1. INTRODUCTION.

2. WHEN DOES THIS PRIVACY NOTICE APPLY.

3. PROCESSING OF YOUR PERSONAL DATA.

4. SHARING OF PERSONAL DATA.

5. INTERNATIONAL DATA TRANSFERS.

6. HOW IS MY PERSONAL DATA SECURED.

7. RETENTION OF PERSONAL DATA.

8. YOUR RIGHTS.

9. CHILDREN’S PERSONAL DATA.

10. YOUR RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

11. UPDATES TO PRIVACY NOTICE.

12. IDENTITY OF THE CONTROLLER OF PERSONAL DATA.

13. CONTACT US.

1. INTRODUCTION

1.1 This Privacy Notice (“Notice”) describes the information that Rheem Manufacturing Company and its subsidiaries and affiliates (collectively, “Rheem”, or “we”) collects, uses, shares and stores about you, including personal data, and provides guidance and information regarding our processing of personal data. For purposes of this Notice, Data Protection Legislation generally defines “personal data” as any information about an identifiable individual, which includes information that can be used on its own or with other information to identify, contact, or locate a single person.

1.2 We are committed to protecting and respecting your privacy. This Notice sets out the legal bases we rely on when processing any personal data we collect from you that you provide to us, either directly or through our trusted partners, or that we obtain from others. Please read this Notice carefully to understand how we process personal data about you.

1.3 In this Notice, references to “you” means the person about whom we collect, use and process personal data.

1.4 We will use personal data about you only for the purposes and in the manner set forth below, which describes the steps we take to ensure that our processing of personal data complies with U.S. laws and regulations, Canadian Privacy laws and regulations, as well as with European Union Law, including Regulation (EU) 2016/679, known as the General Data Protection Regulation or GDPR, and any subsequent amendments or successor laws thereto (collectively referred to as “Data Protection Legislation”).

1.5 We seek to maintain the privacy, accuracy, and confidentiality of data (including personal data about you) that we collect and use.

2. WHEN DOES THIS PRIVACY NOTICE APPLY

2.1 This Notice applies to personal data that we collect, use, disclose and otherwise process about you in connection with your relationship with us. This includes personal data we collect about you, or you provide to us, through our websites, mobile applications, or call centers; through product registrations; and through any other online or offline methods through which we communicate with you, as well as when we obtain personal data about you from a third party.

3. PROCESSING OF YOUR PERSONAL DATA

3.1 The personal data we collect about you helps us provide the best possible support for your products, optimize your use of our websites and mobile applications, and show advertisements to you based on your interests. In addition, we are required to process certain personal data for legal, regulatory, tax and auditing purposes. The personal data we collect, the basis for our processing, and the purposes of our processing, are detailed below. Sometimes, these activities are carried out by third parties (see “Sharing of Personal Data” section below).

3.2 You are not required to provide all the personal data described below to us; however, if you choose not to do so, we may not be able to offer you certain services and related features. You may provide personal data to us in various ways. The types of personal data we may obtain includes the following:

Personal data we process

Basis of processing

Purpose of processing

If your product is registered with us by you, or via contractors or plumbers, we will collect your name, postal address, email address, telephone number, or other identifiers by which we may contact you online or offline. We will also maintain this information with your purchase history.

It is necessary for the performance of our contract with you to provide warranty service (including any potential recalls) as necessary.

This is required to register your product or to provide you with service under the warranty, including any recalls.

If you purchase an extended warranty, or make a claim under any warranty, we will collect your name, postal address, email address, telephone number, or other identifiers by which we may contact you online or offline, purchase history, installation information, and credit card or

other payment details.

It is necessary for the performance of our contract with you if you purchase an extended warranty or make a claim under any warranty.

This is required to provide extended warranties to your purchased products, and to process and fulfill claims in connection with our products and to inform you of the status of claims.

If you sign up for a contest or promotion, we will collect your name, email address, telephone number, product

interest, and postal address.

Consent.

This is required to enter you into the contest or promotion you have chosen to participate in.

