DATA PRIVACY AND SECURITY POLICY

This Privacy Policy describes what information McGrath RentCorp and its affiliates and subsidiaries and all subdomains (“we”, “our”, “us” or “the Company”) collects from and is related to you, and how we use such information, when you use the Company websites at https://www.mgrc.com, https://www.adlertankrentals.com, https://www.enviroplex.com, https://www.mobilemodular.com, https://blog.mobilemodular.com, https://www.mobilemodularcontainers.com, https://www.trsrentelco.com, https://blog.mobilemodularcontainers.com, https://kitchenstogo.com (collectively, the "Websites").

Please read this Privacy Policy carefully and in its entirety before using the Websites as it applies to every visitor to the Websites. We reserve the right to make changes at any time to this Privacy Policy. We will advise you of material changes to this Privacy Policy through the Websites or by any other reasonable means of reaching you. All amended terms shall be automatically effective as of the date of the amended Privacy Policy. You should regularly check this Privacy Policy. Your continued use of the Websites constitutes acceptance of any and all changes to this Privacy Policy.

Collection of Personal Information

We collect personal information directly from users of our Websites from correspondence, faxes, live chats, e-mails, telephone inquiries, web forms, and other means of communication. We collect such information when we provide online services, and for other lawful purposes. We (and our affiliates and authorized service providers) may collect, store and use:

(a) information about your visits to and use of the Websites;

(b) information about any transactions carried out between you and us, including information relating to online education and other services;

(c) any information you provide to us if you correspond with us, such as when you request a quote for one of our products or services or contact us;

(d) if you create an account with us, we may ask you for your name, and other demographic information, e-mail address, street address or other personal information. You may, however, visit the Websites without providing that information.

(e) if you sign up to receive our newsletter, we may ask for your e-mail address.

(f) information by which you may be personally identified, such as your name, address, and phone number.

(g) if you purchase Company products and services, we collect billing and credit card information.

(h) anonymous demographic information, which is not unique to you.

(i) your search queries on our Websites.

As you navigate through and interact with our Websites, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, such as your IP address, geographical location, browser type, domain names, traffic data, logs, referring website addresses, access times, length of visit and number of page views, error information, clickstream data, and other communication data and the resources that you access and use on the Websites. The information we collect automatically may include personal information, or we may maintain it or associate it with personal information we collect in other ways or receive from third parties. We may use this information in the administration of the Websites, to improve the Websites usability, to provide better service, to send you newsletters, updates, marketing communications, and other information or that may be of interest to you. We may sometimes permit our authorized service providers to have access to aggregate and de-identified statistics about our customers, sales, traffic patterns, usage and related information.

The automatic data collection technologies that we use include:

• Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. We only place cookies on your hard drive with your consent. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. However, if you do not consent to our use of cookies or select this setting you may be unable to access certain parts of our Websites. You can find more information about cookies at http://www.allaboutcookies.org and http://youronlinechoices.eu.
• Web Beacons. Pages of our Website may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

We use automatic data collection technologies provided by third parties, including analytics providers. These third parties may use cookies to collect information about you when you use our Website. The information that they collect may be associated with your personal information or they may collect information, including Personal Information, about your online activities over time and across different websites and other online services. We do not control these third parties’ use of cookies or other tracking technologies, or how they may be used. If you have any questions about the use of this information, you should contact the responsible party directly.

Details about the automated data collection technologies and the specific cookies that we use can be found by following the link entitled “Manage Cookies” on our Websites and adjusting your preferences in the cookie consent manager, which you may access by selecting the links. The cookie consent manager enables you to control the settings of the cookies that we set on your device and whether we collect information from them.

How We Use Your Personal Information

We only use the information that we collect about you or that you provide to us, including any personal information:

• to present our Websites and their contents to you;
• to provide you with information, products, or services that you request from us;
• for our marketing and analytical purposes, consistent with our legitimate interests and any choices that we offer or consents that may be required under applicable laws;
• to fulfill any other purpose for which you provide it;
• to provide you with notices about your account, including expiration and renewal notices;
• to provide you with our newsletter;
• to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection;
• to notify you about changes to our Websites or any products or services we offer or provide though them;
• in any other way we may describe when you provide the information; and
• for any other purpose with your consent.

With your consent, we may also use your information to contact you about our own and third parties’ goods and services that may be of interest to you, such as via e-mail. If you wish to consent to this use, please check the relevant box or the appropriate button located on the form on which we collect your data. If you wish to change your choice, you may do so at any time by selecting the unsubscribe link that is provided in one of our emails or by sending us an email stating your request at privacyinquiry@mgrc.com. For more information, see Choices About How We Use and Disclose Your Information.

