JURISDICTIONAL - The Marker

ANNEX A: JURISDICTIONAL ADDENDUM (CA & CAN)

1. THE CALIFORNIA STRATUM: CCPA & CPRA COMPLIANCE

1.1. Introduction to California Rights. This section supplements the Global Privacy Notice and applies exclusively to “California Consumers.” Under the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA), you are granted specific proprietary rights over your personal information.

1.2. California “Shine the Light” Law. Pursuant to California Civil Code Section 1798.83, residents of California may request, once per calendar year, a comprehensive list of the categories of personal information disclosed by the Company to third parties for their direct marketing purposes.

Mandatory Submission Protocol: Requests must be transmitted to privacy@tmpublisher.com with the subject line “CA Shine the Light“. You must provide your legal name, physical street address, and the specific Company Service (e.g., Orion Research) to which the request pertains.

1.3. Taxonomy of Data Collection (The 12-Month Lookback). The following matrix delineates the categories of data harvested by The Marker Publishing Group over the preceding twelve (12) months:

Category of Personal Information	Business/Commercial Purpose	Primary Sources of Acquisition
Identifiers (Name, IP, Email, Device ID)	Fulfillment; Fraud Prevention; Quality Assurance; Research & Development	Directly from You; Service Metadata; Affiliates
Commercial Data (Purchase History, Transaction Logs)	Transaction Processing; Consumer Profiling; Financial Auditing	Services Use; Payment Gateways; Partners
Biometric/Protected Data (Gender, Preferences)	Targeted Editorial Content; Research Segmentation	Voluntary Surveys
Internet/Network Activity (Clickstream, Browsing)	UI/UX Optimization; Ad-Impression Auditing; Cyber-Security	Automated Tracking; Cookies; JavaScript
Geolocation Data (IP-based Location, WiFi Triangulation)	Territorial Licensing; Tax Compliance; Market Research	ISP Metadata; Device GPS (with consent)
Inference & Profile Data (Behavioral Attitudes)	Predictive Reading Models; Strategic Marketing	Service Use Analysis; Analytics Providers
Sensitive Personal Information (Credentials, Financial Accounts)	Authentication; Secure Transactional Settlement	Secure Login Portals; Encrypted Gateways

2. THE CANADIAN STRATUM: PIPEDA & QUEBEC LAW 25

2.1. Federal Sovereignty (PIPEDA). The Company, as a Canadian entity, operates under the Personal Information Protection and Electronic Documents Act (PIPEDA). This provides all Canadian residents with the right to:

Understand why their information is being collected (The “Knowledge” mandate).
Withdraw consent at any time, subject to legal or contractual restrictions.
Challenge the Company’s compliance via the Office of the Privacy Commissioner (OPC).

2.2. The Quebec Mandate (Law 25 / Bill 64). Residents of the Province of Quebec are granted enhanced protections that mirror the GDPR. The Company acknowledges its “Fiduciary Responsibility” toward Quebec data subjects:

A. Confidentiality by Default: For Quebec residents, all privacy settings are configured to the most restrictive level by default.
B. Privacy Impact Assessment (PIA): The Company conducts mandatory PIAs before transferring any personal information of Quebec residents outside of the province.
C. Mandatory Breach Notification: Any “Confidentiality Incident” involving Quebec residents is subject to immediate reporting to the Commission d’accès à l’information (CAI).

3. BUSINESS AND COMMERCIAL OBJECTIVES FOR DATA UTILIZATION

The Company utilizes the data categories defined above for the following rigorous commercial objectives:

3.1. Performing Services (Operational Core). Maintaining accounts, providing customer service for Orion Research subscribers, processing payment for physical manuscripts, and verifying the eligibility.

3.2. Auditing and Quality Assurance. Monitoring the quality of “Ad Impressions” on our websites, auditing internal compliance with global data standards, and ensuring that Story Book Nook Creators content remains within safe-usage parameters for families.

3.3. Research, Development, and Demonstration. Conducting “Deep-Tissue” internal research to enhance the technological delivery of Our digital content. This involves “Debugging” proprietary software and demonstrating the efficacy of new manuscript-delivery systems.

3.4. Commercial Interests (Economic Advancement). Executing targeted outreach to induce subscription renewals, membership in loyalty programs, and participation in exclusive “Insider” events. This includes “Cross-Contextual” customization of advertisements based on previous interactions with Company IP.

DISSEMINATION ARCHITECTURE & DATA COMMERCE DISCLOSURES

4. CATEGORICAL DISCLOSURE OF INFORMATION SHARING (12-MONTH LOOKBACK)

Pursuant to the CPRA and Quebec Law 25, the Company provides a comprehensive audit of data dissemination. We classify our sharing protocols into two distinct legal silos: Internal Synergies and Third-Party Disclosures.

