CCPA Employee Privacy Policy

EFFECTIVE DATE: April 29, 2026

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (collectively, the "CCPA"), gives California residents certain rights and requires businesses to make certain disclosures regarding their collection, use, and disclosure of Personal Information. This CCPA Employee Privacy Policy (the "Employee Policy") provides such notice to So Good Brand, Inc. (collectively, "So Good So You," "we," "us," or "our") California employees and independent contractors, their family members and beneficiaries, and other individuals who interact with So Good So You in an employment-related capacity (collectively, "Employees").

Please note that this Employee Policy only addresses So Good So You's collection, use, and disclosure of employment-related Personal Information and only applies to residents of California. This Employee Policy does not apply to individuals who are residents of other U.S. states or other countries and/or who do not interact with So Good So You as an Employee. For further details about our privacy practices pertaining to non-Employee Personal Information, please see our Privacy Policy.

I. DEFINITIONS

  • "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Employee or household. Personal Information includes the sensitive personal information described in this Employee Policy. It does not include deidentified or aggregate information, public information lawfully available from governmental records, or other information that falls outside of the scope of the CCPA.
  • "Vendor" means a service provider, vendor, contractor, or processor which collects, stores, or otherwise handles Personal Information for us and is bound by certain contractual obligations consistent with applicable laws.
  • "Third Party" means a person or organization which is not an Employee, Vendor, or an entity owned or controlled by us.

II. EMPLOYEE PERSONAL INFORMATION WE COLLECT

We collect and have collected in the past 12 months the following categories of Personal Information about Employees:

  1. Identifiers, such as name, alias, postal address, unique personal identifier, online identifiers, Internet Protocol address, email address, account name, signatures, physical characteristics or description, photographs, telephone number, or other similar identifiers.
  2. Financial Information, including bank account number, credit card number, debit card number, or any other financial information that does not allow access or withdrawal of funds.
  3. Insurance Information, including insurance policy number or health insurance information.
  4. Characteristics of Protected Classifications under state or federal law, such as age, gender, and marital status.
  5. Audio, Electronic, Visual and Similar Information, such as call and video recordings.
  6. Professional or Employment-Related Information, such as information on your résumé and cover letter; details of qualifications; skills; certifications; credentials; positions and roles you are or may be interested in; work authorizations, status, visa, or other immigration information; and employment history, including references from previous employers.
  7. Education Information, such as education history, degrees, diplomas, certifications, and institutions.
  8. Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  9. Sensitive Personal Information, including:
    1. Personal Information that reveals:
      1. Social security, driver's license, state identification card, or passport number;
      2. Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;
      3. Precise geolocation;
      4. Racial or ethnic origin, religious or philosophical beliefs, or union membership;
      5. Contents of an Employee's email and text messages, unless the business is the intended recipient thereof; or
    2. Biometric data processed for the purpose of uniquely identifying an Employee;
    3. Personal Information Collected and analyzed concerning an Employee's health; and
    4. Personal Information Collected and analyzed concerning an Employee's sex life or sexual orientation.

III. PURPOSES FOR COLLECTING, PROCESSING, & DISCLOSING EMPLOYEE PERSONAL INFORMATION

We collect, process, and disclose, and we have collected, processed, and disclosed in the past 12 months, the categories of Personal Information listed in Section II of this Employee Policy for the following purposes:

  • Manage your Employee relationship with us;
  • Manage and provide compensation, payroll, tax, benefits and benefits planning, enrollment, and administration;
  • Manage our workforce and its performance, including personnel planning, productivity monitoring, and evaluation;
  • Provide you access to So Good So You systems, networks, databases, equipment, and facilities;
  • Manage workforce development, education, training, and certification;
  • Monitor, maintain, and secure So Good So You's systems, networks, databases, equipment, and facilities;
  • Authenticate your identity and verify your access permissions;
  • Arrange, confirm, and monitor work-related travel, events, meetings, and other activities;
  • Assess your working capacity or the diagnosis, treatment, or care of a condition impacting your fitness for work, and other preventative or occupational medicine purposes (including work-related injury and illness reporting);
  • Contact and communicate with you regarding your employment, job performance, compensation, and benefits, or in the event of a natural disaster or other emergency;
  • Contact and communicate with your designated emergency contact(s) in the event of an emergency, illness, or absence;
  • Contact and communicate with your dependents and designated beneficiaries in the event of an emergency or in connection with your benefits;
  • Comply with laws and regulations, including (without limitation) applicable tax, health and safety, anti-discrimination, immigration, labor and employment, and social welfare laws;
  • Monitor, investigate, and enforce compliance with and potential breaches of So Good So You policies and procedures and legal and regulatory requirements;
  • Comply with civil, criminal, judicial, or regulatory inquiries, investigations, subpoenas, or summons; and
  • Exercise or defend the legal rights of So Good So You and its employees, affiliates, customers, contractors, and agents.

Purposes for Processing and Disclosing Employee Sensitive Personal Information

We, and our Vendors, collect, process, and disclose the categories of Sensitive Personal Information described in this Employee Policy only as reasonably necessary for:

  • Performing the services or providing the goods reasonably expected by an average Employee who requests those goods or services (including offering benefits to Employees and their beneficiaries);
  • Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information;
  • Resisting malicious, deceptive, fraudulent, or illegal actions directed at us and prosecuting those responsible for those actions;
  • Ensuring the physical safety of natural persons;
  • Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of an Employee's current interaction with us, provided that we will not disclose the Employee's Personal Information to a third party and/or not build a profile about the Employee or otherwise alter the Employee's experience outside the current interaction with us;
  • Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf;
  • Verifying or maintaining the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us; and
  • Collecting or processing Sensitive Personal Information where such collection or processing is not for the purpose of inferring characteristics about an Employee.

We may also deidentify any Personal Information we collect about you. When we do so, we take reasonable measures to ensure that the information cannot be associated with an Employee or household, and we maintain and use the information in deidentified form. We will not attempt to reidentify the information, except that we may attempt to reidentify the information solely for the purpose of determining whether our deidentification processes satisfy applicable legal requirements. After it has been deidentified, the information is no longer Personal Information and is not subject to this Employee Policy.

We may also process Personal Information via use of automated technologies, including artificial intelligence, for the purposes listed above. To the extent permitted by applicable law, we may also use Personal Information we collect to train automated technologies we use for the above purposes. However, we do not process Personal Information using automated decision making technologies to make significant decisions concerning Employees.

IV. RETENTION OF EMPLOYEE PERSONAL INFORMATION

We retain each of the above-listed categories of your Personal Information for the duration of your Employee relationship with us. We may also retain your Personal Information for longer if it is necessary for legitimate business purposes, including to satisfy legal or reporting obligations, resolve disputes, improve our services or maintain security, comply with regulatory requirements, or as permitted or required by applicable law. When we no longer need to retain Personal Information for the above purposes, we will either delete the Personal Information or deidentify it so that it no longer constitutes Personal Information.

V. SALE & SHARING OF PERSONAL INFORMATION

We generally do not Sell or Share Personal Information that we collect about Employees. Subject to some exceptions, a "Sale" is the disclosure of Personal Information to a third party for monetary or other valuable consideration, and a "Share" is the disclosure of Personal Information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

However, we do Sell and Share, and we have Sold and Shared in the past 12 months, Personal Information we collect from consumers in other contexts. This includes Personal Information collected via cookies and other tracking technologies, including identifiers, such as IP addresses and other device identifiers, internet or other electronic network activity information, and inferences to Third Party marketing and analytics providers for advertising and marketing, including interest-based marketing, and analytics purposes. We Sell and Share these categories of Personal Information to improve the content, functionality and usability of our websites and other online services; to advertise and market our products and services; to improve our website and other online services and our marketing and promotional efforts; and to better understand your needs and interests, and for analytics purposes. We do not otherwise "Sell" or "Share" other types of Personal Information we may collect about Employee outside the cookie and online tracking technology context.