Please note that regardless of your choice, we may always use your information to contact you about an order or product service experience. For more information, see Your Choices and Access to Your Personal Information below.

We do not, as a condition of providing services to you or on your behalf, or as an administrative or management requirement, require consent to the collection, use or disclosure of personal information beyond that reasonably required for such purposes, or to comply with its obligations under applicable law.

Disclosure of Your Information

We do not share, sell, or otherwise disclose your personal information, except for the purposes as outlined in this privacy policy, or new purposes to which you have consented, or as required or as expressly permitted by applicable law. However, we may disclose aggregated information about our users without restriction.

We may disclose personal information that we collect or you provide as described in this privacy policy:

• to our subsidiaries and affiliates.
• to contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them. These entities provide IT and infrastructure support services, and payment processing services.
• with other business entities in connection with the sale, assignment, merger or other transfer of all or a portion of the Company business or assets to such business entity (including due to a sale in connection with a bankruptcy). We will require any such purchaser, assignee or other successor business entity to honor the terms of this privacy statement.
• in response to a subpoena, search warrant, in connection with judicial proceedings, or pursuant to court orders, legal process or other law enforcement measures.
• when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating any agreement with the Company, or may be causing injury to or interference with (either intentionally or unintentionally) our rights or property, other Website users, or anyone else that could be harmed by such activities.
• when we believe in good faith that the law requires it, to establish our legal rights or to defend against legal claims, and for administrative and other purposes that we deem necessary to maintain, service and improve our products and services.
• to enforce our agreements, including for billing and collection purposes.

Linking Sites

The Websites contain links to other websites whose privacy practices may differ from ours. The Company is not responsible for the privacy practices or the content of such websites, including any sites that may indicate a special relationship or partnership with us (such as co-branded pages or "powered by" or "in cooperation with" relationships). We do not share information we gather with other websites or any other entities or individuals except as provided in this privacy policy. Other linked sites, however, may collect personal information from you that is not subject to our control. To ensure protection of your privacy, always review the privacy policy of the sites you may visit by linking from the Websites.

Social Media

We may collect information from other sources, such as social media platforms that may share information about how you interact with our social media content. We do not control how your personal information is collected, stored or used by such third party sites or to whom it is disclosed. You should review the privacy policies and settings on any social networking site that you subscribe to so that you understand the information they may be sharing. If you do not want your networking sites to share information about you, you must contact that site and determine whether it gives you the opportunity to opt-out of sharing such information. The Company is not responsible for how these third party sites may use information collected from or about you.

Security

The Company employs security measures to protect the loss, misuse or alteration of personal information that you disclose through the Websites. If you have additional questions regarding security, please feel free to contact us directly at privacyinquiry@mgrc.com.

To ensure that our employees comply with our privacy policies, we have developed a training program that provides our employees with the tools and knowledge to protect member privacy in all aspects of their work. Any employee who violates our privacy policies is subject to disciplinary action, including possible termination and civil and/or criminal prosecution.

We also take additional cybersecurity measures that include but are not limited to, for example:

• We have a cybersecurity training and testing program that applies to our geographic locations- employees that use technology are required to complete these trainings and testing, which occurs on a regular monthly basis.
• We brief our Board of Directors on cybersecurity on a regular basis (this occurs minimally on an annual basis, with additional discussion as needed).
• We have purchased cybersecurity insurance.
• We comply with PCI-DSS. We have also implemented multi-layer cyber protections, including engaging a third-party independent cybersecurity company, who does security testing and monitoring for our Company, which includes penetration testing, auditing, and security assessment.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Websites. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Websites.

Child Online Privacy Protection Act (COPPA) Compliance and Related Information

The Child Online Privacy and Protection Act (COPPA) regulates online collection of information from persons under the age of 13. It is our policy to refrain from knowingly collecting or maintaining personally identifiable information relating to any person under the age of 18. If you are under the age of 18, please do not supply any personally identifiable information through the Website. If we learn we have collected or received personal information from a child under 18 without verification of parental consent, we will delete that information. If you are under the age of 18 and have already provided personally identifiable information through the Website, please have your parent or guardian contact us immediately using the information below so that we can remove such information from our files.

Opt-In & Unsubscribe - Your Choices About How We Use and Disclose Your Personal Information

We do not control the collection and use of your information collected by third parties described above in Disclosure of Your Information. When possible, these organizations are under contractual obligations to use this data only for providing the services to us and to maintain this information strictly confidential. These third parties may, however, aggregate the information they collect with information from their other customers for their own purposes.

