PA.PLAYSUGARHOUSE ONLINE PRIVACY POLICY Last Updated: July 7th, 2023 Table of Contents I. INFORMATION WE MAY COLLECT ABOUT YOU A. Information You Provide to Us B. Information We May Automatically Collect About You C. Information We Collect from Third Parties D. Biometric Information II. LOCATION INFORMATION III. COOKIES & OTHER TRACKING TECHNOLOGIES USED TO COLLECT INFORMATION ABOUT YOU IV. HOW WE USE YOUR INFORMATION A. Use and Purpose of Processing Your Information B. Sharing or Disclosing Your Information V. LINKS TO OTHER WEBSITES VI. INFORMATION SECURITY VII. DATA RETENTION VIII. YOUR CHOICES IX. GEOGRAPHIC LOCATION OF DATA STORAGE AND PROCESSING X. ELIGIBILITY XI. DIFFICULTY ACCESSING OUR PRIVACY POLICY XII. "DO NOT TRACK" SIGNALS XIII. CHANGES TO THIS PRIVACY POLICY XIV. HOW TO CONTACT US Rush Street Interactive, LP and the Rush Street group companies (hereinafter collectively referred to as "RSI," "us," "we," "our," or "Company") has created this Privacy Policy to apply to all users and customers of this website (pa.playsugarhouse.com) and mobile application, and all digital assets contained, including if applicable, our mobile site, or offered therein (collectively, our "Services"). This Privacy Policy describes, among other things, the types of information we collect from users when you use our Services, how we use it, and how you can access your information. This Privacy Policy does not apply to information collected or obtained by any third party, including through any application or content that may link to or be accessible from or on the Services. This Privacy Policy is integrated into and constitutes a part of our Terms of Service (https://pa.playsugarhouse.com/?page=eula&l=RiversPhiladelphia&tos=TOC). By using the Services and providing us with your personal Information (defined below), you agree to the practices described in this Privacy Policy and Terms of Service referenced below and to the updates to these policies posted here from time to time. We encourage you to review the Privacy Policy whenever you access our Services to stay informed about our information practices. Any disputes related to this Privacy Policy, including any breaches in security or privacy, will be subject to the limitations on liability and dispute resolution provisions contained in our Terms of Service. When you have elected to establish an account with another service offered by RSI or one of its affiliated entities, including without limitation additional wagering sites and applications, you agree that we may use any Information you provide in connection with registration and use of the Services to establish accounts for such other services. I. INFORMATION WE MAY COLLECT ABOUT YOU We may collect the following types of information about you which are described in more detail below: (A) information you provide to us, (B) information we may automatically collect, and (C) information we may receive from third parties. All of the information listed in (A)-(C) above, are detailed below, and hereinafter referred to as "Information." To provide the Services, RSI is required to obtain certain Information for account registration, identity verification, location tracking, communications monitoring, and to otherwise comply with applicable law. This Information includes, at a minimum, your name, address, date of birth, driver's license (or other government-issued ID) information, social security number, location information (using Geolocation Technologies), and in some cases, financial account/deposit and withdrawal method details. A. Information You Provide to Us In using our Services, you may provide us with Information, including, without limitation: Contact information such as name, home address, phone number, and email address; Demographic information such as date of birth and gender; Identification information such as your driver's license (or other government-issued ID) information or social security number; Proof of address such as a utility bill or bank statement; Account login information including username and password; Access to your geo-location; Financial and billing information, such as billing name and address, credit card number or bank account information, transactional information (what you deposited, price, date, and time); Your Rush Rewards or similar loyalty account number; and Any other Information you voluntarily provide and any inferences we may draw from the Information you provide. B. Information We May Automatically Collect About You Our Services may automatically collect certain Information about you. This Information may include: IP address, which is the number associated with the service through which you access the Internet, like your ISP (Internet service provider); Location from which you visit or use our Services; Date and time of your visit or use of our Services; Domain server from which you are using our Services; Type of computer, web browsers, search engine used, operating system, or platform you use; Data identifying the web pages you visited prior to and after visiting our website or use of our Services; Your movement and activity within the Services, which is aggregated with other information; Mobile device information, including the type of device you use, operating system version, and the device identifier (or "UDID"); and Mobile application identification and behavior, use, and aggregated usage, performance data, and where the application was downloaded from. C. Information We Collect from Third Parties We may receive information about you from other sources and combine or link that information with Information we have about you. For example, we (directly or through our third-party service providers) may perform background checks on you in order to verify your