Privacy Policy
Version 2.1.2 · Effective May 26, 2026 · Last Updated May 26, 2026
If you are a California resident, see Section 16 California Residents (CCPA / CPRA). Other US state residents see Section 17 Other State Privacy Rights.
1. About This Policy
This Privacy Policy explains how The Fashion Week Blueprint LLC ("Fashion Week Blueprint," "Company," "we," "us," or "our") collects, uses, shares, retains, and protects personal data when you use our software-as-a-service platform at fashionweekblueprint.com (the "Platform").
The Platform is used by fashion show and fashion week producers ("Members") to plan and run their productions. The Platform processes two kinds of personal data: (a) personal data about Members themselves (the people who create and manage Member accounts) and (b) personal data about third parties whom Members add to the Platform (contacts, applicants, models, sponsors, vendors, and others). Different rules and roles apply to each category; see Section 4.
This Policy is incorporated into our Terms of Service by reference. By using the Platform, you agree to this Policy.
2. Personal Data We Collect
Company collects the following categories of personal data:
Account data. Member name, email address, hashed password, and the organization name and production details Member enters at signup or in account settings.
Production content data. Event name, show dates, venue, budget figures, timelines, casting calls, document drafts, sponsor pipeline entries, and other operational content Member enters into the Platform.
Contact and third-party data. When Member adds contacts to the Platform's CRM, casting system, sponsor pipeline, or any other feature, the personal data of those contacts is uploaded to the Platform. This includes names, email addresses, phone numbers, postal addresses, agency representation, body measurements (for applicants and models), photographs and video (for casting submissions), and any other fields Member chooses to fill.
Communications content. When Member sends messages, emails, or scheduling invitations through the Platform, the content of those communications is processed and stored.
Payment data. Payment card numbers are processed by our payment provider (Stripe) and do not touch Company servers. Company retains billing metadata (subscription tier, payment dates, invoice records).
Usage and device data. Pages Member visits on the Platform, features Member uses, IP address, user-agent string, session timestamps, and similar diagnostic data. Company uses this data in aggregate for product improvement and security monitoring.
Connected social media account data. If Member connects a Facebook Page or Instagram Business account through Social Studio, Company receives and stores the account ID, name, profile photo URL, and an encrypted access token. See Section 12.
Trial account data. If Member begins a free trial, the same categories of data above are collected. Trial data retention is governed by Member TOS Section 4(c).
Sources of personal data. Most personal data Company holds comes directly from Member (when Member fills out signup, account, or in-product forms) or from contacts Member uploads. A limited amount comes from connected third-party services (Meta for connected accounts; Stripe for payment metadata). Company does not buy personal data from data brokers.
3. How We Use Personal Data
Company uses personal data for the following purposes, in each case under the indicated lawful basis under GDPR Article 6 where Member or data subject is in the EU or UK:
To provide the Platform. Operating Member's dashboard, CRM, casting system, timeline, budget tracker, document generation, mass email, and other features. Lawful basis: performance of a contract (Article 6(1)(b)).
To process payments and manage billing. Sending invoices, processing subscription renewals, responding to billing inquiries, applying nonprofit/educational discounts under Member TOS Section 4(k). Lawful basis: performance of a contract.
To send account and service communications. Account confirmations, password resets, security alerts, material changes to these terms or to this Policy, trial-end and post-trial deletion notices, renewal warnings, plan-change confirmations, and breach notifications where applicable. Lawful basis: performance of a contract and legitimate interest in operating the Platform (Article 6(1)(b) and (f)).
To improve and secure the Platform. Analyzing usage in aggregate, debugging, monitoring for security and abuse. Lawful basis: legitimate interest (Article 6(1)(f)) in operating, improving, and securing the Platform.
To comply with legal obligations. Responding to legal process, complying with tax and accounting laws, complying with anti-spam and data protection laws, complying with CSAM reporting obligations under 18 U.S.C. Section 2258A. Lawful basis: legal obligation (Article 6(1)(c)).