In addition, we strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with control over your personal information:

• Tracking Technologies. We and third parties may use cookies, action tags, or similar technologies on your computer to provide the Websites and online services and help collect data. You may block or delete cookies and control data collection through your web browser settings and through our cookie consent manager, which you can access through the link on our homepage entitled “Manage Cookies.” However, adjusting your browser settings may impact your experience with the Websites.
• Promotional Offers from the Company. We will only use your contact information to promote our own or third parties’ products and services with your consent as described in our General Privacy Notice.
• Disclosure of Your Information for Third-Party Advertising. We will only share your personal information with unaffiliated or non-agent third parties for promotional purposes with your consent. If you wish to consent to such use, you can check the relevant box located on the form on which we collect your personal information or otherwise seek such consent.
• Targeted Advertising. Our third-party advertising partners may collect data about your visits to the Websites to help them better understand your advertising preferences, and provide you with offers they believe you will be interested in. We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You may inform us of whether you would like your data to be used in this way by setting your preferences for advertising cookies through our cookie consent manager, which you can access through the link on our homepage entitled “Manage Cookies,” however if you disable these types of cookies, you may still see advertising on ours or our third-party advertising partner sites, but these advertisements may not be as relevant to your interests. If you would like to learn more about interest-based advertising and your right to opt out of behavioral advertising, please visit:
  • http://www.aboutads.info/choices/
  • https://policies.google.com/technologies/ads
  • http://optout.networkadvertising.org/?c=1#!/

Please note that the options you select are browser and device specific.

Accessing, Correcting, and Deleting Your Information

You may contact us at the contact information below to request access to, correct, or delete any personal information that we have collected about you. If you have a registered account through our Websites, we cannot delete your personal information without also deleting your account. We may not accommodate a request to change your personal information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

Jurisdiction Specific Privacy Rights

The law in some jurisdictions may provide you with additional rights regarding our use of personal information. To learn more about any additional rights that may be applicable to you as a resident of one of these jurisdictions, please see the privacy addendum for your jurisdiction that is attached to this Data Privacy and Security Policy.

For Residents of California
If you are a resident of California, you have the additional rights described in our California Privacy Addendum.

For Residents of the Commonwealth of Virginia
If you are a resident of Virginia, you have the additional rights described in our Virginia Privacy Addendum.

For Individuals Located within the European Economic Area
If you are located in the European Economic Area, you have the additional rights described in our GDPR Privacy Addendum.

For Individuals Located within Canada
If you are located in Canada, you have the additional rights described in our Canada Privacy Addendum.

Contact Us

Personal information is generally located at our corporate or divisional offices in the United States. A list of corporations, divisions, subsidiaries and affiliates to which this Privacy Policy applies is available upon request. Please direct all complaints or other inquiries regarding personal information, the Privacy Policy, and requests related to your personal information pursuant to applicable laws to our Privacy Director as follows: privacyinquiry@mgrc.com.

---

California Privacy Addendum

Effective Date: September 9, 2021

Last Reviewed on: September 9, 2021

This Privacy Addendum for California Residents (the "California Privacy Addendum") supplements the information contained in McGrath RentCorp’s Data Privacy and Security Policy (the "General Privacy Notice") and applies solely to all visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this California Privacy Addendum to comply with the California Consumer Privacy Act of 2018 ("CCPA") and the California Consumer Privacy Rights Act ("CPRA"), which will go into effect on January 1, 2023. Any terms defined in the CCPA or CPRA have the same meaning when used in this California Website Privacy Addendum. If you are a California resident with disabilities, and need to be provided with an accessible version of this section or the policy as a whole, please contact us at privacyinquiry@mgrc.com. This California Privacy Addendum takes precedence over anything contradictory in our General Privacy Notice.

Note that this California Privacy Addendum does not apply to employment-related personal information collected from our California-based employees, job applicants, contractors, or similar individuals. Please contact your local human resources department if you are a California employee and would like additional information about how we process your Covered Personal Information (as defined below). It also does not apply to Covered Personal Information reflecting a written or verbal business-to-business communication between you and us.

Information We Collect

Our Websites, as applicable to your use of the services, collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device ("Covered Personal Information"). In particular, our Websites have collected the following categories of Covered Personal Information from its consumers within the last twelve (12) months:

Category	Examples
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, address, telephone number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. Some Covered Personal Information included in this category may overlap with other categories.
D. Commercial information.	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
G. Geolocation data.	Physical location or movements.
L. Sensitive Personal Information	Information that is not publicly available and reveals account log-in number in combination with any required security or access code, password, or credentials allowing access to an account.

Covered Personal Information does not include:

• Publicly available information from government records.
• Deidentified or aggregated consumer information.
• Information or organizations excluded from the CCPA’s scope as set forth in the law.

