Privacy Policy

Last Revised November 15, 2023

Protecting your privacy is fundamental to the way Agency Within, LLC dba WITHIN (“we”, “us”, or “our”) conduct business. This Privacy Policy explains how we may collect, use and disclose your personal information. You can jump to particular topics by going to the headings below:

How We Collect or Receive Personal Information
Disclosure of Personal Information
Your Choices
Data Security
How We Retain Your Personal Information
Other Important Information
Contact Information
Other Jurisdictions

We collect personal information in the course of providing services to our business customers and, sometimes, to you directly. Here are the types of information we gather: We collect personal information in the course of providing services to our business customers and, sometimes, to you directly. Here are the types of information we gather:

Context	Types of Data	Primary Purpose for Collection and Use of Data
Client Information	We collect the name, usernames, and contact information, of our clients and their employees with whom we may interact	We have a legitimate interest in contacting our clients and communicating with them concerning normal business administration such as projects, services, and billing.
Client User Account information	We collect personal data from our clients when they create an account to access and use the services or request certain free services from our website. This information could include business contact information such as name, email address, title, company information, and password for our services.	We have a legitimate interest in providing account-related functionalities to our users, monitoring account log-ins, and detecting potential fraudulent logins or account misuse. Additionally, we use this information to fulfill our contract to provide you with services
Cookies and first party tracking	We use cookies and clear GIFs. “Cookies” are small pieces of information that a website sends to a computer’s hard drive while a website is viewed. See our Cookie Policy for more information.	We have a legitimate interest in making our website operate efficiently.
Cookies and Third-Party Tracking	We participate in behavior-based advertising, this means that a third party uses technology (e.g., a cookie) to collect information about your use of our website so that they can provide advertising about products and services tailored to your interests on our website, or on other websites. See our Cookie Preference Center for more information.	We have a legitimate interest in engaging in behavior-based advertising and capturing website analytics.
Demographic Information	We collect personal information, such as your age or location.	We have a legitimate interest in understanding our users and providing tailored services.
Email Interconnectivity	If you receive an email from us, we use certain tools to capture data related to when you open our message, click on any links or banners it contains and make purchases.	We have a legitimate interest in understanding how you interact with our communications to you.
Employment	If you apply for a job posting or become an employee, we collect the information necessary to process your application or to retain you as an employee. This may include, among other things, your Social Security Number. Providing this information is required for employment	We use information about current employees to perform our contract of employment or the anticipation of a contract of employment with you. In some contexts, we are also required by law to collect information about our employees. We also have a legitimate interest in using your information to have efficient staffing and workforce operations.
Feedback / Support	We collect personal data from you contained in any inquiry you submit to us regarding our sites or services, such as completing our online forms, calling, or emailing for the purposes of general inquiries, support requests, or to report an issue. When you communicate with us over the phone, your calls may be recorded and analyzed for training, quality control and for sales and marketing purposes. During such calls, we will notify you of the recording via either voice prompt or script.	We have a legitimate interest in receiving and acting upon, your feedback, issues, or inquiries.
Mailing List	When you sign up for one of our mailing lists we collect your email address or postal address.	We share information about our products and services with individuals that consent to receive such information. We also have a legitimate interest in sharing information about our products or services.
Surveys	When you participate in a survey we collect information that you provide through the survey. If the survey is provided by a third-party service provider, the third party’s privacy policy applies to the collection, use, and disclosure of your information.	We have a legitimate interest in understanding your opinions and collecting information relevant to our organization.
Website interactions	We use technology to monitor how you interact with our website. This may include which links you click on, or information that you type into our online forms. This may also include information about your device or browser.	We have a legitimate interest in understanding how you interact with our website to better improve it, and to understand your preferences and interests in order to select offerings that you might find most useful. We also have a legitimate interest in detecting and preventing fraud.
Web logs	We collect information, including your browser type, operating system, Internet Protocol (IP) address (a number that is automatically assigned to a computer when the Internet is used), domain name, click-activity, referring website, and/or a date/time stamp for visitors.	We have a legitimate interest in monitoring our networks and visitors to our websites. Among other things, it helps us understand which of our services is the most popular.

