This Website Privacy Policy applies to our services available under the domain and subdomains of www.greatstonewealth.com (the “Website”). We recognize that privacy is important to our users, so we design and operate our Website with protecting your privacy in mind. This Privacy Policy outlines the types of personal information we may gather when you visit the Website or use our services and some of the steps we take to safeguard it.

Greatstone Wealth (the “Company”) has adopted general policies and procedures concerning confidentiality, proprietary data, and privacy of customer personal information, and the information we gather over the Website is protected by those policies and procedures. Generally, we collect nonpublic personal information about our clients from the following sources:

• Information from forms you fill out and send to us in connection with your investments, insurance policies, or portfolios managed by the Company (such as your name, address, and social security number);

• Information you provide orally to us or our representatives;

• Information from electronic sources such as our websites or emails; and,

• Information about any bank account you use for transfers between your bank account and your account(s) with the Company.

• Information submitted through our insurance Carriers (please consult carriers for their unique Privacy Policies)

Our policy is that we do not disclose any nonpublic personal information about our current or former clients to anyone, except as permitted by law. We may voluntarily disclose nonpublic personal information about our current or former clients to regulatory authorities in connection with our business or that of our affiliates. In addition, we share nonpublic personal information with certain service providers to the extent permitted by law, and we require those service providers to keep the non-public information confidential. For example, we may provide such information to brokers, RIAs, attorneys, third-party marketing firms, and auditors.

• We restrict access to nonpublic personal information about our clients to employees and service providers who need to know that information to provide services to our clients.

• We maintain physical, electronic, and procedural safeguards that comply with federal standards to guard clients’ personal information.

In general, you can browse the Website without telling us who you are or revealing any personal information about yourself. We automatically track certain information that your browser makes available whenever you visit a website. This information includes your Internet Protocol (IP) address, browser type, browser language, and one or more files that may uniquely identify your browser. We may use this information to do internal research on our users’ demographics, interests, and behavior to better understand, protect, and serve you and our clients. This information may include the URL from which you just came (whether this URL is on the Website or not), to which URL you next go (whether this URL is on the Website or not), your computer browser information and your IP address. We use this information to operate, develop, and improve our services. The only other information collected is if you enter your name and email address.

The Website collects personal data to power our site analytics, including:

• Information about your browser, network, and device

• Web pages you visited prior to coming to this website

• Your IP address

This information may also include details about your use of the Website, including:

• Clicks

• Internal links

• Pages visited

• Scrolling

• Searches

• Timestamps

We share this information with our website analytics provider to learn about site traffic and activity. This website uses cookies and similar technologies, which are small files or pieces of text that download to a device when a visitor accesses a website or app. These functional and required cookies are always used, which allow our hosting platform to securely serve this website to you.

These analytics and performance cookies are used on this website only when you acknowledge our cookie banner. This website uses analytics and performance cookies to view site traffic, activity, and other data.

When you submit information to this website via webform, we collect the data requested in the webform in order to track and respond to your submissions. We share this information with our online hosting provider, so that they can provide website services to us. We also share this information with Google for collection and storage for storage.

Our website host collects personal data when you visit this website, including:

• Information about your browser, network and device

• Web pages you visited prior to coming to this website

• Web pages you view while on this website

• Your IP address

• Our host needs the data to run this website, and to protect and improve its platform and services. Our host analyzes the data in a depersonalized form.

We use the information we collect from our browser to improve our operations. We may use information collected from you to measure interest or customize your experience.

We may use your information to send correspondence and perform services on your behalf in connection with client-related activities.

We may use personal information about you to analyze Website usage, improve our content and product offerings, and customize the Website’s content, layout, and services. These uses improve the Website and better tailor it to meet your needs, so as to provide you with a smooth, efficient, and safe experience while using the Website.

In providing our services, we also may share personal information about you with other third parties to help us process transactions relating to your account, including, but not limited to, asset transfers from a financial institution and processing or administering investment transactions and portfolios. In certain instances, we may contract with third parties that are not affiliated with us to perform services for us, and, if necessary, we may disclose information about you to those third parties solely for the purpose of carrying out their assigned responsibilities. In those circumstances, we require those third parties to treat your private information with the same degree of confidentiality that we do. In some instances, the third-party service provider may collect information directly from you. In these cases, you will be notified of the involvement of the service provider, and all additional information you provide to it and its additional uses will be strictly up to you. If you provide additional information to a service provider directly, its use of your personal information is governed by its applicable privacy policy.

We may also share information about you if we believe that disclosure is required under law. For example, we may disclose information in response to a subpoena or to cooperate with regulatory or law enforcement authorities.

We cannot ensure that all of your private communications and other personal information will never be disclosed in ways not otherwise described in this Privacy Policy. For example (without limiting the foregoing), we may be forced to disclose personal information to the government or third parties under certain circumstances, third parties may unlawfully intercept or access transmissions or private communications, or service providers may abuse or misuse your personal information that they collect from the Website. Therefore, although we use industry-standard practices to protect your privacy, we do not promise, and you should not expect, that your personal information or private communications will always remain private.

