Health Management Associates, Inc. and Affiliates — Comprehensive Privacy Policy

Effective date: September 12, 2025

Who We Are

This Privacy Policy (“Policy”) explains how Health Management Associates, Inc. (“HMA,” “we,” “us,” or “our”) and our related companies, including our subsidiaries and affiliates, collect, use, disclose, share, and protect your personal information when you use our websites (like healthmanagement.com, and any other sites linking to this Policy), mobile apps, marketing materials, events, and other online services (the “Services”). This Policy does not apply to information we handle on behalf of our clients under a contract, (e.g. consulting engagements. In those cases, we follow the rules in the specific contracts or agreements we have with those clients, or when applicable, Business Associate Agreements, not this Policy. The HMA Family of Companies currently includes 720 Strategies, Burns & Associates,  Crestline Advisors, Leavitt Partners, Lovell Communications, State of Reform, and Wakely Consulting Group, along with any future partners or companies that join us. We may update this list from time to time.

Notice of Data Collection

We collect information to make our website and Services work smoothly and to provide you with a better experience. This includes data required to manage your account, process transactions, and keep our website running properly. For example, we may use cookies (i.e., small files stored on your device) to remember things like your language or time zone preferences, track how you use our site, and show you personalized ads. For a full list of the data we collect and what it’s used for, see the chart titled “Data Collection Categories” in Appendix A of this Privacy Policy, which also includes a summary of our practices in relation to California CCPA and CPRA. We use the Data Collection Categories for the purposes stated and retain them as long as needed for the listed purposes or as required by law.

You Can Opt-Out

You can choose to opt out of non-essential cookies, (e.g. for personalized ads, analytics, or marketing emails. If you’re a California resident, you can also opt out of sharing your personal information for targeted advertising. Selecting “Decline All” in our Cookie Settings turns off non-essential cookies and related cross-context behavior advertising via cookies. You can also use the Do-Not-Sell or Share My Personal Information link to opt out of other sharing covered by applicable law.  We collect information necessary  to operate our Sites and Services.  For non-essential features (e.g. personalized ads), we seek your consent or provide opt-outs as applicable.

Definitions

• “Affiliate” means a related company that works with Health Management Associates, Inc. and follows the same rules for handling personal information. These companies may share or process your data as part of our services, and we may update our list of affiliates as new ones join.
• “Aggregated data” means personal information combined from many people to show trends or patterns, without identifying any individual.
• “Authorized agent” is a person or company you give permission to act on your behalf to make requests about your personal information, such as asking to see, correct, or delete it. They need to show proof of your approval, like a signed document, and we may verify your identity to ensure the request is legitimate.
• “De-identified Data” means personal information that has had personal details removed, like names, addresses, or Social Security numbers, so it can no longer be linked to a specific person.
• “Cookies” are small text files that a website saves on your computer or phone when you visit it. They help the website work better, by remembering your settings or keeping you logged in.
• “Debugging” is the process of finding and fixing errors or problems in a computer program, website, or software to make it work correctly. It’s like troubleshooting to spot what’s causing issues, such as broken features or crashes, and then correcting them.
• “HIPAA” or the Health Insurance Portability and Accountability Act, is a U.S. law that protects the privacy and security of people’s health information. It sets rules for how doctors, hospitals, health plans, and their business partners handle sensitive data, like medical records, to keep it safe and private.
• “IP Address” means a unique number given to your device (like a computer or phone) when it connects to the internet. It’s like an address that helps websites know where to send information.
• “Protected Health Information” (“PHI”) any information about a person’s health, medical care, or payment for medical care that can identify them, such as their name, address, or medical records, as defined by the U.S. Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act (HIPAA).
• “Personal Information” (“PI”) means information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household, or, in the EU/UK, a natural person (“data subject”).
• “Process” or “processing” means any operation performed on PI, such as collection, use, disclosure, storage, deletion, or transfer.
• “Sale” and “Share” have the meanings given in the California Consumer Privacy Act (as amended by the CPRA). Generally, “sale” includes exchanging PI for valuable consideration and “share” includes disclosure for cross-context behavioral advertising.
• “Service Provider/Processor” means a vendor that processes PI on our behalf under a written contract; “Third Party” means an entity that processes PI for its own purposes.
• “SMS” stands for Short Message Service, which is just a fancy term for regular text messages that people send and receive on their phones.
• “TCPA” stands for the Telephone Consumer Protection Act, a U.S. law that protects consumers from unwanted telemarketing calls, texts, and faxes. It limits things like using automated systems to make calls or send texts, and it requires companies to get your permission before contacting you this way.

