serve you specific content and offers that are relevant to/customized for you (e.g., pricing and discounts based on your profile, location, or shopping history)Advertising, marketing, and promotions: to assist us in determining relevant advertising and the success of our advertising campaigns; to help us determine where to place our ads, including on other websites; for promotional activities such as running sweepstakes, contests, and other promotions.

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details
• Internet Usage Information
• Location Data
• Audiovisual and Similar Information
• Professional or Employment Information
• Inferences from PI Collected
• Sensitive PI

• Service Providers (e.g., cloud vendors, financial payment vendors, analytics companies, social media networks, advertising providers);
• Selected marketing partners;
• Other members of our corporate group;
• Other parties within the limits of Additional Business Purposes; and/or
• Third-Party Digital Businesses.

Quality Assurance

Ensuring the Quality and Safety of Service: undertaking activities to verify or maintain the quality or safety of our Services, and to improve, upgrade, or enhance our Services

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details
• Internet Usage Information
• Location Data
• Audiovisual and Similar Information
• Professional or Employment Information
• Inferences from PI Collected
• Sensitive PI

• Service Providers that help improve the quality of our Services;
• Other members of our corporate group; and/or
• Other parties within the limits of Additional Business Purposes

Processing Interactions and Transactions

Short-term, transient use: including, but not limited to, non-personalized advertising shown as part of a Consumer’s current interaction with Company and use of our Services’ features and functionality (e.g., completing e-commerce transactions)

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details
• Internet Usage Information
• Location Data
• Audiovisual and Similar Information
• Professional or Employment Information
• Inferences from PI Collected
• Sensitive PI

• Service Providers (e.g., cloud vendors, financial payment vendors, analytics companies, social media networks, advertising providers);
• Other members of our corporate group; and/or
• Other parties within the limits of Additional Business Purposes.

Research and Development

Research and analytics: to better understand how users access and use our Services, both on an aggregated and individualized basis, to improve our Services and respond to user preferences, and for other research and analytical purposes.

Market research and customer satisfaction surveys: to administer surveys and questionnaires, such as for market research or customer satisfaction purposes.

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details/Commercial Information
• Internet Usage Information
• Geolocation Data
• Inferences from PI Collected

• Service Providers (e.g., cloud vendors, financial payment vendors, analytics companies, social media networks, advertising providers);
• Other members of our corporate group;
• Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
• Other parties within the limits of Additional Business Purposes.
• Third-Party Digital Businesses.

Additional Business Purposes

Compliance with legal obligations: to comply with legal obligations, as part of our general business operations, and for other business administration purposes

Prevention of illegal activities, fraud, injury to others, or violation of our terms and policies: to investigate, prevent or take action if someone may be using info for illegal activities, fraud, or in ways that may threaten someone’s safety or violate of our terms or this Notice

Purposes disclosed at PI collection: We may provide additional disclosures at the time of PI collection, such as on a checkout page

Related or compatible purposes: for purposes that are related to and/or compatible with any of the foregoing purposes

• Identifiers
• Personal Records
• Personal Characteristics or Traits
• Customer Account Details/Commercial Information
• Internet Usage Information
• Geolocation Data
• Sensory Data
• Inferences from PI Collected
• Government Issued Identification Numbers
• Financial Data
• Sensitive Personal Characteristics

• Service Providers (e.g., cloud vendors, financial payment vendors, analytics companies, social media networks, advertising providers);
• Selected marketing partners;
• Other members of our corporate group;
• Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
• Other parties within the limits of Additional Business Purposes.

Commercial Purposes

Cross-context Behavioral Advertising

Targeted Advertising

Strategic partnerships with select marketing partners that offer services to our customers, such as credit card issuers

• Identifiers
• Internet Usage Information

• Service Providers (e.g., cloud vendors, financial payment vendors, analytics companies, social media networks, advertising providers);
• Selected marketing partners; and/or
• Third-Party Digital Businesses.

C. Your Consumer Rights and How to Exercise Them

As described more below, subject to meeting the requirements for a Verifiable Consumer Request (defined below) under U.S. Privacy Laws, MVN provides Consumers the privacy rights described in this section as required by U.S. Privacy Laws. For residents of states without consumer privacy rights we will consider requests but will apply our discretion in how we process such requests except as required by applicable law. We will also consider applying state law rights prior to the effective date of such laws but will do so in our discretion.

