Privacy Notice

Dated: August 1, 2023

Nicolay Consulting Group, Inc., a California corporation (“NCG,” “we,” or “us”) believe protecting your privacy is critical to the way we conduct business. We conduct pension plan consulting services for our clients who are pension plan sponsors, pension plan administrators, and public health plan sponsors (collectively “Clients”) to provide pension plan actuarial and administrative services and health plan actuarial services for our Clients (collectively, “Services”). If you are a participant in a pension plan that we provide Services for, you may from time-to-time access our webpage for information or to communicate with us. The purpose of this webpage is to inform you how we collect, use, and share the personal information we collect about you from your use of our (i) websites; (ii) mobile apps, if applicable; (iii) Services; or (iv) when you otherwise interact with us or receive a communication from us.

Our Information Collecting Practices

For detailed information regarding our collection of personal information (i.e., Why we collect it; How we use it; and Your options for limiting our receipt of such personal information) please review the NCG Privacy Policy, below.

Additional Protections

NCG complies with all applicable federal regulations related to the handling and processing of your personal information. In addition to these laws, some states, including California, provide their residents with additional protections and rights regarding our use of personal information. To learn more about your state’s additional privacy rights, if applicable, please review the section below, captioned State Privacy Rights. Note that we never sell your personal information. We also do not disclose your personal information unless permitted or required by law or contract.

Contact Directory

NCG strives to provide an enhanced customer service experience. For privacy related questions, please use one of the following contact methods:

General Privacy Related Inquiries:
For general questions regarding NCG privacy policies, please contact us through one of the following means:

Email address: Service@nicolayconsulting.com
Regular Mail: 231 Sansome St, Ste 300, San Francisco, CA 94104
Telephone:(415) 512-5300

Specific Privacy Related Inquiries:
For specific questions regarding a particular financial product, please contact us by telephone at the number displayed on the Contact Us page or at the number located on your plan documents or account statements.

For any questions regarding your rights under a particular state’s laws, please refer to your state’s section under State Privacy Rights, below, for contact information. If your state is not listed below, then your state does not have any additional rights beyond those addressed in the NCG Privacy Policy, and you may contact us as described above for general or product-specific inquiries.

Note: To help ensure your personal information is kept confidential, we require that you identify yourself when calling by providing specific information, such as your account information and other identifying information.

State Privacy Rights

If your state of residence has privacy laws related to your personal information, and you have questions or would like to exercise such rights, please refer to your applicable state’s Privacy Statement section below: If there is no Privacy Statement section listed for your state that means no additional privacy rights, beyond current federal statutes or regulations, exist within your state at this time.

CALIFORNIA

PRIVACY STATEMENT – CALIFORNIA

This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS supplements the information contained in the NCG Privacy Policy and applies solely to those who reside in the State of California (“consumers” or “you”). Nicolay Consulting Group, Inc., and its affiliated companies (“NCG,” “we,” or “us”) adopts this notice to comply with the California Consumer Privacy Act of 2018 and its implementing regulations, as amended by the California Privacy Rights Act (“CPRA”). Any terms defined in the CPRA have the same meaning when used in this statement. Note that we do not sell your personal information. We also do not disclose your personal information unless permitted or required by law or contract.

Information We Collect

We collect personal information. For purposes of the CPRA, personal information is information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or device. In particular, we have collected for a business purpose, the following categories of personal information from consumers within the last 12 months:

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Protected classification characteristics under California or federal law.
Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
Commercial information.
Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other similar network activity.
Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
Professional or employment-related information.
Current or past job history; employer names and addresses.
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Inferences drawn from other personal information, which may include a person’s preferences, characteristics, and predispositions.
Sensitive personal information.
Social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; union membership; contents of a consumer’s mail, email, and text messages.

Our Services are not intended for minors, including those under the age of 16. In the preceding twelve (12) months, we have not sold or shared any personal information, including personal information of individuals under the age of 16.

