TerrAscend - Privacy Policy

Effective Date: January 11, 2024

TerrAscend and its subsidiaries and affiliates (“TerrAscend”, “We” or “Us”) respect your privacy and recognize your desire to safeguard your information. This Privacy Policy describes our practices in connection with information that we may collect about you through your interactions with us in our stores, on our websites and on our mobile applications (collectively, the “Services”). Section 11, titled “Your California Privacy Rights,” describes our practices with respect to the information we collect, online and offline, from California residents.

1. Privacy Policy Scope

If you have any questions or concerns about this Privacy Policy, how we collect and use your personal information, or questions about which policy applies to information you have provided, please do not hesitate to contact us at privacy@terrascend.com.

We may change this Privacy Policy. The “Effective Date” at the top of this page shows when it was last revised. Any changes take effect when we post the revised Privacy Policy on our website.

We designed our Services for users from the United States and we control and operate the Services from the United States.

2. Personal Information We Collect

We want you to know how we collect and use your personal information.
Some examples of the personal information we may collect about you include:

- Contact information including your name, mailing address, email address, and telephone number
- Your password, if you create an account
- Demographic information such as your age and date of birth, sex and/or gender, race and/or ethnicity
- Language preferences
- Enrollment in programs, your use of coupons or other offers
- Transaction information such as purchase history or returns
- Use of certain store services such as if you arrange to have your order delivered to your home
- Your interactions with our websites or mobile sites, mobile apps, Wi-Fi and other online services, such as how you use our Services including search terms, pages you visit on our website and our mobile applications
- Information about the apps, browsers and devices you use to access our Services including your computer’s IP address and/or mobile device information (e.g., device model, operating system version, unique device identifiers, mobile network information)
- Views and interactions with emails, communications, content and ads
- Driver’s license number or other government issued identification information
- Geolocation information and in-store location
- Images you provide to us (e.g., when you upload photos) or that are viewed or recorded on an in-store security camera
- Health information you provide us based on your participation with certain programs
- Biometric information which may include voice recognition information, facial scans, and/or other similar biometric identifiers
- Professional or employment-related information, such as whether you are a TerrAscend employee
- Other information you provide to us

If you choose not to provide your personal information to us in connection with the Services, we may not be able to provide you with certain products, services or information.

We may also combine information that does not personally identify you with personal information.
If we do, we will treat the combined information as personal information for as long as it stays combined.

Please note that personal information collected as described in this Privacy Policy may be used and disclosed in a de-identified format. Personal information is no longer within the scope of this Privacy Policy once it has been de-identified. Unless you take some action to re-identify your de-identified information, we will not attempt to re-identify this information so that it may be associated with you.

3. Sources We Collect Personal Information From

We collect the personal information described above from the following sources.

Directly from you. We collect personal information directly from you when you interact with us through our Services and automatically when you visit our websites and mobile applications.

From subsidiaries and affiliates. We collect personal information from our subsidiaries and affiliates you interact with as permitted by applicable law.

From other sources. We may also collect information about you from other sources to help us correct or supplement our records, improve the quality or personalization of our services to you, and prevent or detect fraud.

4. How We Use Personal Information

We use your personal information to provide you with the Services and products you purchase from us as well as to provide customer service to you. Additionally, we may use the personal information we collect about you for the purposes listed below.

To communicate with you. We use your personal information to respond to your requests and otherwise communicate with you about your orders or accounts. For instance, we may use your personal information to fulfill your order, contact you with information about your order, send you email alerts, send you newsletters, and to provide you with related customer service. We may use your personal information to send marketing communications and administrative information.
This may include push notifications in our mobile applications.

To manage your accounts and orders. We use personal information to manage your accounts, orders, billing, and improve reorder experiences.

To enhance your experience. We may use your personal information to personalize your experience shopping and interacting with us. We may present products and offers tailored to your interests.

For our internal business purposes. We may use your personal information for our internal business purposes, such as training, data analysis, audits, fraud monitoring and prevention. We may also use it for developing our Services and new products and services, to assess the effectiveness of our campaigns, and to operate and expand our business activities.

To administer our loyalty program. As further described below in Section 11, we use personal information to administer our loyalty program.

Business transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.

To protect our legal rights and prevent misuse. To protect the Services and our business operations; to prevent and detect fraud, unauthorized activities and access, and other misuse; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our terms and conditions or this Privacy Policy.