identity, history, or any other Information you have provided to us. These background checks may vary on a case-by-case basis but could include general background investigations. You hereby expressly consent to such background checks and acknowledge that we are not obligated to advise you when we perform a background check or the nature of any particular investigation. We may also receive Information from state agencies and regulatory bodies which we use to confirm whether you can legally and safely use our Services, such as information regarding your self-excluded status or other prohibitions on your right to make wagers. D. Biometric Information We and our third-party service providers may use facial recognition technology that collects biometric information, identifiers, or data, together with a photo ID and additional identity verification, to verify your identity, conduct user authentication, and prevent fraud on an ongoing basis. RSI may use a third-party vendor that provides these services. The third-party service provider's facial recognition technology scans your face to collect biometric information, including measurements of your facial geometry (e.g., the distance between eyes, width of nose, etc.). The technology then compares that biometric information to the biometric information from a separate reference photo that you provide (such as a photo ID) to verify your identity and prevent unauthorized individuals from accessing your account. RSI does not store your biometric information. The third-party service provider will retain the data only for as long as necessary to provide the identity verification, fraud prevention, and authentication services. By clicking the relevant icons presented during the verification process and using the facial recognition technology, you acknowledge and agree that you have read the disclosures, and that you voluntarily consent to the collection, storage, retention, use, and disclosure and processing, of your biometric information for identify verification, authentication, and on-going fraud prevention. II. LOCATION INFORMATION We and/or our third-party service providers will utilize Geolocation Technologies to verify and record your physical location to participate in wagering games through the Services. These Geolocation Technologies tell us the physical location of the device you are using to access any wagering games through our Services. By registering for an account through the Services and/or by using the Services, you consent to these uses of Geolocation Technologies. RSI must maintain all Information necessary to recreate player game play and account activity during each player session, including any identity or location verifications, for no less than the specified period of time as required by applicable laws. For more information, please see "Your Choices" below. III. COOKIES & OTHER TRACKING TECHNOLOGIES USED TO COLLECT INFORMATION ABOUT YOU We may use various technologies to collect the above Information via our Services, and through the use of third parties using certain technologies such as cookies, web beacons, pixels, tags, JavaScript, or other technologies. Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our Services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our website. Web Beacons. Website pages may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages and for other related statistics (for example, recording the popularity of certain content and verifying system and server integrity). We may also use these technical methods to analyze the traffic patterns, such as the frequency with which our users visit various parts of the Services. These technical methods may involve the transmission of Information either directly to us or to a third party authorized by us to collect Information on our behalf. Our Services may use retargeting pixels from Google, Facebook, and other ad networks. We may also use web beacons in HTML emails that we send to determine whether the recipients have opened those emails and/or clicked on links in those emails. Analytics. Analytics are tools we may use, such as Google Analytics, to help provide us with information about traffic to our website and use of our Services, which Google may share with other services and websites who use the collected data to contextualize and personalize the ads of its own advertising network. You can view Google's Privacy Practices here: Privacy Policy - Privacy & Terms - Google (https://policies.google.com/privacy?hl=en-US). Mobile Application Technologies. When we offer a mobile application that you use, we may collect the unique device identifier assigned to your mobile device by phone makers, carriers, or makers of your mobile device's operation system (the "Device ID"). Device IDs allow app developers, advertisers, and others to uniquely identify your device for purposes of storing application preferences and other data. We may use your Device ID to contact you directly through push notifications. Additionally, we may use Device IDs to monitor suspicious activity. For example, if we detect that a single account on our mobile application is being accessed from multiple devices, as determined by tracking the Device IDs that access an account, we may contact the user to confirm that such access has been authorized by the user. Do Not Track. Do Not Track ("DNT") is a privacy preference that users can set in certain web browsers. We are committed to providing you with meaningful choices about the Information collect on our Services for online advertising and analytics purposes, and that is why we provide the variety of opt-out mechanisms listed herein. However, we do not currently recognize or respond to browser-initiated DNT signals. IV. HOW WE USE YOUR INFORMATION