DAMASCUS BAKERY OPCO, LLC. PRIVACY POLICY

Last Updated: March 1, 2026

PLEASE READ THIS POLICY CAREFULLY TO UNDERSTAND HOW WE TREAT YOUR PERSONAL INFORMATION AS WELL AS YOUR CHOICES AND RIGHTS. IF YOU DO NOT AGREE WITH THE TERMS OF THIS POLICY, YOU SHOULD NOT ACCESS OR USE THE SITE OR OTHERWISE INTERFACE WITH US. BY USING OR ACCESSING OUR SITES, REGISTERING OR SUBMITTING YOUR INFORMATION, OR INTERACTING WITH DAMASCUS, YOU CONSENT TO THIS POLICY AND TO OUR COLLECTION AND SHARING OF YOUR INFORMATION IN ACCORDANCE WITH THE TERMS OF THIS PRIVACY POLICY, SUBJECT FURTHER TO DISPUTE RESOLUTION TERMS IN SECTION 11.

ALL CLAIMS SHALL BE RESOLVED BY WAY OF BINDING ARBITRATION, UNLESS PROHIBITED BY LAW OR YOU EXPRESSLY OPT OUT OF ARBITRATION AS DESCRIBED IN SECTION 11.2 (DISPUTE RESOLUTION).

For California residents: Additional information regarding our privacy practices under the California Privacy Laws, including “Notice at Collection” is available here.

For New Jersey, Texas, or Nebraska residents: Additional information regarding our privacy practices under these state-specific privacy laws is available here.

1 Introduction

2 Information We may Collect

3 How We May Use Your Information

4 How We May Disclose or Make Available Your Information

5 How Long We Retain Your Information

6 How to Protect Your Personal Information

7 Cookies and Similar Technologies

8 Your Choices to Control Your Information

9 Third-Party Sites or Technologies

10 Children or Teens

11 Updates; Changes; Dispute Resolution

12 Contact Us

13 US State-Specific Privacy Addendum

Scope of this Policy

Damascus Bakery Opco, LLC, together with its affiliates and subsidiaries (collectively, “Damascus”, “we,” “our”, or “us”) specializes in producing artisanal bread products, including pita, lavash roll-ups, and unique offerings under the “Damascus” and “Brooklyn Bred” brands. This Policy provides information about how we treat the data we collect and process, and your choices and rights under applicable laws.

When does this Policy apply? This privacy policy (“Policy”) describes our practices for the Personal Information collected by and on our behalf as a core part of our business operations, including:

✓ Our “Sites”, which refers to our websites (including, without limitation, https://damascusbakery.com and https://brooklynbred.com/), mobile applications, platforms, and other online solutions, features, subdomains, and/or content made available by Damascus, which include a link to this Policy.

✓ Your “General Interactions” with Damascus, which refers to your interactions with Damascus when you request information from or make general inquiries to Damascus, receive products and services from Damascus, conduct business-to-business engagements with Damascus, provide services to Damascus on behalf of their employers, attend in-person or virtual conferences hosted by Damascus, request or receive our marketing information, and access Damascus’ business premises as a visitor, among others.

This Policy does not apply to:

✖ Third-Party Websites. Our Sites may contain links to websites operated and maintained by third parties, over which we have no control. Privacy policies on such linked websites may be different from this Policy. You access such linked websites at your own risk. You should always read the privacy policy of a linked website before disclosing any of your information on such a website.

✖ HR- or Personnel-related Operations. This Policy does not apply to our HR-related data collection practices, where you act as our job applicant, employee, independent contractor, or corporate officer. A separate HR-related privacy policy will be made available to you in that case.

1. INTRODUCTION

What is “Personal Information”? “Personal Information” means information that can be used to identify you, directly or indirectly, alone or together with other information. This includes, without limitation, your full name, contact information, email address, phone number, device IDs, certain cookie and network identifiers, and other categories described below.

We may de-identify, aggregate and/or anonymize your Personal Information by excluding and removing data components (such as your name, email address, or linkable tracking ID) through obfuscation, or through other means so that the resulting dataset is no longer personally identifiable to you (such resulting dataset is known as “Aggregated Data”). When we de-identify Personal Information to become Aggregated Data, we will not attempt to re-identify the data except to confirm that it is de-identified. Our use of Aggregated Data is not subject to this Policy.

2. INFORMATION WE MAY COLLECT

The information we collect depends upon the nature of our relationship, the method you communicate with us, and the purposes of your interaction with us, among others. We may collect the following types of Personal Information for the purposes listed below.

