California Privacy Policy & Notice (For California Residents Only)

Last Updated: June 6, 2026

California Privacy Policy & Notice

(For California Residents Only)

Last Updated: June 6, 2026

This California Privacy Policy & Notice describes how BOD Group, Inc. and each of their affiliates, and subsidiaries (“Bolton” “us” “we” or “our”) “we,” or “us“) collect and process personal information about our consumers who reside in California. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA“) requires us to provide our California consumers with a privacy policy that contains a comprehensive description of our online and offline practices regarding our collection, use, sale, sharing, and retention of their personal information, along with a description of the rights they have regarding their personal information. This Privacy Policy & Notice, provides the information the CPRA requires, together with other useful information regarding our collection and use of personal information. Any terms defined in the CPRA have the same meaning when used in this policy.

This California Privacy Policy applies to our consumers, current and former employees, job applicants, and business-to-business partners that reside or are otherwise located in California.

This California Privacy Policy does not apply to our collection and use of personal information from residents, current or former employees, job applicants, or business-to-business partners outside of California. Consumers residing in other locations should see our general privacy policy at: boltonusa.com/privacy .

Personal Information Collected

We collect and use information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information“). Personal information does not include:

Publicly available information, including from government records, through widely distributed media, or that the consumer made publicly available without restricting it to a specific audience.
Lawfully obtained, truthful information that is a matter of public concern.
Deidentified or aggregated consumer information.
Information excluded from the CPRA’s scope, like:
- health or medical information covered by the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data; or
- personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act.

Personal Information Categories Chart

The chart below identifies the categories of personal information we collected from our consumers within the last 12 months and the expected retention period.

Category

Examples

Collected

A. Identifiers.

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.

YES

B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.

YES

C. Protected classification characteristics under California or federal law.

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

D. Commercial information.

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

YES Your account ordering history with us

E. Biometric information.

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

YES

F. Internet or other similar network activity.

Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.

NO Except through online cookies and other online tracking technology that you have permitted to operate, or did not opt out of, through visiting our Websites. Please see our privacy policy at boltonusa.com/privacy for additional information.

G. Geolocation data.

Physical location or movements.

H. Sensory data.

Audio, electronic, visual, thermal, olfactory, or similar information.

I. Professional or employment-related information.

Current or past job history or performance evaluations.

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

K. Inferences drawn from other personal information.

Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Sensitive Personal Information Categories Chart

Sensitive personal information is a subtype of personal information consisting of the specific information categories listed in the chart below. We use this information only for employment-related and business administration purposes (such as payroll, benefits, security, and legal compliance) and not to infer characteristics about individuals.

The chart below identifies which sensitive personal information categories, if any, we have collected information from our employees and job candidates and the expected retention period.

Sensitive Personal Information Category

Collected?

Retention Period

L.1. Government identifiers, such as your SSN, driver's license, state identification card, or passport number.

L.2. Complete account access credentials, such as usernames, account logins, account numbers, or card numbers combined with required access/security code or password.

L.3. Precise geolocation, such as physical access to a Company office location, the location of a delivery, sales, or other employee in the field, or GPS data from the Company's mobile phone, device, or vehicle used by an employee that can provide its location in a geographic area, with an approximate radius of 1,850 feet.

L.4. Racial or ethnic origin.

L.5. Citizenship or immigration status.

L.6. Religious or philosophical beliefs.

L.7. Union membership.

L.8. Mail, email, or text messages not directed to the Company.

L.9. Genetic data.

L.10. Neural Data, such as information generated by measuring a consumer's central or peripheral nervous system's activity that is not inferred from nonneural information.

L.11. Unique identifying biometric information.

L.12. Health information, including job restrictions and workplace illness and injury information.

L.13. Sex life or sexual orientation information.

L.14. Children's personal information (under age 16).

Sources of Personal Information

We collect your personal information through your interactions with our Websites and Service,

We may obtain information about you from third-party sources, such as Google, Apple or your employer, when applicable. This information may be utilized, analyzed, and/or compared with information that Bolton has collected from you or that you have submitted to the Services.

From Business Partners and Service Providers

In connection with our Services, we may receive personal data about you from business partners and service providers. They may share this information with us in accordance with their own privacy practices and, where applicable, the choices and consents you provided to them. We may associate or combine information we receive from these third parties with information we collect directly from you, as further discussed below.