We will only use deidentified or aggregated consumer information in deidentified form and will not attempt to reidentify the information, except as is required by law, and will contractually obligate any recipients of such deidentified or aggregated consumer information to follow the same requirements.

Use of Covered Personal Information

We may use or disclose the Covered Personal Information we collect for the business purposes described in the General Privacy Notice.

We limit the collection of Covered Personal Information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the Covered Personal Information is processed. We may process the Covered Personal Information we collect, for one or more of the purposes described in the General Privacy Notice. We will not process Covered Personal Information for purposes that are neither reasonably necessary to nor compatible with the purposes for which the Covered Personal Information is processed as described in the General Privacy Notice without your consent.

Sources of Covered Personal Information

We obtain the categories of Covered Personal Information listed above directly from you, or automatically when you use or interact with our Websites.

Sensitive Personal Information

We collect Sensitive Personal Information solely to enable you to login and access our Websites. We do not use Sensitive Personal Information for an incompatible purpose.

Disclosing Covered Personal Information

We may disclose your Covered Personal Information to a third party for a business purpose. When we disclose Covered Personal Information for a business purpose, we generally enter into a contract that describes the purpose and requires the recipient to both keep that Covered Personal Information confidential, maintain reasonable security to protect the Covered Personal Information, and not use the Covered Personal Information for any purpose except performing the contract. In the preceding twelve (12) months, we have disclosed all of the above categories of personal information collected for a business purpose to third party vendors who provide marketing, payment processing, and other services to us.

Company neither “sells” Covered Personal Information for monetary or other consideration nor “shares” Covered Personal Information for cross-context behavioral advertising (whether or not for monetary or other valuable consideration).

Automated Decision Making

We do not use your Covered Personal Information with any automated decision making process, including profiling, which may produce a legal effect concerning you or similarly significantly affect you.

Data Security

We have implemented measures designed to secure your Covered Personal Information from accidental loss and from unauthorized access, use, alteration, and disclosure.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to our services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Covered Personal Information, we cannot guarantee the security of your Covered Personal Information transmitted to our Websites. Any transmission of Covered Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Websites.

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their Covered Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

To the extent you provide us with your Covered Personal Information and to the extent we process the Covered Personal Information by automated means, you have the right to request that we provide you a copy of, or access to, all or part of such Covered Personal Information in portable, and to the extent technically feasible, readily usable format that allows you to transmit the Covered Personal Information to another entity without hindrance.

We will provide Covered Personal Information to you that was collected beyond 12 months before the request unless providing such information is impossible or would involve a disproportionate effort. Once we receive and verify your request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

• The categories of Covered Personal Information we collected about you.
• The categories of sources for the Covered Personal Information we collected about you.
• Our business or commercial purpose for collecting that Covered Personal Information.
• The categories of third parties with whom we share that Covered Personal Information.
• The specific pieces of Covered Personal Information we collected about you (also called a data portability request).
• If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  • “sales” for monetary or other valuable consideration and “sharing” for cross-context behavioral advertising (whether or not for monetary or other valuable consideration), identifying the personal information categories that each category of recipient received; and
  • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that we delete any of your Covered Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers and/or contractors to delete) your Covered Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers and/or contractors to:

1. Complete the transaction for which we collected the Covered Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
2. Detect bugs or errors in our Website or service, detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
3. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
4. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
5. Comply with a legal obligation.
6. Make other internal and lawful uses of that information are permitted by law or that are compatible with the context in which you provided it.

Correction Rights

You can review and change your Covered Personal Information by logging into the Websites and visiting your “Account” page. You may also notify us through a verifiable consumer request as described below of any changes or errors in any Covered Personal Information we have about you to ensure that it is complete, accurate, and as current as possible. We may not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.

Exercising Access, Correction, Data Portability, and Deletion Rights

To exercise the access, correction, data portability, correction, and deletion rights described above, please submit a verifiable consumer request to us by emailing us at privacyinquiry@mgrc.com or contacting us at 1-800-548-0814.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf (an “Authorized Agent”), may make a verifiable consumer request related to your Covered Personal Information. You may also make a verifiable consumer request on behalf of your minor child.

Please note that we are not obligated to provide information to a consumer in response to a request more than twice in a twelve (12) month period. The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Covered Personal Information. Before completing your request to exercise the below, we will verify that the request came from you based on information we have for you in our records, or though some other method in compliance with the CCPA.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Covered Personal Information if we cannot verify your identity or authority to make the request and confirm the Covered Personal Information relates to you. With few exceptions, we will only review and fulfill a request from your Authorized Agent if (a) you grant the Authorized Agent written permission to make a request on your behalf, (b) you or the Authorized Agent provides us notice of that written permission, and (c) we are able to verify your and the Authorized Agent’s identity in connection with that notice and the request.