The categories of personal information noted above are obtained from the following categories of sources:

Directly from our Clients or their agents. For example, from documents and data that our Clients provide to us related to the services for which they engage us.
Indirectly from our Clients or their agents. For example, through information we collect from our Clients in the course of providing services to them.
Directly and indirectly from activity on our websites. For example, from submissions through our website portal or website usage details collected automatically.
From third parties that interact with us in connection with the services we perform for you. For example, from affiliated institutions that provide specified pension plan service products.

Use of Personal Information

We use or disclose the personal information we collect for one or more of the following business purposes:

To provide you with information, products, or services that you or a third party acting on your behalf requests from us. For example, if we receive your personal information in order for us to maintain or administer your pension plan, we will use that information to provide you those services.

To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news that may be of interest to you.
To carry out our obligations and enforce our rights arising from any contracts entered into between you (or on your behalf) and us, including for billing and collections.
To maintain and improve our website.
To protect the rights, property, or safety of NCG, our Clients or others as is necessary or appropriate.
To respond to law enforcement requests and as required by applicable law, rule, regulation, court order, or governmental regulations.
To fulfill or meet the reason for which the information is provided.
As described to you when collecting your personal information or as otherwise set forth in the CPRA.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, or similar proceeding, in which personal information held by us is among the assets transferred.

We will not collect additional categories of personal information or use the personal information collected for materially different, unrelated, or incompatible purposes without providing you notice. Notice will be in the form of an update to this Privacy Management Page.

Note that the following information is excluded from the scope of the CPRA:

Publicly available information from government records (if used for a purpose compatible with the purpose for which the data is maintained and made available in the government records).
De-identified or aggregated consumer information. De-identified information is information that cannot reasonably identify, relate to, or describe a particular consumer. In other words, the information cannot be traced to any particular person.
Aggregated information is information about a group of consumers from which individual consumer identities have been removed.
Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Disclosing Personal Information

In order to effectively deliver our services to you, your personal information may be disclosed to a third party for a business purpose, in accordance with the Information We Collect section above. This may include but not be limited to (i) our affiliates;

(ii) service providers (e.g., a print vendor with responsibility to produce and/or mail paper statements and notices; or (iii) the applicable custodial banking institutions who hold your money); and third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you.

Prior to any such disclosure to any third party, we require an executed contract that describes the specified purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose, except to perform the specific services stated within such contract.

Retention of Personal Information

We will retain each category of your personal information for as long as necessary to fulfill the purposes described in the “Use of Personal Information” section above, unless otherwise required by applicable laws. Criteria we will use to determine how long we will retain your information include whether: we need your information to provide you with products or services you have requested; we continue to have a relationship with you; you have requested information, products, or services from us; we have a legal right or obligation to continue to retain your information; we have an obligation to a third party that involves your information; our retention or recordkeeping policies and obligations dictate that we retain your information; we have an interest in providing you with information about our products or services; and we have another business purpose for retaining your information.

Your Rights and Choices

California law provides California residents with specific rights regarding their personal information. This section describes your California privacy rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and verify your request, we will disclose specific information to you as it relates to your account regarding:

The categories of personal information we collected about you.
The categories of sources for the personal information we collected about you.
Our business or commercial purpose for collecting that personal information.
The categories of third parties with whom we share that personal information.
The specific items of personal information we collected about you which are subject to such disclosure.

Correction Request Rights

You have the right to request correction of any inaccurate personal information, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will correct (and direct our service providers to correct) your personal information, unless an exception applies. We may deny your correction request if:

We cannot verify your identity.
We believe a request is fraudulent or abusive.
We are not the source of the personal information that you believe is inaccurate. In such cases, we will provide you the name of the source from which received the personal information.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. Accordingly, we may deny your deletion request if retaining the information is necessary for us or our service providers to:

Complete the transaction for which we collected the personal information, provide a good or service that you requested or that a third party requested on your behalf, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you or the sponsor of your plan or account.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided the information.

Opt Out of the Sale/Sharing of Your Personal Information

The CPRA provides California consumers with the right to opt-out of the sale of their personal information to third parties. The CPRA defines “sale” or “sell” as disclosing or making available to a third-party personal information in exchange for monetary or other valuable consideration. We do not sell your personal information.

