Privacy Notices

American Eagle Outfitters Global Privacy Notice

This Global Privacy Notice is effective as of July 8, 2021, and applies to our customers outside of North America.

This Global Privacy Notice (this "Notice") explains how data about you is collected, used and disclosed by American Eagle Outfitters, Inc., a company incorporated under the laws of Delaware (United States of America) and our affiliates and subsidiaries, including AEO Management Company (collectively, "AEO", "we", "us", or "our").

We are responsible for the processing of your Personal Data (as defined below) that we collect or receive from you, as a data controller. This Notice applies to data we collect when you access or use our technology platforms (including, without limitation, our websites, mobile applications and other AEO-controlled or related properties that link to this Notice; collectively, the "Platforms"), engage with us via social media, or when you otherwise interact with us.

In some locations, we have partnered with third parties to operate AEO-branded stores, websites and apps, to promote and sell our products and services, and to fulfill orders (“Retail Partners”). Retail Partners will collect and process Personal Data about you, subject to their own privacy policies, which they make available to you when you make a purchase from, visit a website operated by, or otherwise interact with such Retail Partners. This Notice also applies to our processing of any Personal Data that we may receive from one of our Retail Partners.

Please read this Notice completely (before providing us with your Personal Data or otherwise interacting with us or any Retail Partner or a third party that refers to this Notice in its privacy policy) to understand how we collect, use and disclose your Personal Data. We may supply different or additional notices on how we process Personal Data specific to certain programs or activities. We may also provide different notices on how we process Personal Data with respect to certain subsidiaries or affiliates, in which case this Notice will not apply. This Notice does not apply to job applicants and candidates who apply for employment with us, or to employees and non-employee workers in the context of our working relationship with them.

QUICK GUIDE TO CONTENTS

1. COLLECTION & USE OF PERSONAL DATA.

2. SHARING OF DATA.

3. YOUR RIGHTS AND CHOICES.

4. SECURITY AND RETENTION.

5. AKNOWLEDGEMENT OF PROCESSING AND TRANSFER OF PERSONAL DATA.

6. CHANGES.

7. CONTACT US.

8. ADDITIONAL INFORMATION FOR CERTAIN JURISDICTIONS.

1. COLLECTION & USE OF PERSONAL DATA.

a) Definition of Personal Data

In this Notice, our use of the term "Personal Data" includes other similar terms under applicable privacy laws—such as "personal information" and "personally identifiable information." In general, "Personal Data" includes any information relating to an identified or identifiable natural person, such as name, e-mail address, telephone number, home address, or payment data (e.g., account data or credit card number).

b) When do we collect your Personal Data?

We may collect Personal Data when you interact with AEO, any of our brands, or Platforms, such as when you:

• Purchase, return, reserve or try-on merchandise at one of our stores or through our Platforms;

• Consent to receive our promotional email, SMS/text messages, or other communications;

• Visit, use, and/or register through our Platforms;

• Consent to our use of cookies;

• Participate in our contests, sweepstakes or promotions;

• Participate in one of our surveys or other customer research;

• Consent to the collection and processing of your location data;

• Purchase gift cards for others; and

• Contact or visit our Customer Service Department, or otherwise contact us or one of our service providers with a comment, question or complaint.

In addition, we may collect and receive Personal Data about you from third parties, including our Retail Partners, vendors and service providers. For instance, we may engage vendors and work with other partners to provide services to us or to you on our behalf (such as payment processors, cloud hosting and service providers). As noted above, we work with Retail Partners to make our products and services available in certain locations. These Retail Partners may be responsible for processing orders, communicating with customers and handing returns in their respective locations, and they may provide us with customer Personal Data including, but not limited to, name, contact information, demographics, purchase history and marketing preferences.

c) Purpose of use and legal bases of processing for Personal Data

While the purposes for which we may process Personal Data will vary depending upon the circumstances, in general, we use Personal Data for the business purposes set forth in this section.

In this section, we also explain the legal bases upon which we process Personal Data, as required by privacy laws, such as the EU General Data Protection Regulation (the "GDPR"),UK Data Protection Act 2018, Brazilian General Data Protection Law (the "LGPD"), and Hong Kong Personal Data (Privacy) Ordinance ("PDPO").

Where applicable, pursuant to the GDPR and other relevant laws, in general, we process your Personal Data on the following legal bases:

• Performance of our contract with you: The Personal Data we collect may be used to perform our agreements with you, including our Terms of Use and other terms and conditions applicable to the Platform you use.