Making a verifiable consumer request does not require you to create an account with us.

We will only use Covered Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the twelve (12) month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Covered Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

You have the right not to receive discriminatory treatment by us for exercising any of your rights under the CCPA. However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your Covered Personal Information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Other California Privacy Rights

For California residents, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information, as that term is defined in Section 1798.83, to third parties for the third parties’ direct marketing purposes. To make such a request, you may contact us by emailing us at privacyinquiry@mgrc.com.

At this time, the Company does not honor “Do Not Track” signals.

Retention of Covered Personal Information

If you create an account with us, we will retain your Covered Personal Information for the entire time that you keep your account open. After you close your account (or if you have not created an account), we may retain your Covered Personal Information for any of the following reasons, whichever is longer: (a) fulfill the purposes for which it was collected and for legal or business requirements; (b) in our backup and disaster recovery systems in accordance with our backup policies and procedures; or (c) for as long as necessary to protect our legal interests or otherwise pursue our legal rights and remedies.

We retain data that has been aggregated or otherwise rendered anonymous in such a manner that you are no longer identifiable, indefinitely.

Changes to This California Privacy Addendum

Company reserves the right to amend this California Privacy Addendum at our discretion and at any time. When we make changes to this California Privacy Addendum, we will post the updated addendum on the Websites and update the addendum’s effective date. Your continued use of our Websites following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this California Privacy Addendum, the ways in which Company collects and uses your information described above and in the General Privacy Notice, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us by emailing us at privacyinquiry@mgrc.com.

---

Virginia Privacy Addendum

Effective Date: September 9, 2021

This Privacy Notice Addendum for Virginia Residents (the "Virginia Privacy Addendum") supplements the information contained in McGrath RentCorp’s Data Privacy and Security Policy (the “General Privacy Notice”) and describes our collection and use of personal data. This Virginia Privacy Addendum applies solely to all visitors of our Websites (as defined in the General Privacy Notice), users of our goods and services, and others acting only in an individual or household context, each of whom reside in the Commonwealth of Virginia (“consumers” or “you”). We adopt this notice to comply with the Virginia Consumer Data Protection Act of 2021 (“CDPA”) and any terms defined in the CDPA have the same meaning when used in this notice.

Note that this Virginia Privacy Addendum only applies to you as an individual and not to you acting in an employment or commercial context.

Information We Will Collect

We collect information that is linked or is reasonably linkable to you and as identified or identifiable person (“personal data”) as described in our General Privacy Notice.

Personal data does not include, and this Virginia Privacy Addendum does not cover:

• Publicly available information from government records or that we have a reasonable belief is lawfully made available to the general public either by widely distributed media, by you, or by a person to whom you have disclosed the information (unless you have restricted the information to a specific audience).
• Information that has been de-identified such that the information can no longer be reasonably linked to any you or a device linked to you.
• Information excluded from the CDPA’s scope, like:
  • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), health records for the purposes of Title 32.1 of the Virginia Code, or clinical trial data;
  • Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States;
  • Information and documents created for the purposes of the U.S. Health Care Quality Improvement Act of 1986 and patient safety work product for the purposes of the U.S. Patient Safety and Quality Improvement Act;
  • personal data covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act (FCA), and the Driver’s Privacy Protection Act of 1994.

Use of Personal Data

We limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed. We may process the personal data we collect, for one or more of the purposes described in the General Privacy Notice. We will not process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes for which the personal data is processed as described in the General Privacy Notice without your consent.

Sharing Personal Data

The Company may share your personal data with our affiliates and other third parties. When we disclose personal data, we enter a contract that describes the purpose and requires the recipient to both keep that personal data confidential and not use it for any purpose except performing the contract. The categories of personal information that we share with third parties, and the categories of third parties that we share your personal information with, are described in the following table:

Category of Personal Data Shared With Third Parties	Categories of Third Parties the Personal Data are Shared With
Identifiers	Service Providers, Data brokers or aggregators, and Internet cookie information recipients, such as analytics and behavioral advertising services
Commercial information, i.e. records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies	Service Providers
Internet or other similar network activity	Service Providers, and Internet cookie information recipients, such as analytics

Sales of your Personal Data

We do not sell your personal data to third parties for their own commercial use.

Your Rights and Choices

The CDPA provides you as consumer in Virginia with specific rights regarding their personal data. This section describes your CDPA rights and explains how to exercise those rights. You may exercise these rights yourself or through your authorized agent.