Sensitive Personal Information

Where we collect sensitive personal information about you, we only use it to provide our products and services to you. California consumers also have the right to opt-out of the sharing of their personal information. NCG does not share your personal information as that term is defined under CPRA.

Exercising Your Rights

To receive access to your personal information or exercise your other rights:

METHOD 1

To access your personal information, please log into your existing account profile within the applicable secure portal, which enables you to view your account and other associated personal details.

METHOD 2

For general inquiries or requests with respect to your rights under CPRA, please submit a request to one of the following options:

Phone: (415) 512-5300

Email Address: service@nicolayconsulting.com

Address: 231 Sansome St. Ste 300, San Francisco, CA 94104, Attention: Compliance Department

Please note that we must verify your identity before we can discuss your request for any details about your account. Only you or an authorized agent registered with the California Secretary of State that you authorize to act on your behalf may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. If you are an authorized agent making a request on behalf of a California resident, we will also need to verify your identity, which may require proof of your written authorization or evidence of a power of attorney.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with any personal information if we cannot verify your identity or if we determine that you do not have the authority to make the request or confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. To verify a consumer request, we will only use personal information previously provided to us to verify the requestor’s identity and authority to make the request.

Response Timing and Format

We will attempt to respond to a verifiable consumer request within 45 days. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to the address on record for that account. If you do not have an account with us, we will deliver our written response by mail or electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons why we cannot comply with a request, if applicable, and instructions on how to appeal the decision. For data portability requests, we’ll select a format to provide your personal information that is secure and readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

Generally, we do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine the request warrants a fee, we will tell you why that decision was made and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against any California resident in the exercise of their CPRA rights. Unless permitted by the CPRA, we will not do any of the following solely because you exercised your CPRA rights:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

COLORADO

PRIVACY STATEMENT – COLORADO

This PRIVACY NOTICE FOR COLORADO RESIDENTS supplements the information contained in the NCG Privacy Policy and applies solely to those who reside in the State of Colorado (“you”). NCG Group, LLC, and its affiliated companies (“NCG,” “we,” or “us”) adopt this notice to comply with the Colorado Privacy Act. Note that we never sell your personal information. We also do not disclose your personal information unless permitted or required by law or contract.

Information We Collect

We collect personal information in accordance with Section 2 of our Policy. We do not sell personal information.

Use of Personal Information

We use personal information in accordance with Section 4 of our Privacy Policy.

Note that the following information is excluded from the scope of the above state laws:

Publicly available information from government records (if used for a purpose compatible with the purpose for which the data is maintained and made available in the government records).
De-identified or aggregated consumer information. De-identified information is information that cannot reasonably identify, relate to, or describe a particular consumer. In other words, the information cannot be traced to any particular person. Aggregated information is information about a group of consumers from which individual consumer identities have been removed.
Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or clinical trial data; and
Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act of 1994.

Disclosing Personal Information

We disclose personal information in accordance with Section 5 of our Privacy Policy.

Your Rights and Choices

If you reside in Colorado, you have specific rights regarding your personal information. This section describes your privacy rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and verify your request, we will disclose specific information to you as it relates to your account.

Correction Request Rights

We cannot verify your identity.
We believe a request is fraudulent or abusive.
We are not the source of the personal information that you believe is inaccurate. In such cases, we will provide you the name of the source from which received the personal information

Deletion Request Rights

Complete the transaction for which we collected the personal information, provide a good or service that you requested or that a third party requested on your behalf, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you or the sponsor of your plan or account.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided the information.

Opt Out of Profiling and Targeted Advertising

In addition, you have the right to opt out of targeted advertising and profiling, to the extent that profiling makes decisions that produce legal or similarly significant effects concerning you. NCG does not engage in targeted advertising or profiling as such terms are defined under Colorado Privacy Act. To the extent we do profile you, it will be related to our legal obligations under applicable financial laws and regulations (i.e., know your customer requirements).

Exercising Your Rights

To receive access to your personal information or exercise your other rights:

METHOD 1

To access your personal information, please log into your existing account profile within the applicable secure portal, which enables you to view your account balance and other associated personal details.