2.1 Categories of Personal Information We May Collect:

Within the preceding 12 months, we may have collected Personal Information:

Category	Description
Identifiers	Contact Information: If you contact us, we may collect your name, mailing address, email address, phone number, professional title, and/or affiliated distributor name(s). Account Information: When you choose to create an account with us to use certain features, order products, register your products, or receive certain offers, among others, in addition to your Contact Information, we collect your username or account ID and your password. Communications and Inquiries: If you contact us, sign up for one or more of our mailing lists, submit a question, review, or comments, fill out online web forms or surveys, send us a message or email, or otherwise inquire about our products or services, in addition to your Contact Information, we will receive the subject matter of your message and any comments, content, records about interests in our products, services, or other information that you choose to provide. Identification Information. If you win a prize in one of our Promotions (as defined in Section 2.3 below), we may collect your Social Security Number or other tax ID number for compliance purposes and/or your photo ID to verify your identity.
Demographic Information (including certain protected characteristics under certain state or federal laws)	We may collect information such as your gender, birth date, and age.
Commercial Information	Purchase History and Preference Information: If you make a purchase from us directly, we collect information about your purchase history, shipping instructions, and product preferences. We may also receive your shipping details and purchase histories, in addition to your Contact Information. Note that we do not store your credit card information (credit card number, name on card, security code, expiration date, and CVV). Only payment processors may store your payment card information to facilitate payment.
Biometric Information	n/a
Internet or other similar activities	Device Identifiers; Usage Information: A “Device Identifier” includes a number that is assigned to your device when you access a website or its servers, and we may identify your device by its Device Identifier. When you visit the Sites, certain Device Identifiers may be automatically collected from your browser and/or your device(s), including the date and time of access; information about what pages you visit and how you navigate the Sites; and your location, Internet Protocol (IP) address, device identifier (UDID, IDFA or GAID), mobile advertising ID (MAID), device type, operating system, browser type, among others. Social Media Information: In addition, we may collect your profile information in connection with your social media account that we may collect if you connect with us through third-party websites, such as Meta, X, or LinkedIn. For additional details, please refer to Cookie Policy identified in Section 7.
Geolocation Data	Such as region, country, state, Zip or postal code, or information collected via Cookies and other similar tracking technologies as described in Section 7.
Audio, Visual, or Similar Information	Such as photos and videos you submit to us, including in connection with sweepstakes, contests, or other Promotions (as defined in Section 2.3 below) or product complaints. If you place a customer support call, we may record that call. At certain of our properties, we may collect photos and video footage using cameras for surveillance and security purposes.
Professional Information	Such as your occupation, industry, professional profile that you display publicly or that you voluntarily provide to Damascus at trade shows or any online or offline corporate events.
Non-public education information	n/a
Inference drawn from any of the personal and usage information	Business Information: If you enter or seek to enter a business or contractual relationship with us, we may collect your Contact Information and other information necessary for such engagement. Marketing Preference: In addition, if you participate in our marketing efforts, we may also process your marketing preference for receiving communications about our activities, events, and publications, and details about how you engage with our communications. Information collected by Cookies and Similar Technologies: For more details around Personal Information collected through Cookies or other similar technologies, please refer to Cookie Policy.

Further, we may receive your Personal Information that you voluntarily share with us when you access, use, or interact with Damascus (including a Promotion, use any “Chat” features online, among others). Information you submit or send may fall into one or more of the other categories noted above. We will use such data in accordance with this Policy, as otherwise disclosed at the time of collection, in accordance with our agreement, or to the extent necessary for providing the services or products.

Sensitive Information. Some of the information described above may be considered “sensitive” under the laws of certain jurisdictions (including government ID numbers, SSN, etc.) (“Sensitive Information”). Whether information is Sensitive Information will depend on the laws of your jurisdiction. Our use or disclosure of such data is reasonably necessary and proportionate for those legitimate business purposes as contemplated in applicable state privacy laws.

2.2 Sources of Personal Information We May Collect

(a) Personal Information You Provide Directly to Us. We may collect information about you when you provide it to us directly, including account registration, customer support, product complaints, surveys, questionnaires, or other webforms, or otherwise directly interaction with us with questions, feedback, or business transactions.

(b) Personal Information We Obtain, Derive, or Generate. We may collect Personal Information about you through Cookies and other similar tracking technologies when you access our Sites. Based on your interactions with our Sites, and we may associate that information with your account or device IDs. If you choose to disable such tracking technologies, some areas and features of our Sites may not work properly. The information we collect from you may also depend on the settings of your device(s) and/or browser(s). We recommend checking the polices and instructions of your device manufacturer(s) or browser provider(s) to learn what information they make available to us.