In addition to the information that we collect from you directly, we may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly available sources. For example, if you submit a job application, or become an employee, we may conduct a background check

How We Use Personal Information

We use the personal information we collect from you to fulfill the purpose for which it was provided to us, such as contacting you about our services, evaluating your employment application. We may also use your personal information: (1) to provide you with information, products or services that you request from us; (2) to provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you; (3) to improve our website and present its contents to you; (4) for testing, research, analysis and product development; and (5) for any other purpose with your consent.

Although the sections above describe our primary purpose in collecting your information, in many situations we have more than one purpose. For example, if you sign up for services, we may collect your information to complete that transaction, but we also collect your information as we have a legitimate interest in maintaining your information after your transaction is complete so that we can quickly and easily respond to any questions about your services. As a result, our collection and processing of your information are based in different contexts upon your consent, our need to perform a contract, our obligations under the law, and/or our legitimate interest in conducting our business.

Disclosure of Personal Information

In addition to the specific situations discussed elsewhere in this policy, we may disclose personal information we collect from you: (1) if we believe disclosure is necessary or appropriate to protect the rights, property or safety of us, our clients or others (2) to contractors, service providers, and other third parties we use to support our business; (3) to fulfill the purpose for which you provide it; (4) to a buyer or other successor in the event of a sale, merger, reorganization or transfer of some or all of our business or assets; (5) for any other purpose disclosed by us when you provide the information; (6) to comply with any court order, law or legal process, including responding to any government or regulatory request; (7) to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections; or (8) with your consent. We do not sell or otherwise share personal information with third parties for direct marketing purposes.

Your Choices.

You can make the following choices regarding your personal information:

Access To Your Personal Information. You may request access to your personal information by contacting us at the address described below. If required by law, upon request, we will grant you reasonable access to the personal information that we have about you.
Right to Data Portability. You may have the right to obtain a copy of the Personal Data that you previously provided. We will provide this information in a portable format, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means. Note that California residents may be entitled to ask us for a notice describing what categories of personal information (if any) we share with third parties or affiliates for direct marketing.
Changes To Your Personal Information. We rely on you to update and correct your personal information. Most of our websites allow you to modify or delete your account profile. If our website does not permit you to update or correct certain information,
you contact us at the address described below in order to request that your information be modified. Note that we may keep historical information in our backup files as permitted by law.
Deletion Of Your Personal Information. Typically we retain your personal information for the period necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. You may, however, request information about how long we keep a specific type of information, or request that we delete your personal information by contacting us at the address described below. If required by law we will grant a request to delete information, but you should note that in many situations we must keep your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, or for another one of our business purposes.
Objection to Certain Processing. You may object to our use or disclosure of your personal information by contacting us at the address described below.
Online Tracking. We do not currently recognize automated browser signals regarding tracking mechanisms, which may include “Do Not Track” instructions.
Promotional Emails. You may choose to provide us with your email address for the purpose of allowing us to send free newsletters, surveys, offers, and other promotional materials to you, as well as targeted offers from third parties. You can
stop receiving promotional emails by following the unsubscribe instructions in the e-mails that you receive. If you decide not to receive promotional emails, we may still send you service-related communications.
Promotional Text Messages. If you receive a text message from us that contains promotional information you can opt-out of receiving future text messages by replying “STOP.”
Revocation Of Consent. If you revoke your consent for the processing of personal information then we may no longer be able to provide you services. In some cases, we may limit or deny your request to revoke consent if the law permits or requires
us to do so, or if we are unable to adequately verify your identity. You may revoke consent to processing (where such processing is based upon consent) by contacting us at the address described below.

Please address written requests and questions about your rights to questions.privacy.within@within.co or call us at 1-800-682-1707.

Note that, as required by law, we will require you to prove your identity. We may verify your identity by a phone call or email. Depending on your request, we will ask for information such as your name or other account information. We may also ask you to provide a signed declaration confirming your identity. Following a request, we will use reasonable efforts to supply, correct or delete personal information about you in our files.

In some circumstances, you may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf. We will require verification that you provided the authorized agent permission to make a request on your behalf. You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us. If you are an authorized agent submitting a request on behalf of an individual you must attach a copy of the following information to the request:

A completed notarized statement executed by you and the consumer indicating that you have the authorization to act on the consumer’s behalf.
If you are a business, proof that you are registered with the Secretary of State to conduct business in California.

If we do not receive both pieces of information, the request will be denied.