4.1. Disclosure Matrix: Third-Party Recipients The following table delineates exactly which categories of data were disclosed for a “Business Purpose” and the specific entities involved:

Category of Third Party	Categories of Personal Information Shared	Business Objective for Disclosure
Subsidiaries & Affiliates (e.g., Orion Research, Story Book Nook)	All Categories (Identifiers, Commercial, Internet Data, Protected)	Intra-corporate synergy; Enhancing unified customer profiles; Cross-divisional marketing.
Marketing & Advertising Partners	Identifiers; Internet/Device Activity; Geolocation; Inference Data	Delivering targeted literary campaigns; Optimizing conversion funnels; Retargeting scripts.
Analytics Providers (e.g., Google Analytics, Hotjar)	Identifiers; Internet Data; Geolocation Data	Evaluating UI/UX performance; Auditing ad-impression quality; Identifying technical bugs.
Payment Processors & Fraud Units	Financial Data; Identifiers; Commercial Data	Transaction settlement; Detecting and prosecuting malicious or fraudulent activity.
Logistics & Delivery Partners	Identifiers (Name/Address); Commercial Data	Physical fulfillment of manuscripts; Print-on-demand logistics (via IngramSpark).
List Rental Services	Identifiers; Commercial Data (where legally permitted)	Expanding Company outreach to lookalike audiences; Strategic industry benchmarking.

5. THE “SALE” OR “SHARING” OF DATA (CALIFORNIA & QUEBEC)

5.1. Definition of “Sale” and “Sharing”. Under the CPRA, “Sale” includes the transfer of personal information for monetary or other valuable consideration. “Sharing” refers specifically to the transfer of data for “Cross-Context Behavioral Advertising.” Under Quebec Law 25, any transfer outside of the province is subject to a mandatory Privacy Impact Assessment (PIA).

5.2. Transparency of Transfers. THE COMPANY HAS “SHARED” OR “SOLD” (AS DEFINED BY THE BROAD STATUTORY INTERPRETATIONS OF THE CPRA) THE FOLLOWING DATA CATEGORIES OVER THE PRECEDING 12 MONTHS:

Identifiers (specifically Cookies and IP addresses used for retargeting).
Internet/Network Activity (specifically browsing behavior linked to advertising IDs).
Commercial Data (anonymized purchase trends used for market-level analytics).

5.3. Opt-Out Empowerment. California and Quebec residents maintain the absolute right to halt this flow of data. The Company provides a dedicated “Do Not Sell or Share My Personal Information” portal and recognizes automated Global Privacy Control (GPC) signals.

6. THE QUEBEC PROTOCOL: LAW 25 AND THE SOVEREIGNTY OF CONSENT

Because Quebec positions itself with a distinct legal identity within the Canadian confederation, The Marker Publishing Group implements specialized protocols for residents of the province:

6.1. The “Confidentiality Incident” Mandate. Under Quebec Law 25, any breach, no matter how minor, that presents a “risk of serious injury” must be reported to the CAI and the affected data subjects. This threshold is significantly more stringent than federal PIPEDA standards.

6.2. Mandated Privacy Impact Assessments (PIAs). For our operations in Montreal or any engagement with Quebec data subjects, the Company must complete a PIA before:

Implementing any new biometric or sensitive data collection system.
Transferring data to service providers located outside of Quebec (including providers in Ontario or the United States).
Utilizing automated decision-making processes (e.g., algorithms used by Orion Research) that produce legal effects.

6.3. The Right to “De-indexation”. Unique to the Quebec framework, residents have the right to request that the Company cease disseminating their personal information or de-index any hyperlink associated with their name if the dissemination causes “serious injury” to their right to privacy or reputation.

7. LIST RENTAL AND DIRECT MARKETING GOVERNANCE

7.1. Permissible Industry Exchanges. Consistent with elite publishing standards, the Company may occasionally share contact Identifiers and Commercial Data with vetted “List Rental Services” or industry partners.

A. Vetting Process: All partners must certify compliance with the Company’s “Data Integrity Standards.”
B. Opt-In Prerequisite: For residents of Canada (specifically under CASL) and California, this sharing is contingent upon the User not having opted out of third-party marketing disclosures.

THE CODEX OF CONSUMER SOVEREIGNTY – EXECUTION OF STATUTORY RIGHTS

8. ARCHITECTURE OF CALIFORNIA CONSUMER PRIVACY RIGHTS (CCPA/CPRA)

The Company recognizes that under the California Privacy Rights Act (CPRA), the relationship between a Publisher and a Consumer is fiduciary in nature regarding data. Consequently, We provide the following rigorous framework for the exercise of Your rights.