California Employees have the right to opt-out of the Sale and Sharing of their Personal Information and can submit a request to opt out by clicking the "Your Privacy Choices" link in the footer of our website and clicking "Reject All" to opt out of non-strictly necessary Cookies.

Additionally, we do not have actual knowledge that we Sell or Share Personal Information of consumers who are under 16 years of age.

VI. HOW WE DISCLOSE EMPLOYEE PERSONAL INFORMATION

We disclose, and have disclosed in the past 12 months, the categories of Personal Information listed in Section II of this Employee Policy in the following contexts:

  • To our Affiliates. We may disclose Personal Information we collect to our affiliates for the purposes listed in Section III of this Employee Policy.
  • To our Vendors. So Good So You discloses the Personal Information we collect to our Vendors who act on our behalf. For example, we use Vendors to provide us with benefits and wellness services, website services, as well as other products and services, such as web hosting, data analysis, customer service, infrastructure services, technology services, email delivery services, tax, financial, and legal services, and other similar services. These Vendors may need Personal Information about you to perform their obligations. We contractually require our Vendors to keep the Personal Information they process on our behalf confidential and to use it only to provide services on our behalf.
  • To Marketing and Analytics Providers. We may disclose Personal Information we collect via our website and other online services to Third Parties for marketing and analytics purposes. This primarily includes disclosure of IP address and related web browsing information via cookies and similar tracking technologies.
  • As Described in a Privacy Notice or With Your Consent. We may disclose Personal Information as described in any privacy notice we provide to you, or with your consent if we obtain it from you in a particular context.
  • In Aggregate or Deidentified Form. We may aggregate or deidentify the Personal Information we collect, and we may disclose aggregated and/or deidentified information to our Vendors, and to Third Parties for our business operational purposes and for any other purposes permitted by applicable law.

We may also disclose Personal Information in the following contexts:

  • As Part of a Business Transfer. We may disclose Personal Information to a successor organization if, for example, we transfer the ownership or operation of all or a portion of So Good So You to another organization, we merge with or are acquired by another organization, or if we liquidate our assets. If such a transfer occurs, we will seek assurances that the successor organization will treat the Personal Information we disclose to it in accordance with this Employee Policy.
  • To Comply with Laws and Protect Our Rights and the Rights of Others. We may disclose Personal Information when we, in good faith, believe disclosure is appropriate to comply with the law, a court order, or a subpoena. We may also disclose Personal Information to prevent or investigate a possible crime, such as fraud or identity theft; to protect the security of So Good So You; to enforce or apply our other agreements; or to protect our own rights or property or the rights, property, or safety of our users or others.

VII. SOURCES OF EMPLOYEE PERSONAL INFORMATION

We collect Personal Information directly from all Employees, including Personal Information about Employees' beneficiaries or dependents, and passively via cookies and other tracking technologies when Employees use our websites and other online services. We also collect Personal Information from joint marketing partners, public databases, providers of demographic data, publications, professional organizations, educational institutions, social media platforms, prior employers and references, Vendors, and Third Parties that help us screen and onboard individuals for hiring purposes, and Vendors and Third Parties when they disclose information to us.

VIII. HOW WE PROTECT YOUR PERSONAL INFORMATION

The security of your Personal Information is important to us, and we use technical, contractual, administrative, and physical security measures to protect the Personal Information we collect. We instruct our employees to comply with privacy laws and with this Employee Policy. We strive to regularly improve the security of Personal Information that you may provide to us, but please note that there is no method of transmitting or storing data that is 100% secure. We therefore cannot ensure that your Personal Information will not be disclosed, misused, or lost by accident or by the unauthorized acts of others.

IX. YOUR PRIVACY RIGHTS

As a California Employee, you have the following rights regarding our collection and use of your Personal Information, subject to certain exceptions.

Rights that Require Verification

California Employees may submit a request to exercise their rights to know, delete, correct, and access specific pieces of Personal Information by calling (612) 259-7245, or by clicking here, selecting "General Questions/Comments" from the drop down list, and filling out the contact form. You may also authorize an agent to make data subject requests on your behalf. In such instances, authorized agents may use the same methods as you to submit the requests on your behalf. To verify your identity and protect your Personal Information, we may ask the requestor to provide information that will enable us to verify your identity in order to comply with your data subject request, such as asking your agent to provide proof of signed permission from you, or we may ask you to confirm with us directly that you provided the agent with permission to submit the request. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.