For recruiting and employment purposes.
To process your application; to evaluate you for current and future employment opportunities, based on your skills, qualifications, and interests; to communicate with you and inform you of employment opportunities; to fulfill our legal obligations; to conduct continued evaluation of background checks; to improve our recruitment and hiring process, including performing analysis of our applicant pool; to carry out internal record keeping; to carry out equal opportunities monitoring; to conduct investigations related to company policies.

Other permissible uses. We also may use personal information in other ways, for which we provide specific notice at the time of collection.

5. How We Disclose Personal Information

We may disclose personal information described above to the following parties:

Vendors. We may disclose Personal Information we collect to our service providers or agents who perform functions on our behalf. These may include, for example, IT service providers, help desk, payment processors, analytics providers, consultants, auditors, and legal counsel.

Subsidiaries and affiliates. We may disclose personal information we collect to our subsidiaries or affiliates.

Government or public authorities. We may disclose personal information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our Services, (d) to protect the property, rights, and safety of TerrAscend, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.
We may disclose personal information for the following purposes:

To provide information to our service providers and contractors. We may disclose personal information to our service providers. They provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and infrastructure, customer service, email delivery, auditing and other services.

In connection with a sale or transfer of business assets. We may disclose or transfer your personal information to other parties if some or all of our business, assets or stock are sold, transferred or used as security. This includes in connection with any bankruptcy or similar proceeding.

To respond to law enforcement officials or enforce our rights. We may disclose your personal information only as permitted or if required to do so by law enforcement officials or other government authorities. We disclose personal information in matters involving claims of personal or public safety, or in litigation. This may include disclosure of your personal information to allow us to pursue remedies or to limit the damages we may sustain. We may also use or disclose your information to enforce our terms and conditions, to protect our operations or those of any of our affiliates, to prevent misuse of our Services, or to protect our rights, privacy, safety or property and/or that of our affiliates, you or others.

To maintain and enhance the safety and security of our Services. We may disclose personal information to detect, prevent and address issues involving our Services, including security breaches.

6. Security

We use reasonable physical, technical and administrative safeguards. Please be aware that despite our efforts, no data security measures can guarantee security. You should take steps to ensure your personal information is protected like using passwords that would be difficult to guess, not using the same password for multiple accounts and periodically changing your password.
7. Cookies and Other Technologies

Information We Collect Automatically

When you interact with our website, we can obtain certain information by automated means (collectively, “Online User Activity”) through cookies, web server logs, web beacons and other similar technologies implemented on our website and mobile app. A “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and may be used to transmit information collected through cookies back to a web server.

We may use these automated technologies to collect information about your device (e.g., computer, mobile phone), browsing actions, and usage patterns. The information we obtain in this manner may include your device IP address, identifiers associated with your devices, types of devices connected to our services, web browser characteristics, device characteristics, language preferences, referring/exit pages, clickstream data, and dates and times of website visits.

These technologies help us (1) remember your information so you will not have to re-enter it; (2) track and understand how you use and interact with our products and services; (3) tailor our website around your preferences; (4) measure the usability of our website and the effectiveness of our communications; (5) provide customer support; and (6) otherwise manage and enhance our website.

Your browser may be configured to alert you when receiving certain types of cookies or enable you to restrict or disable certain types of cookies. You can find out how to do this for your particular browser by clicking “help” on your browser’s menu or visiting www.allaboutcookies.org.
For mobile devices, you can manage how your device and browser share certain device data by adjusting the privacy and security settings on your device. Our website is not designed to respond to “do not track” signals received from browsers. Please note that without cookies you may not be able to use or benefit from all of the functionality or features on our website.

Third-Party Web Analytics Services

We use third-party web analytics services on our website, such as Google Analytics. The service providers that administer these services use automated technologies to collect data (such as IP addresses, cookies, and other device identifiers) to evaluate use of our website. To learn more about Google Analytics and how to opt out of their tool entirely, please visit www.google.com/analytics/learn/privacy.html.

8. Your Choices and Access

You can take yourself off our email and SMS list for promotional offers at any time. Just update your notification preferences in your Account Profile. If you opt out of getting promotional emails from us, we may still send you important administrative messages. You cannot opt out of these messages.

