Common use of Compliance with Privacy and Security Laws Clause in Contracts

Compliance with Privacy and Security Laws. (a) The Company has established and implemented such policies, programs, procedures, contracts and systems, as are necessary to comply with (i) applicable state and federal laws governing the privacy and security of health information pertaining to individuals, including regulations promulgated pursuant thereto, and (ii) applicable state and federal laws governing the privacy and security of Personal Information (collectively, the “Privacy and Security Laws”). (b) All Personal Information that has been collected, acquired, stored, disposed, processed, maintained, treated or otherwise used by the Company has been collected, acquired, stored, disposed, processed, maintained, treated and otherwise used in compliance in all material respects with all applicable industry standards and requirements, in each case to the extent applicable to the Company, and the Company’s own applicable policies and procedures related to rights of publicity, privacy, data protection, information security, or the collection, use, storage or disposal of Personal Information collection, used or held for use by the Company in the conduct of their businesses. To the Knowledge of the Company there has been no loss of, or unauthorized access, use, disclosure or modification of any Personal Information or of any confidential information that would trigger a mandatory breach notification as required by applicable Law. (c) The Company has established, and is in compliance in all material respects with, its currently posted privacy policy and terms of use available on its website(s), and its current internal information security and human resources policies and procedures (and has been in compliance in all material respects with all historically posted privacy policies, terms of use and all historic information security and human resources policies and procedures) pertaining to the collection, access, storage, transfer, receipt and use of Personal Information, and to the Company’s Knowledge has never collected, accessed, stored, transferred, received, or used any Personal Information in a manner violative of such privacy policies, terms of use, information security policies and human resource policies and procedures. (d) Each privacy policy or other privacy notice, as applicable, used in the conduct of the Company’s business contains, and has since the date that is three (3) years prior to the Agreement Date contained, express authorization for the Company to transfer Personal Information to a partner, successor, or transferee in a merger, or an acquirer of its business, equity or assets. (e) The Company has not received notice of noncompliance with any Privacy and Security Law, guidelines or industry standards, and no claim or proceeding has been asserted in writing or threatened in writing against the Company alleging a violation of any Person’s rights of publicity or privacy or Personal Information or data rights. The consummation of the transaction contemplated hereunder will not breach or otherwise cause any violation in any material respect of any of the Company’s own applicable policies and procedures related to rights of publicity, privacy, data protection, information security, or the collection, use, storage or disposal of Personal Information collection, used or held for use by the Company in the conduct of their businesses. (f) The Company has not, and currently does not, market its products and services to any Persons under the age of 13, and the Company does not knowingly collect Personal Information from any Persons under the age of 13. (g) The Company has complete and correct records of all Persons who have notified the Company of such Person’s election not to receive any electronic communications or solicitations (“Opt-Out Notifications”) from the Company. The Company has complied in all material respects with all such Opt-Out Notifications. (h) The Company has in place, maintains, and complies with adequate anti- virus and malware protection, and security measures and safeguards to protect business data and Personal Information against illegal or unauthorized access or use by its personnel or third parties, or access or use of such information by its personnel or third parties in a manner violative of any Privacy and Security Law, applicable industry standards or guidelines, or the privacy rights of third parties, as applicable, in each case consistent with industry practices. To the Knowledge of the Company, no Person has gained unauthorized access to or made any unauthorized use of any trade secrets of the Company or Personal Information collected or received by the Company in a manner that would trigger a mandatory breach notification as required by applicable Law. (i) Except as set forth on Section 3.24(i) of the Disclosure Schedules, the Company is in compliance in all material respects with the Privacy and Security Laws and the Company has not received notice of any incident reports or allegations that it has breached the Privacy and Security Laws. Attached to Section 3.24(i) of the Disclosure Schedules are all written consultant reports, corrective actions and plans of action for implementation of any requirements with respect to the Business of the Company under the Privacy and Security Laws.