We may send you marketing emails, which you can unsubscribe from by clicking the link at the bottom of the email. We may share your contact information with our host and our email marketing provider, so they can send these emails on our behalf.

You can review and change any information you submit to us by contacting us at 720-204-8148.

On your request, we will remove your contact information from our active databases. We will retain in our files the personal information you have asked us to remove from our active databases to prevent fraud, resolve disputes, troubleshoot problems, assist with any investigations, and comply with legal requirements. Therefore, you should not expect that your personal information will be completely removed from our databases in response to your requests. However, such personal information will only be available to select employees, service providers, and governmental persons or entities.

Your information is stored on our servers located in the United States. We use procedural and technical safeguards to protect your personal information against loss or theft as well as unauthorized access and disclosure to protect your privacy, which may include encryption, “firewalls”, Secure Sockets Layer (SSL), and/or Transport Layer Security (TLS). We treat data as an asset that must be protected against loss and unauthorized access. We employ security techniques to protect such data from unauthorized access by users inside and outside the firm.

A third party may circumvent our security measures, however, and we do not guarantee that our security measures will successfully prevent third parties from accessing the information we collect. In the event of a security breach involving your personal information, we will make any legally required disclosures to you as expediently as possible and without unreasonable delay, consistent with the legitimate interests of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Because you may need to submit Personal Health Information (PHI) for insurance applications, we utilize Google’s BAA option. View the Google Workspace HIPAA Business Associate Addendum here for more information on how the BAA protects your sensitive personal and health information. Greatstone Wealth uses the BAA to ensure all sensitive information is collected using HIPAA-compliant means.

Identity theft and the practice currently known as “phishing” are of great concern to us. Safeguarding information to help protect you from identity theft is a top priority. We do not and will not, at any time, request your credit card information or social security number in an unsolicited e-mail or telephone communication. For more information about phishing, visit the Federal Trade Commission’s website.

Persons under the age of 18 are not eligible to use the Website and, therefore, we do not knowingly collect any personal information from persons under the age of 18.

If you choose to visit the Website, your visit and any dispute over privacy is subject to this Privacy Policy, including limitations on damages and application of the law of the State of Colorado. If you have any concerns about privacy, please contact us.

If you are a resident of Colorado, you may have rights under the Colorado Privacy Act of 2021 (“CPA”).

1. Your Right to Request Disclosure of Information We Collect and Share About You

The Company is committed to ensuring that you know what information we collect and share about you. You can submit a request to the Company for the following information:

• The categories of Personal Information that we have collected about you.

• The categories of sources where we collected the Personal Information.

• The business or commercial purposes for why we collected the Personal Information.

• The specific pieces of information we collected.

• The third parties with whom we shared the information.

• The categories of Personal Information that we’ve shared with service providers who provide services for us.

To exercise the right to request the disclosure of Personal Information that we collect or share about you, contact us at compliance@greatstonewealth.com or 720-204-8148.

2. Categories of Personal Information We Disclose

We may disclose your Personal Information to a third party for a business purpose.

3. Categories of Personal Information We Sell

We do not sell your Personal Information to any third party for a business purpose.

4. Our Process for Responding to Requests for Access or Deletion

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

• Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.

• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

• Debug products to identify and repair errors that impair existing intended functionality.

• Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.

• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

• Comply with a legal obligation.

• Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

To respond to your request, we will ask you for certain pieces of personal information and endeavor to match those to information we maintain about you. The nature and number of verifying data elements we may request will depend on the nature of your request and the nature of the information we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. In that case, we will notify you to explain the basis of our denial.

If you are legally entitled to such rights, you may designate an agent to submit a request on your behalf. The agent can be a natural person or a business entity that is registered with the Colorado Secretary of State. If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our agent verification process.

For requests for access or deletion, we will respond to your request or your authorized agent’s request in writing, or verbally if requested, as soon as practicable and in any event generally not more than within 45 days after receipt of the request. We may extend this period to 90 days and, in the event that we do extend the period, we will explain to you or your authorized agent why we did so.

Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with Colorado law pertaining to powers of attorney.

You have a right not to be discriminated against for the exercise of the privacy rights conferred by the CPA.

“Do Not Track” (“DNT”) browser setting is a feature offered by some browsers which, when enabled, sends a signal to websites to request that your browsing is not tracked, such as by third party ad networks, social networks, and analytic companies. We do not currently take actions to respond to DNT signals because a uniform technological standard has not yet been developed. We continue to review new technologies and may adopt a DNT standard once one is created. For information about DNT, visit All About DNT.

Please note this Privacy Policy may change from time to time. We may amend this Privacy Policy at any time by posting the amended terms on the Website. All amended terms shall automatically be effective 30 days after they are initially posted on the Website. Your continued use of the Website constitutes your agreement to this Privacy Policy and any changes to this Privacy Policy. If we make any material changes to this Privacy Policy that affect your information already stored in our database, we will post a prominent notice on the Website stating that this Privacy Policy has changed. If you do not agree with this Privacy Policy or any changes to the Privacy Policy, please do not use or access the Website.

If you have any additional questions, please feel free to contact us any time at 720-204-8148.