Privacy Policy

Last modified: December 17, 2020

This Privacy Policy (this "Policy") describes the types of information Davis Graham & Stubbs LLP ("DGS") may collect through our websites, including dgslaw.com, dgslaw.com/alumni, and our other websites that display this Policy (collectively, the "DGS Sites"). To the extent that any DGS Site includes specific privacy policies or notices, those policies or notices will take priority over this Policy.

This Policy describes how DGS collects, uses, discloses and otherwise processes information, including personal information, from and about users of DGS Sites. This Policy does not apply to information provided to DGS offline, in the course of our attorney-client relationships or to information which is protected by confidentiality, attorney-client privilege, or any other similar protections. This Policy does not create an attorney-client relationship with any user of a DGS Site.

Please note that, for users located in the European Economic Area ("EEA") or California, section 8, entitled "Jurisdiction-specific information," provides additional information regarding our privacy practices with respect to your personal information and supplements the other terms of this Policy. In the event of any inconsistency between the statements made in rest of this Policy and the terms under section 8, the terms under section 8, to the extent applicable, will take precedent.

The data controller of this website is: Davis Graham & Stubbs LLP, 1550 17th Street, Suite 500, Denver, CO 80202. If you have any questions about this Policy or our privacy practices, please contact us at info@dgslaw.com.

Collection

DGS may collect and use certain information when you voluntarily submit it, automatically when you access or use a DGS Site, and from other sources, such as third parties (e.g. service providers or other organizations with whom we collaborate on certain activities or events) or publicly available sources. To the extent that any such information identifies or is reasonably capable of being associated with an individual person, it will be considered "personal information" for purposes of this Policy.

We do not collect any sensitive information, such as information about your race, ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic or biometric data, or information about criminal convictions or offenses ("sensitive information").

DGS may also collect deidentified or aggregated information. Such information may be derived from personal information, but it is not considered personal information since it does not directly or indirectly reveal your identity.

Information collected directly from you. The information we collect directly from you on DGS Sites varies depending on the particular activities carried out, but may include:

• identity information, such as your name and title ("identity information");
• contact information, such as your email address, phone number, and postal address ("contact information");
• profile information, such as your username and password ("profile information"); and/or
• marketing and communications information, including your preferences in receiving marketing and other communications from DGS ("marketing and communications information").

We may collect this information from you when you fill in online forms on DGS Sites, such as when you request information or materials from us, including when you subscribe to our publications or register for events, when you otherwise correspond with us through a DGS Site, or for other purposes indicated on a DGS Site. We may also collect this information from you when you register for an account, including when you register on our alumni portal.

Information collected automatically. As you navigate through and interact with a DGS Site, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, which may include:

• technical information, such as your IP address, browser type and version, information about your operating system, and information about the device you use to access a DGS Site, such as device identification number and device type ("technical information"); and/or
• usage information, such as "clickstream" information and other information about how you use a DGS Site ("usage information").

As explained in more detail in our Cookie Policy, DGS and our service providers collect this information, which may be considered personal information in applicable jurisdictions, using cookies and other technologies. Cookies, which are small data files that are transferred to your hard drive when your browser settings permit, track how and when you use a DGS Site in order to, for example, recognize and count the number of users to a DGS Site and see how they move around the DGS Site.

Please see section 3 (Choices) below for information about how to manage your cookie preferences.

Use and disclosure

We may use and disclose personal information to:

• process and respond to your inquiries and requests;
• register you for events or other activities;
• send you publications, such as newsletters, client alerts, legal, industry, news and policy updates, event/program invitations, and other materials;
• enter into or perform a contract or agreement we may have with you;
• administer and protect our business and the DGS Sites, including to operate, maintain and provide the features and functionality of the DGS Sites, including for data analysis, system maintenance, and market research;
• conduct research and analysis;
• assess and improve the effectiveness of the DGS Sites and our services, publications, events, marketing, and client relationships;
• manage our alumni portal and network;
• comply with any court order, law, or legal process, including to respond to any government or regulatory request, to prevent, detect, mitigate and investigate fraud, security breaches or other potentially prohibited or illegal activities, and to otherwise protect the DGS Sites and our employees, users or operations;
• evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of DGS' assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by DGS about our DGS Site users is among the assets transferred;
• for other reasons with your consent; and
• for advertising, marketing, and public relations purposes. You may receive marketing communications from us, for example, if you have requested information or materials from us, registered for or attended a DGS hosted or sponsored event or program, or subscribed to receive publications or other communications from us. Please see below for examples of parties with whom we may share your personal information and section 3 (Choices) to learn more about your choices with respect to receiving marketing communications from us.