To enforce these terms. Investigating violations of the Terms of Service, the Mass Email and Anti-Spam Policy, the Acceptable Use Policy, or this Privacy Policy. Lawful basis: legitimate interest in protecting Company, Members, and third parties.
What Company does not do. Company does not sell personal data to third parties. Company does not share personal data with advertisers. Company does not use Member's CRM contacts to market to anyone on Member's behalf or our own behalf. Company does not use Member data, Member-uploaded content, or content generated through the Platform to train Company AI models (Company does not train its own AI models). See Section 14 regarding third-party AI inference (Anthropic).
4. Roles: Who Is the Controller
The Platform involves three kinds of data relationships:
(a) Between Fashion Week Blueprint and the Member. When Company processes personal data about Member directly (account data, billing data, usage data), Company is the data controller for that processing. This Policy explains what Company does.
(b) Between the Member and the Member's contacts. When Member uploads, imports, or otherwise causes the Platform to process personal data about third parties (contacts, applicants, models, sponsors, vendors, attendees), Member is the data controller for that processing and Company acts as Member's data processor. Member decides what data to collect, why, and for how long; Company processes the data only to provide the Platform features Member uses. Members have the obligations of data controllers under applicable law (including obtaining consent where required and providing required notices to data subjects).
For all Members regardless of tier, Company's substantive processor commitments are set forth in Member TOS Section 18.6, which is substantively aligned with GDPR Article 28(3). For Enterprise and Enterprise Plus Members, Section 18.6 applies directly through Section 18. For Professional-tier Members, Section 18.6 is incorporated by reference into Member TOS Section 11 and is executed by Member's acceptance of the Terms at signup; no separate document execution is required. Enterprise or Enterprise Plus Members whose procurement requirements call for a separately executable Data Processing Addendum may request one on substantially Section 18.6 terms.
(c) Between Meta and the connected account owner. When Member connects a Facebook Page or Instagram Business account through Social Studio, Member remains the data controller for the connected account's content. Company acts as Member's processor for the limited purpose of calling Meta's Graph API on Member's instruction. Meta's own privacy policy governs how Meta itself handles the underlying account.
5. Sub-Processors and Other Recipients
Company shares personal data with the following categories of recipients, only as needed to operate the Platform or as required by law.
Sub-processors. Company uses the following service providers to operate the Platform:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Supabase | Database and authentication | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional and marketing email delivery | United States |
| Anthropic | AI inference for document generation and related AI features | United States |
| Vercel | Web hosting and deployment | United States |
| Cloudflare (R2) | Backup storage (cold backups) | United States |
| Google Workspace | Business email, support correspondence, and document storage | United States |
| Meta Platforms | Connected social media account integration (Social Studio); applies only where Member has connected a Facebook Page or Instagram Business account | United States |
The current canonical sub-processors list is also maintained at https://www.fashionweekblueprint.com/subprocessors. In the event of conflict between the table above and the canonical list, the canonical list controls; Company will update this Policy to match within a reasonable period.
Enterprise Members are notified of sub-processor changes per Member TOS Section 18.6(g). Other Members may subscribe to sub-processor change notifications by emailing privacy@fashionweekblueprint.com.
Legal disclosures. Company may disclose personal data when Company believes in good faith that disclosure is required by law, regulation, court order, subpoena, or other legal process; necessary to enforce Company's terms; or necessary to protect the rights, property, or safety of Fashion Week Blueprint, our Members, or others. This includes CSAM reporting to the National Center for Missing and Exploited Children (NCMEC) and applicable law enforcement per Member TOS Section 8.
Business transfers. If Fashion Week Blueprint is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of substantially all assets, personal data may be transferred to the successor. Company will notify affected users by email and post notice on the Platform.
With Member direction. When Member instructs Company to share data (for example, when Member connects a Meta account and authorizes Company to publish to it on Member's behalf, or when Member directs Company to share documents with third parties through the Platform's collaboration features).
Company does not sell personal data, does not share personal data for cross-context behavioral advertising, and does not share personal data with advertisers. Company does not use personal data to train AI models.