(c) Personal Information We Collect from Other Sources. We may collect your Personal Information from the following sources:

Public records;
Vendors that we engage to collect data on our behalf, including without limitation, website hosting provider, CRM providers, or payment processors, etc.
Advertising Partners, who assist us with marketing or promotional services related to how you interact with our Sites;
Retailers and Distribution Partners, who may provide us with Personal Information when we provide them with our products. In most instances, we are limited in using the datasets from these partners to provide the products or services requested by these partners.
Linked Social Media Platforms, if you choose to interact with us through your social media accounts. We may include content, pixels, tags, buttons, or other tools that link to another company’s service(s) and/or platform(s) (“Plugins”). If you use a portion of our Sites that contains Plugins, information can be transferred directly from your device to a third-party provider of service(s) and/or platform(s). We may not control the data collected by Plugins. If you are logged in to a social network, the social network may be able to link your use of our Sites to their service(s) and/or platform(s).

2.3 Sweepstakes, Contests, and Promotions

We may offer sweepstakes, contests, and promotions (each, a “Promotion”), including any Promotion jointly or solely sponsored or offered by other parties, which may require submitting your Personal Information to such third parties (and the processing of your Personal Information may also be subject to each such third party’s privacy policy as disclosed in the Promotion’s official rules). If you voluntarily choose to enter a Promotion, your Personal Information may be disclosed to, or shared with, Promotion co-sponsors or administrators, our service providers, social media sites (e.g., Instagram), and/or other third parties. For example, if you are notified by us that you are a winner of our Promotion(s), we will ask you to provide us with your full name and contact information. This information is required for us to fulfill your prize (as applicable) and for our legal compliance and recordkeeping purposes.

By participating in one or more Promotions we sponsor, you are agreeing to the official rules that govern that Promotion, which may include consent to additional or differing privacy practices from those contained in this Policy. Please review those official rules carefully.

3. HOW WE MAY USE YOUR INFORMATION

Except as otherwise specified in the table above, within the preceding 12 months, we may use your Personal Information for the following business or commercial purposes:

Sites and Business Operations, such as:

providing you with, maintaining, and/or modifying the Sites, and/or completing the transaction for which we collect the Personal Information.
maintaining accounting records, analyzing financial results, complying with internal audit requirements, maintaining our databases and back-ups, obtaining or maintaining insurance coverage; managing risks, or obtaining professional advice, and/or other activities in connection with our business operations.
Service Delivery, such as using your Personal Information to provide Damascus’ services, products, and other offerings, and serving you the content and functionalities you request upon your request.
Customer Care, such as communications with you about your use of the Sites or other interactions with Damascus, retention of communication records, response to your comments and inquiries, managing our relationships with you as existing or potential customers, and for other customer care purposes.
General Marketing Initiatives, such as administration of promotions, contests, surveys, and other general customer engagement communications with you about the information that may interest you
User Interests and Personalization, including communications via email, LinkedIn, mail, or other marketing channels, understand and analyze how you use the Sites, or enhance your experience on the Sites with a more personalized and interactive experience, including suggesting and offering you relevant content and recommendations. We may also use your zip code or other information relating your general location for finding products and distribution partners near you.
Data Analytics, which helps improve our tools, surveys, benchmarking, or other related business purposes, including the creation of Aggregated Data and development of industry research.
Product and Services Improvement, such as evaluation, analysis, improvement, and development of our products, services, or other offerings, including the Sites, performance of security and quality controls of the Sites, research and development, offering location customization, and personalized help and instructions.
Legal Requirements, including the enforcement of our terms and conditions or protecting our business or our customers, fulfillment of our contractual obligations, and compliance with our obligations under applicable laws and regulations, among others.
Security and Fraud Prevention, including using your Personal Information to:
- Protect, investigate, mitigate, and deter against fraudulent, malicious, unauthorized, infringing, or illegal activities relating to our business operations, assets, or products or to monitor and ensure the safety and security of our premises, property, employees, and visitors; and/or
- Verify your identity and/or confirm that individuals are authorized to access, use, or share information related to our products or services.
Corporate Activities. We may use your Personal Information in connection with evaluating, conducting or implementing a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us is among the assets transferred.
Due Diligence for Business Contacts. If you are a business contact, we use information you provide to conduct due diligence regarding a product or service your company may offer. We may also use information in the context of providing or receiving a product or service to or from you and your company.
Verification of Privacy Requests. We will use certain pieces of Personal Information, such as Contact Information, to verify your identity if you make requests pursuant to this Privacy Notice. The verification steps and the pieces of Personal Information that we request may vary depending on the sensitivity and nature of your request.
Sensitive Information. We use Sensitive Information for necessary or reasonably expected purposes—specifically, to provide you with products and services (i.e., to fulfill purchases, distribution of prizes following one or more Promotions, and allow account login), for tax purposes, and/or other purposes as authorized by law.