8.1. The Right to Exhaustive Access and Data Portability (The “Right to Know”). You possess the statutory right to mandate that the Company disclose, twice within any given twelve-month period, a comprehensive “Data Portability Report.” This report is not a mere summary; it is an exhaustive technical dossier covering the period from January 1, 2022, to the date of the request, including:

A. The Categorical Inventory: A granular list of all categories of personal information harvested (as defined in the taxonomy in Section 1.3).
B. The Provenance of Data: Identifying the specific “Sources of Acquisition” (e.g., whether the data was harvested via Orion Research feedback loops, third-party demographic aggregators, or automated clickstream telemetry).
C. The Rationalization of Processing: The specific “Business or Commercial Purpose” for which each category was collected, sold, or shared (e.g., whether for “Algorithmic Profiling” or “Transactional Settlement”).
D. The Ecosystem of Recipients: A precise identification of the categories of third parties with whom the information was shared, and the specific “Value Exchange” associated with any “Sale” or “Sharing” of data.
E. Technical Portability: The provision of this data in a structured, machine-readable, and technically feasible format (JSON/CSV) that allows for seamless integration into your personal data-management systems.

8.2. The Right to Permanent Deletion and “Digital Expungement”. You may mandate the permanent deletion of Personal Information that the Company has collected from you. Upon receipt of a “Verified Request for Deletion,” the Company shall:

Initiate a “Deep-Scrub” of all active production databases.
De-identify any records within “Cold-Storage” or backup archives to ensure they can no longer be associated with Your legal identity.
Direct all “Service Providers” and “Contractors” to perform reciprocal deletion within their respective environments.
Exceptions to Deletion: The Company reserves the right to retain specific data elements under the “Safe Harbor” provisions of the CPRA if the data is essential for completing a transaction, detecting security incidents (Anti-Fraud), or complying with a legal obligation (e.g., Canadian tax audit requirements).

8.3. The Right to Absolute Correction of Inaccurate Information. Accuracy is paramount to the Orion Research Group mission. You have the right to mandate the correction of any “Identifiers” or “Profile Data” that you deem inaccurate. This includes the right to provide supplemental documentation to ensure your “Research Profile” reflects your current professional or academic standing.

8.4. The Right to Opt-Out of the “Sale” or “Sharing” of Information. The Company provides a “High-Visibility” mechanism to prohibit the transfer of your data for “Cross-Context Behavioral Advertising.”

A. Automated Signals: Our systems are engineered to recognize and automatically implement “Global Privacy Control” (GPC) signals transmitted by your browser kernel.
B. Manual Revocation: You may utilize our “Do Not Sell or Share My Personal Information” webform to permanently sever the link between your Identifiers and our third-party advertising partners.

8.5. The Right to Limit the Use and Disclosure of “Sensitive Personal Information” (SPI). Under the CPRA, you may restrict the Company’s use of SPI (such as account login credentials, precise geolocation, or contents of communications) to ONLY that which is strictly necessary to perform the Services requested. Any utilization of SPI for secondary commercial purposes is prohibited upon your exercise of this right via our “Limit the Use of My Sensitive Personal Information” portal.

9. THE CANADIAN AND QUEBEC EXERCISE OF RIGHTS (LAW 25 / PIPEDA)

For residents of Canada, specifically those within the Province of Quebec, the exercise of rights is governed by the principles of “Informed and Meaningful Consent.”

9.1. Right to De-Indexation and “The Right to be Forgotten” (Quebec Specific). Unique to the Quebec legal landscape, residents may demand that the Company cease the dissemination of their personal information or de-index links that associate their name with specific content if such dissemination causes “Serious Injury” to their reputation or privacy rights.

9.2. Transparency of Automated Decision-Making. If the Company utilizes automated systems (algorithms) to process Your data (e.g., for “Predictive Reading Models”), Quebec residents have the right to:

Be informed that an automated decision-making process is in use.
Understand the specific “Personal Information” used to reach the decision.
Request an explanation of the “Principal Factors and Parameters” that led to the automated result.

10. THE DOCTRINE OF NON-DISCRIMINATION

The Company is strictly prohibited from, and hereby covenants not to, penalize any User for the exercise of their privacy rights.

10.1. No Denial of Access: We will not deny you access to Orion Research or Story Book Nook Services because you exercised your right to opt-out.

10.2. Price Integrity: We will not charge different prices or provide a different level of quality for our Products or Services based on your privacy choices.

Note on Financial Incentives: The Company may offer “Financial Incentives” (e.g., discounted access or exclusive materials) in exchange for the collection of data, provided such programs are clearly disclosed and are reasonably related to the value of the data provided.