6. International Data Transfers
Fashion Week Blueprint is based in the United States, and Company's sub-processors are predominantly located in the United States. If Member or a data subject is located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border data transfer restrictions, personal data is transferred to and processed in the United States, which the European Commission has determined does not, by default, provide an "adequate" level of data protection.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, Company relies on the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and the equivalent UK International Data Transfer Addendum or Swiss equivalent where applicable. For Enterprise Members, these clauses are incorporated by reference into the data processing terms at Member TOS Section 18.6(h).
Company has evaluated the transfer impact in light of Schrems II (Case C-311/18) considerations, including the legal regime of the United States. Company relies on the Standard Contractual Clauses together with supplementary technical measures (including encryption in transit and at rest) and contractual safeguards (including restrictions on government access requests and a commitment to challenge overly broad requests). The United States has enacted the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (Executive Order 14086) and the Data Protection Review Court, the framework supporting the EU-U.S. Data Privacy Framework, which provides an additional safeguard for affected individuals.
If Member or a data subject would like more information about Company's transfer impact assessment, contact privacy@fashionweekblueprint.com.
7. Data Retention
Company retains personal data for as long as Member's account is active and as needed to provide the Platform and comply with Company's legal obligations. Default retention periods:
| Data category | Retention |
|---|---|
| Account data (Member identity, login credentials) | For the life of the account |
| Production content (events, documents, CRM contacts) | For the life of the account, then 30-day read-only window per Member TOS Section 13(c), then permanent deletion within 30 days per Section 13(d) |
| Trial account data | 30 days after trial expiration per Member TOS Section 4(c) |
| Payment and billing records | Seven (7) years post-account-closure (U.S. tax record retention) |
| Acceptance and audit logs (TOS acceptance events, security audit logs) | Ten (10) years post-account-closure |
| Email delivery logs (send, open, bounce events) | Two (2) years from the event |
| Cross-account email suppression list (see Section 13) | Indefinite; this list benefits recipients who have chosen to unsubscribe |
| Backup copies (Cloudflare R2 cold storage) | Subject to standard backup-rotation cycles, then overwritten in the ordinary course |
| Aggregated and anonymized usage data | Retained indefinitely as it no longer identifies any individual |
If applicable law requires longer retention for any category, Company will retain accordingly.
8. Security and Breach Notification
Security measures (platform-wide; apply to all Members regardless of tier). Company protects personal data using administrative, physical, and technical safeguards, including:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent industry standard).
- Role-based access controls and the principle of least privilege for personnel with access to production systems.
- Multi-factor authentication available for all Member and team-member accounts.
- Regular vulnerability scanning and remediation, and periodic third-party penetration testing.
- Background checks consistent with applicable law for personnel with access to personal data, and confidentiality undertakings from all such personnel.
- A written incident response policy.
SOC 2 commitment. Company targets SOC 2 Type II certification (or ISO 27001 or an equivalent independent attestation) within twelve (12) months of Company's first Enterprise subscription. Certification is platform-wide and applies to the entire Platform once achieved.
Breach notification (platform-wide; applies to all Members regardless of tier). If Company becomes aware of a Personal Data Breach (as defined in GDPR Article 4(12)) that materially affects Member's personal data or personal data Member has uploaded to the Platform, Company will notify Member without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences, and the measures taken or proposed to address the breach.
For Enterprise Members, breach notification commitments are also expressed contractually in Member TOS Section 18.6(i) as the Article 28(3) processor-to-controller obligation. The platform-wide commitment in this Section 8 and the Enterprise-specific Article 28(3) commitment in Section 18.6(i) run in parallel; they do not narrow each other.
No security measure is perfect; Company cannot guarantee absolute security.
9. Your Rights
Subject to applicable law and to identity verification, Member and data subjects have the following rights with respect to personal data Company holds about them.
Rights available to all data subjects (substantive scope varies by jurisdiction; see Section 16 for California-specific rights and Section 17 for other state-specific rights):
- Access. Request a copy of the personal data Company holds about Member or the data subject.
- Correction (Rectification). Request correction of inaccurate or incomplete personal data.
- Deletion (Erasure). Request deletion of personal data. Company may retain certain data as required by law (see Section 7).