1. Types of Information We Collect

   Information you provide: We may collect personal details you share with us, such as your name, business email, phone number, job title and employer, event registrations, newsletter preferences; paid subscriptions (e.g., HMAIS subscriptions), payments and files/content you  upload or submit, such as through forms or emails. Do not submit any Protected Health Information (PHI) through general website forms.

   Information from your organization or partners: We may receive business-related information such as leads from other companies, conference attendee lists, referrals, or third-party data, such as enrichment data (e.g., industry, role, and interests).

   Automatically collected information: While some cookies that are necessary for a website to operate may automatically be active, if you allow cookies, we may collect device and usage data (e.g., IP address, device/browser, pages viewed, timestamps, referring URLs) and use cookies, pixels, SDKs, and tags for analytics, personalization, measurement, A/B testing, advertising, and security (e.g., Google reCAPTCHA) on certain forms. You may change your cookie preferences at any time.

   Public sources: We may gather information from publicly available sources such as websites, government publications, professional profiles, and industry databases.

   De‑identified/aggregated data: We may create and use de-identified or aggregated data and will not attempt to re-identify it except as permitted by law.

2. How We Use Your Personal Information (Purpose)

   To Operate Our Services: We may use your information to provide and manage our services, including delivering content, managing your accounts or subscriptions (like HMAIS subscriptions), processing payments, offering support, and communicating with you.

   To Improve and Secure Our Services: We may use your data for activities like debugging, analyzing performance, and tracking how well the website works. We also may use it to detect security threats and prevent fraud.

   For Marketing and Personalization: We may use your information to send you emails, including as part of e-mail campaigns, invite you to events, create custom audience groups, create cross-device and cross-site measurements, and cross-context behavioral advertising, subject to your preferences.

   For Recruiting & HR: If you apply for a job, we use your information to evaluate your application.

   For Compliance and Legal Matters: We use your information to conduct audits, enforce our terms and policies, respond to legal requests, and handle legal issues or regulatory matters.

   For Corporate Transactions: In the event of a merger, acquisition, financing, or sale of assets, your data may be used as part of those business transactions.

3. How We Share Personal Information

   HMA Affiliates: We may share your information with other companies we’re connected to, such as our affiliates, subsidiaries and parent companies, for central operations (including cross-brand insights,  managing our operations, analyzing data, improving our products, and coordinated marketing across different brands). You can choose to opt out of marketing and the sale or sharing of your data.

   Service Providers/Processors: These are companies that help us with things like hosting, security, analytics, reCAPTCHA, email/SMS services, marketing, form building, event tools, payment processing, customer support, and session recording, bound by contracts limiting use to our purposes.

   Advertising/Analytics Partners: We share information with these companies to measure campaigns, create and serve ads, and help us analyze data (this might be considered a “sale” or “share” of data under California law, but you can opt out if you want).

   Professional Advisors and Legal: We may share your information with our lawyers, auditors, and insurers for legal or business-related purposes, including to prevent fraud and security incidents, protect rights, and business transfers as part of mergers, acquisitions, or other corporate events.

   Authorities: We may share information if required by law or to protect rights, privacy, safety, or property, or to detect and prevent fraud or security risks.