Compliance with Privacy and Security Laws. (a) The Company has established and implemented such policies, programs, procedures, contracts and systems, as are necessary to comply with (i) applicable state and federal laws governing the privacy and security of health information pertaining to individuals, including regulations promulgated pursuant thereto, and (ii) applicable state and federal laws governing the privacy and security of Personal Information (collectively, the “Privacy and Security Laws”). (b) All Personal Information that has been collected, acquired, stored, disposed, processed, maintained, treated or otherwise used by the Company has been collected, acquired, stored, disposed, processed, maintained, treated and otherwise used in compliance in all material respects with all applicable industry standards and requirements, in each case to the extent applicable to the Company, and the Company’s own applicable policies and procedures related to rights of publicity, privacy, data protection, information security, or the collection, use, storage or disposal of Personal Information collection, used or held for use by the Company in the conduct of their businesses. To the Knowledge of the Company there There has been no loss of, or unauthorized access, use, disclosure or modification of any Personal Information or of any confidential information that would trigger a mandatory breach require notification as required by applicable Lawto individuals under Privacy and Security Laws. (c) The Company has established, and is in compliance in all material respects with, its currently posted privacy policy and terms of use available on its website(s), and its current internal information security and human resources policies and procedures (and has been in compliance in all material respects with all historically posted privacy policies, terms of use policies and all historic information security and human resources policies and procedures) pertaining to the collection, access, storage, transfer, receipt and use of Personal Information, and to the Company’s Knowledge has never collected, accessed, stored, transferred, received, or used any Personal Information in a manner alleged to be violative of such privacy policies, terms of use, information security policies and human resource policies and procedures. Each such privacy policy, information security policy, human resources policy and procedure, and all materials distributed or marketed by the Company have at all times made all disclosures to employees, users, customers, and prospective customers, as the case may be, required by applicable Privacy and Security Laws and none of such disclosures made or contained in any such materials have been alleged to be inaccurate, misleading, or deceptive or in violation of any applicable Privacy and Security Laws. The Company has made available to Parent a true, correct, and complete copy of each Company privacy policy, information security policy, and human resources policy pertaining to Personal Information in effect at any time since inception of the Company. (d) Each privacy policy or other privacy notice, as applicable, used in the conduct of the Company’s business contains, and has since the date that is three (3) years prior to the Agreement Date contained, express authorization for the Company to transfer Personal Information to a partner, successor, or transferee in a merger, or an acquirer of its business, equity or assets. (e) The Company has not received a notice of noncompliance with any Privacy and Security Law, guidelines or industry standards, and no claim or proceeding has been asserted in writing or threatened in writing against the Company alleging a violation of any Person’s rights of publicity or privacy or Personal Information or data rights. The consummation of the transaction contemplated hereunder Merger and the Transactions will not breach or otherwise cause any violation in any material respect of any of the Company’s own applicable policies and procedures related to rights of publicity, privacy, data protection, information security, or the collection, use, storage or disposal of Personal Information collection, used or held for use by the Company in the conduct of their businesses. (fe) The Company has not, and currently does not, market its products and services to any Persons under the age of 13, and the Company does not knowingly collect Personal Information from any Persons under the age of 13. (gf) The Company has complete and correct records of all Persons who have notified the Company of such Person’s election not to receive any electronic communications or solicitations (“Opt-Out Notifications”) from the Company. The Company has complied in all material respects with all such Opt-Out Notifications. (hg) The Company has in place, maintains, and complies with adequate anti- anti-virus and malware protection, and security measures and safeguards to protect business data and Personal Information against illegal or unauthorized access or use by its personnel or third parties, or access or use of such information by its personnel or third parties in a manner violative of any Privacy and Security Law, applicable industry standards or guidelines, or the privacy rights of third parties, as applicable, in each case consistent with applicable industry best practices. To the Knowledge of the Company, no Person has gained unauthorized access to or made any unauthorized use of any trade secrets of the Company or Personal Information collected or received by the Company in a manner that would trigger a mandatory breach notification as required by applicable LawCompany. (ih) Except as set forth on Section 3.24(i) of the Disclosure SchedulesSchedule 2.24(h), the Company is in compliance in all material respects with the Privacy and Security Laws and the Company has not received notice of any Laws, there exist no incident reports or allegations that it has breached the Privacy and Security Laws and the Company has maintained an accounting of any disclosures required by the Privacy and Security Laws. Attached to Section 3.24(iSchedule 2.24(h) of the Disclosure Schedules are all written consultant reports, corrective actions and plans of action for implementation of any requirements with respect to the Business of the Company under the Privacy and Security Laws.. The Parent, the Buyer, Merger Sub I, and Merger Sub II hereby represent and warrant to the Company that:

Compliance with Privacy and Security Laws. (a) The Company has established and implemented such policies, programs, procedures, contracts Contracts and systems, as are reasonably necessary to comply with (i) applicable state and federal laws governing the privacy and security of health information pertaining to individuals, including regulations promulgated pursuant thereto, and (ii) applicable state and federal laws governing the privacy and security of Personal Information (collectively, the “Privacy and Security Laws”). (b) All To the Company’s Knowledge, all Personal Information that has been collected, acquired, stored, disposed, processed, maintained, treated or otherwise used by the Company has been collected, acquired, stored, disposed, processed, maintained, treated and otherwise used in compliance in all material respects with all applicable industry standards Privacy and requirementsSecurity Laws, in each case to the extent applicable to the Company, and the Company’s own applicable policies and procedures related to rights of publicity, privacy, data protection, information security, or the collection, use, storage or disposal of Personal Information collection, used or held for use by the Company in the conduct of their businesses. To the Knowledge of the Company there has been no loss of, or unauthorized access, use, disclosure or modification of any Personal Information or of any confidential information that would trigger a mandatory breach notification as required by applicable Law. (c) The Company has established, and is in compliance in all material respects with, with its currently posted privacy policy and terms of use available on its website(s), and its current internal information security and human resources policies and procedures (and to the Company’s Knowledge, has been in compliance in all material respects with all historically posted privacy policies, terms of use and all historic information security and human resources policies and procedures) pertaining to the collection, access, storage, transfer, receipt and use of Personal Information, and and, to the Company’s Knowledge Knowledge, has never collected, accessed, stored, transferred, received, or used any Personal Information in a manner violative of such privacy policies, terms of use, information security policies and human resource policies and procedures. The Company has made available a true, correct, and complete copy of each Company privacy policy, terms of use, information security policy, and human resources policy pertaining to personal data in effect at any time since inception of the Company. (d) Each privacy policy or other privacy notice, as applicable, used in the conduct of the Company’s business contains, and has since the date that is three (3) years prior to the Agreement Date contained, express authorization for the Company to transfer Personal Information to a partner, successor, or transferee in a merger, or an acquirer of its business, equity or assets. (e) The Company has not received a notice of noncompliance with any Privacy and Security Law, guidelines or industry standards, and no claim or proceeding has been asserted in writing or or, to the Company’s Knowledge, threatened in writing against the Company alleging a violation of any Person’s rights of publicity or privacy or Personal Information or data rights. The To the Company’s Knowledge, the consummation of the transaction contemplated hereunder Mergers and the Transactions will not breach or otherwise cause any violation in any material respect of any of the Company’s own applicable policies and procedures related to rights of publicity, privacy, data protection, information security, or the collection, use, storage or disposal of Personal Information collection, used or held for use by the Company in the conduct of their businesses. (fe) The Except to the extent permitted under applicable state Law, the Company has not, and currently does not, market its products and services to any Persons under the age of 13, and the Company does not knowingly collect the Personal Information from any Persons under the age of 13 without express parental consent. For the avoidance of doubt, “marketing cannabis products and services to any Persons under the age of 13” shall not include providing services to a parent or designated caregiver of a minor child insofar as a state Law permits such provision of services. (gf) The Company has complete and correct records of all Persons who have notified the Company of such Person’s election election, available under any applicable Privacy and Security Law, not to receive any electronic communications or solicitations (“Opt-Out Notifications”) from the Company. The Company has complied in all material respects used reasonable efforts to comply with all such Opt-Out Notifications. (hg) The to the Company’s Knowledge, the Company has in place, maintains, and complies with adequate anti- anti-virus and malware protection, and security measures and safeguards to protect business data and Personal Information against illegal or unauthorized access or use by its personnel or third parties, or access or use of such information by its personnel or third parties in a manner violative of any Privacy and Security Law, applicable industry standards or guidelines, or the privacy rights of third parties, as applicable, in each case consistent with industry practices. To the Knowledge of the Company, no Person has gained unauthorized access to or made any unauthorized use of any trade secrets of the Company or Personal Information personal data collected or received by the Company in a manner that would trigger a mandatory breach notification as required by applicable LawCompany. (ih) Except as set forth on Section 3.24(i) of the Disclosure SchedulesSchedule 2.23(g), the Company is believes itself to be in compliance in all material respects with the Privacy and Security Laws and the Company has not received notice of any incident reports or allegations that it has breached the Privacy and Security Laws. Attached to Section 3.24(iSchedule 2.23(g) of the Disclosure Schedules are all written consultant reports, corrective actions and plans of action for implementation of any requirements with respect to the Business business of the Company under the Privacy and Security Laws.