METHOD 2

For general inquiries or requests with respect to your rights, please submit a request to one of the following options:

Phone: (415) 512-5300

Email Address: service@nicolayconsulting.com

Address: 231 Sansome St. Ste 300, San Francisco, CA 94104, Attention: Compliance Department

Please note that must verify your identity before we can discuss your request for any details about your account. Only you or an authorized agent that you authorize to act on your behalf may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. If you are an authorized agent making a request on behalf of an individual, we will also need to verify your identity, which may require proof of your written authorization or evidence of a power of attorney.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Response Timing and Format

Non-Discrimination

We will not discriminate against you for exercising your rights. Unless permitted, we will not do any of the following solely because you exercised your rights:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Sensitive Personal Information

Where we collect sensitive personal information about you, we will only do so to perform a contracted service.

CONNECTICUT

PRIVACY STATEMENT – CONNECTICUT

This PRIVACY NOTICE FOR CONNECTICUT RESIDENTS supplements the information contained in the NCG Privacy Policy and applies solely to those who reside in the State of Connecticut (“you”). NCG Group, LLC, and its affiliated companies (“NCG,” “we,” or “us”) adopt this notice to comply with the Connecticut Act Concerning Personal Data Privacy and Online Monitoring. Note that we never sell your personal information. We also do not disclose your personal information unless permitted or required by law or contract.

Information We Collect

We collect personal information in accordance with Section 2 of our Policy. We do not sell personal information.

Use of Personal Information

We use personal information in accordance with Section 4 of our Privacy Policy.

Note that the following information is excluded from the scope of the above state laws:

Publicly available information from government records (if used for a purpose compatible with the purpose for which the data is maintained and made available in the government records).
De-identified or aggregated consumer information. De-identified information is information that cannot reasonably identify, relate to, or describe a particular consumer. In other words, the information cannot be traced to any particular person. Aggregated information is information about a group of consumers from which individual consumer identities have been removed.
Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or clinical trial data; and
Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act of 1994.

Disclosing Personal Information

We disclose personal information in accordance with Section 5 of our Privacy Policy.

Your Rights and Choices

If you reside in Connecticut, you have specific rights regarding your personal information. This section describes your privacy rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

Correction Request Rights

We cannot verify your identity.
We believe a request is fraudulent or abusive.
We are not the source of the personal information that you believe is inaccurate. In such cases, we will provide you the name of the source from which we received the personal information

Deletion Request Rights

Complete the transaction for which we collected the personal information, provide a good or service that you requested or that a third party requested on your behalf, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you or the sponsor of your plan or account.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided the information.

Opt Out of Profiling and Targeted Advertising

In addition, you have the right to opt out of targeted advertising and profiling, to the extent that profiling makes decisions that produce legal or similarly significant effects concerning you. NCG does not engage in targeted advertising and profiling as such terms are defined under the Connecticut Act Concerning Personal Data Privacy and Online Monitoring. To the extent we do profile you, it will be related to our legal obligations under applicable financial laws and regulations (i.e., know your customer requirements).

Exercising Your Rights

To receive access to your personal information or exercise your other rights:

METHOD 1

METHOD 2

For general inquiries or requests with respect to your rights, please submit a request to one of the following options:

Phone: (415) 512-5300

Email Address: service@nicolayconsulting.com

Address: 231 Sansome St. Ste 300, San Francisco, CA 94104, Attention: Compliance Department

Please note that we will need to verify your identity before we can discuss your request for any details about your account. Only you or an authorized agent that you authorize to act on your behalf may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. If you are an authorized agent making a request on behalf of an individual, we will also need to verify your identity, which may require proof of your written authorization or evidence of a power of attorney.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Response Timing and Format

We will attempt to respond to a verifiable consumer request within 45 days. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to the address on record for that account. If you do not have an account with us, we will deliver our written response by mail or electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons why we cannot comply with a request, if applicable, and instructions on how to appeal the decision. For data portability requests, we will select a format to provide your personal information that is secure and readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

Non-Discrimination

We will not discriminate against you for exercising your rights. Unless permitted, we will not do any of the following solely because you exercised your rights:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Sensitive Personal Information

Where we collect sensitive personal information about you, we will only do so to perform a contracted service.