Data Security

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access and disclosure. The use of, and access to, your personal information by us is restricted to employees and contractors who need to know that information to provide services to you. We maintain physical, electronic and procedural safeguards to limit access to your nonpublic personal information.

Unfortunately, no method of transmission of information via the internet or electronic storage is completely secure. Although we use reasonable efforts to protect your personal information, we cannot guarantee the security of your personal information transmitted to us through our website or other electronic means. Any electronic transmission of personal information is at your own risk. In the event that we are required by law to inform you of a breach of your personal information we may notify you electronically, in writing, or by telephone, if permitted to do so by law.

Generally, we will hold your personal information for as long as you are a customer and use our Services to ensure accuracy and to help maintain quality of service or if we are obliged to retain such information for legal, regulatory, fraud prevention and legitimate business purposes.

The precise periods for which we keep your personal information vary depending on the nature of the information and why we need it. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use and/or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) for research, statistical or other business purposes. We may use this aggregated, anonymized, or de-personalized information indefinitely without further notice. We may retain personal information for a commercially reasonable time for backup, archival, audit purposes, and/or to comply with legal obligations, resolve disputes and enforce

agreements. You can request further details of retention periods for different aspects of your personal information by contacting us.

We are a global business, with our primary location in the US. The personal information (or personal data) which we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”), including the US, Switzerland, India, and the Philippines. You acknowledge the transfer to, and storing, or processing outside of the EEA or UK of your personal data as set out in this Privacy Policy, and in the Other jurisdictions section below.

International Data Transfers. WITHIN is located in the United States. Our service providers and other third parties you may interact with in connection with our services may be located in the United States and other countries around the world. As a result, your information may be processed in a foreign country where privacy laws may be less stringent than the laws in your country. Nonetheless, where possible we take steps to treat personal information using the same privacy principles that apply pursuant to the law of the country in which we first received your information. By submitting your personal information to us you agree to the transfer, storage and processing of your information in a country other than your country of residence including, but not necessarily limited to, the United States. To the extent personal information is collected and subsequently transferred out of the European Economic Area (“EEA”) or the United Kingdom (“UK”), you acknowledge the transfer to, and storing, or processing outside of the EEA or UK of your personal data as set out in this Privacy Policy, and in the Other jurisdictions section below. If you would like more information concerning our attempts to apply the privacy principles applicable in one jurisdiction to data when it goes to another jurisdiction you can contact us using the contact information below.

Other Important Information

Third-Party Providers. Some applications and services embedded within, or linked from, our website, such as maps and social media platforms, are controlled by third-party providers. These third parties may use cookies, alone or in conjunction with other tracking technologies, to collect information about you when you use our website or navigate away from our website. These third parties may also have privacy policies that differ from ours. For example, they may collect personal information about your online activities over time and across different websites, and other online services, and may use this information to provide you with interest-based (behavioral) advertising or other targeted content. We do not control these third-parties or their privacy practices, and this Privacy Policy does not apply to any third-party website or service you may access through our website. If you have any questions about a third-party provider’s privacy policies or advertising, you should contact the responsible provider directly.
Non-Personal Information. This Privacy Policy does not restrict our collection, use or disclosure of any aggregated information or information that does not identify, or cannot be reasonably linked to, any individual.
Accessibility. If you are visually impaired, you may access this notice through your browser’s audio reader.

Changes to Our Privacy Policy. We will post any changes we make to this Privacy Policy on our website. If we make material changes to how we treat personal information we collect from you, we may notify you by email or through a notice on our website homepage. The date this Privacy Policy was last revised is identified above. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting this Privacy Policy on our website to check for any changes.

Contact Information

If you have questions or comments about this Privacy Policy, please call or email us at questions.privacy.within@within.co or (800) 279-1810‬.

Children’s Policy

Because we care about the safety and privacy of children online, we comply with the Children’s Online Privacy Protection Act of 1998 (COPPA). COPPA and its accompanying FTC regulation establish United States federal law that protects the privacy of children using the Internet. In addition, other state laws protect the privacy of children. We therefore do not knowingly contact or collect personal information from children under 16. Our website is not intended to solicit information of any kind from children under 16. It is possible that by fraud or deception we may receive information pertaining to children under 16. If we are notified of this, as soon as we verify the information, we will immediately obtain parental consent or otherwise delete the information from our servers. If you want to notify us of our receipt of information by children under 16, please do so by emailing us at questions.privacy.within@within.co.