• To comply with a legal obligation to which AEO is subject: The Personal Data we collect may be processed in order to comply with the law and our legal obligations.

• For our legitimate business interests: We may process Personal Data in furtherance of our legitimate business interests in protecting, maintaining and improving the Platform; developing new Platforms, features and services; marketing and promoting our products and Platforms (including by profiling and marketing); protecting our legal rights and interests; in support of mergers, acquisitions, reorganizations and other business transactions; and to generally operate and improve our business.

• With your consent: We may process Personal Data about you based on your consent, for example to send you marketing communications, surveys, news, updates and other communications. Where required by applicable law, AEO will obtain your consent to this Notice and our collection, use and disclosure of your Personal Data. You may be able to withdraw your consent at any time in accordance with applicable laws; please see Section 3. Your Rights and Choices below for information on how to withdraw your consent.

Please read in the following additional details about how we may collect and use Personal Data, including, where applicable, Personal Data we receive from third parties, for example Retail Partners:

i. Purchasing, returning, reserving or trying-on merchandise

When you purchase or return merchandise through one of our stores or through our Platforms, we collect and use the Personal Data that you provide, such as your order, postal address, email address, age and payment information, for the purposes of fulfilling your order, processing your return, and updating you on the status of your order/return. When you reserve or try-on merchandise in-store, we may collect Personal Data such as your name, telephone number, email address, location and the items you wish to reserve or try-on for the purposes of fulfilling your request.

Where applicable, the processing of your Personal Data for these purposes is as necessary for the performance of a contract with you. We also use this Personal Data collected as necessary for our legitimate

interests, including fraud detection, improving the Platforms and business operations, information security purposes, monitoring our sales, and aggregate analytic modeling.

ii. Promotion/marketing

When you consent to receive information from us such as promotional/marketing emails, or other information, we process your email address and/or postal address for the purposes of fulfilling your request. You may unsubscribe from promotional communications by following the instructions in the message. If you have any questions about unsubscribing from our messages or would like assistance in unsubscribing from promotional messaging, please contact us as outlined below.

Where applicable, the processing of your Personal Data for this purpose is based on your consent, as well as in compliance with the direct pyramid selling requirements in the PDPO.

iii. Platform use

If you choose to visit, use, and/or register with one of our Platforms, we process the information that you provide, such as your name, email address, date of birth, shipping/billing address, credit card and account-related data for the purposes of administering and securing your account on our Platforms. Please note, when registering an account, you will be prompted to provide certain information. If you do not provide shipping, billing or credit card information upon account registration, we will automatically save this information to your account when subsequently provided, including upon your completion of an order. If you would like to revise this information, please access your account at any time.

Where applicable, the processing of your Personal Data for these purposes is as necessary for the performance of a contract with you. We also use this Personal Data collected as necessary for our legitimate interests. These legitimate interests are namely improving our Platforms and business operations, information security purposes, monitoring our sales, and aggregate analytic modeling.

iv. Cookies

Most of the Platforms use cookies and other automated technologies to collect certain information about the use of the Platforms and to provide certain features on our Platform. For example, these technologies may be used as analytics tools to understand what users like on our Platform, to improve our Platforms and to deliver personalized content (e.g. targeted advertisement). Most of the websites that AEO manages or controls include a Cookie Notice (accessible, for example, through the “Cookie Notice” link in the footer of the website), which contains more information about our use of cookies and similar technologies.

Where applicable, the processing of your Personal Data for this purpose is based on your consent and in compliance with applicable legal requirements.

v. Sweepstakes/contests/promotions

We process the Personal Data that you provide if you choose to participate in one of our contests, sweepstakes or promotions for the purposes of conducting them and communicating with you, all as further described in the respective terms and conditions. Where applicable, the processing of your Personal Data for these purposes is as necessary for the performance of a contract with you.

If you consent, we may also process your photo and/or video recorded at any relating event where you participate. The processing of your Personal Data for this purpose is then based on your consent.

vi. Customer surveys and other customer research

If you consent, we process the Personal Data that you provide if you choose to participate in one of our customer surveys or other research tools to analyze and better understand how customers like you interact with our brands.

