PRIVACY NOTICE

PURSUANT TO THE COLORADO PRIVACY ACT

Effective 7/1/2023

This Colorado privacy notice (“Notice”) pursuant to the Colorado Privacy Act, Colorado Revised Statutes § 6-1-1301 et seq., (“CPA”), supplements the information contained in the Privacy Policy of Rausch Sturm LLP (“Rausch Sturm,” “we,” “us,” or “our”), and applies solely to visitors, users, and others who reside in the State of Colorado (“consumers” or “you”). Rausch Sturm is a debt collector. This Notice applies to both our online and offline practices. We adopt this Notice to comply with the CPA. Any terms defined in the CPA have the same meaning when used in this Notice. For questions concerning this Notice or to obtain a copy of this Notice in an alternative format or in Spanish, please call us at 855-517-6279.

A. Consumer Rights

The CPA provide consumers with specific rights regarding their personal data. This section describes your rights.

1. Right to opt out:

   You have the right to opt out of the processing of personal data concerning you for purposes of:

   1. Targeted advertising;
   2. The sale of personal data; or
   3. Profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

   You may authorize another person, acting on your behalf, to opt out of the processing of your personal data for one or more of the purposes specified above. We will comply with any opt-out request received from a person authorized by you to act on your behalf if we are able to authenticate with commercially reasonable effort, the identity of you and the authorized agent’s authority to act on your behalf.

   We will not sell your personal data. Nor will we process your personal data for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. If in the future, we anticipate selling your personal data or processing your personal data for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects, we will provide you with the opt-out rights pursuant to the CPA.

2. Right of Access

   You have the right to confirm whether we are processing personal data concerning you and to access your personal data.

3. Right to Correction:

   You have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of your personal data.

4. Right to Deletion:

   You have the right to delete personal data concerning you.

5. Right to Data Portability:

   When exercising the right to access personal data, you have the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance. You may exercise this right no more than two times per calendar year. We are not required to provide data to you in a manner that would disclose our trade secrets.

B. Our Duties

The CPA provides controllers with specific duties regarding personal data. This section describes our duties in connection with our role as a controller.

1. Duty of Transparency: We must provide you with the following information.
   1. Categories of personal data collected or processed by us:
      • Personal identifying information, like name, address and account number, as well as other identifying information, which we obtain from the consumer’s creditor, credit reports and other skip trace tools, and the consumer;
      • Characteristics such as age, gender, etc., which we obtain from the consumer’s creditor and consumer’s credit report;
      • Retail information, which we obtain from the consumer’s creditor and the consumer’s credit report;
      • Commercial information, including records of personal property;
      • Internet activity regarding online payments and account updates, which we collect if the consumer visits our website or payment portal;
      • Geolocation data, which we obtain from process servers;
      • Recordings, which are made when the consumer has a telephone conversation with us;
      • Professional and employment related information, which we obtain from the consumer’s creditor, credit reporting agencies, the consumer, and other skip trace sources; and
      • Educational information, which we obtain from the consumer’s creditor, credit reporting agencies, the consumer, and other skip trace sources.
   2. Purposes for which the categories of personal data are processed:
      1. Helping to ensure security and integrity to the extent the use of personal data is reasonably necessary and proportionate for these purposes;
      2. Debugging to identify and repair errors that impair existing intended functionality;
      3. Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of consumer’s current interaction with the business, provided that the consumer’s personal data is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with us.
      4. Performing services on our behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
      5. Undertaking internal research for technological development and demonstration.
      6. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufacture for, or controlled by the business.
      7. Other business or business operational purposes as follows:
         • Debt collection.
         • To fulfill or meet the reason for which the information is provided. For example, if you provide us with personal data in order for us to process a payment, we will use that information to process said payment.
         • To provide you with information or services that you request from us.
         • To provide you with email or text alerts and other notices concerning our services.
         • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for collections.
         • To carry out our obligations and enforce our rights arising from any contracts entered into between you and our clients, including for collections.
         • To improve our website and present its contents to you.
         • For testing, research, analysis and service development.
         • As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
         • To respond to law enforcement requests and as required by applicable law, court order, governmental regulations, or comply with a court order or subpoena to provide information.
         • As described to you when collecting your personal data or as otherwise set forth in the Colorado collection laws.
   3. How and where you may exercise your rights
      • Submission: To exercise the access, deletion, or correction rights described above, please submit a verifiable consumer request to us by either:
        • Calling us at 855-517-6279
        • Submitting the submission form located at: Colorado Privacy Request
      • Appeal: To exercise your right to appeal our response to your submission, please submit a verifiable consumer appeal to us by either:
        • Calling us at 855-517-6279
        • Submitting the submission form located at: Colorado Privacy Request
      • Verification: We will use commercially reasonable methods for authenticating the identity of the person submitting a request to exercise rights. These methods will take into consideration the right exercised, sensitivity, value and volume of personal data involved, the level of possible harm that improper access or use could cause to you and the cost of authentication. If we cannot verify the request, we will inform you and may request additional information to verify the request.
      • You may authorize another person, acting on your behalf, to exercise your rights as specified herein. We will comply with any opt-out request received from a person authorized by you to act on your behalf if we are able to authenticate with commercially reasonable effort, the identity of you and the authorized agent’s authority to act on your behalf.
   4. Categories of personal data that we share with third parties:
      • Personal identifying information
      • Characteristic information
      • Retail information
      • Professional or employment related information
   5. Categories of third parties with whom we share personal data:
      • Service providers and contractors.
      • Third parties to whom you or your agents authorize us to disclose your personal data in connection with products or services we provide to you.
2. Duty of Purpose Specification: The express purposes for which personal data are collected and processed are those set forth above in B(1)(ii).
3. Duty of Data Minimization: Our collection of personal data is adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.
4. Duty to Avoid Secondary Use: We will not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes unless we obtain consumer consent.
5. Duty of Care: We will take reasonable measures, as appropriate to volume, scope and nature of the personal data and our business, to secure personal data during both the storage and use of personal data.
6. Duty to Avoid Unlawful Discrimination: We will not process personal data in violation of state or federal laws regarding discrimination.
7. Duty Regarding Sensitive Data: We will not process your sensitive data without first obtaining your consent.
8. Professional and employment related information, which we obtain from the consumer’s creditor, credit reporting agencies, the consumer, and other skip trace sources; and
9. Educational information, which we obtain from the consumer’s creditor, credit reporting agencies, the consumer, and other skip trace sources.