UTAH

PRIVACY STATEMENT – UTAH

This PRIVACY NOTICE FOR UTAH RESIDENTS supplements the information contained in the NCG Privacy Policy and applies solely to those who reside in the State of Utah (“you”). NCG Group, LLC, and its affiliated companies (“NCG,” “we,” or “us”) adopt this notice to comply with the Utah Consumer Privacy Act. Note that we never sell your personal information. We also do not disclose your personal information unless permitted or required by law or contract.

Information We Collect

We collect personal information in accordance with Section 2 of our Privacy Policy. We do not sell personal information.

Use of Personal Information

We use personal information in accordance with Section 4 of our Privacy Policy.

Note that the following information is excluded from the scope of the above state laws:

Publicly available information from government records (if used for a purpose compatible with the purpose for which the data is maintained and made available in the government records).
De-identified or aggregated consumer information. De-identified information is information that cannot reasonably identify, relate to, or describe a particular consumer. In other words, the information cannot be traced to any particular person. Aggregated information is information about a group of consumers from which individual consumer identities have been removed.
Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or clinical trial data; and
Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act of 1994.

Disclosing Personal Information

We disclose personal information in accordance with Section 5 of our Privacy Policy.

Your Rights and Choices

If you reside in Utah, you have specific rights regarding your personal information. This section describes your privacy rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

Correction Request Rights

We cannot verify your identity.
We believe a request is fraudulent or abusive.
We are not the source of the personal information that you believe is inaccurate. In such cases, we will provide you the name of the source from which received the personal information

Deletion Request Rights

Complete the transaction for which we collected the personal information, provide a good or service that you requested or that a third party requested on your behalf, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you or the sponsor of your plan or account.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided the information.

Opt Out of Profiling and Targeted Advertising

In addition, you have the right to opt out of targeted advertising and profiling, to the extent that profiling makes decisions that produce legal or similarly significant effects concerning you. NCG does not engage in targeted advertising or profiling as such terms are defined under Utah Consumer Privacy Act. To the extent we do profile you, it will be related to our legal obligations under applicable financial laws and regulations (i.e., know your customer requirements).

Exercising Your Rights

To receive access to your personal information or exercise your other rights:

METHOD 1

METHOD 2

For general inquiries or requests with respect to your rights, please submit a request to one of the following options:

Phone: (415) 512-5300

Email Address: service@nicolayconsulting.com

Address: 231 Sansome St. Ste 300, San Francisco, CA 94104, Attention: Compliance Department

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Response Timing and Format

We will attempt to respond to a verifiable consumer request within 45 days. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to the address on record for that account. If you do not have an account with us, we will deliver our written response by mail or electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons why we cannot comply with a request, if applicable, and instructions on how to appeal the decision. For data portability requests, we will select a format to provide your personal information that is secure and readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

Non-Discrimination

We will not discriminate against you for exercising your rights. Unless permitted, we will not do any of the following solely because you exercised your rights:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Sensitive Personal Information

Where we collect sensitive personal information about you, we will only do so to perform a contracted service.

VIRGINIA

PRIVACY STATEMENT – VIRGINIA

This PRIVACY NOTICE FOR VIRGINIA RESIDENTS supplements the information contained in the NCG Privacy Policy and applies solely to those who reside in the State of Virginia (“you”). NCG Group, LLC, and its affiliated companies (“NCG,” “we,” or “us”) adopt this notice to comply with the Virginia Consumer Data Protection Act. Note that we never sell your personal information. We also do not disclose your personal information unless permitted or required by law or contract.

Information We Collect

We collect personal information in accordance with Section 2 of our Policy. We do not sell personal information.

Use of Personal Information

We use personal information in accordance with Section 4 of our Privacy Policy.

Note that the following information is excluded from the scope of the above state laws:

Publicly available information from government records (if used for a purpose compatible with the purpose for which the data is maintained and made available in the government records).
De-identified or aggregated consumer information. De-identified information is information that cannot reasonably identify, relate to, or describe a particular consumer. In other words, the information cannot be traced to any particular person. Aggregated information is information about a group of consumers from which individual consumer identities have been removed.
Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or clinical trial data; and
Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act of 1994.