Where applicable, the processing of your Personal Data for this purpose is based on your consent.

vii. Location data

When you navigate to any of the Platforms, we use location information to tailor your user experience and provide relevant content. Specifically, we use your device’s address and location information to geo-locate you to a default country, and we also use it to provide relevant store location, shipping, and product selection pages. Additionally, when you first launch any of our mobile applications, you will be asked to consent to the application’s collection of location data. We use this information to provide you with information about nearby stores/locations; products, their availability/location, or reserved items; and special offers and promotions.

Where applicable, the processing of your Personal Data for this purpose is based on your consent.

If you initially consent to our mobile application’s collection of this location data, you can subsequently change the collection of this data at any time by changing the preferences on your device. You may also stop our collection of location data by following the standard uninstall process to remove all of our mobile applications from your device.

viii. Gift cards for others

In certain circumstances, we may also collect Personal Data that you provide to us regarding other people. For example, you may provide us with the name and address for a gift recipient. When you provide us with this Personal Data, we use it for the purposes of processing the shipment. We rely on you to obtain any necessary information from the intended recipient for our use of their Personal Data for these purposes. You are responsible for obtaining the informed consent of others whose Personal Data you provide.

As applicable, the processing of the gift recipient’s Personal Data for this purpose is as necessary for the performance of a contract with you.

Where the gift recipient has consented, we use their Personal Data to communicate with the intended recipient. As applicable, the processing of the gift recipient’s Personal Data for this purpose is then based on your consent.

ix. Customer Service

We process the Personal Data you provide to us when you contact our Customer Service Department (name, telephone number, email address, purchase details) for the purposes of reviewing any issues you raise and responding to you. Depending upon the nature of your query, we may request additional Personal Data for the purposes of verifying your identity (e.g. birth date or banking details).

As applicable, the processing of your Personal Data for this purposes is as necessary for the performance of a contract with you.

x. Securing our business and complying with legal obligations

We may process Personal Data to secure and protect our business, defend our legal rights, and comply with legal obligations. In addition, we may process Personal Data for our internal auditing, reporting, corporate governance, and internal operations purposes.

As applicable, the processing of your Personal Data for these purposes is as necessary to comply with legal obligations and for our legitimate interests.

xi. Managing our relationships with others, including Retail Partners

We also process the above mentioned Personal Data to manage our relationship with vendors, Retail Partners, and third parties who assist us in providing our services or goods, for example, to ensure the proper performance of their tasks, to evaluate our work with them, and to ensure the smooth transition between different service providers or Retail Partners.

As applicable, the processing of your Personal Data for these purposes is as necessary for the performance of a contract with you, and/or as it is necessary for our legitimate interests, namely, improving business operations, monitoring our sales, and securing the proper performance of our service providers and Retail Partners.

2. SHARING OF DATA.

Except as described in this Notice, we will not share your Personal Data with third party controllers (i.e. third parties that use the Personal Data for their own purposes). We may, however, share aggregated, non-personal

or anonymous data, which cannot be used to identify you, with third parties. We may also share your Personal Data in the following circumstances:

Your Consent to have Your Personal Data Shared: While utilizing our Platforms, you may have the opportunity to opt-in to receive information and/or marketing offers from someone else or to otherwise consent to the sharing of your data with a third party. If you agree to have your Personal Data shared, your Personal Data will be disclosed to the third party and the Personal Data you disclose will be subject to the privacy notice and business practices of that third party.

Third Parties Providing Services and Retail Partners: We may share your Personal Data with vendors that perform functions on our behalf or assist with our business operations to perform contracts with you, such as those that host or operate our Platforms, process transactions and payments, fulfill orders or provide customer service; or other third parties that participate in or administer our marketing (including promotions, contests, sweepstakes, and surveys), provide internal promotional assistance, and analyze our data. Additionally, we may share your Personal Data with vendors that provide targeted marketing or promotional assistance, manage our credit card, analyze data, advertisers and “powered by” partners who power product reviews on our products or services. If we transition from one Retail Partner to another in a particular location, then we may transfer the Personal Data we received about you from our current or former Retail Partner to a new Retail Partner, or we may ask our current or former Retail Partner to transfer the Personal Data collected about you to the new Retail Partner.

AEO Group Companies: Your Personal Data may be processed by members of AEO group companies for purposes of assisting us to market our products and Platforms, analytics, research and demographic studies, development, and to help us improve and tailor our Platforms. Our group companies are subject to this Notice when they use your Personal Data.

