Last Updated: 03/12/2026

This Privacy Policy describes the types of Personal Information (defined below) that Cotton On U.S. Inc. and its subsidiaries and affiliates, including Cotton On, Cotton On Body, CO. by Cotton On, Free by Cotton On, Cotton On Kids, Rubi Shoes and Typo (collectively, "Cotton On U.S.," "we," "our," or "us") collects from and about you, how we may use and disclose such information, and your choices and legal rights with respect to such information. We ask that you carefully review this Privacy Policy, as it applies to the Cotton On U.S. websites (the "Website(s)") and mobile applications (the "App(s)"), as well as the services owned, operated, and/or provided by Cotton On U.S. that display or link to this Privacy Policy, including our offline locations (collectively, our "Services").

By using our Services, you agree to the collection, use, and disclosure of your Personal Information as described in this Privacy Policy. If you do not agree, please do not use our Services.

For purposes of this Privacy Policy, "Personal Information" refers to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to you, and includes "personal data" or similar terms as defined in applicable law.

Please note, this Privacy Policy solely applies to Cotton On's U.S.-based brands, and business operations in connection with Cotton On's U.S. activities. It does not apply to Cotton On's non-U.S. brands, affiliates, or subsidiaries, including those operating in Australia or other jurisdictions, or individuals accessing the Services from outside of the U.S. For information about our privacy practices in other jurisdictions, please visit our International Privacy Policy.

I. Notice at Collection of Personal Information

a. Categories of Personal Information We Collect

Cotton On U.S. collects the following categories of Personal Information, and discloses these categories of Personal Information to our service providers for legitimate business purposes such as payment processing, order fulfillment, and information security (described further in Section III below). In addition, as indicated in the chart, certain of these categories we "sell" or "share," or use for "targeted advertising" as these terms are defined in applicable U.S. law.

We do not knowingly sell or share the Personal Information of individuals under the age of eighteen (18).

Please click here to opt-out of the use of your Personal Information for sale, sharing, or targeted advertising. Additionally, in certain jurisdictions, you may also choose to enable a universal browser tool that automatically communicates your opt-out preferences, such as the Global Privacy Control ("GPC"). We will process the GPC signal as a request to opt-out.

b. The Business and Commercial Purposes That We Collect and Process Your Personal Information

We collect and process the categories of Personal Information described above for the following purposes:

• To provide you with the Websites, Apps, and Services, and to analyze and improve your experience with us

• To provide and maintain your account with us

• To process your payments and fulfill your orders for goods you purchase and/or your returns

• To provide you tailored products, services and offers, and to notify you about our new products and services, discounts, promotions or upcoming events, including through data driven targeted advertising

• To communicate with you, including through bots or artificial intelligence technologies, to respond to your inquiries/requests and request feedback from you, to provide customer service, and to send you important updates and messages about changes to our Services, this Privacy Policy, and/or other applicable terms and conditions

• To send you information, newsletters, and marketing/promotional material from us and, or on behalf of, our marketing partners and affiliates

• To review the usage and maintain the operation of our Services

• To conduct analysis and develop and/or improve our products and Services

• To monitor, protect, and maintain the security and integrity of our Services and our business, such as protecting against and preventing fraud, unauthorized transactions, claims and other liabilities

• To comply with applicable laws and regulations and respond to lawful requests and communications from law enforcement and other government officials

• To carry out sales and business transactions in which information held by us is among the assets transferred or is otherwise relevant to the evaluation, negotiation, or completion of the transaction

• To protect our rights, privacy, safety, property and/or those of others

• To fulfill any other purpose for which you provide your Personal Information or as explained to you at the point of information collection

c. Personal Information Retention

We will retain your Personal Information for as long as reasonably necessary to provide you with our Services that you request, for marketing purposes unless you opt out as described in our Privacy Policy, or otherwise where permitted or required in accordance with applicable law. We will retain and use your Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. What this means in practice will vary between different types of information, and when we consider our approach, we take into account ongoing business or legal needs for the information, for example in relation to tax, health and safety, and potential or actual disputes or investigations.

II. HOW WE COLLECT YOUR PERSONAL INFORMATION

There are several ways we may obtain Personal Information about you, including through (a) information you provide to us; (b) information we automatically collect; (c) information we receive from third parties; and (d) combining information from different sources.

a. Information You Provide

We collect Personal Information you provide us directly, including in the following instances:

• When you use our Services, including when you inquire about our products, create an account to use the Services, sign up for our rewards program, or communicate with us.

• When you make a purchase from our Websites or stores, and when you return products you purchased.