Disclosing Personal Information

We disclose personal information in accordance with Section 5 of our Privacy Policy.

Your Rights and Choices

If you reside in Virginia, you have specific rights regarding your personal information. This section describes your privacy rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

Correction Request Rights

We cannot verify your identity.
We believe a request is fraudulent or abusive.
We are not the source of the personal information that you believe is inaccurate. In such cases, we will provide you the name of the source from which received the personal information

Deletion Request Rights

Complete the transaction for which we collected the personal information, provide a good or service that you requested or that a third party requested on your behalf, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you or the sponsor of your plan or account.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided the information.

Opt Out of Profiling and Targeted Advertising

In addition, you have the right to opt out of targeted advertising and profiling, to the extent that profiling makes decisions that produce legal or similarly significant effects concerning you. NCG does not engage in target advertising or profiling as such terms are defined under Virginia Consumer Data Protection Act. To the extent we do profile you, it will be related to our legal obligations under applicable financial laws and regulations (i.e., know your customer requirements).

Exercising Your Rights

To receive access to your personal information or exercise your other rights:

METHOD 1

METHOD 2

For general inquiries or requests with respect to your rights, please submit a request to one of the following options:

Phone: (415) 512-5300

Email Address: service@nicolayconsulting.com

Address: 231 Sansome St. Ste 300, San Francisco, CA 94104, Attention: Compliance Department

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Response Timing and Format

We will attempt to respond to a verifiable consumer request within 45 days. If we require more time (up to 90 days), we’ll inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to the address on record for that account. If you do not have an account with us, we will deliver our written response by mail or electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons why we cannot comply with a request, if applicable, and instructions on how to appeal the decision. For data portability requests, we will select a format to provide your personal information that is secure and readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

Non-Discrimination

We will not discriminate against you for exercising your rights. Unless permitted, we will not do any of the following solely because you exercised your rights:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you with a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Sensitive Personal Information

Where we collect sensitive personal information about you, we will only do so to perform a contracted service.

Changes to Our Privacy Notice

By using our Site, you acknowledge that you have read, understand, and accept this Privacy Notice.

This Privacy Notice is subject to change at any time. If we amend this Privacy Notice, we will update the “Effective Date” at the top of this page and post it on our Site(s). Where required by local law, we will also notify you of any changes we make to this Privacy Notice in accordance with law and the notice provisions in the terms of our engagement. To the extent permitted by law, any changes we make to this Privacy Notice become effective immediately.

Our contractual commitments to Clients will supersede any terms in this Privacy Notice.

Privacy Policy – Supplement to Privacy Notice

(dated August 1, 2023)

Nicolay Consulting Group, Inc., is dedicated to protecting the privacy of its clients, who are pension plan sponsors and pension plan administrators, and public health plan sponsors (hereinafter, collectively, the “Clients”), pension plan participants and any on-line website visitors. This Privacy Policy (hereinafter the “Policy”) covers the information privacy practices of Nicolay Consulting Group, Inc., (“NCG” or “we” or “our” or “us”), and describes NCG’s information security practices relating to the collection and use of personal information collected either (a) in our capacity as service provider to our Clients, or (b) through visitors accessing any websites NCG maintains (hereinafter, the “Site”). For more specific information about how we process your personal information, including information specific to privacy laws in your state of residence (California, Colorado, Connecticut, Utah, and Virginia), please review our Privacy Notice above, and references to your state.

1. What is Personal Information?

As used in this Policy, “personal information” means data identifiable to any person, including, among other things, your name and address, Social Security or taxpayer identification number, and date of birth or as otherwise defined by applicable law.

2. Information Collected

Information you provide to us.

We obtain information you, or someone on your behalf, provides to us in writing or by telephone, such as when you, or your employer or retirement plan sponsor acting on your behalf, sign up for services with NCG; contact NCG’ customer service staff members; and/or input information through our Site(s). This information may include items such as your name, address, birthdate, telephone number, location, social security number, credit card numbers, gender, log-in credentials, beneficiary name, beneficiary birthdate, e-mail address, passport number, account activity and/or other financial account information such as account numbers.