- Restriction of processing. Request that Company restrict processing of personal data in certain circumstances (for example, while Company verifies the accuracy of disputed data).
- Objection. Object to processing of personal data based on Company's legitimate interests.
- Portability. Request a copy of personal data in a structured, commonly used, machine-readable format.
- Withdrawal of consent. Where Company relies on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Opt out of marketing communications. Opt out of marketing emails by clicking unsubscribe in any marketing email or by contacting privacy@fashionweekblueprint.com.
- Lodge a complaint with a supervisory authority. If Member or the data subject is in the EEA, the UK, or another jurisdiction with a data protection supervisory authority, the right to lodge a complaint is available. Company would appreciate the chance to address concerns first.
How to exercise rights. Send a request to privacy@fashionweekblueprint.com with the subject line "Privacy Rights Request." Include name, the email associated with the account, and a description of the right being exercised. Company may ask for additional information to verify identity.
Response timelines. Company will respond within thirty (30) days for requests under GDPR (extendable by an additional two (2) months for complex requests, with notice to Member) and within forty-five (45) days for requests under California and other U.S. state privacy laws (extendable by an additional forty-five (45) days where reasonably necessary, with notice). If Company cannot fulfill a request, Company will explain why.
Identity verification. For requests that involve sensitive operations (deletion, export of all data), Company may require additional identity verification before processing, such as confirmation from a verified email account, a small fee-less transaction confirmation, or a request submitted from within a logged-in account session.
Authorized agent. Under California and certain other state laws, an authorized agent may make requests on Member's behalf. The authorized agent must provide proof of authorization, and Company may require Member to verify Member's own identity directly.
If Member is a data subject uploaded by a Member. If a Member has uploaded the data subject's personal data to the Platform (for example, as a contact, applicant, or sponsor), the Member is the data controller for that data. Direct rights requests to the Member. If Company receives a rights request about Member-uploaded data, Company will forward the request to the Member and, where reasonably required by law, assist the Member in responding. Where the request asks Company to delete data from the Platform (across all Member accounts, for example to suppress future marketing), see Section 13 on cross-account suppression.
10. Cookies and Tracking
Company uses cookies and similar technologies that are strictly necessary for authentication and session management. Company does not use third-party tracking cookies, advertising cookies, or cross-site behavioral tracking. Because Company does not engage in cross-context behavioral advertising, Company does not respond to Global Privacy Control (GPC) or "Do Not Track" signals as a stand-alone matter, though Company honors the underlying right to opt out where applicable law requires.
11. Minors and Parental Consent
Member account holders (producers) must be 18 or older. The Platform may only be used as an account holder by individuals who are at least 18 years of age and legally able to enter into binding agreements.
The Platform supports producers who work with performers, models, and participants of any age, including children under the age of 13 appearing in kids' runway shows and similar productions. When a Member collects, uploads, or processes personal data of any individual under 18 ("minor data subject"), the rules in this Section apply.
Parental consent required. A parent or legal guardian must provide verifiable consent before the data is submitted. This includes the guardian's name, email address, phone number, and an explicit affirmation that they consent to the collection and processing of the minor's personal data, including photos, videos, measurements, contact details, and any other information submitted on the minor's behalf.
Children under 13. For children under the age of 13, the parent or legal guardian is expected to complete any submission form on the child's behalf. The Platform's submission forms are designed to be completed by an adult acting for the minor. Company retains a record of the consent (including a timestamp and the consenting guardian's identifying information) alongside the submission.
COPPA responsibility. For minors under the age of 13 in particular, the producer is solely responsible for complying with the Children's Online Privacy Protection Act (COPPA), 16 CFR Part 312, and any equivalent state, federal, or international laws governing the collection of personal data from children. This includes, where applicable, providing a COPPA-compliant direct notice to the parent and obtaining verifiable parental consent in accordance with the methods enumerated by the Federal Trade Commission. The producer is solely responsible for obtaining any additional releases, work permits, child labor authorizations, image releases, model releases, and written agreements required by law in the relevant jurisdiction before engaging any minor of any age in any production-related activity.