4. HOW WE MAY DISCLOSE OR MAKE AVAILABLE YOUR INFORMATION

We may disclose or make available your Personal Information outlined above to the following categories of recipients:

Category	Description
Corporate Affiliates	We may share each category of Personal Information with our subsidiaries and affiliates and with their respective officers, directors, employees, and agents.
Business Transferee	We may disclose any or all category of Personal Information in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of our company or some or all of our assets. If our business is acquired by or merged with another company, your information may be transferred to the new owners.
Retailers / Distribution Partners	We may share with our trusted distribution partner(s) certain Personal Information to provide you with product information, promotions, and other offers, including Contact Information Purchase and preference Information When you contact us for our products or services; Where you are located to match you with a distribution partner within that area. Some of the distribution partners may co-sponsor or participate in our Promotions as described in Section 2.3 (Sweepstakes, Contests, and Promotion). These may be “powered by” partners or our partners on co-branded sites.
Professional Advisors	We may share your information with our insurers and other professional advisors, including attorneys and accountants, who may need access to your information to provide operational or other support services on our behalf.
Law enforcement; government authorities	We may disclose information in response to subpoenas, warrants, court orders, or other legal process, or to comply with relevant laws, including to meet national security or law enforcement requirements. We may also share information in order to establish or exercise our legal rights or claims; to defend against a legal claim; and to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our contracts or terms. We may also disclose Personal Information as needed to protect vital interests.
Service Providers / Vendors	We may share information with contractors, consultants, vendors, and other service providers who carry out tasks or services on our behalf, including, without limitation, marketing, sales, consulting, communications, software maintenance and support, analytics, internet service providers, cloud hosting platform(s), customer services, social media, cybersecurity, user verification, and payment processing, among others.
Other Entities with Your Consent	We may ask if you would like us to share your Personal Information with unaffiliated third parties not described elsewhere in this Policy. We will only disclose your Personal Information in this context with your consent.
Advertising Partners and Data Analytics Providers	We may share your “Internet or other similar activities”, “geolocation data”, and “Inference drawn from your Personal Information”, with advertisers (such as advertising agencies, networks, and exchanges), third-party data suppliers or analytics suppliers), and other entities that help us to create, deliver, and assess our advertising and marketing campaigns and learn more about you and other users of our Sites. In some cases these parties may combine your personal information with their own records (and/or records available from other sources) for their own purposes, including for their own and other third-party marketing.

We do not make data available to third parties in exchange for money – we don’t do that. Instead, certain U.S. state privacy laws broadly define “sale” as disclosing or making available Personal Information to a third party in exchange for monetary or other valuable consideration. The term “sharing” includes disclosing or making available Personal Information to a third party for purposes of cross-context behavioral advertising, and constitutes a form of “sale”. Further, to our knowledge, we do not “sell” personal information of consumers under the age of 16 years old, as defined in applicable privacy laws. You have the right to opt-out as described below by using the settings on the Cookie Banner or by broadcasting an opt-out preference signal (such as Global Privacy Control, https://globalprivacycontrol.org/).

In the preceding 12 months, we may have exchanged with our advertising providers (as identified above) certain personal information classified as “Internet and Other Similar Activity”, “Geolocation Data”, and “Inferences drawn from other PI” as defined in Section 2.1 of this Policy. As broadly defined under California Privacy Laws, these data exchanges may constitute a “sale” or “sharing” of Personal Information. For example, as a result of your interactions with our Sites, we may collect technical device data and other identifiers for business or commercial purposes described in Section 3 (How We may Use Your Information) and Section 4 (How we may Disclose or Make Available Your Information) of the Policy, including general marketing initiatives, user interests and personalization, and assessment of our advertising and marketing campaigns.

5. HOW LONG DO WE RETAIN YOUR INFORMATION?

We will keep your information for as long as it is necessary to fulfill the purposes for which it was collected, to comply with our business requirements and legal obligations, to provide the services or products, to resolve disputes, to protect our assets, to operate our business, and to enforce our agreements.

We take reasonable steps to delete the Personal Information we collect when (1) we have a legal obligation to do so, (2) we no longer have a purpose for retaining the information, and/or (3) if you ask us to delete your information, unless we determine that doing so would violate our existing, legal, dispute resolution, contractual, or similar obligations. We may also decide to delete your Personal Information if we believe it is incomplete, inaccurate, or that our continued storage of your Personal Information is contrary to our legal obligations or business objectives. When we delete data, it will be removed from our active servers and databases, but it may remain in our archives when it is not practical or possible to delete it.

We may retain and use Aggregated Data for as long as is permitted under applicable laws.