We may disclose the personal information we collect or you provide as described in this Policy:

• for internal purposes, such as for internal administration and to provide you with certain services and offerings;
• to our service providers, advisors, and other third parties we use to support our business, including those that provide mailing or email services, fraud prevention, web hosting, or analytic services;
• with other third-party organizations we may collaborate with on various activities or events, such as with other firms or businesses for co-sponsored events or programs;
• to any competent law enforcement body, regulator, government agency, court or other third party where we believe disclosure is necessary to comply with any court order, law, or legal process, including to respond to any government or regulatory request, and/or where we believe it necessary to protect the rights, property, or safety of DGS, our clients, or others; or
• to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of DGS' assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by DGS about DGS Site users is among the assets transferred.

We may also use and share personal information to fulfill any purpose for which you provide it and/or with your consent, and we may use and share non-personal information without restriction.

Choices

If you do not want information collected through the use of cookies, you can turn off cookies using your browser's settings. You may also withdraw consent for our cookie uses that are not strictly necessary by sending an email to info@dgslaw.com, provided you accompany such a request with sufficient information that allows us to reasonably verify you. We cannot respond to your request if we cannot verify your identity or authority to make the request. If you disable or refuse cookies, please note that some parts of the relevant DGS Site(s) may become inaccessible or not function properly. For more information about our use of cookies and other tracking technologies, please see section 1 (Collection) above and our Cookie Policy.

You can ask us to stop sending you marketing messages and other email publications by following the opt-out or unsubscribe links on any such communication sent to you or by contacting us at info@dgslaw.com. Please note that, if you opt out of receiving such messages or publications, we may still send you emails about other services or offerings you have requested or received from us.

Finally, although most modern browsers include a "Do Not Track" feature, like many other websites, DGS Sites do not currently respond to such Do Not Track signals at this time.

Third parties

The DGS Sites may contain links to websites not operated by DGS. Certain third-party service providers may also provide services on the DGS Sites. This Policy does not apply to such third-party sites, services, or to information collected by any third party, including through any content that may link to or be accessible from the DGS Sites. DGS is not responsible for the privacy practices or the content of such third parties. For privacy information relating to these other third parties, please consult their privacy policies as appropriate.

In certain circumstances, an event, program, or similar activity accessed through a DGS Site may be hosted or sponsored with another firm or organization. Should you choose to register electronically for any of these events or submit your information to these third parties, DGS will have no control over the third party's use of this information, and this Policy will not apply.

Security and retention

We use reasonable security measures designed to protect personal information collected through the DGS Sites. Unfortunately, the transmission of information via the internet is not completely secure. As such, we cannot guarantee the security of your personal information transmitted to DGS Sites.

We will only retain your personal information for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period if there are valid legal grounds for doing so, for example, in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal information, we consider many factors, including the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we will anonymize your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Children's online privacy

DGS Sites are not intended for children under 13 years of age. No one under age 13 may provide any information to or on a DGS Site. We do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on any DGS Site or on or through any of its features, use any of the interactive or public comment features of any DGS Site, if any, or provide any information about yourself. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at info@dgslaw.com.

Changes to this Policy

We may update this Policy from time to time, so you should review this page periodically. When we change this Policy in a material way, we will update the "Last modified" date at the top of this Policy. Changes to this Policy are effective when they are posted on this page.

Jurisdiction-specific information

Supplemental information for users located in the EEA

The following terms apply to the extent we process personal information of data subjects in the EEA or data that is otherwise subject to the EU General Data Protection Regulation (2016/679) ("GDPR") and laws and regulations implementing or supplementing the GDPR ("EU Data Protection Law"). The following terms explain how we collect and process data subjects' personal information as a data controller. We process such personal information in accordance with EU Data Protection Law, to the extent applicable.

Legal basis for processing personal information

The table below provides more information about the legal bases that DGS relies on to process the personal information of data subjects located in the EEA.

Legal basis	Purpose/activity
Where it is necessary to perform a contract we are about to enter into or have entered into with you	For example, to register you for events or other activities; and to enter into or perform any other contract or agreement we may have with you
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests	For example, to send you publications, such as newsletters, client alerts and other legal, industry, news and policy updates, event/program invitations, and other materials; to ensure compliance with and to update you about our policies and terms; to process and respond to your inquiries and requests; to administer and protect our business and the DGS Sites, including to operate, maintain and provide the features and functionality of the DGS Sites, including for data analysis, system maintenance, and market research; to conduct research and analysis; to assess and improve the effectiveness of the DGS Sites and our services, publications, events, marketing, and client relationships; to manage our alumni portal and network; to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of DGS' assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by DGS about our DGS Site users is among the assets transferred; for advertising, marketing, and public relations purposes; and for any other legitimate purpose communicated to you at the time of collection of your personal information
Where we need to comply with a legal obligation	For example, to comply with any court order, law, or legal process, including to respond to any government or regulatory request, to prevent, detect, mitigate and investigate fraud, security breaches or other potentially prohibited or illegal activities, and to otherwise protect the DGS Sites and our employees, users or operations
Where you provide your consent	For example, to process and respond to your inquiries and requests; to the extent applicable laws in certain jurisdictions require your consent for advertising, marketing and public relations purposes; and where you otherwise provide us with your valid consent

Note that we may process your personal information for more than one legal basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis we rely on to process your personal information.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent where required or permitted by law.