• Confirmation and Access. You have the right to confirm whether or not we are processing your personal data and to have access to that personal data. You may exercise this right by emailing us at privacyinquiry@mgrc.com. You may also exercise this right as described below.
• Correction. You have the right to correct any inaccuracies in your personal data processed by us, taking into account the nature of the personal data and the purposes of the processing of your personal data. We may also not be able to accommodate your request to change the personal data if we believe it would violate any law or legal requirement or cause the personal data or the information associated with the personal data to be incorrect.
• Deletion. You have the right to request that we delete all of your personal data. In cases in which you have a user account, we cannot delete your personal data except by also deleting your user account. However we may not accommodate a request to erase your personal data if we believe the deletion would violate any law or legal requirement or cause any information associated with the personal data to be incorrect.
• Portability. To the extent you provide us with your personal data and to the extent we process the personal data by automated means, you have the right to request that we provide you a copy of, or access to, all or part of such personal data in portable, and to the extent technically feasible, readily usable format that allows you to transmit the personal data to another controller without hindrance.
• Opt-Out of Certain Processing. You have the right to opt-out of processing your personal data for the purposes of: (i) targeted advertising; (ii) the sale of your personal data; or (iii) profiling in furtherance of decisions that produce legal effects or similarly significant affects concerning. These decisions include decisions that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.

To exercise the right to opt-out, you (or your authorized representative) may adjust your cookie preferences by selecting the link entitled “Manage Cookies” on one of our Websites. You may also opt-out of receiving cookie’s by setting your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. However, if you do not consent to our use of cookies or select this setting you may be unable to access certain parts of our Websites or other websites. You can find more information about cookies at http://www.allaboutcookies.org and http://youronlinechoices.eu.

Exercising Your Rights

To exercise the rights described above, please submit a request to us by contacting us through the contact information provided in our General Privacy Notice.

You may only make a request to exercise the above rights twice within a 12-month period. The request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal data.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal data if we cannot authenticate that the personal data that is the subject of your request relates to you through commercially reasonable efforts. In this case, we may request additional information, which we will only use to authenticate you.

Making a verifiable consumer request does not require you to create a password-protected, online account with us. However, if you do have such an account, we may require you to use it in order to make your request. Doing so will enable us to consider your requests through that account to authenticate that the personal data that is the subject of your request relates to you.

To exercise the right to opt-out of targeted advertising, you (or your authorized representative) adjust your cookie preferences by visiting the following Internet Web page link: entitled “Manage Cookies” on one of our Websites. You may also opt-out by setting your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. However, if you do not consent to our use of cookies or select this setting you may be unable to access certain parts of our Websites or other websites.

Response Timing and Format

We will generally process these requests within forty-five (45) days of its receipt. If we require more time (up to 45 days), we will inform you of the reason and extension period in writing. If we cannot comply with your request, we will provide you with an explanation of the reasons we cannot comply with a request.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Appeals Process

You may appeal a refusal by us to take action on your request to exercise any of the above rights within a reasonable period of time after we provide you notice of such refusal by contacting us through the contact information listed in the General Privacy Notice. Within sixty (60) days after we receive your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including any explanations for the reasons for the decision. If your appeal is denied, you may lodge a complaint with the Virginia Attorney General through his/her contact information available at: https://www.oag.state.va.us/contact-us/contact-info.

Non-Discrimination

We will not discriminate against you for exercising any of your CDPA rights. Unless permitted by the CDPA, we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CDPA that can result in different prices, rates, or quality levels, or selection of goods and services (including the possibility of offering our goods and services for no fee), if you have exercised your rights to opt-out of certain processes as described above or if the offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Changes to This Virginia Privacy Addendum

Company reserves the right to amend this Virginia Privacy Addendum at our discretion and at any time. When we make changes to this Virginia Privacy Addendum, we will post the updated addendum on the Websites and update the addendum’s effective date. Your continued use of our Websites following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this Virginia Privacy Addendum, the ways in which the Company collects and uses your information described above and in the General Privacy Notice, your choices and rights regarding such use, or wish to exercise your rights under the CDPA, please do not hesitate to contact us through the contact information provided in the General Privacy Notice.

---

GDPR Privacy Addendum

Effective Date: September 9, 2021

Introduction

This GDPR Privacy Addendum (the “GDPR Privacy Addendum”) supplements the information contained in the McGrath RentCorp Data Privacy and Security Policy (“General Privacy Notice”) and applies solely to all users who are located in the European Economic Area. We adopt this GDPR Privacy Addendum to comply with the General Data Protection Regulation (2016/679) and any implementing acts of the foregoing by any of the member states of the European Economic Area, the United Kingdom, or Switzerland (“GDPR”) and any terms defined in the GDPR or our Privacy Notice have the same meaning when used in this GDPR Privacy Addendum. This GDPR Privacy Addendum takes precedence over anything contradictory in our General Privacy Notice.