Compliance with Privacy and Security Laws. (a) The Company has established and implemented such policies, programs, procedures, contracts and systems, as are necessary to comply with (i) applicable state and federal laws governing the privacy and security of health information pertaining to individuals, including regulations promulgated pursuant thereto, and (ii) applicable state and federal laws governing the privacy and security of Personal Information (collectively, the “Privacy and Security Laws”). (b) All Personal Information that has been collected, acquired, stored, disposed, processed, maintained, treated or otherwise used by the Company has been collected, acquired, stored, disposed, processed, maintained, treated and otherwise used in compliance in all material respects with all applicable industry standards and requirements, in each case to the extent applicable to the Company, and the Company’s own applicable policies and procedures related to rights of publicity, privacy, data protection, information security, or the collection, use, storage or disposal of Personal Information collection, used or held for use by the Company in the conduct of their businesses. To the Knowledge of the Company there has been no loss of, or unauthorized access, use, disclosure or modification of any Personal Information or of any confidential information that would trigger a mandatory breach notification as required by applicable Law. (c) The Company has established, and is in compliance in all material respects with, its currently posted privacy policy and terms of use available on its website(s), and its current internal information security and human resources policies and procedures (and has been in compliance in all material respects with all historically posted privacy policies, terms of use and all historic information security and human resources policies and procedures) pertaining to the collection, access, storage, transfer, receipt and use of Personal Information, and to the Company’s Knowledge has never collected, accessed, stored, transferred, received, or used any Personal Information in a manner violative of such privacy policies, terms of use, information security policies and human resource policies and procedures. (d) Each privacy policy or other privacy notice, as applicable, used in the conduct of the Company’s business contains, and has since the date that is three (3) years prior to the Agreement Date contained, express authorization for the Company to transfer Personal Information to a partner, successor, or transferee in a merger, or an acquirer of its business, equity or assets. (e) The Company has not received notice of noncompliance with any Privacy and Security Law, guidelines or industry standards, and no claim or proceeding has been asserted in writing or threatened in writing against the Company alleging a violation of any Person’s rights of publicity or privacy or Personal Information or data rights. The consummation of the transaction contemplated hereunder will not breach or otherwise cause any violation in any material respect of any of the Company’s own applicable policies and procedures related to rights of publicity, privacy, data protection, information security, or the collection, use, storage or disposal of Personal Information collection, used or held for use by the Company in the conduct of their businesses. (f) The Company has not, and currently does not, market its products and services to any Persons under the age of 13, and the Company does not knowingly collect Personal Information from any Persons under the age of 13. (g) The Company has complete and correct records of all Persons who have notified the Company of such Person’s election not to receive any electronic communications or solicitations (“Opt-Out Notifications”) from the Company. The Company has complied in all material respects with all such Opt-Out Notifications. (h) The Company has in place, maintains, and complies with adequate anti- anti-virus and malware protection, and security measures and safeguards to protect business data and Personal Information against illegal or unauthorized access or use by its personnel or third parties, or access or use of such information by its personnel or third parties in a manner violative of any Privacy and Security Law, applicable industry standards or guidelines, or the privacy rights of third parties, as applicable, in each case consistent with industry practices. To the Knowledge of the Company, no Person has gained unauthorized access to or made any unauthorized use of any trade secrets of the Company or Personal Information collected or received by the Company in a manner that would trigger a mandatory breach notification as required by applicable Law. (i) Except as set forth on Section 3.24(i) of the Disclosure SchedulesSchedules [Omitted pursuant to Item 601(a)(5) of Regulation S-K], the Company is in compliance in all material respects with the Privacy and Security Laws and the Company has not received notice of any incident reports or allegations that it has breached the Privacy and Security Laws. Attached to Section 3.24(i) of the Disclosure Schedules [Omitted pursuant to Item 601(a)(5) of Regulation S-K] are all written consultant reports, corrective actions and plans of action for implementation of any requirements with respect to the Business of the Company under the Privacy and Security Laws.