• When you participate in promotions, contests or surveys.

b. Information We Collect Automatically

When you visit our Websites or Apps, we and/or our third-party partners and service providers use a variety of technologies to automatically collect certain Personal Information from you. These data collection technologies include cookies, pixels, and tags on our Website, and in email messages and certain online advertisements. These technologies make your Website navigation more efficient, help remember your preferences, enhance your browsing experience, and improve the use and functionality of our Websites and related content. They can also enable the delivery of relevant and personalized advertisements to you across the Internet. For information on the choices you may have with respect to these data collection technologies, see the "Your Privacy Choices" section below.

The specific types of Personal Information that we, our partners, and service providers may automatically collect when you visit our Websites or Apps, and/or interact with our Services include:

• Device and Browser Information. This includes your device's IP address and/or other unique identifiers, browser type, device type, internet service provider, operating system, and when you access our Services from a mobile device, your device's approximate location (derived from your device's IP address or other signals).

• Usage Information. When you interact with our Services, certain information may be collected by us or our third party vendors, including the date and time of your visit, the pages you view immediately before and after you access our Services, the areas or pages of our Services that you visit, the amount of time you spend viewing or using our Services, items placed or left in your shopping cart on the Website or App, keystrokes, mouse movements, form field entries, recordings of chat sessions or your use of and inputs to other AIsupported tools, and other use and overall engagement with our Services.

• Marketing Information. If you receive an email from us, information may be collected about your interactions with the message (e.g., whether you opened, forwarded, or clicked through to our Website).

• Third-party analytics technologies. We may use third-party analytics tools to better understand who is using our Services, how people are using them, and how to improve their effectiveness as well as the effectiveness of any related content.

Our Third-Party Partners: The partners that assist us in automatically collecting your Personal Information include, but are not limited to, the following:

Google - We deploy technologies provided by Google to serve advertisements on our behalf and to provide analytics services. Google may use cookies and other tracking technologies to collect Personal Information from our Website for remarketing, traffic, demographics and interest reporting purposes via Google advertising cookies and anonymous identifiers. This information includes browsing and Website usage data and can be combined with other data related to you collected through Google's advertising cookie or other third-party technology. You can opt out of the use of this technology through the Google Analytics opt-out browser add on, Google Ad Settings, and/or Ad Settings for mobile apps.

Rakuten - Rakuten may collect personal information when you interact with our Websites, including IP addresses, digital identifiers, information about your web browsing and app usage and how you interact with our properties and ads for a variety of purposes, such as personalization of offers or advertisements, analytics about how you engage with websites or ads, and other commercial purposes. For more information about the collection, use and sale of your personal data and your rights, please use the following links:https:// rakutenadvertising.com/legal-notices/services-privacy-policy/ and https:// rakutenadvertising.com/legal-notices/subject-requests/.

c. Personal Information We Receive From Other Sources

We may receive Personal Information from other sources, including but not limited to:

• Our business partners, including companies that co-sponsor our promotions.

• Our marketing/advertising and analytics partners, including online advertising networks and analytics providers that assist us in engaging in targeted advertising.

d. Combination of Personal Information

In certain instances, we may combine information we receive about you from various sources. For example, we may combine Personal Information that we collect from you offline with Personal Information we collect from you through our Services. Similarly, we may combine Personal Information that we receive from third parties with Personal Information we already have about you. We use, disclose, and protect combined Personal Information as described in this Privacy Policy.

III. HOW WE DISCLOSE YOUR PERSONAL INFORMATION

We may disclose each category of Personal Information we collect as listed in Section I in a number of ways.

We disclose Personal Information for business purposes with the following categories of entities:

• Our service providers, that provide business, professional, or technical support services to us, help us operate our business and the Services, or administer activities on our behalf. We contractually require our service providers to only use your Personal Information in connection with providing services to Cotton On U.S.

• Our corporate affiliates, for purposes consistent with this Policy and other business and operational purposes.

Additionally, in some instances, we may disclose your Personal Information to the following categories of third parties. As indicated in Section I, these disclosures may be considered a "sale" or "share" or "targeted advertising" as these terms are defined in applicable law.

• Our advertising and analytics partners, including third parties that help us engage in targeted advertising, remarketing, and interest reporting, such as social media platforms, third-party advertising networks, and similar entities that help optimize our advertising and marketing efforts.

• Acquiring entities (and their advisors) in the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with a bankruptcy or similar proceeding).

• Governmental, regulatory, and/or public authorities where compelled by a legal obligation.