Compliance with Legal Obligations: We may also disclose your Personal Data if we believe we are required to do so by law, or that doing so is reasonably necessary to comply with legal processes; when we believe it is necessary or appropriate to disclose Personal Data to law enforcement or other governmental or regulatory authorities or the courts (in any relevant jurisdiction worldwide), such as to investigate actual or suspected fraud or violations of law, breaches of security, or breaches of this Notice; to regularly exercise our rights in judicial, administrative or arbitration proceedings (as applicable in Brazil); to respond to any claims against us; and, to protect the rights, property, or personal safety of AEO, our customers, or the public.

Corporate Transactions: In addition, your Personal Data may be disclosed as part of any proposed or actual merger, sale, and transfer of AEO, assets, acquisition, bankruptcy, or similar event.

3. YOUR RIGHTS AND CHOICES.

You have certain rights with respect to your Personal Data, which may vary depending on your location. These are set out in more detail by location in Section 8 below.

a) Opt-out of marketing communications.

In addition to the rights set out in Section 8 below, you may opt-out of marketing emails by: (i) logging into your online account and updating your preferences; (ii) contacting us by phone, email or postal mail, or (iii) following the removal instructions in the communication that you received. If you opt out of direct marketing communications, we may to the extent permitted by applicable law still send you non-promotional communications, such as those about your account or our ongoing business relations. For example, if our service is temporarily suspended for maintenance, or your payment could not be processed, we might send you an email.

b) Withdraw your consent.

In all cases where we process your Personal Data based on your consent, you may withdraw consent for each individual purpose at any time without reasons. Please contact us via privacy@ae.com to withdraw consent.

Please note that if you would like to withdraw consent regarding your Personal Data collected and processed by one of our Retail Partners, you must submit a request directly to such Retail Partner.

c) Exercise of your rights.

Generally, registered account holders may review and update their profile information and communications preferences directly within their account. If you are not a registered account holder, require our help to exercise your rights or want to make a request regarding your Personal Data, you may contact us as set forth below, in Section 7. Contact Us.

Please note that if you would like to submit a request regarding your Personal Data collected and processed by one of our Retail Partners, you must submit a request directly to such Retail Partner.

Privacy requests should be directed to the AEO‘s privacy team as set forth below in Section 7. Contact Us. Please keep in mind that certain services will not be available if you withdraw your consent, or otherwise delete or object to our processing of certain Personal Data. We will respond to your request in accordance with applicable law, and we will inform you if we do not intend to comply with your request.

4. SECURITY AND RETENTION

We have implemented administrative, technical and physical measures to help protect the Personal Data we collect from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. However, no website or Internet transmission is completely secure. Thus, we cannot and do not guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. We urge you to take steps to keep your Personal Data safe, such as choosing a strong password and keeping it private, enabling multifactor authentication (where available), as well as logging out of your account, and closing your web browser when finished using the Platforms.

In general, we retain your Personal Data as long as necessary for purposes for which the Personal Data was collected and is used by us, as stated in this Notice, and as otherwise necessary to fulfill our legal obligations, resolve disputes, maintain appropriate business records, enforce our agreements or for such longer period as required by applicable law. The retention period depends on the information and the reason for which we have collected it. For example, we keep records of customer purchases and transactions in accordance with the relevant return and exchange periods under our return policy.

5. ACKNOWLEDGEMENT OF PROCESSING AND TRANSFER OF PERSONAL DATA.

We are based in the United States and are governed by U.S. law, and have operations, entities and vendors in the United States and throughout the world. By accessing or using the Platforms, or otherwise providing information to us, you acknowledge that we collect, process, transfer and store data about you in and to the United States and other applicable territories in which the privacy laws may not be as comprehensive as or equivalent to those in the country where you reside and/or are a citizen. We will take steps to ensure that your Personal Data receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements. Please use the contact information below if you have a question or complaint about the policies, practices or manner in which we or our vendors treat your Personal Data.

a) Users in the European Economic Area (EEA) and United Kingdom.

Your Personal Data may be transferred to and processed in the United States and other jurisdictions that do not provide equivalent levels of data protection according to the European Commission. In such cases, AEO will take steps to ensure that appropriate safeguards are in place to protect your Personal Data, including by putting in place standard contractual clauses as approved by the European Commission.

b) Users in Brazil.