Other jurisdictions Personal information that you submit through the Services may be transferred to other States or countries other than where you live. Your personal information may be transferred to other States countries that do not have the same data protection laws as the country in which you initially provided the information. The following provisions may apply to you depending on where you are located. If you chose to access services from somewhere other than your home country or state, you are responsible for compliance with local laws.

Australia. If you are an Australian resident, and you are dissatisfied with our handling of any complaint you raise under this Privacy Policy, you may wish to contact the Office of the Australian Information Commissioner.

Canada. Personal information maintained and processed by our affiliates and third-party service providers in the U.S. and other foreign jurisdictions may be subject to disclosure pursuant to a lawful access request by U.S. or foreign courts or government authorities. We will not provide your information to third parties for marketing purposes without your prior consent. For more information about our privacy practices; to access, update or correct inaccuracies in your personal information; or if you have a question or complaint about the manner in which we or our service providers treat your personal information, please contact us as set forth in the Contact us section of this Privacy Policy.

European Economic Area (EEA) and the United Kingdom (UK). If you are located in the EEA, the UK we comply with applicable laws to provide an adequate level of data protection for the transfer of your personal data to the US.

Transfers outside the EEA and UK. Where applicable law requires that a data transfer have legal mechanism, we use one or more of the following: Standard Contractual Clauses with a data recipient outside the EEA or the UK (or additionally, in the case of the UK, the International Data Transfer Agreement (IDTA) or Addendum to the Standard Contractual Clauses issued by the ICO), verification that the recipient has implemented Binding Corporate Rules, or other legal method available to us under applicable law. Complaints. If you are a resident of the EEA, and believe we process your information in scope of the General Data Protection Regulation (GDPR), you may direct your questions or complaints to the Office of the Data Protection Commissioner. If you are a resident of the UK, you may direct your questions or concerns to the UK Information Commissioner’s Office. To exercise your privacy rights set forth in this Privacy Policy, you may contact us as set forth in the Contact us section.

United States Privacy Laws

This Section describes our additional information practices related to your Personal Information under applicable state laws. This Section DOES NOT cover information that is exempted, including information that is protected by the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

California. See our California Privacy Rights page.

Connecticut (Effective July 1, 2023). Under the Connecticut Data Protection Act (“CTDPA”), Connecticut residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the CTDPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a Connecticut resident, and we collect Personal Data subject to applicable Connecticut law, in addition to those rights outlined in Your Choices section above, you also have the following applies.

Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the CTDPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Connecticut residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Opt-Out Link on the bottom of the website homepage.
Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. If the appeal is denied, we will provide a way for you contact the Attorney General to submit a complaint.

Nevada. This notice is provided to you pursuant to state law. Nevada state privacy laws permit us to make marketing calls to existing customers, but if you prefer not to receive marketing calls, you may be placed on our internal opt-out list by emailing us at questions.privacy.within@within.co or you may also contact the Nevada Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington St., Ste 3900, Las Vegas, NV 89101; telephone 702-486-3132; email: AGCinfo@ag.nv.gov.

Texas. If you have a complaint, first contact us by visiting our Website athttps://within.co/privacy-policy and emailing us at questions.privacy.within@within.co . If you still have an unresolved complaint regarding the company’s money transmission or currency exchange activity, please direct your complaint to the Texas Department of Banking: 2601 North Lamar Boulevard, Austin, TX 78705-4294; 1-877-276-5554 (toll free); www.dob.texas.gov.
Utah (Effective December 31, 2023). Under the Utah Consumer Privacy Act (“UCPA”), Utah residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under UCPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Utah, and we collect Personal Data subject to applicable Utah law, in addition to those rights outlined in Your Choices section above, you also have the following rights:
- Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of UCPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation. We do not “sell” Personal Information under this definition. Utah residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Opt-Out Link on the bottom of the website homepage.
Vermont. In accordance with Vermont law, we will not share information we collect about you with companies outside of WITHIN except as required or permitted by law. For example, we may share information to service your accounts, complete requested transactions, or to provide rewards or benefits to which you are entitled.
Virginia (Effective January 1, 2023). Under the Virginia Consumer Data Protection Act (“VCDPA”), Virginia residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the VCDPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Virginia and we collect Personal Data subject to applicable Virginia law, in addition to those rights outlined in Your Choices section above, you also have the following rights:
- Right to Opt-Out of Sale: Under the VCDPA, a “sale” includes disclosing or making available Personal Information to a third party in exchange for money. We do not “sell” Personal Information under this definition.
- Right to Opt-Out of Targeted Ads and Significant Profiling: You may have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Opt-Out Link on the bottom of the website homepage.
- Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. If the appeal is denied, we will provide a way for you contact the Attorney General to submit a complaint.