Please see our Bolton Privacy Policy for additional information regarding our sources of personal information and our Cookie Declaration.

How We Use Personal Information

We may use and share your information for any legally permissible purpose. We may match, use, and share any of the information we collect from you to any personally identifiable information we obtain through third parties.

The ways we may use or share information that we collect about you include:

providing you with use of the Websites and Services;
providing you with products or services, whether from Bolton, or any related organizations, entities, or affiliates;
providing you with customized content and other services;
providing technical or customer support;
performing research and analysis to gauge the use of the Websites and Services;
communicating with you by e-mail, postal mail, telephone, text message, and/or mobile devices about products or services that may be of interest to you from Bolton, any affiliates, sponsors, or other third-parties, provided that we do not sell or share your personal information with any third parties other than in connection with fulfillment of services that we provided to you;
enforcing, this Privacy Policy, other Bolton posted policies, enforce Bolton agreements, or otherwise manage our business;
to administer the working relationship with you/your employer;
improving our Services, including by analyzing your information and creating aggregated data derived from your information) to develop, maintain, analyze, improve, optimize, measure, and report on our Services and their features and how users interact with them. Our analysis may include the use of technology like machine learning and large language models, which may include training these models or sharing with third parties for model training;
carrying out our obligations and enforce our rights arising from any contracts entered into between you and us;
notifying you when Services updates are available and about changes to any services we offer or provide though them;
where we have another legitimate interest in doing so;
in connection with any possible sale merger or restructuring of all or any part of our business or assets; and
performing functions as otherwise described to you at the time of collection or where we have otherwise obtained your consent.

To perform certain services on your behalf, we may publish certain information that you provide. You agree that any testimonial feedback, stories, posts, interactions, or other comments provided by you to Bolton through any form of communication including but not limited to through the Websites, becomes the sole and exclusive property of Bolton and that such information may be used for any legally permissible purpose, including, but not limited to marketing and advertising our Services.

We may also use your information to contact you about goods and services that may be of interest to you. For more information, see Your Rights and Choices section.

You acknowledge and agree that, unless otherwise prohibited by law, Bolton may use and disclose your personal and non-personal information to public or private third-parties: (i) for inspection by law enforcement officials (including in the case of potential criminal activity); (ii) to respond to cease and desist letters, arbitration proceedings, legal actions and suits, criminal and civil subpoenas, any court orders; (iii) to enforce or apply the terms of this Privacy Policy or any other agreement between us; and (iv) to protect our, our users, and others’ rights, property, or safety whether during or after the term of your use of our Services.

Unless otherwise provided in this Privacy Policy, we shall not disclose Personal Information you submit to us except (i) with affiliates, licensees, subsidiaries, and successors, (ii) when we have your permission, or (iii) as necessary to:

To our affiliates as permitted by law;
To third parties who provide information technology services such as website hosting, computer systems maintenance, or data security and privacy services;
To our partners, affiliates, vendors, or others who help us operate the Services or assess your interest or satisfaction with the Services, our organization, or our products, provided they have contractually agreed to adhere to this Privacy Policy. Also, to your employer in connection with your orders on their behalf; or
To comply with our legal obligations, enforce this Privacy Policy, any other Bolton agreements, or otherwise to protect the rights, property or safety of our users and business partners.

We may also use your information for targeted advertising (also known as interest-based advertising), to send and/or show you advertisements that may be more relevant to you across our Services and third-party websites or applications. You may have the right to opt out of targeted advertising by contacting us at the address listed in the Contact Information section. We will process your request in accordance with applicable laws and this policy. You can also opt out of receiving targeted advertising from members of the Network Advertising Initiative (“NAI“) on the NAI’s website here.

Sensitive Personal Information Use and Disclosure Purposes

We do not currently collect, use or disclose sensitive personal information.

Additional Categories or Other Purposes

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice. If required by law, we will also seek your consent before using your personal information for a new or unrelated purpose.

We may collect, process, and disclose aggregated or deidentified consumer information for any purpose, without restriction. When we collect, process, or disclose aggregated or deidentified consumer information, we will maintain and use it in deidentified form and will not attempt to reidentify the information, except to determine whether our deidentification processes satisfies any applicable legal requirements.