Information we receive from third parties.

We obtain information about you from third parties, including our Clients, partners, or public sources. This information may include name, address, birthdate, telephone number, social security number, gender, beneficiary name, beneficiary birthdate, as well as information about your retirement plan and/or benefits, information about your transactions and account activity with us.

Information we collect automatically when you connect to NCG technology systems via your technology device.

When you access a page of a Site via a browser, application, or handheld device, our web servers automatically record certain information, known as “log information.” This log information includes information such as the web page you are coming from or going to, terms you search, pages you view on a Site or mobile application, your interaction with a Site, application or online service provider, your IP address, mobile device ID, browser type, browser language, device type, and data contained in one or more Cookies (discussed in more detail, below) that uniquely identifies your browser, your computer, your device and/or your NCG account. This log information is collected to allow us to deliver services or information you have requested, better understand user behavior on our Site, assist in troubleshooting problems, and improve the quality of our service. Please be aware that in some cases your IP address will be used to determine your general location.

Additionally, if you allow your browser and/or mobile device provider to send information to us, we shall receive your location, mobile device ID, publicly available demographic data, and information used (i) to comply with regulatory or contractual requirements, (ii) to ensure the accuracy of data, (iii) to better understand your likely interests and/or (iv) to prevent fraud.

3. The Following Privacy Practice applies to information received through technology devices only:

Use of Cookies and Other Tracking Technology to Collect Information

A “Cookie” is a small string of text that is sent to your computer or mobile device when you use a website. NCG does not presently use “cookies “ on its website to automatically collect certain types of usage information when you visit our site (our “Site”), read our emails, or otherwise engage with us. Nor are there any analytics tracking installed on our Site. Further, there are no third-party integrations running on our Site. You may set your e-mail options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our e-mail and performed certain functions with it. Deleting Cookies does not delete local storage objects, such as Flash objects and HTML5.

4. Use of Personal Information

NCG uses your personal information solely to develop, offer, deliver, and improve our products and services, to fulfill legal, regulatory and/or contractual requirements, and as otherwise permitted by applicable law. NCG does not sell personal information.

For example, we use the personal information to:

Operate the Site and services;
- Deliver products and services to people who use our Site and services;
- Understand how visitors use our Site, and determine whether the content on the Site is effective;
- Improve our Site and/or services offerings;
  - Personalize your experience when you use our Site and services and customize the communications and advertisements you receive from us and our affiliates or customers;
  - Deliver advertisements and other information about products, services and applications offered by NCG via email, and when you visit or use third-party sites;
  - Let us know which emails have been opened by recipients to understand the effectiveness of our marketing and other communications and to make those communications more useful and interesting to you;
- Communicate with you, including via email, text message, push notifications, and/or telephone calls;
- Remember your information so that you will not have to re-enter it during your next visit;
- Identify you across different devices that you use;
- Diagnose or fix technology problems.

If you do not wish to receive marketing messages from NCG, you may indicate your preferences by clicking the “Unsubscribe” link in the email.

5. Our Information Sharing Practices

Information about our customers, website visitors, and mobile application users, if applicable, is an important part of our business. We never sell your personal information, and we do not share your personal information except as permitted or required by law or contract, including as provided below:

Sharing Information with Non-affiliated Third Parties. We do not share your personal information with non-affiliated third parties, except as permitted or required by law, including as provided below:

Clients and Service Providers. In order to provide our products and services, we may receive and share personal information about you with our Clients and service providers to perform functions on our behalf, such as to send email and postal mail, analyze data, provide marketing services, and service accounts. When we use these third parties, we disclose some of the personal information that we collect, although we give them only the personal information reasonably necessary to perform the service. Service providers with access to personal information are pre-qualified by NCG to ensure that information security practices are maintained throughout the term of their contract with NCG.
- Maintain and Service your NCG Account. We disclose personal information about you to third parties as reasonably necessary to maintain and service your NCG account, including to facilitate transactions. The personal information collected at the time of your enrollment in a financial product, administered by NCG, is required in order to provide you with contracted services, which is why you are not able to opt-out of information sharing, as described in this Policy, once enrolled.