• Right to Limit Use and Disclosure of Sensitive PI

With regard to PI that qualifies as Sensitive PI under applicable the U.S. Privacy Laws, as of January 1, 2023 we will provide you with a pre-collection notice informing you of the categories of Sensitive PI to be collected and the purposes for which such categories are collected or used, whether that information is Sold or Shared and our retention practices as to that Sensitive PI. If you elect to provide us with that Sensitive PI you will have consented to such Processing. However, residents of California can opt-out of certain types of Sensitive PI Processing.

• Right to Know/Access

Residents of California are entitled to access PI up to twice in a 12-month period.

• Categories (available for California Residents Only)

California residents have a right to submit a request for any of the following for the twelve (12) month period prior to the request date:

• The categories of PI we have collected about you.
• The categories of sources from which we collected your PI.
• The Business Purposes or Commercial Purposes (as the terms are defined under the CCPA) for our collecting or Selling your PI.
• The categories of third parties to whom we have shared your PI.
• A list of the categories of PI disclosed for a Business Purpose in the prior 12 months and, for each, the categories of recipients, or that no disclosure occurred.
• A list of the categories of PI sold about you in the prior 12 months and, for each, the categories of recipients, or that no sale occurred.

We offer this right only to California residents. To exercise such rights follow the instructions, see below.

• Specific Pieces

You may request to confirm if we are Processing your PI and request to obtain a transportable copy of your PI that we have collected and are maintaining, subject to applicable request limits. We will apply the heightened verification standards set forth below to your specific pieces of information request, as required by the CCPA. We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to retain it to comply with access requests. We will apply our discretion in how we process requests from Consumers residing in states that do not have laws granting consumers this right except as required by applicable law.

• Do Not Sell / Share / Target

Under the various U.S. Privacy Laws there are broad and differing concepts of “Selling” PI for which an opt-out is required. California also has an opt-out from “Sharing” for Cross-Context Behavioral Advertising (use of PI from different businesses or services to target advertisements). Other states have an opt-out of “Targeted Advertising” (defined differently but also addressing tracking, profiling, and targeting of advertisements). We may Sell or Share your PI and/or use your PI for Targeted Advertising, as these terms apply under U.S. Privacy Laws. However, we provide U.S. Consumers an opt out of Sale/Sharing/Targeting that is intended to combine all of these state opt-outs into a single opt-out available regardless of state of residency.

Third-Party digital businesses (“Third-Party Digital Businesses”) may associate cookies and other tracking technologies that Collect PI about you on our Services, or otherwise Collect and Process PI that we make available about you, including digital activity information. We understand that giving access to PI on our Services, or otherwise, to Third-Party Digital Businesses could be deemed a Sale and/or Share under some state laws and thus we will treat such PI (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Third-Party Digital Businesses, where not limited to acting as our Service Provider (or Contractor or Processor), as a Sale and/or Share and subject to a Do Not Sell/Share/Target opt-out request. We will not Sell your PI, Share your PI for Cross-Context Behavioral Advertising, or Process your PI for Targeted Advertising if you make a Do Not Sell/Share/Target opt-out request.

Opt-out for non-cookie PI: If you want to limit our Processing of your non-cookie PI (e.g., your email address) for Targeted Advertising, or opt-out of the Sale/Sharing of such data, make an opt-out request at dataprivacy@mvncorp.com.

Opt-out for cookie PI: If you want to limit our Processing of your cookie-related PI for Targeted Advertising, or opt-out of the Sale/Sharing of such PI, please contact us at dataprivacy@mvncorp.com.

We do not knowingly Sell or Share the PI of Consumers under 16, unless we receive affirmative authorization (“opt-in”) from either the Consumer who is between 13 and 16 years old, or the parent or guardian of a Consumer who is less than 13 years old. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please contact us at dataprivacy@mvncorp.com.

We may disclose your PI for the following purposes, which are not a Sale or Sharing: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute MVN as defined above, or as part of a merger or asset sale; and (iv) as otherwise required or permitted by applicable law.

• Right to Delete

Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI. Our retention rights include, without limitation:

• to complete transactions and services you have requested;
• for security purposes;
• for legitimate internal Business Purposes (e.g., maintaining business records);
• to comply with law and to cooperate with law enforcement; and
• to exercise or defend legal claims.

Please also be aware that making a deletion request does not ensure complete or comprehensive removal or deletion of PI or content you may have posted.