You may stop push notices through your mobile device settings. You may be able to allow or deny us to collect your device’s location by using the settings on your mobile device, and/or to avoid the collection of location by beacons by disabling Bluetooth on your mobile device. If you deny such collection, we and our service providers may not be able to offer you certain personalized services and content.

You can stop all further collection of information by the mobile app. All you need to do is uninstall it. If you uninstall the mobile app from your device, the unique identifier associated with your install and/or device may continue to be stored. If you re-install the app on the same device, we might be able to link this identifier to your past activities.

9. Children’s Privacy

Only persons aged eighteen (18) or older have permission to access our Services, subject to any additional legal requirements as may vary from state to state. This includes users accessing our Services on their own behalf or, as permitted under state law, a parent, guardian, or other authorized caretaker accessing our Services on behalf of a minor child permitted to take part in a medical cannabis program.

Our collection of personal information of individuals under age eighteen (18) is limited to situations in which a parent, guardian, or other authorized caregiver acts consistently with state law to provide the personal information of a minor child who is permitted to take part in a medical cannabis program. If we discover that we have collected the personal information of an individual under the age of eighteen (18) in any other situation, we will delete the information from our systems. If you are a parent or guardian and you learn that your minor child has provided us with personal information, please contact us so we can delete the information from our systems.

10. Contact Information

If you have any questions or concerns about the way we collect and use your information or any other questions about the content of this Privacy Policy, contact us by email at privacy@terrascend.com.

11. Your California Privacy Rights

Last Updated: January 11, 2024

This section supplements the Privacy Policy and applies solely to California residents about whom we have collected personal information from any source, including through the use of our website(s), mobile applications or other online services, by buying our products or services, or by communicating with us electronically, in paper correspondence, or in person (collectively, "you").
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), California residents have the right to receive certain disclosures regarding our information practices related to “personal information,” as defined under the CCPA. The terms used in this section have the same meaning given to them in the CCPA.

A. What Personal Information We Collect

We may collect the following categories of personal information (as enumerated in the CCPA) about you. For more information about the personal information we collect, please see Section 2 of our Privacy Policy.

- Identifiers, which may include your name, mailing address, email address, telephone number, and government-issued ID numbers.
- Commercial information, which may include purchase history, returns, exchanges, and enrollment in loyalty programs.
- Information relating to Internet activity or other electronic network activity, which may include your interactions with our websites or mobile sites, mobile apps, Wi-Fi, emails, communications, content and ads.
- Geolocation data, which may include Global Positioning System ("GPS") data or in-store location.
- Audio, electronic or visual information, which may include images you provide to us (e.g., when you upload photos) or that are viewed or recorded on an in-store security camera.
- Professional or employment-related information, such as whether you are a TerrAscend employee.
- Inferences about you, such as head of household or caregiver status.
- Information not listed above and related to characteristics protected under California or federal law, which may include demographic information such as your age or date of birth, gender and/or sex, language preferences.
- Other personal information not listed above and described in California Civil Code § 1798.80(e), which may include payment card information and other financial or health information and other information you provide to us.
We may also collect the following categories of sensitive personal information about you:

- Government identification, such as government issued identification.
- Account log-in information, which may include your account username and password, if you make an account with us.
- Precise geolocation data, if you choose to share with us, to identify the Services nearest or most applicable to you.
- Information concerning your health, if you choose to share with us, which may include your interactions with our employees in our stores.
- Biometric information, which may include voice recognition information, facial scans, and/or other similar biometric identifiers.
- Racial or ethnic origin, such as information that reveals your race or ethnic origin.

B. How Long We Retain Personal Information

We retain personal information only as long as necessary and in alignment with our data retention schedules. Information may be retained to comply with applicable law, adhere to contractual requirements, in anticipation of litigation or a legal matter, or as otherwise necessary and proportionate to provide you with a product or service.

C. What We Do with Personal Information

We may use your personal information for the purposes described above in Section 4 of our Privacy Policy and for the following business and commercial purposes specified in the CCPA:

- Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services.
- Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, auditing compliance.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us.