4. Cookies, Pixels, and Similar Technologies

   We use different types of technologies and categories commonly labeled: (1) Strictly Necessary (operation/security); (2) Functional (Preferences); (3) Analytics (Usage/diagnostics); (4) Advertising/retargeting, and in some instances (5) Unclassified (Non-Essential)  on our site. Here’s what we collect and why:

   • Strictly Necessary Cookies: These are needed for the website to work, like letting you log in or manage your account (i.e., essential cookies that cannot be turned off).
   • Functionality Cookies: These remember your preferences, like language or time zone, to make your experience more personal (i.e., nonessential cookies that can be turned off).
   • Performance Cookies: These help us see how people use our site so we can make it better. They don’t directly identify you (i.e., nonessential cookies that can be turned off).
   • Advertising or Targeting Cookies: These help us show you ads that match your interests (i.e., nonessential cookies that can be turned off).
   • Unclassified Cookies: Some cookies are still being reviewed to determine their exact impact and may relate to ads or session management. Unclassified cookies are cookies that do not belong to any other category or are in the process of categorization. (i.e., nonessential cookies that can be turned off).

   Your choices: You may manage, via our Cookie Preferences tool or preferences settings which cookies are functional, and you may manage via your browser or device which cookies you accept. We also use commercially reasonable efforts to honor your preferences communicated via the Global Privacy Control (GPC) and other legal opt-out signals (like the Colorado Universal Opt-Out Mechanism). However, we do not currently respond to “Do Not Track” (DNT) signals because there is no standard way to handle them.

5. Third-Party Analytics and Advertising Technologies

   We may use technologies from other service providers to help us understand how people use our site, measure the effectiveness of our ads, and show you more personalized content. These tools may collect data like your IP address, device details, browser type, which pages you visit, and more.

   Some of the service providers we work with include: Google Analytics, Google Ads, LinkedIn, Facebook/Instagram (Meta Pixel), Microsoft Ads, Twitter, Pinterest, Reddit, HubSpot, Salesforce, Hotjar, Crazy Egg, and others, however, the specific providers may change over time.

6. Website Interactions, Recordings, and Monitoring Disclosures

   We use tools to communicate with you on our website and understand how you use it, including to protect our Services, prevent fraud and improve user experience. This includes:

   Emails and Messages: If you sign up for our newsletters, fill out forms, or contact us, we may send you emails or messages (like SMS) about our services, events, or updates. You can opt out of marketing emails anytime using the “unsubscribe” link or by contacting us. However, even if you unsubscribe, we may still send you emails regarding the Services we perform.

   Session Recordings: We may use tools like session replay to record how you move through our website (e.g., clicks, scrolling, or page visits). These tools help us improve the website but are set up to avoid capturing sensitive information, like passwords or payment details.  For example, we may monitor and log metadata about web requests and form submissions (e.g. IP address, timestamps, URL, and use sessions-replay/interaction analytics. Where required, we obtain consent before enabling such tools via our cookie banner.

   Monitoring for Legal Compliance: In some cases, we may monitor or record website interactions to comply with laws or protect against fraud, as allowed under privacy laws (like rules about wiretapping or tracking). We only do this when required and follow strict legal guidelines to protect your privacy.

   You can control some of these tools through our Cookie Preferences tab at the bottom of our website, and if required by law or regulations, we will let you know how we monitor or use your information.

7. TCPA/Telemarketing & SMS Disclosures

   If you give us your mobile number and agree, we (and our affiliates) may contact you by phone call or text message for marketing or informational purposes. We may use an autodialer or prerecorded voice.

   Consent is not required to purchase goods/services. Message & data rates may apply; message frequency varies. You may opt out at any time by replying STOP (to end) or HELP (for help). We maintain records of consent and opt‑outs as required by law and comply with applicable Do‑Not‑Call obligations.