• Other third parties at your direction or with your consent, where required by law, or as we believe necessary or appropriate either to: (i) comply with applicable law; (ii) protect our operations and those of any of our affiliates; (iii) investigate and prevent against fraud; (iv) protect our rights, privacy, safety, or property and/or those of others; or (v) allow us to pursue available remedies or limit damages that we may sustain.

We may disclose your Personal Information for other reasons that we will describe at the time of information collection or prior to disclosing your information.

Please note that we may de-identify or aggregate Personal Information so that it will no longer be considered Personal Information and disclose such information to other parties for purposes consistent with those described in this Privacy Policy. We will protect de-identified information in accordance with applicable law and will never attempt to "re-identify" the information.

IV. YOUR PRIVACY CHOICES AND RIGHTS

Cotton On U.S. provides you a number of choices and rights with respect to the Personal Information we collect and maintain about you in accordance with this Privacy Policy.

a. U.S. State Privacy Rights

Residents of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Texas, Tennessee, Utah, Virginia, or any other state with an applicable privacy law have certain rights relating to the collection, use, disclosure, and other processing of their Personal Information. The exact scope of these rights may vary by state and depending on certain exceptions:

• Right to Know. You may have the right to know what Personal Information we have collected about you, including the categories of Personal Information collected, the sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, the categories of Personal Information disclosed to third parties, and the specific pieces of Personal Information we have collected about you. You may also have the right to access this Personal Information in a portable format.

• Right to Request Categories of Third Parties. You may have the right to request a list of the categories of third parties with which we disclose your Personal Information.

• Right to Request Specific List of Third Parties. You may have the right to request a list of the specific third parties with which we disclose your Personal Information. RI residents can access a list of all third parties with which we have sold or may sell Personal Information by following the instructions linked here.

• Right to Delete. You may have the right to request that we delete Personal Information that we have collected from or about you, subject to certain exceptions.

• Right to Correct. You may have the right to correct inaccurate Personal Information that we may maintain about you, subject to appropriate verification. Where appropriate, we may comply with a right to correct by deleting your Personal Information.

• Right to Opt Out of Sale, Sharing, and Targeted Advertising. We use and disclose to third parties Personal Information for analytics and advertising purposes which may be considered a "sale" under applicable state laws. Accordingly, you may have the right to opt out of the sale or "sharing" of your Personal Information, or the use and disclosure of your Personal Information for "targeted advertising" (as these terms are defined in applicable law).

To exercise your right to opt out of sale, sharing, and targeted advertising, please click here or the "Your Privacy Choices" link in the footer of the Website.

In some jurisdictions, you may choose to enable a tool that automatically communicates your opt-out preferences to all businesses that you interact with online. If you enable a browser-based opt-out preference signal, such as the GPC, upon receipt or detection, we will treat the signal as a valid request to opt out of sale, sharing, or targeted advertising linked to that browser and, where we can do so, consumer profiles that we have associated with that browser. Please note that if you use different browsers or browser profiles, you will have to enable the signal on each one that you use. We will never ask you to verify your identity to exercise your right to opt out of the sale of your Personal Information.

To exercise all other privacy rights, please contact us by phone at 1 (844) 319-5970 or email us at privacyofficer@cottonon.club. Please put the statement "Your Privacy Rights" in the subject field of your email.

You are not required to create an account to exercise your privacy rights described herein.

Verification: To protect the confidentiality of yours and others' Personal Information, we will only complete your request when your identity has been verified (other than for requests to opt out). We will seek to match the information in your request to the Personal Information we maintain about you. As part of our verification process, we may ask you to: submit additional information, use identity verification services to assist, or, if you have set up an account on our website, to sign into your account as part of our identity verification process. Where permitted under applicable law, we may decline a request if we are unable to verify your identity (or an agent's authority to make the request) and confirm the Personal Information we maintain relates to you.

Authorized agents. In certain states, consumers may designate an authorized agent to exercise their privacy rights. You may designate an authorized agent to submit requests on your behalf using the methods described in this section. However, we may require written proof of the agent's permission to do so and verify your identity directly with you.

Right to appeal. Depending on your U.S. state residency, you may have the right to appeal a decision we have made in connection with your privacy rights request. To appeal a refusal to take action on your request, please contact privacyofficer@cottonon.club or 1 (844) 319-5970. If you are unsatisfied with the way that we have handled your appeal, you may have the right to complain to your state's attorney general.