  • Right to Know: You may request that we provide you with the following information about how we have handled your Personal Information:
    • The categories of Personal Information we have collected about you;
    • The categories of sources from which such Personal Information was collected;
    • The business or commercial purpose for collecting, Selling or Sharing Personal Information about you;
    • The categories of Personal Information about you that we disclosed and the categories of Third Parties to whom we disclosed such Personal Information; and
    • The categories of Personal Information about you that we Sold or Shared, and the categories of Third Parties to whom we Sold or Shared such Personal Information.
  • Right to Delete: You may request that we delete any Personal Information about you that we collected from you.
  • Right to Correct: You may request that we correct any inaccurate Personal Information we maintain about you.
  • Right to Access Specific Pieces of Personal Information: You may ask to obtain the specific pieces of Personal Information we have collected about you. You may not exercise this right more than two times in a calendar year.

Rights that Do Not Require Verification.

You may exercise these rights through the "Your Privacy Choices" link below or at the footer of every page on our website. The "Your Privacy Choices" link will open our Cookie Preference Center, and you can then click "Reject All" to opt out of Sale and Sharing of Personal Information.

  • Right to Opt-Out of Sale and Sales: You have the right to opt out of the Sale and Sharing for cross context behavioral advertising purposes of your Personal Information.
  • Right to Limit the Use of Your Sensitive Personal Information: We do not use Sensitive Personal Information that we collect about Employees for purposes other than those that are permitted by the CCPA regulations. But if we did, you would have the right to limit the use of your Sensitive Personal Information to the purposes permitted by the CCPA.
  • Opt-Out Preference Signals. Some web browsers or devices offer settings where you may pre-set a signal to websites that you do not want to have your online activity and behavior tracked, Sold, Shared, or otherwise used for targeted advertising purposes. We recognize the opt-out preference signals that we are required to recognize for compliance with applicable law. Where required by the CCPA, we treat the opt-out preference signals we are required to comply with as a valid request to opt-out of Sale and Sharing for the browser or device through which the signal is sent and any consumer profile we have associated with that browser or device, including pseudonymous profiles. Further, if we know the identity of the consumer from the opt-out preference signal, we will also treat the opt-out preference signal as a valid request to opt out of Sale and Sharing for such consumer. Consumers may use opt-out preference signals by downloading or otherwise activating them for use on supported browsers and setting them to send opt-out preference signals to websites they visit. Please note, however, that our sites are not currently configured to recognize the "Do Not Track" signal, which is separate from the opt-out preference signals described above.
  • Non-Retaliation. We will not retaliate against you for exercising your data subject rights. For example, we will not make hiring, firing, promotional, or disciplinary decisions, or otherwise retaliate against you, as a result of you exercising your data subject rights.

X. OTHER DISCLOSURES

  • Financial Incentives. We do not provide financial incentives to California Employees who allow us to collect, retain, Sell, or Share their Personal Information. We will describe such programs to you if and when we offer them to you.

XI. CHANGES TO THIS EMPLOYEE POLICY

So Good Brand, Inc. reviews its privacy practices from time to time, which are subject to change, and we may periodically update this Employee Policy. We ask that you periodically review this page to remain familiar with the most current version of our Employee Policy. Information collected after the posted effective date will be treated in accordance with the then most current Employee Policy. When this Employee Policy changes, we will update the "Effective Date" at the top of the Employee Policy. If required by applicable law, we will provide you with additional notice if we make a material change to the Employee Policy, for example, by sending you an email or posting a banner on our page.

XII. CONTACT US

More information about our general privacy practices can be found in our Privacy Policy. If you have any questions about this Employee Policy or our privacy practices, please contact us at privacy@sogoodsoyou.com

So Good Brand, Inc
500 Kasota Ave SE
Minneapolis, MN 55414-2811
Attn: Privacy Policy