Data Controller

The Company is the data controller of your personal information. At this time, the Company is not required to appoint a Data Protection Officer or a representative in the EU, and has elected not to do so. The Company may be contacted by email at privacyinquiry@mgrc.com.

Lawful Basis for Processing Your Personal Information

The processing of your personal information is lawful only if it is permitted under the applicable data protection laws. We have a lawful basis for each of our processing activities (except when an exception applies as described below):

• Performance of a contract. We may need to collect and use your personal information to in order to fulfill our obligations to you or your employer pursuant to our contract with you or your employer to deliver our goods and services to you or your employer.
• Consent. By using our Websites, you consent to our collecting, using, and sharing your personal information as described in this privacy policy. If you do not consent to this privacy policy, please do not use the Websites.
• Legitimate interests. We may use your personal information with our third party vendors and service providers for our legitimate interests to deliver the services you have requested and to improve our services. Our legitimate interests are balanced against your rights and freedoms and we do not process your personal information if your rights and freedoms outweigh our legitimate interests. Our legitimate interests are to: facilitate communication between the Company and you or your employer; detect and correct bugs and to improve our Websites; safeguard our IT infrastructure and intellectual property; detect and prevent fraud and other financial crime; promote and market our business; check your credit and perform risk assessments; develop our products and services and perform employment screening and to manage our workforce, assets, and business.
• As required by law. We may also process your personal information when we are required or permitted to by law; to comply with government inspections, audits, and other valid requests from government or other public authorities; to respond to legal process such as subpoenas; or as necessary for us to protect our interests or otherwise pursue our legal rights and remedies (for instance, when necessary to prevent or detect fraud, attacks against our network, or other criminal and tortious activities), defend litigation, and manage complaints or claims.

Special Categories of Information

The Company does not ask you to provide, and we do not knowingly collect, any special categories of personal information from you.

Automated Decisions Making

The Company does not use your personal information with any automated decision making process, including profiling, which may produce a legal effect concerning you or similarly significantly affect you.

Your Rights Regarding Your Information and Accessing and Correcting Your Information

Applicable data protection laws may provide you with certain rights with regards to our processing of your personal information.

• Access and Update. You can review and change your personal information by emailing us at privacyinquiry@mgrc.com. You may also notify us of any changes or errors in any personal information we have about you to ensure that it is complete, accurate, and as current as possible. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.
• Restrictions. You have the right to restrict our processing of your personal information under certain circumstances. In particular, you can request we restrict our use of it if you contest its accuracy, if the processing of your personal information is determined to be unlawful, or if we no longer need your personal information for processing but we have retained it as permitted by law.
• Portability. To the extent the personal information you provide the Company is processed based on your consent or that we process it through automated means, you have the right to request that we provide you a copy of, or access to, all or part of such personal information in structured, commonly used and machine-readable format. You also have the right to request that we transmit this personal information to another controller, when technically feasible.
• Withdrawal of Consent. To the extent that our processing of your personal information is based on your consent, you may withdraw your consent at any time by closing your account. Withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your personal information.
• Right to be Forgotten. You have the right to request that we delete all of your personal information. We cannot delete your personal information except by also deleting your user account, and we will only delete your account when we no longer have a lawful basis for processing your personal information or after a final determination that your personal information was unlawfully processed. We may not accommodate a request to erase information if we believe the deletion would violate any law or legal requirement or cause the information to be incorrect. In all other cases, we will retain your personal information as set forth in this policy. In addition, we cannot completely delete your personal information as some data may rest in previous backups. These will be retained for the periods set forth in our disaster recovery policies.
• Complaints. You have the right to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. However, before doing so, we request that you contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.
• How You May Exercise Your Rights. You may exercise any of the above rights by completing the REQUEST FORM and emailing it to us at privacyinquiry@mgrc.com. If you contact us to exercise any of the foregoing rights, we may ask you for additional information to verify your identity. We reserve the right to limit or deny your request if you have failed to provide sufficient information to verify your identity or to satisfy our legal and business requirements. Please note that if you make unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access your personal information, you may be charged a fee subject to a maximum set by applicable law.
• Response Times. We will make every reasonable effort to respond to each of your written requests not later than 30 days after receipt of such requests. When applicable, we will advise you in writing if we cannot meet your requests within this time limit. When applicable, you have the right to make a complaint to the appropriate privacy commission with respect to this time limit.

Consent to Processing of Personal Information Outside the European Economic Area

The Websites are hosted in the United States. If you are a resident of the European Economic Area (“EEA”), please note that by providing your information it is being transferred to, stored or processed in the United States and other countries, where our data center and servers are located and operated. The data protection and other laws of the United States, including to countries that may not or do not provide an equivalent level of protection for your personal information.