Mobil Software Applications

The following section only applies if you use one of our mobile software applications (the “Software”). The Software requires certain permissions on your mobile device in order to work as intended. You can either allow or deny the Software access to the permissions. In some cases, it is necessary for you to grant the Software permissions to take full advantage of features or functionality of the Software. If you disallow some or all permissions, the Software may not function properly. Some of the permissions needed may include access to your device’s: camera; calendar; location; phone; sensor; SMS; and storage. Additional permissions may be requested as new features may be added in the future.

Disclosing, Selling, or Sharing Personal Information

Business Purpose Disclosures

We may disclose the personal information we collect to third parties for the business purposes described in the table below, such as to engage contractors, wholesalers, distributors, and service providers to support our business functions. For example, we may disclose your address to our shipping carrier to deliver your order.

We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, prohibit using the disclosed information for any purpose except performing the contract, and meet the CPRA’s other contract requirements for engaging service providers or contractors.

The chart below identifies the personal information categories we disclosed to service providers or contractors for a business purpose over the preceding 12 months and the specific business or commercial purpose for disclosing that information/categories of entities to whom we have disclosed our consumers’ personal information for a business purpose over the preceding 12 months, along with the personal information categories disclosed and the disclosure’s business purposes.

Business Purposes Disclosure Recipient Category, Personal Information Category, and Purposes Chart

Selling or Sharing Personal Information

Except as otherwise provided in this Privacy Policy, we do not rent, sell or share any personal information, including sensitive personal information, we collect with any third parties. We may share aggregate and sell, non-individual information, incapable of identifying a particular person, with third parties for any lawful purposes.

For consumers only, we may share your personal information with third parties for cross-context behavioral advertising purposes and operational purposes, as noted in this Privacy Policy and Notice. Such sharing does not include information about anyone we know that is under the age of 18.

The chart below identifies the categories of third parties to whom the Company has shared consumers’ personal information for cross-context behavioral advertising purposes over the preceding 12 months.

Category of Business Purpose Disclosure Recipients

Personal Information Categories Disclosed

Sensitive Personal Information Categories Disclosed

Business Purpose Disclosures

ORDER FULFILLMENT AND SHIPPING PROVIDERS

A. Identifiers. B. California Customer Records. D. Commercial information.

None

To deliver products you purchased from us.

OPERATIONAL SERVICE PROVIDERS

A. Identifiers. B. California Customer Records. D. Commercial information.

None

To process and fulfill orders and transactions. Fulfill contractual obligations and enforce our rights. Comply with legal obligations.

CUSTOMER SERVICE SUPPORT PROVIDERS

A. Identifiers. B. California Customer Records. D. Commercial Information. E. Internet or other similar network activity. F. Approximate Geolocation data. G. Inferences.

None

To support customers with using our products and services, including online account management and troubleshooting.

ADVERTISING NETWORKS

A. Identifiers. B. California Customer Records. C. Protected Classes. D. Commercial information. E. Internet or Network Activity. F. Geolocation data. G. Inferences. NoneTo deliver targeted advertising. To conduct research and analysis to improve and develop our Services.

None

To deliver targeted advertising. To conduct research and analysis to improve and develop our Services.

A. Identifiers. B. California Customer Records. C. Protected Classes. D. Professional or employment-related information.

L.1. Government identifiers. L.2. Complete account access credentials.

To process payroll and perform other human resources functions.

HUMAN RESOURCES/LEAVES OF ABSENCE MANAGEMENT SERVICE PROVIDERS (For Employees Only)

A. Identifiers. B. California Customer Records. C. Protected Classes. D. Professional or employment-related information.

L.1. Government identifiers. L.2. Complete account access credentials. L.3. Racial or ethnic origin. L.4. Citizenship or immigration status. L.5. Health information.

To perform human resources management services and employee support services.

HEALTH INSURANCE COMPANY SERVICE PROVIDERS (For Employees Only)

A. Identifiers. B. California Customer Records. C. Protected Classes. D. Commercial Information. E. Professional or employment-related information.

L.1. Government identifiers. L.2. Health information.

To provide and manage employee benefits.