Right to non-discrimination. You will not receive retaliatory or discriminatory treatment in connection with a request to exercise your privacy rights described in this section. However, the exercising of the rights described above may result in a different price, rate, or quality/level of product or service where that difference is reasonably related to the impact the right has on our relationship with you or is otherwise permitted by law.

b. Interest-Based Advertising

Self-regulatory industry organizations such as the Digital Advertising Alliance (DAA) offer browser-based opt-out tools for the companies that participate in them. Please visit the DAA's AdChoices site for more information: https:// youradchoices.com/control

c. Marketing and Promotional Communications

From time to time, we may send you marketing and promotional communications, including special offers from us or our partners. If you no longer wish to receive promotional and marketing emails from us, you may opt out of such communications at any time by following the opt-out instructions linked in any promotional or marketing email you receive from us.

V. NOTICE OF FINANCIAL INCENTIVE

Cotton On U.S. may offer financial incentives to promote our products and services. These may include:

• Discounts, coupons, and special offers when you sign up for our email list, participate in a marketing promotion or sweepstakes, or create an account.

• Points programs, including our Cotton On & Co. Perks program where you earn points for certain purchases that can be redeemed for discounts or coupons, or receive a birthday reward.

We may ask you to provide Personal Information in connection with these promotions, including the following Personal Information: first and last name, email address, phone number, mailing address, date of birth, purchase history, etc. Because these promotions involve the collection of Personal Information, they may be interpreted as "financial incentive" programs or "bona fide loyalty programs." We use this information for the purposes described above under the section titled "Notice at Collection of Personal Information," including for targeted advertising. We may share your Personal Information with third parties as described in our "Notice at Collection of Personal Information," including data analytics providers, advertising technology vendors, and social media platforms.

Participation in any financial incentive is optional. To enroll in the Cotton On & Co. Perks program, please click here. You may withdraw from the program at any time by contacting us as described in this Privacy Policy or by following the instructions linked here. To stop receiving our coupons or discounts in your email, you may unsubscribe from our emails by clicking the "unsubscribe" button at the bottom of any such email. If you ask us to delete your Personal Information or submit a sale, sharing or targeted advertising opt-out request we will not be able to provide you with access to these programs. We may stand up new incentive programs from time to time – information on how to sign up and opt out of these programs will be provided as applicable.

The value of any financial incentive we offer is reasonably related to the value of any Personal Information you provide to us. We estimate the value of your Personal Information by considering, without limitation, the expenses we incur from collecting your Personal Information and/or providing the financial incentive to you, the revenue generated by your use of the financial incentive, and any improvements we can make to our products and services based on aggregating information obtained through the financial incentive program.

Please note that we may provide additional terms that apply to a particular financial incentive. If applicable, those terms will be presented to you at sign up.

VI. EXTERNAL LINKS

Our Services may have links to third-party services, which may have privacy policies that differ from our own. We are not responsible for the practices of such sites, and encourage you to review the terms and conditions and privacy practices of each site you interact with.

VII. CHILDREN

Our Services are intended for a general audience. We do not direct our Services to individuals under eighteen (18), nor do we knowingly solicit/collect or sell any Personal Information from minors. In the event that a person under 18 tries to sign up for an account or provide us Personal Information, we will block that sign up. If we learn that we have collected Personal Information of a person under 18, we will delete that information.

VIII. DATA SECURITY

We have implemented appropriate physical, administrative, and technical safeguards to maintain the security, confidentiality, and integrity of your Personal Information that we collect and maintain. However, as no transmission of information over the internet is absolutely secure, we cannot guarantee the safety of your information.

IX. REVISIONS TO THIS PRIVACY POLICY

We reserve the right to update or modify this Privacy Policy at any time without prior notice by posting a revised version of the policy on the Website. If we make material changes to this Privacy Policy, we will notify you by temporarily noting "UPDATED" next to the Privacy Policy link in the footer of our Website or directly communicating with you via email or your account. Your use of the Website, App, or any Services following revision to this Privacy Policy constitutes your agreement that all information collected from or about you after the revised policy is posted will be subject to the terms and conditions of the revised policy. Where required by applicable law, we will obtain your opt-in consent if we use Personal Information that we previously collected about you for a purpose that is materially different from the purposes we described in the version of our Privacy Policy applicable to you at the time we collected that Personal Information.

The date listed in the "Last Updated" legend above indicates the most recent change or update to this Privacy Policy.

X. CONTACT

If you have any questions or concerns about this Privacy Policy or the practices described herein, you may contact us:

By telephone at: 1 (844) 319-5970

By email at: privacyofficer@cottonon.club

By mail at: The Privacy Officer, Cotton On Group, 14 Shepherd Court, North Geelong, Victoria 3215