D. Sources of Collected Information

We may collect personal information about you from these sources:

- Directly from you or your device, including via purchasing goods and services in our stores, your use of our websites and mobile applications, and your communications with us, including by telephone, text message, postal mail, social media, forums, message boards, chatbots, or other means
- Our subsidiaries and affiliates
- Our service providers, including but not limited to, marketing/customer relationship management providers, technology/website hosting providers, analytics providers, and systems administrators/security and fraud investigations providers
- Government entities, regulators and law enforcement

E. What Personal Information We Disclose and Who We Disclose It To

As described above in Section 10(C), we disclose information for business purposes. In the twelve (12) months prior to the date of this Privacy Policy, we disclosed and we may continue to disclose the following categories of information with third parties who are considered “service providers” as defined under the CCPA since we disclose information to them for our business purposes.
| Category | Disclose to: | “Sold” or “Shared” with: |
|---|---|---|
| Identifiers | Service Providers | Not sold or shared |
| Commercial information | Service Providers | Not sold or shared |
| Information relating to Internet activity or other electronic network activity | Service Providers | Not sold or shared |
| Geolocation data | Service Providers | Not sold or shared |
| Audio, electronic, or visual information | Service Providers | Not sold or shared |
| Professional or employment-related information | Service Providers | Not sold or shared |
| Inferences about you | Service Providers | Not sold or shared |
| Other personal information not listed above and described in California Civil Code § 1798.80(e) | Service Providers | Not sold or shared |
| Sensitive personal information | Service Providers | Not sold or shared |
| Information not listed above and related to characteristics protected under California or federal law | Service Providers | Not sold or shared |

We restrict service providers from using personal information for any purpose that is not related to Our engagement.

We do not “sell” or “share” your information with third parties. Under the CCPA, a business “sells” personal information when it discloses personal information to a company for monetary or other benefit. A company may be considered a third party either because personal information is disclosed to the company for something other than an enumerated business purpose under California law, or because its contract does not restrict it from using personal information for purposes unrelated to the service it provides. A business “shares” personal information when it discloses personal information to a company for purposes of cross-context behavioral advertising.

F. Your Privacy Rights

If you are a California resident and we collect, use, or disclose personal information subject to CCPA, you may have the following rights under the CCPA with respect to your personal information.

Right to know/access. With respect to the personal information we have collected about you, you have the right to request from us (up to twice per year and subject to certain exemptions): (i) categories of personal information about you we have collected; (ii) the sources from which we have collected that personal information; (iii) our business or commercial purposes for collecting, selling, or disclosing that personal information; (iv) the categories of third parties to whom we have disclosed that personal information; and (v) a copy of the specific pieces of your personal information we have collected.

Right to delete. Subject to certain conditions and exceptions, you may have the right to ask us to delete certain personal information we have collected from you.

Right to correction. You may have the right to ask us to correct inaccuracies in the personal information we have collected.

Right to opt out of sale/sharing. We do not sell or share your personal information, so we do not have an opt-out.

Limit certain uses and disclosures of sensitive personal information. We do not engage in uses or disclosures of “sensitive personal information” that would trigger the right to limit use or disclosure of sensitive personal information under applicable law.

Right to non-discrimination. We will not discriminate against you if you exercise any of these privacy rights.

G. How to Submit a Request

If you are a California consumer and wish to exercise these rights, you can reach us in one of the ways shown below.

Right to Know / Delete / Correct:

- Fill out this form (https://privacyportal-eu.onetrust.com/webform/4f36df5d-4334-4e98-a869-417b8226058c/4d07a709-7f91-422f-8a08-88384ee3c5b0); or
- Mail a letter with the request to:

  ATTN: CCPA
  2455 Bennett Valley Rd Ste C106
  Santa Rosa, CA 95404

You may also give someone else permission to exercise these rights for you.
To submit a request as an authorized agent on behalf of a consumer, write us at privacy@terrascend.com or mail a letter with the request to 2455 Bennett Valley Rd, Ste C106, Santa Rosa, CA 95404. We will need proof showing you have asked someone else to make a request on your behalf, which may include a Power of Attorney form or other signed document. If we have information on your minor child, you may exercise these rights for them.

H. Verifying Requests

Before we fulfill a request, we may need to verify your identity and ability to exercise these rights. There are also some exclusions and exceptions that may apply. So that we can verify your identity, you may be asked to give us certain personal information via webform or on the phone, as described above. We may require you to provide any of the following information: full legal name, email address, and/or phone number. Such information shall only be used for verifying your identity or authority to make the request, except that a limited amount of data may be maintained to ensure proper record-keeping regarding CCPA compliance and fulfillment of the request. In addition, if you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.