If you correspond with us, we will collect your name, contact details, and the details of your correspondence.

We collect this information because in some cases it is necessary for the performance of a contract with you, and in other cases when it is in our legitimate business interest to do so,

depending on the nature of the correspondence.

We retain this information to keep track of our communications with you, to respond to your requests and inquiries, and to provide you with the best possible service.

If you respond to any surveys, we will collect your name and your responses, some of which may include personal data.

We retain this information because it is in our legitimate business interest to do so.

We retain this information to understand how you use our products to improve our products and services, for developing new products and features, and to administer your participation in surveys

and market research.

If you access our websites, we will collect non-persistent information about your computer equipment, device IP address, operating system, browser type, and browsing behavior including the details of your visits to our website, web traffic data, location data, and logs.

We process this information based on our legitimate business interests, or with your consent.

We process this information to enable and monitor your use of our websites and services, and to improve those services. We also collect this information so you will not have to re-enter it when you use our services, and also track and understand how you use and interact with our websites and applications, and also to tailor our services around your preferences and to enable us to manage and enhance

our services.

If you access our websites, we will collect persistent information, including your device IP address, domain name, identifiers associated with your device, device and operating system type, and characteristics, web browser characteristics, language preferences, clickstream data, your interactions with our products and services, the pages that led or referred you to our websites or applications, dates and times of access, geolocation information, and other information about your use of our websites and applications.

We process this information based on your consent.

We use this information to provide you with interest-based (behavioral) advertising or other targeted content. For geolocation information, we use this information to understand where our products are used, and to respond to service requests or automatic service notifications.

Content you post in public areas of our websites, and 3rd party industry and social media sites.

We process this information based on our legitimate business interests. Please note that third party sites may have their own collection policies and processes, which we do not control.

We use this information to effectively communicate to you, respond to your requests or inquiries, and to better understand how our products are used.

If you apply for a job through our sites, we will collect name, address, social security number or other similar identifier, education information, employment history, and salary history.

We process this information on the basis of performance of an employment contract between you and us, and/or taking steps, at your request, to enter into such a contract.

We use this information to manage your application for, or interest in, career opportunities with us.

If you use any Rheem App, we will collect identifiers such as your name, geolocation information, telephone number, email, IP address and the name or designation you give to your account. The app would also collect certain additional information about your products, including usage history and functionality.

We process this information on the basis of the performance of a contract, or, for alerts, on the basis of consent.

When you sign up for connected services, we use the information to administer your Rheem App account, manage its interaction with Smart Thermostats, and to send you fault alerts or status updates. We use geolocation information for various purposes including for you to be able to set your home location, and to determine the distance you are from your home location. This allows your equipment to save energy by only running when you are within a certain distance of your home location. This feature is completely optional and can be controlled from within your App.

3.3 Where does Rheem obtain personal data about me?

Information you provide:

We obtain personal data about you directly from you, or via contractors and plumbers who assist you, when you register a product, when you extend a warranty, and when you submit information to us via our websites or mobile applications. We may also collect personal data in the course of the performance of your contract with us or if you contact us via phone, email or direct messaging services provided by third-party social media platforms.

Information we collect automatically:

As discussed above, when you navigate through and interact with our websites or mobile applications or through email, we may use automatic data collection technologies to collect information about you. This includes browser cookies, Flash cookies, web beacons, device identifiers, server logs, and other technologies.

Some content or applications, including advertisements on our websites, are served by third parties, including advertisers, ad networks and servers, content providers and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our websites, but only with your consent. Third parties that collect such information may associate it with your personal data where permitted by law, or they may collect information, including personal data, about your online activities over time and across different websites and other online services. They or Rheem may use this information to provide you with interest-based (behavioral) advertising or other targeted content. We do not control these third parties’ tracking technologies or how they may be used outside of our services. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly and/or review that provider’s privacy policy.

We do not support the Do Not Track browser option.

Information we obtain about you from third parties:

We may receive personal data about you from contractors or plumbers who may assist you in registering your products and purchasing extended warranties.

