MARSH & McLENNAN COMPANIES

California Resident Privacy Notice

Last Updated: November 2024

This privacy notice applies to ’s business contacts who are California residents, including marketing contacts, website visitors, investors, vendors, and other commercial contacts covered by California privacy law. California applicants should review . Commercial contacts of our individual businesses should review the privacy notices available on those businesses’ sites.

What Personal Information Do We Collect?We collect the following categories of personal information and sensitive personal information (note that the categories are specifically defined under California law, and we may not collect all of the listed exemplary data types for the category):

Category

Examples

Personal Identifiers

Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.

Any personal information described in Cal. Civ. Code § 1798.80(e)

Name, signature, social security number, address, telephone number, passport number, identification card information, insurance policy number, bank account number, credit or debit card number, any other financial information, or medical information.

Protected Classifications under California or federal law

Voluntarily provided age, race, color, national origin, citizenship, marital status, physical or mental disability, sex (including gender, gender identity, gender expression), sexual orientation, veteran, or military status; Where required for background checks and legal disclosures for engagement: criminal records

Commercial Information

Reimbursable expenses for business needs or travel

Internet or other similar network activity

Browsing history, search history, interaction with a website, application, or advertisement, data from cookies or web beacons, and interactions with marketing emails, including when you read and respond to email correspondence

Geolocation Data

Physical location (from websites and not including precise geolocation)

Sensory Data

Call recordings, video, and photographs (not systematically associated with an individual but collected based on attendance at public recorded webinars or visits to buildings)

Professional Information

Job history, work status,skills, professionalqualifications

Inferences drawn from other personal information

Profile reflecting a person's preferences, characteristics, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

Government Identifiers (SPI (Sensitive Personal Information))

Social security number, Driver's license number, State ID card number, Passport number where necessary for legal or regulatory compliance

Sensitive Classifications (SPI)

Voluntarily provided racial/ethnic origin

What are our Business Purposes for Collecting and Disclosing Personal Information?

We collect and use personal information for the following business purposes:

· Provide, administer, and support our and our services

· Manage our commercial relationship

· Verify your identity

· Register and service your or your company’s accounts, subscriptions, or attendance at in person or online events, including on behalf of our subsidiaries

· Contact you when necessary and to respond to your requests and inquiries

· Manage and maintain online and physical security and protect our property, data, systems, clients, and colleagues against cyber attacks, fraud, and other legal and security threats

· Market our services and offerings of interest to you and your employer

· Analyze, administer, and improve our offerings and services and evaluate the overall effectiveness of our marketing activities and overall services

· Drive diversity and inclusion initiatives in vendor engagement

· Comply with and enforce applicable laws, regulations, client contractual requirements, industry standards, and our own policies

· Complete required anti-fraud, AML (Anti Money Laundering), and sanctions checks before engaging you as a supplier or providing services to you as a client

· To process payments to you for services rendered or other reimbursements

· For any other purpose described to you at the point of collection or pursuant to your consent

We may also process or disclose de-identified information that is not likely to identify you for commercially legitimate and lawful business purposes. Where we have de-identified data, we will maintain and use it without attempting to re-identify the data other than as permitted under law. We do not use sensitive personal information to infer characteristics about our business contacts.

How Long Do We Keep Personal Information?

Our products, services, and regulatory obligations are complex, and thus our retention periods for personal information vary. We consider the following obligations when setting retention periods for personal information and the records we maintain: the need to retain information to accomplish the business purposes or contractual obligations for which it was collected; our duties to effectuate our clients’ instructions with respect to personal information we process on their behalf; our duties to comply with mandatory legal and regulatory record-keeping requirements; and other legal impacts such as applicable statute of limitations periods. We may also retain personal information for other purposes delineated in applicable privacy laws.