I. Notice of Financial Incentives

As further described below, we may offer you special pricing or service differences in exchange for your enrollment in our loyalty program, which may be considered “financial incentive” programs under the CCPA. If you join our loyalty program, we may offer the opportunity to earn points and members-only rewards in connection with your disclosure of personal information.
Subject to certain restrictions, members using an account subscribed to the loyalty program at eligible stores, on our website, or on our app, can earn points that can be used towards the purchase of eligible products. Members also may be eligible for additional savings, discounts, exclusive pricing, and promotional offers made available by TerrAscend as part of the loyalty program. We may also send members marketing and promotional communications (such as by email, text or through our mobile app).

Please see our loyalty program page [LINK] as well as the program-specific terms here [LINK] for more information, including with respect to enrollment and withdrawal from the loyalty program, earning points, and redeeming points. Please note that loyalty program offers and terms are subject to change from time to time.

TerrAscend does not generally assign monetary value to consumers’ personal information, and promotions associated with the loyalty program can change continually. To the extent privacy laws require that a value be assigned to such programs, or to the price or service differences they involve, the points, additional savings, discounts, exclusive pricing, and promotional offers made available in connection with the loyalty program are reasonably related to the value provided to TerrAscend by your personal information.
In particular, TerrAscend values the information collected and used under the loyalty program as being equal to the value of the discounts or other benefits provided in the loyalty program, based upon a practical and good-faith effort to assess, on an aggregate basis for all collected information: (i) the type of information collected in the loyalty program (e.g., email address), (ii) the use of such information by TerrAscend in connection with its marketing activities, (iii) the range of discounts provided (which can depend on each individual’s purchases under such offers), (iv) the volume of individuals enrolled in the loyalty program, and (v) the eligible products and services for which the benefits (such as a discount) can apply. These variable factors continue to change over time. This description is without waiver of any proprietary or business confidential information, including trade secrets, and it does not constitute any representation with regard to generally accepted accounting principles or financial accounting standards.

You have the right to withdraw from the loyalty program at any time. To withdraw from the loyalty program, you must submit a request to delete your personal information, as set forth in Section 11(G) above.

J. Employee and Business-to-Business Consumers

Privacy rights apply to all individuals (not just retail customers), including job applicants, current and former employees, contractors and business partners. Due to the nature of these relationships, the collection and use of personal information can vary, but in general terms and in addition to all the disclosures above:

Job applicants may provide us with personal information as part of an employment application and review process that includes the applicant’s contact information, education and employment history, resume and cover letter. We do not use this information for any purpose other than to evaluate the individual for employment with us and manage our career program.
Job applicants may provide additional information for routine background checks to a third-party provider of such services, under specific privacy terms and consents that will be provided at the time of collection.

Employees receive information that provides additional details regarding our employee privacy practices.

We collect contact information and other personal information reasonably necessary to engage and work with contractors and business partners in the course of a business relationship.

All such individuals who are California residents can request additional information about our privacy practices with respect to their information, as well as make the access, deletion, correction and opt-out requests as described above, by following the process set forth in Section 11(G). Please provide sufficient information so that we can identify you and be aware that we may employ a more extensive authentication process to verify your identity before responding to your request.

If you have any questions about the notices or rights above, or our privacy practices as they are relevant to you, please contact us at privacy@terrascend.com.

K. CCPA Reporting Metrics – Calendar Year 2022

The table below details the number of requests we received under the California Consumer Privacy Act (CCPA) in 2022. A request is received when a consumer or their agent submits a request through our online form or contact center. A request may be denied if the consumer submitted a request but did not complete steps to enable us to verify their identity, or their identity could not otherwise be verified. A request submitted by an authorized agent may be denied if the agent did not provide sufficient documentation to allow us to determine that the agent was authorized by the consumer to submit the request.

We take seriously the trust you place in us and the privacy of the information you share with us.
We want to ensure that we provide your personal information to only you or a person you specifically authorize. Because of this, we only fulfill requests for access to or deletion of personal information when we can verify the identity or authorization of the requestor.

| Request Type | # of Requests | # Unable to be Fulfilled* | Median Days to Respond |
|---|---|---|---|
| Data Deletion | 8 | 2 | 25.4 |

*This reflects the number of requests we were unable to fulfill due to the following reasons:

- There was no record of the requestor in any of our data systems.
- Requestor was not a California resident.