8. HIPAA and Our Role as a Business Associate

   HMA is a consulting company and usually not a HIPAA “covered entity” (like a doctor or health plan). Please don’t send Protected Health Information (PHI), like medical records, through our website forms. We do not intend our public website, forms, or marketing tools to receive PHI. If you believe you may need to send PHI, please contact us for a secure transmission method.  If we receive PHI while working for a covered entity, we generally receive such information under a contractual agreement, such as  under a Business Associate Agreement (BAA), and we handle that data according to the BAA, not this Privacy Policy.  When HMA acts as a Business Associate, we comply with all HIPAA requirements, including administrative, physical, and technical safeguards; minimum necessary use and disclosure; and breach-notification obligations. Where applicable, individuals retain their HIPAA rights of access and amendment, as described in the Notice of Privacy Practices of the relevant covered entity.

9. Your Privacy Choices and Rights (U.S. State Laws)

   Depending on where you live (e.g., CA, CO, CT, VA, UT, OR, TX, MT, DE, IA, TN, IN, etc.), you may have rights to access/know, correct, delete, data portability, and to opt out of targeted advertising, sale/share, and certain profiling. California residents may request to limit use/disclosure of Sensitive PI. You may use an authorized agent; we will verify identity/authority and may request a signed declaration where permitted. If we deny a request, you may appeal; we will respond within required timelines. We will not discriminate for exercising your rights. We do not offer financial incentives at this time; if we do, we will provide a Notice of Financial Incentive.

   Authorized agents & verification: You can have someone else (an authorized agent) make these requests for you. But we’ll need to verify both your identity and the agent’s authorization before we can fulfill the request. In some cases, we may ask for a signed statement confirming your request under penalty of perjury.

   Appeals: If we reject your request, you can appeal. We’ll explain how to do this when we respond to your request.

   Non-discrimination: We won’t treat you unfairly for exercising your privacy rights. Right now, we don’t offer any financial incentive programs, but if we ever do, we will provide clear notice of how that works.

   We may disclose identifiers, internet/network activity, and inferences to advertising/analytics partners for measurement and cross‑context behavioral advertising, which may constitute a “sale” or “share” under California law. You can opt out at any time using our Do Not Sell/Share controls or by enabling GPC. We do not knowingly sell or share PI of consumers under sixteen (16).

10. EU/EEA/UK/Switzerland (GDPR) Disclosures

    Health Management Associates, Inc. is based in Michigan, United States, and provides services primarily within North America. We do not offer goods or services to individuals in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, nor do we monitor their behavior within the meaning of Article 3 of the EU General Data Protection Regulation (GDPR) or UK GDPR.

    Because our processing of personal data is occasional, does not include large-scale processing of special categories of data, and does not otherwise create a risk to the rights and freedoms of individuals in the EEA/UK/Switzerland, we are not required to appoint an EU or UK representative under Article 27 of the GDPR or UK GDPR.

    If this changes in the future—for example, if we begin to target or monitor individuals in the EEA/UK/Switzerland—we will update this Privacy Policy and appoint a representative as required by law.

    You have rights to access, rectification, erasure, restriction, portability, and objection; you may withdraw consent without affecting prior processing. For transfers outside the EEA/UK/CH, we rely on Standard Contractual Clauses and appropriate safeguards.

11. Canada (PIPEDA) and Other Non‑S. Jurisdictions

    If you are in Canada, you have rights of access and correction and may withdraw consent to the extent permitted by law. We process PI in the U.S. and other countries; by using the Services, you consent to such transfers, subject to applicable law.

12. Washington “My Health My Data” (when applicable)

    If our web properties collect “consumer health data” as defined by Washington law (e.g., interactions with wellness content), you may have additional rights. Where applicable, we will present a Consumer Health Data Notice and obtain any required consent for collection, use, and sharing.

13. Nevada Privacy Rights

    Nevada residents may opt out of the sale of certain covered information. To submit a request, use the methods in Section 20.