Sale of your Personal Information or Sharing for Cross-Context Advertising

We allow certain third parties to use cookies and other online tracking technologies to collect personal information on our websites and web-based applications to support our business purposes. These third parties analyze activity and help us personalize outreach and content based on your interests, measure the performance of marketing content, and derive insights about the audiences who saw our content. These third parties may also provide free or enhanced add-on services to our company, and they may use your personal information for purposes beyond the services they provide to our company (for example, building consumer profiles to help other clients with their targeted advertising or enriched analytics). California law considers these types of online exchanges of personal information to be “sales” (disclosures of PI in return for something of value) or “sharing” (disclosures of PI for purposes of cross-context behavioral advertising), with some exceptions.We “sell” or “share” (as defined by the law) the following categories of personal information to third party online analytics and advertising providers: Personal Identifiers; Internet or other similar network activity; Geolocation data; Professional Information (to the extent it can be derived from your activity on our website). For the specific third parties that we “sell” or “share” online information with, please click on the “Manage Cookies” link below for the names of Analytics and Advertising providers.

You have the right to opt out of the “sale” of your personal information or the “sharing” of your personal information for cross context behavioral advertising or targeting purposes. To do so, please click on the “Manage Cookies” link at the bottom of this webpage and ensure the toggles for “Advertising” and “Analytics” trackers are set to “No.”

You may also implement a browser setting or extension to communicate your selling and sharing preferences automatically to the websites you visit. Our websites process such “opt out preference signals” in a frictionless manner. The current “opt out preference signal” with a defined protocol for companies to follow if they receive the signal is called the Global Privacy Control (GPC). GPC is available for an increasing number of browsers and browser extensions, listed . If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available .

Sources of Personal Information?

We collect personal information from the following categories of sources:

· Directly from you

· Your employer

· Third party business contacts who make referrals or provide prospect information

· Your online activity

· Advertising Networks

· Data analytics providers

· Government Entities

Disclosures of Personal Information for Business Purposes

We disclose PI for the following business purposes:

· Provision and administration of our services and facilities: We engage or partner with third parties that help support our business, technical, and operational needs and provide building management and security services.

· Assessment, improvement, and marketing of our services: We sometimes contract with other companies and individuals to perform functions or services for us or on our behalf, such as event hosting and email marketing. We also share limited business information with subsidiaries and affiliates for business analytics and assessment, lead generation and marketing activities.

· Business Transfers: As we continue to develop our business, we might sell or buy assets. In such transactions, client, vendor, and other commercial information generally is one of the transferred business assets. Also, if either the Company itself or any of the Company’s assets were acquired (including through bankruptcy proceedings), your personal information may be one of the transferred assets.

· Legal Matters: The Company may preserve, and has the right to disclose any information about you to:

o (a) protect and defend the rights, property, or safety of the Company or its affiliates, our colleagues, visitors to our buildings, or the public;

o (b) enforce theterms and conditions that apply to use of our websites and services;

o (c) respond to claims that any content violates the rights of third parties;

o (d) respond to claims of suspected or actual illegal activity;

o (e) respond to an audit or investigate a complaint or security threat;

o (f) comply with applicable law, regulation, legal process, or governmental requests:

o (g) comply with contractual requirements;

o (h) respond to data breaches

We disclose the following categories of personal information to the following categories of third parties where necessary, appropriate, or required:

Category

Categories of Third Parties PI is Disclosed to for a Business Purpose

Personal Identifiers

· Vendors, service providers, and professional advisors

· Public and governmental entities, including regulatory, tax and other authorities, law enforcement agencies, courts, arbitration bodies, and fraud prevention agencies.

· Affiliates, subsidiaries, and successors

· Online analytics and advertising providers

Any personal information described in Cal. Civ. Code § 1798.80(e)

· Vendors, service providers, and professional advisors

· Public and governmental entities, including regulatory, tax and other authorities, law enforcement agencies, courts, arbitration bodies, and fraud prevention agencies.

· Affiliates, subsidiaries, and successors

Protected Classifications under California or federal law

· Vendors, service providers, and professional advisors

· Public and governmental entities, including regulatory, tax and other authorities, law enforcement agencies, courts, arbitration bodies, and fraud prevention agencies.

· Affiliates, subsidiaries, and successors

Commercial Information

· Vendors, service providers, and professional advisors

Internet or other similar network activity

· Vendors, service providers, and professional advisors

· Online analytics and advertising providers

Geolocation Data (general)

· Vendors, service providers, and professional advisors

· Online analytics and advertising providers

Sensory Data

· Vendors, service providers, and professional advisors

· Affiliates, subsidiaries, and successors

Professional Information

· Vendors, service providers, and professional advisors

· Affiliates, subsidiaries, and successors

Inferences drawn from other personal information

· Vendors, service providers, and professional advisors

· Affiliates, subsidiaries, and successors

Government Identifiers (SPI)

· Vendors, service providers, and professional advisors

· Public and governmental entities, including regulatory, tax and other authorities, law enforcement agencies, courts, arbitration bodies, and fraud prevention agencies.