6. HOW TO PROTECT YOUR PERSONAL INFORMATION?

We endeavor to use and maintain commercially reasonable physical, technical, and organizational security measures designed to protect the Personal Information under our control. From time to time, we review our security procedures and consider new technologies and methods.

However, despite our efforts to store and protect Personal Information in a secure environment, no security system is perfect, and no data transmission is 100% secure. We cannot guarantee or warrant the security of any information transmitted to or from the Sites. Your use of the Sites is at your own risk. We cannot guarantee that your data will remain secure in all circumstances.

The safety and security of your Personal Information also depends upon you. When you use a password to access restricted parts of our Sites, you are responsible for keeping your password confidential. Do not share your password with anyone.

7. COOKIES AND SIMILAR TECHNOLOGIES

We also use cookies (small text files stored by your web browser when you use websites) as well as related technologies, such as pixels and beacons (collectively “Cookies”), to collect and store information when you use our applications. To learn more, see our Cookie Policy.

8. YOUR CHOICES TO CONTROL YOUR INFORMATION

Cookie Opt-Out. To disable certain optional cookies, including advertising and analytics cookies or other tracking technologies, please review Cookie Policy, which provides options available to you, including adjusting the Cookie Banner’s settings.

Email Preferences. We may send you emails about our Sites, products, and services. If you do not want to continue receiving emails from us, you may opt-out by clicking the “unsubscribe” button at the bottom of our emails. Please note that certain Email Communications that are transactional in nature (for example, emails about your order, or a change in terms and features of your account) may not contain an unsubscribe link or opt-out instructions.

Accuracy and Updating Your Personal Information. Our goal is to keep your Personal Information accurate, current, and complete. If any of the Personal Information you have provided to us changes, please update it in your user/account profile, or let us know via the “Contact Us” details provided in Section 12. We are not responsible for any losses arising from any inaccurate, inauthentic, deficient, or incomplete Personal Information that you provide to us.

Complaints. If you believe your rights relating to your Personal Information have been violated, please contact us via the “Contact Us” details provided in Section 12.

California Shine the Light. Under California Civil Code Section 1798.83, California residents who provide Personal Information in obtaining products or services for personal, family, or household use may be entitled to request and obtain from us once a calendar year information about the information we shared, if any, with other businesses for direct marketing uses. Please be aware that not all information sharing is covered by the “Shine the Light” requirements and only information on covered sharing, if any, will be included in our response. As part of the California Online Privacy Protection Act, all users of our Sites may make any changes to their information at any time by contacting us at Privacy@DamascusBakery.com

“Do Not Track” Signals. Some browsers transmit “Do-Not-Track” (“DNT”) signals, which inform websites that you do not want to be tracked. We currently do not support or take actions in response to the DNT signals. To the extent required by applicable laws for your browser or device, we will respond to opt-out preference signals (such as Global Privacy Control, https://globalprivacycontrol.org/).

9. THIRD-PARTY SITES OR TECHNOLOGIES

The Sites may contain links to websites or mobile applications operated and maintained by third parties and subject to their own privacy policies. If you follow any links that direct you away from the Sites, including links to social media sites, this Policy will not apply to your activities on those external sites you visit. Because of the dynamic media capabilities of the Sites, it may not be clear to you whether certain webpages or applications are linked to the Sites or connected to external, third-party websites. If you click on an embedded third-party link, you will be redirected away from the Sites to the external third-party website. You can check the URL to confirm if you are no longer accessing our Sites.

While these third-party websites and applications are selected with care, we are not responsible for the use and collection of your information by these third-party sites and cannot guarantee the adequacy of these third-party sites’ privacy and security practices. A link to a third party’s website should not be construed as an endorsement.

10. CHILDREN OR TEENS

Our Sites are not directed to children under the age of 16, and we do not knowingly collect information from anyone under 16 years of age. If we learn that we have collected or received Personal Information from a child under the age of 16 without a parent’s or legal guardian’s consent, we will take steps to stop collecting that information and to delete it. If you believe we have received information from a child under the age of 16, please contact us using the “Contact Us” details provided in Section 12.

For more information about the Children’s Online Privacy Protection Act, please visit the Federal Trade Commission’s website at: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule.

11. UPDATES; CHANGES; DISPUTE RESOLUTION

11.1 Updates and Changes.

We may update this Policy from time to time. If we change this Policy, we will post the revised version on our Sites. Any changes, updates, and modifications will be effective immediately upon posting. If we make material changes, we may also notify you through a notice on the Sites’ homepage, and/or we may send you an email regarding the updates.