14. Children’s Privacy

    Our Services are not directed to children under thirteen (13), and we do not knowingly collect PI from children. We also do not knowingly sell or share PI of consumers under sixteen (16).

15. Data Security

    We maintain reasonable administrative (e.g., policies, procedures, and training), technical (e.g., encryption), and physical safeguards (secure data centers) appropriate to the nature of the PI (e.g., TLS in transit, role‑based access, encryption for certain data, vendor due diligence, logging/monitoring, secure development). No method of transmission or storage is completely secure.

16. Security Incident and Breach Response

    HMA maintains a written incident-response and breach-notification plan consistent with HIPAA, applicable U.S. state data-breach laws, and the EU/UK GDPR (Articles 33–34). In the unlikely event of a security incident that compromises personal information or Protected Health Information, HMA will investigate promptly, mitigate potential harm, and notify affected individuals and regulators as required by law and contractual obligations.

17. Data Retention

    We retain PI only as long as necessary for the purposes described or as required by law, then delete or de‑identify it.

18. International Data Transfers

    If you access our Services from outside the United States, your data may be transferred to and processed in the U.S. and other countries with different data protection laws. Where required, we implement appropriate transfer mechanisms (e.g., SCCs).

19. Automated Decision‑Making

    We do not engage in solely automated decision‑making that produces legal or similarly significant effects about individuals. We may use automated tools for audience segmentation and marketing analytics; you may opt out of targeted advertising as described above.

20. Use of Automated Tools and AI/ML Analytics

    We may use limited automated tools, including machine-learning (AI/ML) algorithms, to perform analytics, improve website performance, and personalize marketing content (for example, recommending resources or tailoring email outreach). These activities do not involve solely automated decisions that produce legal or similarly significant effects on individuals.

    Where required by law (such as GDPR Articles 21–22 or applicable U.S. state privacy laws), you may object to this type of processing or opt out of targeted advertising by following the instructions in the Your Privacy Choices and Rights section or by contacting us using the details in Contact Us.

21. Data Governance, DPIAs, and Vendor Management

    We maintain a data inventory and perform vendor assessments appropriate to risk. Where required, we conduct Data Protection Impact Assessments (DPIAs) for high‑risk processing (e.g., certain profiling or new tracking technologies). Vendors processing PI on our behalf are bound by written contracts with confidentiality, security, and data‑use restrictions.

22. Vendors and Subprocessors

    To deliver our Services, HMA engages carefully selected service providers (“processors” or “subprocessors”) that perform functions such as hosting, analytics, email delivery, payment processing, and marketing support. These vendors are bound by written contracts that include confidentiality, data-security, and data-use limitations consistent with applicable privacy laws.

    Upon request, HMA will provide a current list of its key processors and subprocessors, including the nature of the services they provide and the jurisdictions in which they process data.

23. Changes to This Policy

    We may update this Policy. The Effective date will reflect the latest version. Material changes will be highlighted for a reasonable time. We will retain prior versions in an archive available upon request.

24. Contact Us

    Email: [email protected]
    Mail: 2501 Woodlake Circle, Suite 100, Okemos, MI 48864
    Toll‑free: 800-678-2299
    Data Subject Request: [email protected]
    EU/UK Representative: [email protected]
    Chief Compliance Officer: [email protected]

---

Exhibit A — Cookie & Tracking Technologies Policy

Last updated: [November 12, 2025]

This Exhibit A (the “Cookie Policy”) explains how Health Management Associates, Inc. and its affiliates (the “HMA Family of Companies”, collectively “HMA”) use cookies, pixels, tags, SDKs, local storage, session‑replay, and related technologies (collectively, “Cookies”) on healthmanagement.com, hmais.healthmanagement.com, and any other websites or online services that link to this Cookie Policy (the “Sites”). It describes what these technologies are, why we use them, and how you can control them via our Consent Management Platform (CMP), your browser, and mobile settings.