Your rights under EU Data Protection Law

Under certain circumstances, you may have certain rights under EU Data Protection Law in relation to your personal information, including to:

• Request access to your personal information, which enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you, which enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal information, which enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal information where we are relying on our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object if we process your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your personal information, which enables you to ask us to suspend the processing of your personal information in the following scenarios: (i) if you want us to establish the data's accuracy; (ii) where our use of the data is unlawful but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise, or defend legal claims; or (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your personal information to you or to a third party. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your personal information. If you withdraw your consent, we may not be able to provide certain services or offerings to you.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request under these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month; however, it may take us longer than a month if your request is particularly complex or you have made a number of requests, in which case we will notify you and keep you updated.

We hope that we can resolve any query or concern you raise about our use of your information. EU Data Protection Law also gives you the right to lodge a complaint with a supervisory authority, in particular in the EEA state where you normally live or where any alleged infringement of data protection laws occurred.

Supplemental privacy notice for California residents

This section 8.2 supplements the information contained in sections 1 through 7 of the Policy and applies solely to users who reside in the State of California ("consumers" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations issued by the California Attorney General ("CCPA"), and any terms defined in the CCPA will have the same meaning when used in this section 8.2.

The CCPA requires that we describe our collection and disclosure of consumers' personal information by reference to certain statutorily enumerated categories set forth in the statute. Please see Appendix A for more information about these categories.

Supplemental information about collection, use, and disclosure

In the past 12 months, we have collected, used, and disclosed the following categories of personal information:

Category of personal information	Category by source	Business or commercial purpose(s) for collection	Categories of third parties with whom we share
Identifiers	Directly from you; third-party organizations we collaborate with on certain events and activities	Security detection/fraud, illegal activity protection; performing services (e.g. managing our relationship, marketing and advertising, communications, personalization); internal research	Service providers; third-party organizations we collaborate with on certain events and activities
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	Directly from you; third-party organizations we collaborate with on certain events and activities	Security detection/fraud, illegal activity protection; performing services (e.g. managing our relationship, marketing and advertising, communications, personalization); internal research	Service providers; third-party organizations we collaborate with on certain events and activities
Commercial information	Directly from you; third-party organizations we collaborate with on certain events and activities; service providers	Performing services (e.g. managing our relationship, marketing and advertising, communications); internal research	Service providers; third-party organizations we collaborate with on certain events and activities
Internet or other similar network activity	Directly or indirectly from you; service providers	Security detection/fraud, illegal activity protection; performing services (e.g. managing our relationship, marketing and advertising, personalization); internal research and analytics	Service providers

DGS will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

In the preceding 12 months, DGS has not sold personal information of consumers.

Consumer rights under California law

Under certain circumstances, you may have certain rights under California law in relation to your personal information, including:

• Access request rights. Under the CCPA, you may have the right to request that DGS disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you: (i) the categories of personal information we collected about you; (ii) the categories of sources for the personal information we collected about you; (iii) our business or commercial purpose for collecting or selling that personal information (where applicable); (iv) the categories of third parties with whom we share that personal information; (v) the specific pieces of personal information we collected about you; and (vi) if we sold or disclosed your personal information for a business purpose, two separate lists disclosing: (a) sales, identifying the personal information categories that each category of recipient purchased; and (b) disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
• Deletion request rights. Under the CCPA, you may have the right to request that DGS delete personal information that we have collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies, in which case we will notify you and identify that exception.
• Non-discrimination. We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; or (iv) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
• Opt-out of sale request rights. The CCPA provides a right to opt-out of the sale of personal information, as that term is defined in the statute. However, we do not sell California consumer personal information for monetary or other valuable consideration. For clarity, we also do not sell the personal information of consumers we know are less than 16 years of age.
• California's "Shine the Light" law. Under California's "Shine the Light" law (Civil Code Section § 1798.83), DGS Site users that are California residents may request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes; however, we do not disclose personal information to third parties for their direct marketing purposes.

To exercise the access and deletion rights described above, please submit a verifiable consumer request to us by either calling us at 833.909.0835 or emailing us at info@dgslaw.com.

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must: (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (which may be up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Contact Information

Questions, comments and requests regarding this Policy and our privacy practices are welcomed and should be addressed to info@dgslaw.com.

APPENDIX A

CCPA PERSONAL INFORMATION CATEGORIES

Categories	Examples
Identifiers	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Commercial information	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other similar network activity	Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.