We also send out mailings via the post office from public records.

4. SHARING OF PERSONAL DATA

4.1 We do not sell personal data for any commercial or marketing purposes, have not sold personal data in the preceding 12 months and will not sell personal data.

4.2 The following are limited circumstances where we may share your personal data with third parties:

4.2.1 External vendors, service providers, and technicians who help with our data processing and storage.

4.2.2 In connection with a merger or sale of the company and/or parts of its assets, your personal data may be among items sold or transferred.

4.2.3 Contractors or plumbers who may assist you in registering your products or purchasing extended warranties, or performing diagnostics or service.

4.2.4 Third parties who you have requested information from for purposes of financing or rebate information.

4.2.5 Affiliates, subsidiaries, divisions, and service providers who provide services to us or on our behalf;

4.2.6 Third parties who assist us in providing our products and services and to help us understand your use of our products;

4.2.7 External professional advisors;

4.2.8 Select third party vendors, business partners and other companies so that they can send promotional materials about products and services (including special offers or promotions);

4.2.8 For any other purpose disclosed by us when you provide the information; and

4.2.9 With your consent.

We require all service providers that we share personal data about you with to provide assurances regarding the confidentiality and security of that information.  These third parties agree to only use such information for the purpose for which it was provided and in accordance with this Notice.

4.3 We may also disclose your personal data:

4.3.1 To comply with any court order, law, or legal process, including to respond to any government or regulatory request, in accordance with applicable law.

4.3.2 To enforce or apply our terms of use and other agreements (including warranties) and for billing and collection purposes.

4.3.3 If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Rheem Manufacturing Company, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

4.3.4 To others, where it is permitted by law.

5. INTERNATIONAL DATA TRANSFERS

5.1 Your personal data may be transferred, stored and processed in foreign countries, including the United States, with different privacy laws that may or may not be as comprehensive as the Data Protection Legislation in your home country. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of the that country may be able to obtain access to your personal data through the laws of the foreign country. For transfers of personal data to foreign countries, we take additional steps in line with all applicable laws, including European and Canadian Data Protection Legislation. We have put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights. Whenever we engage a service provider in a foreign country, we require that its privacy and security standards adhere to this policy and applicable Data Protection Legislation.

6. HOW IS MY PERSONAL DATA SECURED

6.1 We operate and use appropriate administrative, technical and physical security measures to protect your personal data.

6.2 We have in particular taken appropriate security measures to protect personal data about you from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access, to personal data about you. Access is granted on a need-to-know basis to those employees and other people whose roles require them to process personal data about you.

7. RETENTION OF PERSONAL DATA

7.1 We will keep personal data about you for as long as it is necessary to fulfill the purposes for which we process it as described above in Section 3, or if we have another lawful basis for retaining the data beyond the period for which it is necessary to serve the original purpose for collecting the data. This may mean that we will retain some information about you for longer than other information. The criteria we use to determine data retention periods for personal data includes the following:

7.2 Retention in case of queries; we will retain it for a reasonable period after the relationship between us has ceased;

7.3 Retention in case of claims; we will retain it for the period in which it may be enforced; and

7.4 Retention in accordance with legal and regulatory requirements; we will consider whether we need to retain any additional period because of a legal or regulatory requirement.

7.5 Under some circumstances we may anonymize your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose, including sharing it with utility companies, without further notice to you or your consent.

7.6 If you would like further information about our data retention practices, please contact us.

8. YOUR RIGHTS

8.1 You may have various rights under data protection legislation in your country (where applicable).

To the extent permitted by applicable law and subject to certain conditions, you may (1) seek confirmation regarding whether Rheem is processing personal data about you; (2) request access to the personal data that we maintain about you; (3) request that we update, correct, amend or erase or restrict information about you; or (4) exercise your right to data portability, by clicking here to submit a request via our web portal, or by contacting us directly at compliancemanager@rheem.com. In addition, you may object to Rheem’s processing of your personal data at any time; however, doing so may impact your use of the services that we provide. To protect your privacy, Rheem will take commercially reasonable steps to verify your identity before granting access to or making any changes to your personal data. We may ask that you provide us with your name, postal address, email address, telephone number, and/or equipment serial number.