Your personal information is transferred by the Company to another country only if it is required or permitted under applicable data protection law and provided that there are appropriate safeguards in place to protect your personal information. By using our Websites, you represent that you have read and understood the above and hereby consent to the storage and processing of personal information that you provide directly to us on our Websites. If you are visiting the Websites form outside the United States and do not wish to allow the transfer of your personal information to the United States, you should not use the Websites and you should not opt-in to (or send us a request to opt-out of) the collection of cookies. To ensure your personal information (other than personal information you provide directly to us on our Websites) is treated in accordance with this privacy policy, the Company uses Data Protection Agreements between the Company and all other recipients of your data that include, where applicable, the Standard Contractual Clauses adopted by the European Commission (the “Standard Contractual Clauses”). The European Commission has determined that the transfer of personal information pursuant to the Standard Contractual Clauses provides for an adequate level of protection of your personal information. Under these Standard Contractual Clauses, you have the same rights as if your data was not transferred to such third party. You may request a copy of the Data Protection Agreement by contacting us by email at privacyinquiry@mgrc.com.

Retention of Personal Information

If you create an account with us, we will retain your personal information for the entire time that you keep your account open. After you close your account (or if you have not created an account), we may retain your personal information for any of the following reasons, whichever is longer: (a) fulfill the purposes for which it was collected and for legal or business requirements; (b) in our backup and disaster recovery systems in accordance with our backup policies and procedures; or (c) for as long as necessary to protect our legal interests or otherwise pursue our legal rights and remedies.

We retain data that has been aggregated or otherwise rendered anonymous in such a manner that you are no longer identifiable, indefinitely.

Changes to this GDPR Privacy Addendum

The Company reserves the right to amend this GDPR Privacy Addendum at our discretion and at any time and at any time and as further described in our General Privacy Notice. When we make changes to this GDPR Privacy Addendum, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our websites following the posting of changes constitutes your acceptance of such changes.

Contact

Personal information is generally located at our corporate or divisional offices in the United States. A list of corporations, divisions, subsidiaries and affiliates to which this Privacy Policy applies is available upon request. Please direct all complaints or other inquiries regarding personal information, the Privacy Policy, and requests related to your personal information pursuant to applicable laws to our Privacy Director as follows: privacyinquiry@mgrc.com.

---

Canada Privacy Addendum

Effective Date: September 9, 2021

This Canada Privacy Addendum (the “Canada Privacy Addendum”) supplements the information contained in McGrath RentCorp’s Data Privacy and Security Policy (the “General Privacy Notice”) and describes our collection and use of personal information. This Canada Privacy Addendum applies solely to all visitors of our Websites (as defined in the General Privacy Notice), users of our goods and services, and others acting only in an individual or household context, each of whom are located in Canada (“consumers” or “you”). We adopt this notice to comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Canada’s Anti-Spam Legislation (“CASL”) and any terms defined in the PIPEDA and CASL. This Canada Privacy Addendum takes precedence over anything contradictory in our General Privacy Notice.

Note that this Canada Privacy Addendum only applies to you as an individual and not to you acting in an employment or commercial context.

Data Protection Officer

Company has a Data Protection Officer in compliance with the PIPEDA. Company or its Data Protection officer may be contacted in any manner set forth below in the “Contact Information” Section of this Canada Privacy Addendum.

Lawful Basis for Processing Your Personal Information

By using our Websites, you consent to our collection, use, and sharing of your personal information as described in this General Privacy Notice. If you do not consent to this collection, use, and sharing, please do not use the Websites.

Promotional Offers

We will only use your contact information to promote our own or third parties’ products and services with your consent as described in our General Privacy Notice.

Consent to Processing of Personal Information in the United States

In order to provide our services to you, we may store and send your personal information outside of Canada, including to the United States. Accordingly, your personal information may be transferred outside the country where you reside or are located, including to countries that may not or do not provide an equivalent level of protection for your personal information. Your information may be processed and stored in the United States and United States federal, state, and local governments, courts, or law enforcement or regulatory agencies may be able to obtain disclosure of your information through the laws of the United States. By accessing our Websites, you represent that you have read and understood the above and hereby consent to the storage and processing of your personal information outside the country where you reside or are located, including in the United States.

Contact

If you have any questions or comments about this Canada Privacy Addendum, the ways in which the Company collects and uses your information described above and in the General Privacy Notice, your choices and rights regarding such use, or wish to exercise your rights under the Canada privacy laws, please do not hesitate to contact us through the contact information provided in the General Privacy Notice or contact our Data Protection Officer, Jim Gallagher, at +1 925-453-3147, 5700 Las Positas Rd. Livermore, CA 94551.