A. Use and Purpose of Processing Your Information We use and process your Information for things that may include, but are not limited to, the following: To set up, administer, or manage your account and records (including processing deposits and withdrawals); To provide you with the Services; To perform identity verifications; To manage contests or promotions; To help you locate gaming services that are relevant to you; To process transactions and subscriptions you make through or in connection with the Services; To verify your location as required by applicable laws; To respond to your comments, inquiries, and questions and provide customer service; To tailor promotions, contests, surveys, or other offerings for you and to reach new players; For general or targeted marketing and advertising purposes, including sending you promotional material, or special offers on our behalf, or on behalf of our marketing partners and/or their respective affiliates and subsidiaries and other third parties, provided that you have not already opted-out of receiving such communications; To manage, improve, and foster relationships with third-party service providers, including vendors, suppliers, and parents, affiliates, subsidiaries, and business partners; To maintain, improve, customize, or administer the Services, perform business analyses, or other internal purposes to improve the quality of our business and the Services, resolve technical problems, or improve security or develop other products and Services; To detect, prevent, and address security issues and fraud; To comply with our Terms of Service; Analytics for business purposes and business intelligence; To comply with any applicable laws and regulations and respond to lawful requests; and/or For any other purposes disclosed to you at the time we collect your Information and/or pursuant to your consent. We may also use Information that has been de-identified and/or aggregated for purposes not otherwise listed above. B. Sharing or Disclosing Your Information We may share your information as set forth in this Privacy Policy and in the following circumstances: Third-Party Service Providers. We may share your Information with third-party service providers that perform certain functions or Services on our behalf (such as to host the Services, provide identity verification Services, assist with fraud and cybersecurity, manage databases, perform analyses, process credit card payments, sponsor contests and promotions for us, provide customer service, or send communications for us). These third-party service providers are authorized to use your Information only as necessary to provide these Services to us. In some instances, we may aggregate Information we collect so third parties do not have access to your identifiable Information to identify you individually. Social Sharing Features The Services may offer social sharing features and other integrated tools, which let you share actions you take on our Services with other media. The use of such features enables the sharing of Information with your friends or the public, depending on the settings you establish with the entity that provides the social sharing feature. For more information about the purpose and scope of data collection and processing in connection with social sharing features, please visit the privacy policies of the entities that provide these features. If you use the message boards, chat rooms, comment tools, or other public forums of the Services, you will be publicly identified by your screen name you use and other User Content (as that term is defined in our Terms of Service https://pa.playsugarhouse.com/?page=eula&l=RiversPhiladelphia&tos=TOC) you submit. Additionally, when you participate in certain promotions offered through the Services (e.g., the Leaderboard Promotion), we may also identify you by your screen name. Your screen name and all information you provide on these public forums will be viewable by the general public. We cannot be responsible for any personal or sensitive information in your screen name or which you choose to post on public forums, and we recommend careful consideration before you include any personal or sensitive information in your screen name or otherwise post such information. You agree that you will not disclose personal or sensitive information relating to any other person in a public forum of the Services without that person's prior, express consent. Testimonials. We may share your screenname on our website (pa.playsugarhouse.com) when you provide a testimonial about our Services. Disclosure of Information for Legal, Administrative, and Regulatory Reasons. We may disclose your Information without notice: (i) when required by law or to comply with a court order, subpoena, search warrant, or other legal process; (ii) to cooperate with or undertake an internal or external investigation or audit; (iii) to comply with legal, regulatory, or administrative requirements of governmental authorities (including, without limitation, requests from governmental authorities to view your Information) or relevant gaming authorities; (iv) to protect and defend the rights, property or safety of us, our subsidiaries and affiliates, and any of our or their officers, directors, employees, attorneys, agents, contractors and partners, and the Services users; (v) to enforce or apply our Terms of Service; and (vi) to verify the identity of the user of our Services. Business Transfers. Your Information may be shared, transferred, sold, or otherwise conveyed to a third party in connection with, or during the negotiation of: (i) a merger with or acquisition by another business entity; (ii) a financing; (iii) a sale of sell all or substantially all our assets; (iv) an adjudication