These may include (as relevant):

Your right

What does it mean?

How do I execute this right?

Conditions to exercise?

Right of access

Subject to certain conditions, you have a right to access personal data about you which we hold.

You may make a request for access to personal data via our web form by clicking here, or in writing to compliancemanager@rheem.com. Please specify the type of personal data you would like to access.

1. We must be able to verify your identity. 2. Your request may not affect the rights and freedoms of others. 3.We generally do not provide access to data we keep solely for data backup purposes. 4. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

Right of data portability

Subject to certain conditions and limitations, you have the right to receive from us personal data which you have provided to us.

You may make a request for data portability via our web form by clicking here, or in writing to compliancemanager@rheem.com. Please specify the type of information you would like to receive.

Your right to data portability is limited. It applies only when:

1. our processing is based on your consent or on our contract with you; and 2. when our processing is done through automated means (e.g. not paper records); and 3. You provided us with the personal data at issue.

Rights in relation to inaccurate personal or incomplete data

You may challenge the accuracy or completeness of personal data about you. If the personal data is inaccurate, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate.

Please notify us of any changes regarding personal data about you as soon as they occur.

You may make a request via our web form by clicking here, or in writing to compliancemanager@rheem.com.

This right only applies to personal data about you. When exercising this right, please be as specific as possible.

Right to object to or restrict our data processing

Subject to certain conditions, you have the right to object to or ask us to restrict the processing of personal data about you.

You may make a request via our web form by clicking here, or in writing to compliancemanager@rheem.com.

This right applies only if our processing of personal data about you is based on our legitimate interests (see Section 3 above). Any objections must be based on your particular situation, and must contain specific reasons.

Right to have personal data erased

Subject to certain conditions, you have a right to have your personal data erased

e.g. where you think that the information we are processing is inaccurate, or the processing is unlawful.

You may make a request via our web form byclicking here, or in writing to compliancemanager@rheem.com.

We may not be in a position to erase personal data about you, for example when:

1. where we have to comply with a legal obligation; 2. in case of exercising or defending legal claims; or 3. where retention periods apply by law or regulations.

Right to withdrawal

You have the right to withdraw your consent to any processing for which you have previously given that consent.

You may make a request via our web form by clicking here, or in writing to compliancemanager@rheem.com.

If you withdraw your consent, this will only take effect for the future.

9. CHILDREN’S PERSONAL DATA

The products and services that we offer are designed for a general audience and are not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we learn we have collected or received personal data form a child under the age of 16, we will promptly delete the information.

10. YOUR RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

10.1 Without prejudice to any other administrative or judicial remedy you might have, you may have the right under data protection legislation in your country (where applicable) to lodge a complaint with the relevant data protection supervisory authority in your country if you consider that we have infringed applicable data protection legislation when processing personal data about you. This means the country where you are habitually resident, where you work or where the alleged infringement took place.

11. UPDATES TO PRIVACY NOTICE

11.1 We reserve the right to change this Notice at any time in our sole discretion without prior notice to you to reflect changes. We will indicate at the top of the notice when it was most recently updated.

12. IDENTITY OF THE CONTROLLER OF PERSONAL DATA

12.1 For the purposes of Data Protection Legislation, the Data Controller is Rheem Manufacturing Company, a U.S. organization with its principal place of business at 1100 Abernathy Road, Suite 1700, Atlanta, GA 30328.

13. CONTACT US

13.1 For further information or if you have any questions or queries about this Privacy Notice, please contact the Chief Privacy Officer, Law Department, Rheem Manufacturing Company, 1100 Abernathy Road, Suite 1700, Atlanta, GA 30328, or call (770) 351-3000. We have procedures in place to receive and respond to complaints or inquiries about our handling of personal data, our compliance with this Notice and with applicable privacy laws.