This Cookie Policy is part of and supplements HMA’s Privacy Policy. Capitalized terms not defined here have the meanings given in the Privacy Policy. Where laws differ by jurisdiction, HMA will apply the stricter requirement.

1. Key Definitions
   • “Cookies” means text files or code snippets placed on a device to store or access information, including HTTP cookies, HTML5 local storage, SDKs, pixels/tags, beacons, and similar technologies.
   • “CMP” means our Consent Management Platform that collects and stores your consent preferences and signals them to downstream vendors.
   • “CCBA” means cross‑context behavioral advertising (sometimes called interest‑based or targeted advertising).
   • “GPC” means Global Privacy Control, a user‑enabled, browser‑based universal opt‑out signal recognized by applicable laws.

2. Legal Basis & Where This Policy Applies
   • United States: Depending on your state, non‑essential Cookies used for targeted advertising or certain analytics may constitute a “sale” or “share.” HMA honors GPC where required and provides a Do Not Sell or Share mechanism and per‑category controls in the CMP.
   • EU/EEA/UK/CH: Under the ePrivacy rules (e.g., EU ePrivacy Directive and UK PECR) and GDPR/UK GDPR, non‑essential Cookies require prior consent. The CMP presents granular purposes and vendors and records consent. Strictly necessary Cookies may be set without consent.

3. Why We Use Cookies
   • Ensure site operation and security (strictly necessary).
   • Remember choices and improve functionality (functional).
   • Measure usage and performance; perform diagnostics and session‑replay for quality and security (analytics).
   • Deliver and measure advertising, personalize content, create/maintain audiences, and prevent fraud (advertising & measurement).

4. Categories of Cookies
   • Strictly Necessary:  Core functionality, security, load balancing, session management, bot detection (e.g., Google reCAPTCHA); cannot be switched off in our systems but you can block in your browser, which may break the site.
   • Functional: Remember preferences and improve forms or features (e.g., remembering region/language).
   • Analytics: Traffic measurement, diagnostics, session‑replay/UX analytics (e.g., GA4, Hotjar/FullStory), with privacy controls enabled.
   • Advertising & Measurement: Ad delivery, measurement, frequency capping, CCBA audiences and remarketing (e.g., Google Ads, LinkedIn Insight Tag, Meta Pixel, Microsoft Advertising UET).

5. Vendors and Technologies We May Use (inclusive list)

   We use third-party analytics, advertising, measurement, and security technologies to understand usage patterns, deliver and measure ads, personalize content, and protect our Sites. These may include analytics platforms, advertising networks, customer data platforms, tag managers, session-replay tools, and similar services. The specific providers we use may change over time, and you can view or manage your preferences through our Cookie Preferences tool.

   • Analytics: Google Analytics 4 (GA4), Adobe Analytics (if deployed), Hotjar, FullStory, Crazy Egg, Dynatrace, New Relic.
   • Advertising/Measurement: Google Ads/Marketing Platform, Meta (Facebook/Instagram) Pixel, LinkedIn Insight Tag, Microsoft Advertising (UET), Pinterest Tag, Reddit Pixel, X (Twitter) Pixel.
   • Tagging/CDP/CMP: Google Tag Manager, Tealium, Segment, IAB TCF‑compatible CMP (when applicable).
   • Security/Fraud: Google reCAPTCHA on certain forms.

6. Your Choices and Controls

   • Consent choices via CMP: You can accept, reject, or fine‑tune non‑essential categories at any time.
   • Global signals: We honor GPC and, where applicable, recognized Universal Opt‑Out Mechanisms (UOOM).
   • State opt‑outs: Use our “Do Not Sell or Share My Personal Information” link to opt‑out of CCBA and certain data disclosures.
   • Browser controls: You can set your browser to block or delete Cookies; doing so may affect functionality.
   • Mobile ad choices: Use device settings and DAA/NAI tools to limit interest‑based ads.