You are expected to, and you acknowledge and agree that it is your responsibility to carefully review (and monitor changes to) this Policy prior to accessing our Sites or using our products or services, so that you are aware of any changes. Your continued use of the Sites after the “Last Updated” date will constitute your acceptance of the changes and your continued consent to our processing of your Personal Information according to the terms of the then-current Policy. If at any point you do not consent to any portion of this Policy, then you should immediately stop using the Sites. Because this Policy contains legal obligations, we encourage you to review it carefully.

11.2 Dispute Resolution

(i) Governing Law: To the fullest extent permitted by law, these Terms and any claim or dispute arising out of or related to these Terms will be governed by and construed in accordance with the laws of New Jersey without regard to its choice of laws or principles.

(ii) Limitation on Time to File Claims: TO THE MAXIMUM EXTENT PERMITTED BY LAWS, YOU AGREE THAT ANY LEGAL ACTION OR PROCEEDING YOU MAY HAVE AGAINST US ARISING OUT OF OR RELATING TO THESE TERMS OR THE SITES WILL BE COMMENCED WITHIN TWO YEARS AFTER THE CLAIM OR CAUSE OF ACTION ARISES.

(iii) Arbitration. For any dispute you have with Damascus, you agree to first contact us and make a good faith attempt to resolve it with us informally. Following that, if you still intend to initiate arbitration, you must first send Damascus a written Notice of Dispute (“Notice”). A Notice from you to us must be emailed to Privacy@DamascusBakery.com (the “Notice Address”). Any Notice must include (i) the claimant’s name, address, and email address; (ii) a description of the nature and basis of the claim or dispute; (iii) any relevant facts regarding your use of the services; (iv) a description of the nature and basis of the specific relief sought, including the damages sought, if any; and (v) a personally signed statement by the claimant verifying the accuracy of the contents of the Notice. The Notice must be individualized, meaning it can concern only your specific dispute. Upon receipt of a completed Notice, the parties shall engage in a good faith effort to resolve the dispute for a period of 60 days. If the parties cannot reach an agreement to resolve the issues identified in the Notice within 60 days after the completed Notice is received, a party may commence an arbitration proceeding. Compliance with the Notice requirement discussed in this paragraph is a condition precedent to initiating arbitration.

Unless resolved by mutual efforts of both parties, any disputes or claims that may arise out of or in connection with the Terms and for which either party shall seek equitable relief, as well as all differences, disputes, or claims arising out of or in connection with this provision or any transaction or occurrence contemplated hereby, whether based in statute, tort, contract, misrepresentation, fraud, or any other legal theory, shall be finally settled under the Commercial Rules of the American Arbitration Association (“AAA”) in the Essex County of New Jersey by one or more arbitrators appointed in accordance with such rules, except that no punitive damages may be awarded. The arbitrator will hold any hearings, if needed, by teleconference or videoconference rather than requiring in-person attendance, unless either party requests an in-person hearing and the arbitrator agrees it is appropriate. If an in-person hearing is held, it will take place at a location that is reasonably convenient for both parties, taking into account ability to travel and other relevant factors. If the parties cannot agree on a location, the arbitrator will decide. The arbitrator’s decision will be consistent with this provision and will be final and binding. The arbitrator may grant temporary, interim, or permanent injunctive relief, or order specific performance under the Policy, but only to the extent necessary to resolve the individual claim at issue. The arbitrator’s award may be confirmed and enforced in any court with proper jurisdiction.

(iv) CLASS ACTION AND JURY TRIAL WAIVER. YOU AGREE THAT, TO THE FULLEST EXTENT PERMITTED BY LAW, BY ENTERING INTO THIS AGREEMENT, EACH PARTY IS WAIVING THE RIGHT TO A TRIAL BY JURY OR TO PARTICIPATE IN A CLASS ACTION LAWSUIT. ALL CLAIMS MUST BE BROUGHT IN THE PARTIES’ INDIVIDUAL CAPACITY IN ARBITRATION, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING, AND, UNLESS WE AGREE OTHERWISE, THE ARBITRATOR MAY NOT CONSOLIDATE MORE THAN ONE PERSON’S CLAIMS. THIS MEANS THAT YOU AND DAMASCUS MAY NOT PARTICIPATE IN ANY CLASS, COLLECTIVE, CONSOLIDATED, PRIVATE ATTORNEY GENERAL, OR REPRESENTATIVE PROCEEDING BROUGHT BY ANY THIRD PARTY.

(v) Opt-out/Consent: You may opt out of binding arbitration and this class action and jury trial waiver by notifying us in writing within 30 days of your initial agreement to or acceptance of this Policy, unless a longer period is required by applicable laws. Your written notification must be delivered to us at Privacy@DamascusBakery.com within 30 days after you have accepted this Policy and must include your name, your address, and a clear statement that you do not wish to resolve disputes through arbitration.