Protection of NCG and Others. We disclose personal information about you to third parties when we believe such disclosure is appropriate to comply with a legal requirement, such as a law, regulation, court order, subpoena, or search warrant, or during a legal proceeding.

Business Transfers. If there is a change of control in NCG’ business (whether by merger, sale, or otherwise), your personal information could be sold as part of that transaction and your personal information potentially could be used by the purchaser.

With your Consent. We also share your personal information with a third-party if you consent to the sharing. NCG does not share personal information with non-affiliated institutions to enable them to market their products and services directly to you.

NCG may share with third parties, including non-affiliated, non-financial institutions, information that does not personally identify you for any reason NCG deems necessary or desirable. NCG may also anonymize and aggregate personal information for its business purposes, which include improvement and/or development of NCG’ products and services, and/or to create statistical reports or materials. Anonymized aggregated information is not considered personal information and may be used at NCG’ discretion for any purpose.

6. How We Store and Protect Your Information

Data Storage and Transfer. Your information collected through our Site is stored and processed in the United States or any another country in which we and our services providers maintain facilities. If you are located in the European Union or other regions with laws governing data collection and use that differ from U.S. laws, please note that we transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction, and you consent to the transfer of information to the U.S. or any other country in which we or our service providers maintain facilities and the use and disclosure of information about you as described in this Policy.

Keeping your Information Safe. We care about the security of your information and have implemented and continue to maintain physical, administrative, and technological safeguards intended to preserve the integrity and security of all information collected through our Site. However, no security system is impenetrable, and we cannot completely guarantee the security of our systems.

7. How can I Access and Update my NCG Data?

You may access and update information stored in your account profile by visiting the applicable Site. Please keep your contact, account, and preference information up to date.

We will retain your information for as long as we reasonably deem it necessary to provide you services, comply with our legal or other obligations, resolve potential disputes, audit our records and/or enforce our rights and obligations. If you no longer want us to use your information to

provide you with our services, you will need to take the appropriate steps to terminate your relationship with NCG. However, legal or other obligations may require us to retain your information even if you request that we delete it.

Collection of Information from Children

NCG does not knowingly collect or solicit any information from anyone under the age of 13 on our Site. In fact, we do not believe our services are appropriate for those under 16 years of age. If we learn that we have inadvertently collected personal information from a child under age 13, we will promptly delete that information. If you believe that we might have any information from a child under 13, please contact us using the contact information listed below.

Changes to this Privacy Policy

In accordance with data privacy laws that are continuously being updated, NCG reviews and updates this Policy on a regular basis, but in no event less than once annually. In the event we materially change this Policy, or our personal information-handling practices described in this Policy, we will notify you by email and/or through a notice on our Site(s) prior to the change being implemented.

Contacting NCG about this Privacy Policy If you have any questions about this Policy, our information-handling practices, or other aspects of privacy at NCG, contact us at Telephone: (415) 512-5300 or Mail to Nicolay Consulting Group, 231 Sansome Street, Suite 300, San Francisco, CA 94104 (Attn: Compliance Department), or email: Service@nicolayconsulting.com

Privacy Notice

Our Information Collecting Practices

Additional Protections

Contact Directory

State Privacy Rights

PRIVACY STATEMENT – CALIFORNIA

PRIVACY STATEMENT – COLORADO

PRIVACY STATEMENT – CONNECTICUT

PRIVACY STATEMENT – UTAH

PRIVACY STATEMENT – VIRGINIA

Changes to Our Privacy Notice

Privacy Policy – Supplement to Privacy Notice

1. What is Personal Information?

2. Information Collected

3. The Following Privacy Practice applies to information received through technology devices only:

Use of Cookies and Other Tracking Technology to Collect Information

4. Use of Personal Information

5. Our Information Sharing Practices

6. How We Store and Protect Your Information

7. How can I Access and Update my NCG Data?

NICOLAY CONSULTING

Social Media