If your Personal Data is subject to Brazilian laws, AEO will ensure that appropriate safeguards are in place to protect your Personal Data, as required by the Lei Geral de Proteção de Dados ("LGPD”).

6. CHANGES.

We may update this Notice from time to time. If we make changes, we will notify you by revising the date at the top of the Notice and, in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you a notification). We encourage you to review this Notice whenever you interact with us to stay informed about our data practices and the ways you can help protect your privacy.

7. CONTACT US.

As it relates to questions you might have about this Notice or if you have a concern that AEO may have failed to adhere to this Notice, please contact us as follows:

Please note, the role and department responsible for compliance with the obligations under this Notice is:

Assistant General Counsel, Privacy: Legal Department, privacy@ae.com

American Eagle Outfitters

c/o Legal Department

77 Hot Metal Street

Pittsburgh, PA 15203

Attention: Assistant General Counsel, Privacy

Tel: 1-888-232-4535

E-mail: privacy@ae.com

You may contact our European Local Representatives as required under Art. 27 GDPR as follows:

VeraSafe Czech Republic s.r.o

Klimentská 46

Prague 1, 11002

Czech Republic

Contact Form: https://verasafe.com/public-re...;

VeraSafe Ireland Ltd.

Unit 3D North Point House

North Point Business Park

New Mallow Road

Cork T23AT2P

Ireland

Contact Form: https://verasafe.com/public-re...;

Verasafe United Kingdom Ltd. 37 Albert Embankment London SE1 7TL United Kingdom Contact Form: https://verasafe.com/public-re...;

8. ADDITIONAL INFORMATION FOR CERTAIN JURISDICTIONS.

EEA (GDPR), UK, Brazil, and Hong Kong: Subject to the conditions set out in the applicable law, users in the European Union/European Economic Area, United Kingdom and Brazil (as well as in other jurisdictions where similar rights apply) have the following rights with regard to our processing of their Personal Data:

a) Your rights concerning your Personal Data

Accessing/Updating/Deleting or Restricting the processing of Your Personal Data: If you wish to access, modify, verify, correct, delete, or restrict the processing of any of your Personal Data collected through the Platforms, you may contact us using the contact information provided above. Alternatively, you may access, modify, verify, correct or delete your registered user data through our Platforms. Please note, all active accounts must be associated with a physical address and customer service may assist with certain changes. Additionally, we may refuse requests that are manifestly unfounded or excessive, in particular because of their repetitive character.

If you think that the processing of Personal Data by us violates data protection laws, you may lodge a complaint with the competent supervisory authority.

b) Right to Object

You may ask us at any time to stop processing your Personal Data, and we will do so, if we:

• rely on legitimate interests to process your Personal Data, except if we can demonstrate compelling legal grounds for the processing or where we need to process it for the establishment, exercise or defense of legal claims; or

• process your Personal Data for direct marketing.

c) Deletion of your Personal Data

You have the right, in certain circumstances, to request that we delete or remove your Personal Data, such as where we no longer need it or if you withdraw your consent (where applicable). To the extent permitted by applicable law, we will retain and use your Personal Data as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.

d) Right to Data Portability

You have the right, in certain circumstances, to receive a copy of Personal Data we have obtained from you in a structured, commonly used and machine readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.

e) Right to Withdraw Your Consent

In the event your Personal Data is processed on the basis of your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Brazilian users also have the right to be informed about the consequences of denying or withdrawing consent.

Please note that some of these rights may be limited, such as where we have an overriding interest or legal obligation to continue to process the data. Please contact us using the information set out above, in Section 7. Contact Us, if you wish to exercise any of your rights or if you have any inquiries or complaints regarding the processing of your Personal Data by us.

Chile: Subject to the conditions set out in the applicable law, if you are a user in Chile, you have the following rights with regard to our processing of your Personal Data:

• Request information on the processing of your Personal Data;

• Request that incorrect or incomplete Personal Data be modified;

• Request that your Personal Data be deleted if they are stored without a legal basis or if they are out of date;

• Request the deletion or blocking of your Personal Data, if applicable, if the Personal Data have been provided voluntarily or if they are used for commercial communications and you no longer wish to be included in the relevant register, either permanently or temporarily;

• Oppose the use of your Personal Data for advertising, market research or opinion polling purposes;

• Revoke your consent to the processing of Personal Data at any time with effect for the future; in this case, we ask you to refrain from future use of our Platforms or interaction with us or our Retail Partners.