12. CONTACT US

If you wish to exercise your rights, submit a complaint, ask questions, or provide feedback, please contact us using the information below. When you email us, please place “Data Privacy/Personal Data” in the subject line. Please note, if your communication is sensitive, you may wish to contact us by postal mail or telephone instead.

Mail:

Damascus Bakery Opco, LLC

60 McClellan St.

Newark, NJ, 07114 USA

Phone: 1 (888) 367-7482

Email: Privacy@DamascusBakery.com

13. U.S. STATE-SPECIFIC PRIVACY ADDENDUM

This U.S. State-Specific Privacy Addendum (“U.S. Privacy Addendum”) supplements our Privacy Policy (“Policy”) and provides additional information regarding data protection and privacy rights provided under applicable U.S. state laws. The information below applies if you are a resident of the state(s) specified below, and the relevant rights will be available from the date when the applicable U.S. state laws and regulations take effect. For the purposes of this U.S. Privacy Addendum, “Personal Information” shall have the same meaning as the term “personal data,” “personal information,” or “personally identifiable information” as defined in the U.S. state privacy laws, as applicable.

We reserve the right to amend this U.S. State-Specific Privacy Addendum at our discretion and at any time. When we update this U.S. Privacy Addendum, we will post the updated version on our website and update the Effective Date for the applicable section.

I. Notice to California Residents

II. Notice to New Jersey, Texas, and Nebraska Residents

NOTICE TO CALIFORNIA RESIDENTS

If you are a resident of California (“California Consumer(s)”), you have the right to make specific requests with respect to your Personal Information under the data privacy and protection laws and regulations in California (“California Privacy Laws”). For purposes of the “Notice at Collection” as defined under the California Privacy Laws, please review Section 2 (Information We May Collect), Section 3 (How We May Use Your Information), Section 4 (How We May Disclose or Make Available Your Information), and Section 5 (How Long We Retain Your Information) of the Policy.

1. Your California Privacy Rights: This section describes Consumers’ rights under California Privacy Laws and explains how to exercise those rights, subject to certain exceptions:

Right to Know. With respect to the Personal Information we have collected about you, you have the right to request information about our collection and use of your information over the past 12 months. In addition, to the extent it is determined that our information exchanges constitute a sale or sharing of Personal Information under the California Privacy Laws, a Consumer shall have the right to request the business to identify, during the past 12 months: (i) the categories of Personal Information that we sold or shared, and the categories of third-party recipients; and (ii) the categories of Personal Information that we disclosed for a business purpose and the categories of recipients.

Right to Deletion. Subject to several exceptions, you have the right to request that we delete any of your Personal Information collected from you and retained, subject to certain exceptions and as permitted under California Privacy Laws.

Right to Opt-out of “Sale” and Certain “Sharing” Practices. A California Consumer has the right to opt-out of the “sale” and “sharing” of your Personal Information with third parties, as those terms are defined under California Privacy Laws. “Sell” in this case does not mean providing data in exchange for money – we don’t do that (and we do not have actual knowledge that we sell or share Personal Information of minors under 16 years of age). You may opt out by using the settings on the Cookie Banner or by broadcasting an opt-out preference signal.

Right to Correct. Subject to certain restrictions, you have the right to request that we correct inaccurate Personal Information that we maintain about you. We endeavor to keep your Personal Information accurate, current, and complete. If you believe your Personal Information is not accurate, you may submit a request by following the instructions in the “How to Exercise Your California Privacy Rights” section below.

Right to Limit Use and Disclosure of Sensitive Personal Information. In certain circumstances, a California Consumer has the right to limit the use and disclosure of Sensitive Personal Information. Our use of your Sensitive Personal Information is necessary to provide services or offerings reasonably expected by an average Consumer and not for those purposes for which you may exercise a right to limit the use or disclosure under California Privacy Laws. While this Consumer right is not applicable to how we collect or use your Sensitive Personal Information, we provide this information as this is a core part of your rights as a California Consumer.

Right to Non-Discrimination. We do not discriminate against you for exercising any of your rights under California Privacy Laws. Unless permitted by the California Privacy Laws, we will not:

Deny you goods or services;
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
Provide you a different level or quality of goods or services; or
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

2. How to Exercise Your California Privacy Rights

(i) Authorized Agent. You may designate an authorized agent to make a request on your behalf. Authorized agents will be required to provide proof of their authorization. Individuals operating as an authorized agent on behalf of a California Consumer must provide a written authorization document, signed by the California Consumer, containing the California Consumer’s name, address, telephone number, and valid email address, and expressly authorizing the individual to act on behalf of the California Consumer. We may also require that you directly verify your identity and the authority of your authorized agent. We reserve the right to reject authorized agents who have not fulfilled the above requirements or automated requests under California Privacy Laws, where we have reason to believe the security of the requestor’s Personal Information may be at risk.