Within California Privacy Notice

Last Updated: November 15, 2023

Scope of Notice

This California Privacy Policy (the “CA Notice”) supplements the information contained in our Privacy Policy and applies solely to individual residents of the State of California (“consumers” or “you”). This CA Notice describes how we collect, use, disclose, and otherwise process personal information of individual residents of the State of California, either online or offline, within the scope of the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) (collectively “CA Privacy Laws”).

Unless otherwise expressly stated, all terms in this CA Notice have the same meaning as defined in our Privacy Policy or as otherwise defined in the CA Privacy Laws.

When we use the term “personal information” in this CA Notice, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, consumer or household. This CA Notice does not apply to personal information we collect when we are acting as a service provider to process information on behalf of our clients to whom we provide legal services. For the purposes of this CA Notice, personal information does not include:

Publicly available information from government records.
Deidentified, aggregated or anonymized information that is maintained in a form that is not capable of being associated with or linked to a consumer.
Information excluded from the CA Privacy Laws’ scope, such as:
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
- Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
Information relating to our job applicants, employees, contractors and other Within personnel.

Collection and Use of Personal Information

We collect personal information from and about consumers for a variety of purposes. To learn more about the types of personal information we collect, the sources from which we collect or receive personal information, and the purposes for which we use this information, please refer to the How We Collect or Receive Personal Information and Disclosure of Personal Information sections of our Privacy Policy.

Selling or Sharing for Targeted Advertising.

We do not “sell” personal information as most people would typically understand that term. However, we do allow certain third-party partners and providers to collect information about consumers directly through our Services for purposes of analyzing and optimizing our Services and advertisements (ads), providing content and ads that are more relevant, measuring statistics and the success of ad campaigns, and detecting and reporting fraud. To the extent this practice is interpreted to constitute a “sale” under the CCPA, please see our Cookies Policy for more information including how to exercise your rights to opt-out of cookies, analytics and personalized advertising.

Rights and choices for California Residents.

As a California resident, in addition to those privacy rights described in “Your Choices”, you may have the following additional privacy rights:

Personal information sales rights. You have the right to direct us not to sell your personal information.
Non-discrimination right. You have the right not to be discriminated against when you exercise any of the rights under the CA Privacy Laws Unless permitted by the CA Privacy Laws, we will not deny you goods or Services or actually charge, or suggest we charge you different prices or rates, or provide different levels of quality for goods and Services.

How to Exercise Your Privacy Rights

To exercise your rights please submit your request to questions.privacy.within@within.co As mandated by CA Privacy Laws, we will acknowledge receipt of your request within 10 days and will respond within 45 days of receipt of your request, but if we require more time (up to an additional 45 days) we will let you know. In some cases, you may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf. We will require verification that you provided the authorized agent permission to make a request on your behalf. You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us. If you are an authorized agent submitting a request on behalf of an individual, you must attach a copy of: (a) A completed written notice indicating that you have authorization to act on the consumer’s behalf signed by you and the consumer; and (b) if you are a business, proof that you are registered with the appropriate Secretary of State to conduct business in California. If we do not receive both pieces of information, the request will be denied.

Right to Know Disclosures. In the last 12 months, we have collected the following categories of personal information:

Categories of Personal Information That We Collect	To Whom We Disclose Personal Information for Business Purpose
Identifiers – this may include name, postal address, phone number, unique personal identifier, online identifier, internet protocol (IP) address, device ID, email address, account name, signature, social security number, driver’s license number, passport number, or other similar identifiers.	Advertising networks Affiliates or subsidiaries Business partners Data analytics providers Government entities Internet service providers Operating systems and platforms Other Service Providers Payment processors and banks Product and service fulfillment companies Social media platforms & networks
Financial information – this may include bank account number, credit or debit card number, or other financial information.	Government entities Internet service providers Operating systems and platforms Other Service Providers Payment processors and banks Service fulfillment companies
Medical / health insurance information – this may include information from a healthcare provider regarding an individual’s medical history, mental or physical condition, or treatment; an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in the individual’s application and claims history.	Affiliates or subsidiaries Government entities Operating systems and platforms Other Service Providers
Protected characteristics – this may include race, gender, physical or mental disability, and religion.	Affiliates or subsidiaries Government entities Other Service Providers
Commercial information – this may include information about products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies	Advertising networks Affiliates or subsidiaries Business partners Data analytics providers Government entities Internet service providers Operating systems and platforms Other Service Providers Payment processors and banks Product and service fulfillment companies Social media platforms & networks
Geolocation data – this may include precise physical location.	Data analytics providers Internet service providers Other Service Providers
Electronic and sensory data – this may include audio, electronic, visual, thermal, olfactory, or similar information (e.g., pictures, a recording of a customer service call, security video surveillance footage).	Government entities Other Service Providers
Professional / employment information – this may include occupation and professional references.	Government entities Other Service Providers
Education information – such as information contained in education records.	Government entities Other Service Providers

Contact Us

If you have any questions or requests in connection with this CA Notice or other privacy-related matters, please send an email questions.privacy.within@within.co

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
checkForPermission	10 minutes	This cookie is set by Beeswax to determine whether the user has accepted the cookie consent box.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
__lotl	5 months 27 days	This cookie is set by Lucky Orange to identify the traffic source URL of the visitor's orginal referrer, if any.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gd_session	4 hours	This cookie is used for collecting information on users visit to the website. It collects data such as total number of visits, average time spent on the website and the pages loaded.
_gd_svisitor	2 years	This cookie is set by the Google Analytics. This cookie is used for tracking the signup commissions via affiliate program.
_gd_visitor	2 years	This cookie is used for collecting information on the users visit such as number of visits, average time spent on the website and the pages loaded for displaying targeted ads.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_lo_uid	2 years	This cookie is set by Lucky Orange as a unique identifier for the visitor.
_lo_v	1 year	This cookie is set by Lucky Orange to show the total number of visitor's visits.
_lorid	10 minutes	This cookie is set by Lucky Orange to identify the ID of the visitors current recording.
hubspotutk	1 year 24 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
IR_gbd	session	Impact Radius sets this cookie to store a unique ID which is used to identify the user's device, when they return to the websites that used the same network.

Cookie	Duration	Description
__qca	1 year 26 days	The __qca cookie is associated with Quantcast. This anonymous data helps us to better understand users' needs and customize the website accordingly.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_mkto_trk	2 years	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
B	1 year	This Cookie is used by Yahoo to anonymously store data related to user's visits, such as the number of visits, average time spent on the website and what pages have been loaded. This data helps to customize website content to enhance user experience.
bito	1 year 1 month	This cookie is set by Beeswax for advertisement purposes.
bitoIsSecure	1 year 1 month	Beeswax sets this cookie for targeting and advertising. The cookie is used to serve the user with relevant advertisements based on real time bidding.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
tuuid	2 years	The tuuid cookie, set by BidSwitch, stores an unique ID to determine what adverts the users have seen if they have visited any of the advertiser's websites. The information is used to decide when and how often users will see a certain banner.
tuuid_lu	2 years	This cookie, set by BidSwitch, stores a unique ID to determine what adverts the users have seen while visiting an advertiser's website. This information is then used to understand when and how often users will see a certain banner.

Cookie	Duration	Description
__pdst	1 year	No description available.
_an_uid	7 days	No description available.
_dc_gtm_UA-61749619-1	1 minute	No description
_dlt	1 day	No description
_hjSession_1771567	30 minutes	No description
_hjSessionUser_1771567	1 year	No description
_nx-nocache	session	No description available.
6suuid	2 years	No description available.
A3	1 year	No description
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/	session	No description
AnalyticsSyncHistory	1 month	No description
BIGipServerab44web-nginx-app_https	session	No description
bounceClientVisit3783c	30 minutes	No description
bounceClientVisit3783v	30 minutes	No description
dgzsdl08v4	10 minutes	No description
IR_11658	session	No description
li_gc	2 years	No description
tableau_locale	session	No description available.
tableau_public_negotiated_locale	session	No description available.
test	1 year	No description available.