Your Rights and Choices

If you are a California resident, the CPRA grants you the following rights regarding your personal information:

Right to Know and Data Portability Requests

You have the right to request that we disclose certain information to you about our collection and use of your personal information (the “right to know“), including the specific pieces of personal information we have collected about you (a “data portability request“). You may exercise your right to know twice in any 12-month period. Once we receive your request and confirm your identity, we will disclose to you:

The categories of:
- personal information we collected about you; and
- sources from which we collected your personal information.
The business or commercial purpose for collecting your personal information and, if applicable, selling or sharing your personal information.
If applicable, the categories of persons, including third parties, to whom we disclosed your personal information, including separate disclosures identifying the categories of your personal information that we:
- disclosed for a business purpose to each category of persons; and
- sold or shared to each category of third parties.
When your right to know submission includes a data portability request, a copy of your personal information, subject to any permitted redactions.

Right to Delete and Right to Correct

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions and limitations (the “right to delete“). Once we receive your request and confirm your identity, we will delete your personal information from our systems unless an exception allows us to retain it. We will also notify our service providers, contractors, and other recipients to take appropriate action.

You also have the right to request correction of personal information we maintain about you that you believe is inaccurate (the “right to correct“). We may require you to provide documentation, if needed, to confirm your identity and support your claim that the information is inaccurate. Unless an exception applies, we will correct personal information that our review determines is inaccurate and notify our service providers, contractors, and other recipients to take appropriate action.

Right to Limit Sensitive Personal Information Use and Disclosure to Permitted SPI Purposes

You have a right to ask businesses that use or disclose your sensitive personal information to limit those actions to just the CPRA’s Permitted SPI Purposes (the “right to limit“). Once we receive your valid request, we will limit the use and disclosure of your sensitive personal information to the Permitted SPI Purposes.

Personal Information Sales or Sharing Opt-Out and Opt-In Rights

You have the right to request that businesses stop selling or sharing your personal information at any time (the “right to opt-out“), including through a user-enabled opt-out preference signal. We cannot sell or share your personal information after we receive your request to opt-out unless you later consent to the sale or sharing of your personal information.

Right to Non-Discrimination

You have the right not to be discriminated or retaliated against for exercising any of your privacy rights under the CPRA.

How to Exercise Your Rights

You can exercise any of these rights by contacting us at the address provided in the Contact Information section.

Verification Process and Authorized Agents

Only you, or someone legally authorized to act for you, may submit a request to exercise one of your consumer rights described in this policy. If you use an authorized agent, we may require proof that the agent is authorized to act for you, such as a signed permission from you or a power of attorney, and we may ask you to verify your identity directly with us.

To process your request, we may ask you (or your authorized agent) for information to verify your identity and confirm your authority that is consistent with the verification guidelines set forth by the CPRA Regulations. If we cannot verify your identity or authority, we may not be able to respond to your request. We use the information provided in the request only to verify the request and process it.

Responding to Your Requests to Know, Delete, or Correct, or Access/Appeal

We generally respond to consumer rights requests within 45 days and may extend that period by an additional 45 days when reasonably necessary, as permitted by law. If we deny your request, you may appeal our decision by contacting us as described in our response. We will respond to appeals in writing within 60 days. If we deny your appeal, we will provide information on how you may submit a complaint to the California Attorney General through the State’s online mechanism.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

How We Protect Your Personal Data

We use commercially reasonable administrative, physical, and technical measures designed to protect your personal data from accidental loss or destruction and from unauthorized access, use, alteration, and disclosure. However, no website, mobile application, system, electronic storage, or online service is completely secure, and we cannot guarantee the security of your personal data transmitted to, through, using, or in connection with the Services. In particular, email, texts, and chats sent to or from the Services may not be secure, and you should carefully decide what information you send to us through these communications channels. Any transmission of personal data is at your own risk.

The safety and security of your information also depends on you. You are responsible for taking steps to protect your personal data against unauthorized use, disclosure, and access.

We may update this policy from time to time, and we will provide notice of any such changes to the policy as required by law. The date the privacy policy was last updated is identified at the top of the page. We will notify you of changes to this policy by updating the “last updated” date and posting the updated policy on our website. If we regularly communicate with you via email, we may email you regarding updates to this policy, but you should check this page periodically to see the current policy and any changes we have made to it.

Contact Information

To exercise your rights or ask questions or comment about this privacy policy or our privacy practices, contact us at:

1 W. Pennsylvania Ave, Ste 600
Towson, MD 21204
info@boltonusa.com
410-547-0500 or 800-394-0263

On any email or postal letter that you send, please include “Privacy” in the subject line.