(ii) Verification Procedures. We are required by California Privacy Laws to verify the identity of individuals who submit a Consumer request. The verifiable Consumer request must provide sufficient information that allows us to reasonably verify your identity and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. The information we may need to verify your identity differs depending upon the request made and our relationship(s) with you and might include (as applicable) your name, the email address you regularly use to interact with us, your telephone number, your date of birth, etc. We will take steps to verify your request by matching the information you provide with the information we have in our records. In some cases, we may request additional information to verify your identity, or where necessary to process your request. We can only respond to your request or provide you with relevant information if we can verify your identity or authority to make the request. If we cannot verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.

(iii) Response Timing: Upon receiving a Request to Know, Request to Delete, or Request to Correct, we will confirm receipt of the request within 10 business days and respond to the request within 45 calendar days from the date we receive your request. If necessary, we may take an additional 45 calendar days to respond to your request. If this extension is needed, we will notify you of the extension and explain the reasons why responding to your request will take more than 45 days. We are only required to respond to Requests to Know and Data Portability Rights twice in a 12-month rolling period.

(iv) Methods to Submit California Consumer Requests: If you are a California Consumer and would like to exercise your rights under California Privacy Laws described above, you may do so via any of the methods described below:

- Calling us at 1 (888) 367-7482; or
- Sending an email to Privacy@DamascusBakery.com (Please place “California Data Privacy/ Data Subject Request” in the subject line).

NOTICE TO OTHER STATE RESIDENTS

This Notice is applicable to residents of New Jersey, Texas, or Nebraska.

Section 2 of the Policy sets forth the categories of Personal Information we may process, the purposes for processing Personal Information, the categories of Personal Information we may disclose (or where applicable, share), and the categories of data recipients.

This “State-Specific Notice” applies if you are a resident of New Jersey, Texas, or Nebraska and explains how to exercise your data privacy rights as a resident of these states. The applicable state privacy laws (“State Privacy Laws”) provide certain residents in these states (“State Consumer(s)”) with specific rights regarding their Personal Information.

If you are a State Consumer from whom we control or process Personal Information that is within the scope of and subject to State Privacy Laws, the below provisions further apply:

A. Your State Privacy Rights. Subject always to certain limitations and exceptions under the State Privacy Laws, State Consumers have the following rights:

(i) Right to Access. You have the right to know whether or not we are processing your Personal Information as a controller and to access such Personal Information.

(ii) Right to Correct. You have the right to request that we correct any inaccurate Personal Information that we have collected about you.

(iii) Right to Delete. You have the right to request that we delete the Personal Information provided by or obtained about you.

(iv) Right to Portability.

- New Jersey State Resident: You have the right to obtain a copy of all categories of Personal Information held by us in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance.
- Texas and Nebraska Residents: You have the right to obtain a copy of your Personal Information (if such data is available in a digital format) that you previously provided to us in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance.

(v) Right to Opt-Out. You have the right to opt out of the processing of your Personal Information for purposes of: (a) targeted advertising; (b) the sale of your Personal Information; or (c) profiling in furtherance of a decision that produces a legal or similarly significant effect concerning you as a State Consumer (as these processing activities are defined under State Privacy Laws). To the extent State Privacy Laws determine that information exchange involving Device Identifiers, or other information automatically collected by Cookies constitutes a “Sale” of Personal Information or other data processing activities for which you are eligible to exercise your “Right to Opt-Out”, please refer to the settings in the Cookie Banner.

(vi) Right to Appeal. You have the right to appeal our decision not to act on your request to exercise your rights under the State Privacy Laws.

(vii) Right to Non-Discrimination. You have the right not to be discriminated against for exercising your rights under the State Privacy Laws.

B. Our Processes to Respond to State Consumer Request(s): As a controller, we shall:

✓ Respond to your request to exercise State Consumer rights within 45 days after receiving your request. Where reasonably necessary, we may extend the response deadline by an additional 45 days as long as we notify you within the initial 45-day response window; or

✖ Decline to take action regarding your request to exercise your State Consumer rights. In this case, we will inform you of the reasons for which we decline within the initial 45-day response window and provide instructions on how to appeal our decision.

C. Exercising Your State Privacy Rights.

If you are a State Consumer and would like to exercise your rights under State Privacy Laws as described above, you may do so via any of the methods described below:

Calling us at 1 (888) 367-7482; or
Sending an email to Privacy@DamascusBakery.com (Please place “Data Privacy/Data Subject Request for residents of [Your State]” in the subject line).