Note also that, depending on where you reside (e.g., California), we may not be required to delete your PI that we did not collect directly from you. For residents of U.S. states that do not have laws granting Consumers this right we will consider deletion requests but will apply our discretion in how we process such requests except as required by applicable law.

• Your PI

Consumers may bring any inaccuracies they find in their PI that we maintain to our attention, and we will act upon such a complaint consistent with applicable law. You can also make changes to your online account in the account settings section of the account. That will not, however, change your information that exists in other places.

• Automated Decision Making/Profiling

We do not engage in Automated Decision Making or Profiling.

• How to Exercise Your Consumer Privacy Rights

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, please follow the instructions at dataprivacy@mvncorp.com and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (example, via fax, chats, social media etc.).

• Your Request Must be a Verifiable Consumer Request

As permitted by the CCPA, any request you submit to us must be a “Verifiable Consumer Request,” meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail address, phone number and/or account information. We will review the information provided and may request additional information (e.g., confirmation of recent transaction(s)) via e-mail or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. We do not verify opt-outs of Sell/Share/Target or Limitation of SPI requests unless we suspect fraud.

We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose. If we suspect fraudulent or malicious activity on or from the password-protected account, we may decline a request or request that you provide further verifying information.

We verify each request as follows:

• Right to Know (Categories) (available for California residents only): If you do not have a password-protected account, we verify your Request to Know Categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. If we cannot do so, we will refer you to this Notice for a general description of our data practices.
• Right to Know (Specific Pieces): If you do not have a password-protected account, we verify your Request To Know Specific Pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you together with a signed declaration under penalty of perjury that you are the Consumer whose PI is the subject of the request. If you fail to provide the data points we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request if you are a California resident.
• Do Not Sell/Share/Target Limit SPI: No specific verification required unless we suspect fraud.
• Right to Delete: If you do not have a password-protected account, we verify your Request to Delete to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized deletion.
• Correction: If you do not have a password-protected account, we verify your Request to Correct PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized correction.

To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honor your request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

• Agent Requests

You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of the CCPA.

• Appeals

Residesnts of California may appeal our decision regarding a request by sending us an e-mail at dataprivacy@mvncorp.com.

• Our Responses

Some PI we maintain about Consumers is not sufficiently associated with enough PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification is submitted to us (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests. If we cannot comply with a request, we will explain the reasons in our response.

We will make commercially reasonable efforts to identify Consumer PI that we Process to respond to your Consumer privacy rights request(s). In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest that you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest or not. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with the CCPA and our interest in the security of your PI, we will not deliver to you your Social Security number, driver’s license number, or other government-issued ID number, financial account number, any health information or medical identification number, an account password, security questions or answers, or unique Biometric Information generated from measurements or technical analysis of human response to a Consumer privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

• Non-Discrimination / Non-Retaliation

We will not discriminate against you in a manner prohibited by the U.S. Privacy Laws for your exercise of your Consumer privacy rights. We may charge a different price or rate or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable data.

• Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use, and disclose your PI as required or permitted by applicable law and this may override your rights under the CCPA. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

• Shine the Light

California residents may request a list of all third parties to which we have disclosed certain personal information (as defined by California’s Shine the Light law), collected via our online Service, during the preceding year, for those third parties’ own direct marketing purposes, unless we have obtained your consent or given you an opportunity to opt-out. This is different than, and in addition to, CCPA rights, and must be requested separately. If you are a California resident and want such a list, please contact us dataprivacy@mvncorp.com For Shine the Light requests, you must put the statement “Shine the Light Request” in the body of your correspondence. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. Please note that we will not accept Shine the Light requests by telephone or by fax, and we are not responsible for notices that are not labeled or sent properly, or that do not have complete information.

X. CONTACT US

To contact us with any requests concerning your information, questions regarding this Privacy Policy, or any related matter, please contact us:

E-mail: dataprivacy@mvncorp.com

Post: Moon Valley Nurseries
Attention: General Counsel
14000 N. Pima Rd., Suite 150
Scottsdale, Arizona 85260

XI. CHANGES TO OUR PRIVACY POLICY

We will occasionally update this Privacy Policy to reflect your feedback, to implement changes required by applicable law, or as we may otherwise deem necessary or appropriate.  If there are material changes to this Privacy Policy or in how we use your Personal Data, we will prominently post such changes to the Website prior to implementing the change.  We encourage you to periodically review this Privacy Policy to be informed of how we are using and protecting your information.