of bankruptcy; or (v) a liquidation or other reorganization. You agree to any and all such conveyances of your Information. Information Shared with our Subsidiaries and Affiliates. We may share your Information with our subsidiaries and affiliates. Third-Party Partners for Marketing or Analytics Purposes. We may share your Information with partners whose offerings we think may interest you, including based on your responses to certain survey questions or other Information you have provided to us. Contest or Promotion Participation. If you choose to participate in a contest, promotion, or survey by voluntarily answering questions or completing a questionnaire that we offer on our Services, we may retain the answers and the Information contained in it for our branding, marketing, or research purposes. Online Communications. Any Information you submit in a public forum (e.g., a blog, our live chat room, community chats, or social network) may be read, collected, or used by us and other participants, and could be used to personalize your experience. You are responsible for the Information you choose to submit in these instances. De-Identified or Aggregated Data. We may aggregate, anonymize, and/or de-identify any Information collected from you so that such Information can no longer be linked to you or your device. We may use aggregated, de-identified or anonymized Information for any purpose, including without limitation for research and marketing purposes, and may also share such data with any third parties, including advertisers, promotional partners, and sponsors, in our discretion. With Your Consent. We may share your Information consistent with the specific purposes for which it was obtained or compiled in accordance with this Privacy Policy. V. LINKS TO OTHER WEBSITES The Services may offer social sharing features and other integrated tools (such as Facebook, Twitter, or Instagram), which may let you share actions you take on our Services with other media. The use of such features enables the sharing of Information with your friends or the public, depending on the settings you establish with the entity that provides the social sharing feature. For more information about the purpose and scope of data collection and processing in connection with social sharing features, please visit the privacy policies of the entities that provide these features. This Privacy Policy only applies to Information collected by our Services. We are not responsible for the privacy and security practices of these social sharing features, or the Information collected by these tools (which may include IP address). Links to any social sharing features does not constitute or imply an endorsement or recommendation by us of the linked website, social media platform, and/or content. VI. INFORMATION SECURITY We use commercially reasonable measures to protect Information we receive from misuse, acquisition, deletion, or unauthorized access or disclosure. We have controls in place designed to secure and safeguard such Information, however, you should assume that no data transmitted over the Internet or stored or maintained by us or our third-party service providers can be 100% secure. Therefore, although we believe the measures implemented by us reduce the likelihood of security problems to a level appropriate to the type of data involved, we do not promise or guarantee, and you should not expect, that your Information or private communications will always remain private or secure. We do not guarantee that your Information will not be misused by third parties. We are not responsible for the circumvention of any privacy settings or security features. You agree that we will not have any liability for misuse, access, acquisition, deletion, or disclosure of your Information. If you believe that your Information has been accessed or acquired by an unauthorized person, you should promptly contact us via the How to Contact Us section below so that we can quickly take necessary measures. VII. DATA RETENTION We will retain your Information for as long as needed to provide you the Services or as required by applicable laws. If you wish to request that we no longer use your Information to provide you Services, please contact us at PAprivacy@playsugarhouse.com. Please note that when exercising your right to restrict processing, your account will be closed and any promotional bonus, prizes, or benefits which may have been acquired will be forfeited. Following the closure of your account, we will retain and may continue to process your Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. In accordance with our routine record keeping, we may delete certain records that contain Information you have submitted to us. We are under no obligation to store such Information indefinitely and disclaim any liability arising out of, or related to, the destruction of such Information. VIII. YOUR CHOICES A. Emails. You may opt out of receiving promotional emails from RSI by following the instructions in those emails, through your My Account page or How to Contact Us (Email us: PAprivacy@playsugarhouse.com). If you opt out, we may still send you transactional or relationship email messages about our ongoing business relations. B. Text Messages.You may sign up to receive text messages from RSI, its affiliates, or third-party service providers on behalf of RSI (e.g., on-site chats or text message marketing). By using our Services, signing up for text messaging services or otherwise opting in to receive text messages (opting in via short code or entering your phone number into an on-site collection widget), you agree that you have provided RSI, its affiliates, or its third-party service providers with prior express written consent to be contacted by text