7. Session‑Replay and Interaction Analytics

   We configure session‑replay tools to avoid capturing sensitive fields (e.g., masking keystrokes in form inputs) and gate them behind consent where required. These providers act as Service Providers/Processors under contract and are restricted to our purposes.

8. Google reCAPTCHA

   Certain forms are protected by Google reCAPTCHA for security and fraud prevention. Google’s Privacy Policy and Terms apply. This functionality may set Cookies that are categorized as strictly necessary for security.

9. Cookie Duration & Retention

   Cookie lifespans vary. We set reasonable retention aligned to purpose and legal requirements.

10. Detailed Cookie Table (This table is illustrative;  actual vendors and technologies may change.  Please refer to our Cookie Preferences for the most current information.)

Appendix A – Data Collection Categories

Category	Provider	Purpose	Example Technologies / Tags	Opt‑Out/Info Links
Strictly Necessary	HMA (first‑party)	Load balancing, session state, consent log (CMP)	server_session_id; cmp_consents	N/A
Strictly Necessary	Google reCAPTCHA	Bot detection and abuse prevention on forms	reCAPTCHA cookies	https://policies.google.com/terms | https://policies.google.com/privacy
Functional	HMA (first‑party)	Remember preferences (e.g., region/language)	pref_lang; site_variant	N/A
Analytics	Google Analytics 4	Traffic measurement; performance analytics (IP not stored by GA4)	gtag.js/GA4 measurement ID	https://tools.google.com/dlpage/gaoptout
Analytics	Hotjar / FullStory (if used)	UX diagnostics and session‑replay (configured to mask sensitive fields)	hjid; fs_uid	https://www.hotjar.com/policies/do-not-track/ | https://www.fullstory.com/optout/
Advertising & Measurement	Google Ads / GMP	Ad delivery, remarketing, conversion measurement	gclid; ads/ga‑audiences	https://adssettings.google.com | https://youradchoices.com/control
Advertising & Measurement	LinkedIn	Lead gen, audience creation, conversion measurement	li_fat_id; LinkedIn Insight Tag	https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Advertising & Measurement	Meta (Facebook/Instagram)	Audience targeting and measurement	_fbp; Meta Pixel	https://www.facebook.com/help/568137493302217
Advertising & Measurement	Microsoft Advertising (UET)	Conversion measurement and remarketing	MUID; _uetsid	https://about.ads.microsoft.com/en-us/resources/policies/personalized-ads

11. Changes to this Cookie Policy

    We may update this Cookie Policy to reflect changes in law or our practices. When we make material changes, we will update the “Last updated” date and, where required, provide additional notice.

Appendix

Category of Personal Information	Examples	Sources	Business / Commercial Purposes	Sold / Shared for CCBA?
Identifiers	Name, email, phone, IP address, cookie/advertising IDs	You; your org; cookies/pixels; partners	Account/subscription management; respond to inquiries; events; marketing & analytics; security/fraud	May Sell/Share for cross‑context behavioral advertising; opt‑out available; GPC honored
Professional/Employment	Employer, title, practice area interests	You; conferences; public sources	B2B marketing; client development; events	May Share for marketing analytics; opt‑out available
Internet/Network Activity	Pages viewed; referring URLs; device/browser; session‑replay telemetry	Cookies/pixels, analytics, CMP	Site operations; performance; product research; personalization; advertising measurement	May Sell/Share for analytics/ads; opt‑out available; GPC honored
Geolocation (approx.)	City/region derived from IP	Analytics	Content localization; security	Share for analytics; opt‑out available
Inferences	Preferences/segments	Derived from usage & third‑party enrichment	Personalization; marketing	Share; opt‑out available
Sensitive PI (limited)	Diversity data if voluntarily provided for recruiting; account MFA secrets	You	Compliance; recruiting; security	No Sale/Share