THE INFRASTRUCTURE OF TRUST – VERIFICATION, RETENTION, AND FINAL RATIFICATION

11. ARCHITECTURE OF IDENTITY VERIFICATION (SECURITY PROTOCOLS)

To safeguard the “Privacy Integrity” of our Data Subjects and to prevent “Identity-Based Infiltration” or “Social Engineering” attacks, the Company implements a rigorous, multi-staged Verification Architecture.

11.1. The Threshold of “Reliable Identification”. Upon receipt of a request to exercise rights (Access, Deletion, or Correction), the Company shall initiate a verification process tailored to the sensitivity of the data requested:

A. Existing Account Holders: For Users with a registered portal account (e.g., Orion Research Database), verification shall primarily be conducted through existing secure authentication sub-systems (MFA).
B. Non-Account Holders (Unregistered Users): For individuals without a pre-existing account, the Company will mandate the “Matching” of at least three (3) distinct data points provided in the request against the metadata currently residing within our Secure Data Lake (e.g., matching a recent transaction ID, a specific download timestamp, and a registered IP address).

11.2. The “Risk-Based” Disclosure Exclusion. Notwithstanding any provision of the CPRA or PIPEDA, the Company shall never disclose highly sensitive data points that could pose a “Substantial and Unreasonable Risk” to the security of the User or the Company’s systems. This includes, but is not limited to:

Government-issued identification numbers (SIN/SSN).
Full financial account numbers or raw credit card telemetry.
Raw account passwords or security challenge answers.
Encrypted private keys associated with Digital Rights Management (DRM).

11.3. Declaration of Authenticity. The Company reserves the right to require a signed “Declaration Under Penalty of Perjury” that the requestor is indeed the Data Subject whose personal information is the target of the request.

12. AUTHORIZED AGENT PROTOCOLS (PROXY GOVERNANCE)

Consistent with the CPRA, California and Canadian residents may designate an “Authorized Agent” to act on their behalf.

12.1. Mandate of Authorization. To accept a request from an Agent, the Company mandates:

Direct Verification: Written and signed authorization from the Consumer granting the Agent permission to act.
Independent Identity Verification: The Consumer must still verify their own identity directly with the Company (unless the Agent possesses a valid Power of Attorney pursuant to California Probate Code or relevant Provincial Statutes in Canada).
Agent Certification: The Agent must be a natural person or a business entity registered with the Secretary of State (California) or the relevant Provincial Registrar (Canada).

13. GLOBAL RETENTION AND DATA LIFE-CYCLE POLICY

The Company does not store data indefinitely. Our Retention Matrix is designed to balance “Operational Utility” against “Data Minimization” principles.

13.1. Active Lifecycle Retention.

Account-Based Data: Retained for the duration of the “Active Life” of the account. Upon account termination, data is moved to a “Restricted Suppression Archive” for a period of twenty-four (24) months to facilitate potential account recovery or anti-fraud auditing.
Transactional and Financial Records: Retained for a minimum of seven (7) years to ensure compliance with the Canada Revenue Agency (CRA) and IRS auditing standards.

13.2. Automated Purging and De-Identification. Following the expiration of statutory or business-essential retention periods, the Company employs “Cryptographic Erasure” (Crypto-shredding). Where data is required for long-term historical research (specifically within Orion Research Group), it is subjected to “Irreversible Anonymization,” transforming Personal Data into “Statistical Aggregates” that are no longer “Personal Information” under any legal definition.

14. FISCAL RESPONSIBILITY AND REASONABLE FEES

14.1. The General “No-Fee” Rule. In compliance with the CPRA, the Company generally provides the first two (2) Data Subject Access Reports within a 12-month period free of charge.

14.2. Discretionary Surcharges. To the extent permitted by applicable law (including PIPEDA and Quebec Law 25), the Company may levy a “Reasonable Administrative Fee” if a request is found to be:

Manifestly unfounded or excessive.
Repetitive in nature (beyond the statutory limit).
Requiring “Disproportionate Technical Effort” to extract from legacy archives. The Company will provide a transparent “Fee Estimate” prior to processing any such request.

15. FINAL RATIFICATION AND CORPORATE ADHERENCE

This Annex A and the preceding Privacy Notice Highlights constitute the definitive legal stance of The Marker Publishing Group, Inc. regarding jurisdictional privacy mandates.

15.1. Conflict of Laws. In any instance where a conflict arises between the general Privacy Notice and this Jurisdictional Annex, the provisions of this Annex shall prevail for Data Subjects residing in California, Quebec, or other applicable Canadian provinces.

15.2. Contact for Escalation. For residents of California and Canada, direct escalation of privacy grievances may be directed to: Global Privacy Counsel The Marker Publishing Group, Inc. [130 Adelaide St W, M5H 3P5] | legal@tmpublisher.com