Roles. Producer is the data controller; Fashion Week Blueprint LLC is a processor. Company has no direct relationship with the data subjects whose information producers upload, and Company does not independently solicit, market to, or otherwise reach out to those individuals.
Non-waivable protection of minors content prohibition. Member TOS Section 8 contains a non-waivable prohibition on the upload, generation, storage, transmission, or distribution of any nude, sexually suggestive, or sexually exploitative content depicting any person under the age of 18. The editorial carve-out for tasteful artistic nudity in fashion editorial contexts in Section 8 does not apply to any content depicting any person under 18.
No biometric identifier extraction. Company does not extract biometric identifiers (face geometry, voiceprints, fingerprints, iris scans, or similar) from any content Member uploads to the Platform. Photographs uploaded for casting purposes are used for visual review only. If Member chooses to use uploaded content for biometric processing or identification, Member is solely responsible for compliance with all applicable biometric privacy laws (BIPA, CUBI, Washington biometric statute, CPRA sensitive personal information provisions, and equivalent laws) and must obtain the additional written, opt-in consent required for such processing.
Reporting concerns. If Member or any other person believes data about a minor has been collected through the Platform without proper consent, or wishes to have such data reviewed or removed, contact privacy@fashionweekblueprint.com. Where appropriate Company will investigate and forward the matter to the relevant producer (the data controller), who is responsible for taking action. Where the matter involves suspected CSAM, Company will also comply with reporting obligations under 18 U.S.C. Section 2258A.
12. Connected Social Media Accounts (Meta: Facebook and Instagram)
The Platform's Social Studio (Social Media Scheduler) lets Member connect Facebook Pages and Instagram Business accounts Member manages so the Platform can publish posts on Member's behalf. This Section explains what Company receives from Meta when Member connects, how Company stores it, and how Member can delete it.
What Company receives when Member connects. When Member clicks "Connect Instagram and Facebook," Company redirects Member to Meta's standard OAuth consent flow. After Member approves, Meta returns:
- A long-lived user access token tied to Member's Facebook account.
- A list of Facebook Pages Member manages (each page's ID, name, profile photo URL, and a page-scoped access token).
- For each Page that has one linked, the connected Instagram Business account (ID, username, profile photo URL).
Company does not request permission to read Member's Facebook News Feed, Member's friends list, Member's private messages, or any data unrelated to the specific Pages and Instagram Business accounts Member selects during the connection flow.
What Company stores and how. Only the items below are persisted server-side, and only for the Pages and Instagram accounts Member explicitly selects on the "Choose accounts to connect" screen:
- The page or Instagram Business account ID, name, handle, and profile photo URL (so Company can show the right account in Member's dashboard and tag the right destination on each scheduled post).
- An encrypted page or user access token (encrypted at rest with AES-256-GCM using a key Company holds; raw tokens are never logged, never returned to Member's browser, and never shared with any third party other than Meta itself when Company publishes on Member's behalf).
- Token expiry timestamps and refresh history so Company can rotate tokens before they lapse.
- Per-account audit log entries (connected, refreshed, disconnected, published, failed) used only for support and incident review.
How Company uses it. Meta-derived data is used solely to (a) display Member's connected accounts inside the Fashion Week Blueprint dashboard, (b) publish scheduled posts to those accounts on Member's instruction, (c) refresh tokens automatically before expiry, and (d) read post-performance metrics Member chooses to bring back into Member's reports. Company does not use Meta data for advertising, does not sell or rent it to anyone, and does not use it to train AI models.
How long Company keeps it. Encrypted tokens are kept for as long as the account is connected. When Member disconnects an account in Connected Accounts, the row is marked disconnected and the underlying access token is no longer used to call Meta. Published-post records (post IDs, captions, timestamps, performance snapshots) are retained as part of Member's production history.
How to delete it. Member has three options:
- Disconnect a single account. Go to Connected Accounts and click Disconnect. The connection is paused immediately and tokens are no longer used.
- Remove the Fashion Week Blueprint app from Meta. Open Facebook, then Settings and Privacy, then Settings, then Apps and Websites, and remove "Fashion Week Blueprint." Meta will notify Company via the Data Deletion Callback and Company will mark all data tied to Member's Meta user as scheduled for deletion within thirty (30) days.