message, including recurring automated promotional and personalized marketing text messages. By providing prior express and/or prior express written consent, you agree to receive text messages under the Telephone Consumer Protection Act and related state laws, including by the use of an automatic telephone dialing system (ATDS) to deliver text messages to the mobile phone number which you provided to RSI and its affiliates. While you consent to receive messages sent using an ATDS (or "autodialer"), the foregoing shall not be interpreted to suggest or imply that any or all of RSI mobile messages are sent using an autodialer. We will use the Information provided by you in connection with the text messaging services in accordance with this Privacy Policy. Your consent is not a condition of any purchase or use of our Services and your consent to be contacted as described is voluntary. The number of text messages you receive may vary based upon the text messaging service(s) you sign up for. Message and data rates may apply. You may revoke your consent and opt out to discontinue text messages at any time. If you no longer want to receive text messages from us, reply STOP (or as otherwise instructed). C. Push Notifications. With your consent, we may send push notifications to your mobile device to provide game or sportsbook-related information, service updates, promotional communications, and other related messages. You can deactivate these notifications by changing the notification settings applied to our mobile application on your device, or you can opt out of receiving these notifications through your My Account page. D. Location Information. You may choose to disable certain Geolocation Technologies through the location settings applied to our mobile application on your device. You may also disable certain Geolocation Technologies by deleting our mobile application from your device or otherwise ceasing use of the Services. If you turn off any Geolocation Technologies, you may not participate in wagering activities available through the Services but may continue to access or otherwise use the Services. E. Opting Out of Direct Marketing by Third Parties. To exercise choices regarding the marketing information you receive, you may also review the following links: You may opt-out of tracking and receiving tailored advertisements on your mobile device by some mobile advertising companies and other similar entities by downloading the AppChoices app at www.aboutads.info/appchoices. You may opt-out of receiving permissible targeted advertisements by using the NAI Opt-out tool available at http://optout.networkadvertising.org/?c=1 or visiting About Ads at http://optout.aboutads.info. You can opt-out of having your activity on our Services made available to Google Analytics by installing the Google Analytics Opt-out Browser Add-on for your web browser by visiting: https://tools.google.com/dlpage/gaoptout for your web browser. IX. GEOGRAPHIC LOCATION OF DATA STORAGE AND PROCESSING RSI is based in the United States and the Information we collect is governed by U.S. law. The Services collect Information and process and store that Information in databases located in the United States. If you are visiting the Services from a country outside the United States, you should be aware that you may transfer personally identifiable Information about yourself to the United States, and that the data protection laws of the United States may not be as comprehensive as those in your own country. By accessing or using the Services or otherwise providing Information to us, including personally identifiable Information, you consent to the processing and transfer of this Information in and to the U.S. X. ELIGIBILITY The Services are not directed to, and we do not knowingly collect Information from, anyone under twenty-one (21) years of age. If we determine that a user is under this age, we will not use, maintain, or continue to collect information from such user. Should an underage user attempt to participate in wagering activities, RSI may take enforcement actions against you such as immediately stopping user activity, account closures, confiscation, and forfeiture of winnings. XI. DIFFICULTY ACCESSING OUR PRIVACY POLICY Individuals with disabilities who are unable to usefully access our Privacy Policy online may contact us to inquire how they can obtain a copy of our policy in another, more easily readable format. XII. "DO NOT TRACK" SIGNALS We do not support "Do Not Track". Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable "Do Not Track" by visiting the "Preferences" or "Settings" page of your web browser. Do Not Track is different from Global Privacy Controls ("GPC"), which may notify websites of consumers' privacy preferences regarding the sale or sharing of personal Information, or the use of sensitive personal Information. XIII. CHANGES TO THIS PRIVACY POLICY We reserve the right to change, modify or amend this Privacy Policy at any time to reflect changes in our products and service offerings, accommodate new technologies, regulatory requirements, or other purposes. If we modify our Privacy Policy, we will update the "Last Updated" date and such changes will be effective upon posting. It is your obligation to check our current Privacy Policy for any changes. In some cases, we may provide you with more prominent notice (such as by adding a statement to our homepage or sending you an email notification). XIV. HOW TO CONTACT US If you have any questions about this Privacy Policy or the information we have collected about you, please contact us at the following: Email us: PAprivacy@playsugarhouse.com Write us: Rush Street Interactive, LP ATTN: Legal - Privacy Counsel 900 N. Michigan Ave., Suite 950 Chicago, IL 60611