Sensitive Classifications (SPI)

· Vendors, service providers, and professional advisors

· Public and governmental entities, including regulatory, tax and other authorities, law enforcement agencies, courts, arbitration bodies, and fraud prevention agencies.

· Affiliates, subsidiaries, and successors

*We may be required or compelled to produce any of the above categories of personal information that we have collected in response to valid legal process, subpoenas, or regulatory requests to authorized parties, including government entities, law enforcement, courts and tribunals, or litigants.

YourRights Under California Law

Under California law, including the California Consumer Privacy Act as amended by the California Privacy Rights Act, you may have the following rights regarding your personal information. These rights are subject to a number of exceptions and limitations enumerated under the law.

Right to Access Personal Information

You can request to access either the specific pieces of personal information we have collected about you as of January 1, 2022, or the below descriptions about that personal information:

· The categories of personal information we have collected about you.

· The categories of sources for the personal information we have collected about you.

· Our business or commercial purpose for collecting that personal information.

· The categories of third parties to whom we disclose that personal information.

· If we sold your personal information for a business purpose, a list of the personal information types that each category of recipient purchased.

· If we disclosed your personal information to a third party for a business purpose, a list of the personal information types that each category of recipient received.

Right to Delete Personal Information

You may have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will determine if retaining the information is permitted or required under law.

If no retention conditions apply, we will delete your personal information from our records and direct our service providers to do the same.

Right to Correct Personal Information

You may have the right to correct inaccuracies in your personal information, considering the nature of the personal information and the purposes of processing it. If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will use commercially reasonable efforts to correct the inaccurate information.

Right to Opt-out of Profiling

We do not engage in automated processing of personal Information without human intervention to make decisions that produce a legal or other significant effect. Because we do not engage in such automated processing, we do not provide a mechanism for you to limit our processing of personal information in such a manner.

Right to Non-Discrimination

You may exercise your privacy rights without discrimination. For example, unless applicable law provides an exception, we will not deny you opportunities or services, or provide you with different pricing, level, or access to opportunities or services.

How to exercise the above rights

To exercise your rights to access, correction, or deletion described above with respect to the information collects, please visit our online privacy rights portal by clicking . Alternatively, you may call us at 1-866-374-2662. You may have a separate commercial relationship with one of our businesses. Please review the privacy notice on the website of that business to exercise your rights with respect to the personal information that business has collected.

You will not be required to create an account. Only you or a person legally authorized to act on your behalf may make a verifiable consumer request related to your personal information.Agents must provide a power of attorney showing their lawful authority to act on your behalf or submit both a written authorization from you and allow us to contact you to verify your consent.

You may only submit two privacy requests every 12 months. During the request process you must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, including via the provision of a copy of a valid photo ID and confirming other information we hold about you. To safeguard personal information in our possession, if we cannot verify your identity or authority to act on another’s behalf, we will be unable to comply with your request. We will process and retain personal information you provide when submitting a verifiable request only to confirm your identity or authority, or to fulfill your request.We will respond to most requests within 45 days, unless it is reasonably necessary for us to extend our response time.

How to appeal an action we have taken with respect to your request to exercise a right

If we deny your privacy request in full or in part, please contact the email address for appeals provided in our written response to your request. Our privacy team will consider your request and applicable law, and either agree to honor your appeal request or deny it.

Minors

We do not knowingly collect personal information from children under 13. If we learn that we have collected any personal information from a child under the age of 13 without verifiable parental consent, we will delete that information from our files as quickly as possible. If you believe we may have collected information from a child under 13, contact us at the email address below.

If you are 16 years of age or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). However, we never knowingly sell or share the personal information of minors under 16 years of age and would not do so in the future without affirmative authorization of the consumer if between 13 to 16 years of age, or the parent or guardian of a consumer less than 13 years of age.

Questions or Complaints

To submit general questions, complaints, or appeals regarding this Privacy Notice or our privacy practices, please contact us at privacy@mmc.com