- Direct request. Email privacy@fashionweekblueprint.com with "Meta data deletion" in the subject. Company will confirm receipt within five (5) business days and complete deletion within thirty (30) days.
Data Deletion Callback URL (for Meta App Review): https://fashionweekblueprint.com/api/social/data-deletion. Confirmation status pages are served at /data-deletion-status.
Roles. When Member connects a Facebook Page or Instagram Business account, Member (the producer) remains the data controller for that account's content. Fashion Week Blueprint LLC acts as Member's processor, calling Meta's Graph API on Member's instruction. Meta's own privacy policy governs how Meta itself handles the underlying account.
13. Cross-Account Email Suppression
To protect recipient choice and Company's deliverability infrastructure, when a recipient unsubscribes from one Member's mailing list on the Platform, the unsubscribe is automatically applied across all other Members' mailing lists on the Platform. In effect, a recipient who has chosen to unsubscribe is suppressed from receiving further commercial electronic messages from any Member through the Platform.
This means recipient data (specifically the email address and the suppression timestamp) is processed at the Platform level, not segregated by Member account, for the purpose of honoring recipient choice. Recipients can request review or correction of suppression-list entries by emailing privacy@fashionweekblueprint.com.
This practice is also set forth in the Mass Email and Anti-Spam Policy at Section 5(b).
14. AI Document Generation and Automated Decision-Making
The Platform uses Anthropic's Claude AI to generate documents and to power related AI features. When Member generates a document or uses an AI feature:
- Member's template variables, prompts, and organization context are sent to Anthropic for inference.
- Generated content is stored in Member's account.
- Per Anthropic's published policies for commercial API customers, content sent to Anthropic for inference is not used by Anthropic to train AI models.
- Company does not use Member data, Member-uploaded content, or generated content to train AI models. Company does not train its own AI models.
Anthropic's data processing terms govern Anthropic's processing of data Company sends for inference. A current summary is available at https://www.anthropic.com/legal/aup or at the equivalent successor location.
Automated decision-making. Company does not engage in automated individual decision-making, including profiling, that produces legal effects concerning Member or a data subject or similarly significantly affects Member or the data subject, within the meaning of GDPR Article 22. AI-generated content provided through the Platform requires Member's human review, customization, and acceptance before use; a human is always in the loop. Member retains full responsibility for any decision Member makes informed by AI-generated content.
15. Changes to This Policy
Company may update this Privacy Policy from time to time. For material changes (including changes affecting the categories of personal data Company collects, the purposes for which Company uses personal data, the recipients with whom Company shares personal data, retention periods, or Member's rights and choices), Company will both (i) post the updated Policy on the Platform with an updated "Last Updated" date, and (ii) notify Member by email at the address associated with Member's account. For material changes, Member will be required to affirmatively re-accept the updated Policy through an in-app acceptance flow before continued use of affected features. For non-material changes (typographical corrections, clarifications, formatting updates, internal cross-reference updates), Company will post the updated Policy on the Platform with an updated "Last Updated" date, and continued use of the Platform after the posting date constitutes acceptance of the updated Policy.
Material changes affecting how Company processes Member's personal data will not apply retroactively without Member's consent.
This Section 15 mirrors Member TOS Section 15, which provides parallel notification commitments for changes to the Terms of Service.
16. California Residents (CCPA/CPRA Disclosures)
This Section 16 supplements the rest of this Policy and applies only to California residents. This Section satisfies the disclosure requirements of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the "CCPA").
(a) Categories of personal information collected. In the prior twelve (12) months, Company has collected the following categories of personal information (as defined by CCPA):
- Identifiers (name, email, account ID, IP address).
- Customer records (account data, billing records).
- Internet or other network activity information (usage and device data).
- Commercial information (subscription tier, payment history).
- Geolocation data (city-level, derived from IP address).
- Audio, electronic, visual, thermal, olfactory, or similar information (photographs and video uploaded by Members or by their contacts for casting submissions).