C. Limitations

The above rights and duties may be limited if any of the following apply:

1. We are both a controller and a processor as those terms are defined by the CPA. A processor that is a business shall comply with the CPA with regard to any personal data that it collects or maintains outside of its role as a processor. Most of the personal data that we collect or maintain is done in context of our role as a processor. If we deny your verified request pursuant to this notice because all of the information collected or maintained about you has been pursuant to our role as a processor, we will provide you with the contact information of the business on whose behalf we collect or maintain the information.
2. The CPA does not apply to:
   • Protected health information that is collected, stored, and processed by a covered entity or its business associates:
   • Health-care information that is governed by part 8 of article 1 of title 25 solely for the purpose of access to medical records;
   • Patient identifying information that are governed by and collected and processed pursuant to 42 CFR 2;
   • Information and documents created by a covered entity for purposes of complying with HIPAA and its implementing regulations;
   • Information that is:
     • De-identified in accordance with the requirements for de-identification set forth in 45 CFR 164; and
     • Derived from any health-care-related information above
   • With certain exceptions and only to the extent that the activity is regulated by and used as authorized by the Fair Credit Reporting Act, an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by:
     • A consumer reporting agency;
     • A furnisher of information that provides information for use in a consumer report; or
     • A user of a consumer report.
   • Personal data:
     • Collected and maintained for purposes of article 22 of title 10;
     • Collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act if the collection, processing, sale or disclosure is in compliance with that law.
   • Data maintained for employment records purposes;
   • Information used and disclosed in compliance with 45 CFR 164.512; or
   • A financial institution or an affiliate of a financial institution as defined by and that is subject to the Gramm-Leach-Bliley Act.
3. Compliance would restrict our ability to:
   • Comply with federal, state or local laws, rules or regulations;
   • Comply with a civil, criminal or regulatory inquiry, investigation, subpoena, or summons by federal, state, local or other governmental authorities;
   • Cooperate with law enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate federal, state or local law;
   • Investigate, exercise, prepare for, or defend actual or anticipated legal claims;
   • Conduct internal research to improve, repair, or develop products, services or technology;
   • Identify and repair technical errors that impair existing or intended functionality;
   • Perform internal operations that are reasonably aligned with your expectations based on our existing relationship;
   • Provide a product or service specifically requested by you, perform a contract to which you are a party or take steps at your request prior to entering into a contract;
   • Protect the vital interests of you or another individual;
   • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
   • Process personal data for reasons of public interest in are of public health, pursuant to certain restrictions; or
   • Assist another person with any of the above
4. Compliance would violate an evidentiary privilege under Colorado law;
5. Compliance would prevent us from providing personal data concerning you to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication;
6. The information is made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law;
7. The processing of personal data is in the course of a purely personal or household activity;
8. We are unable to authenticate a request made under the CPA using commercially reasonable efforts;
9. Compliance would require us to do any of the following solely for purposes of complying with the CPA:
   • Reidentify de-identified data;
   • Comply with an authenticated consumer request to access, correct, delete or provide personal data in a portable format if all of the following are true:
     • We are not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for us to associate the request with the personal data;
     • We do not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and
     • We do not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer.
   • Maintain data in identifiable form or collect, obtain, retain, or access any data or technology in order to enable the controller to associate an authenticated consumer request with personal data.
10. The information is Pseudonymous data and if the information necessary to identify the consumer is kept separately and is subject to effective technical and organization controls that prevent us from accessing the information.

D. Changes To Our Privacy Notice

This Notice was last updated on 01-01-2024. We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will notify you by updating the “last updated” date on this notice.

This communication is from a debt collector.