- Professional or employment-related information (Member's role, production type, organization).
- Inferences (aggregate usage patterns).
Sensitive personal information. Company may incidentally collect personal information that constitutes sensitive personal information under CCPA where Members upload such data to the Platform, including (without limitation) precise geolocation data (only where Member voluntarily provides), and content of communications. Company does not use sensitive personal information for purposes that trigger the CCPA "right to limit use" beyond providing the Platform services Member has requested. See subsection (e) below for the right to limit, which Company honors notwithstanding the limited scope of Company's sensitive-personal-information processing.
(b) Categories of personal information disclosed for business purposes. Company has disclosed personal information to the following categories of recipients for business purposes in the prior twelve (12) months: sub-processors listed in Section 5 (Supabase, Stripe, Resend, Anthropic, Vercel, Cloudflare R2, Google Workspace, and Meta), in each case only as necessary to provide the Platform.
Company has not sold personal information for monetary or other valuable consideration in the prior twelve (12) months and has not shared personal information for cross-context behavioral advertising in the prior twelve (12) months. Company does not have actual knowledge of selling or sharing the personal information of consumers under sixteen (16) years of age.
(c) Sources. See Section 2 of this Policy.
(d) Purposes. See Section 3 of this Policy.
(e) Retention. See Section 7 of this Policy.
(f) Rights of California residents. In addition to the rights described in Section 9, California residents have the following rights under CCPA:
- Right to know. Request specific pieces of personal information and categories of personal information collected, sold, or shared.
- Right to delete. Request deletion of personal information Company has collected from Member.
- Right to correct. Request correction of inaccurate personal information.
- Right to opt out of sale or sharing. Because Company does not sell or share personal information for cross-context behavioral advertising, no opt-out is needed; nevertheless, Company honors any opt-out signals received.
- Right to limit use of sensitive personal information. Because Company does not use sensitive personal information for purposes that trigger this right (Company uses it only as necessary to provide the Platform), no limit is needed. Company will honor a limit request notwithstanding.
- Right to non-discrimination. Company will not discriminate against Member for exercising these rights.
(g) Authorized agent. Member may designate an authorized agent to make requests on Member's behalf. The authorized agent must provide proof of authorization, and Company may require Member to verify Member's own identity directly.
(h) How to exercise California rights. Send a request to privacy@fashionweekblueprint.com with the subject line "California Privacy Rights Request." Company will respond within forty-five (45) days, extendable by an additional forty-five (45) days where reasonably necessary, with notice to Member.
(i) "Shine the Light." California Civil Code Section 1798.83 permits California residents to request information about disclosures to third parties for those parties' direct marketing purposes. Company does not disclose personal information to third parties for their direct marketing purposes.
(j) Notice at collection. This Privacy Policy serves as Company's CCPA notice at collection. Categories collected and purposes are as set forth above.
17. Other State Privacy Rights
If Member is a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, New Jersey, Minnesota, New Hampshire, Maryland, Rhode Island, or any other U.S. state with a comprehensive consumer privacy law, Member has rights generally similar to those described in Section 9 (access, correction, deletion, portability, opt out of certain processing, appeal of denied rights requests). To exercise these rights, send a request to privacy@fashionweekblueprint.com with the subject line "State Privacy Rights Request" and identify Member's state of residence. Company will respond within the timeframes required by Member's state's law, generally forty-five (45) days, extendable by an additional forty-five (45) days where reasonably necessary.
Appeal of denied requests. Where Member's state law provides a right to appeal a denied rights request, send the appeal to privacy@fashionweekblueprint.com with the subject line "Privacy Rights Appeal" within sixty (60) days of Company's denial. Company will respond to the appeal within sixty (60) days.
18. Contact
For privacy-related questions, requests, or concerns, contact Company at privacy@fashionweekblueprint.com.
For California-specific requests, see Section 16. For other state-specific requests, see Section 17.
If Member is in the EEA, UK, Switzerland, or another jurisdiction with a supervisory authority and would like to lodge a complaint, Member has the right to do so. Company would appreciate the chance to address Member's concerns first.

