Last Modified: June 20th, 2023
Captuure, Inc. d/b/a Orson and its subsidiaries and affiliates (collectively, “Orson,” “we,” “us,” or “our”) are committed to protecting the privacy of visitors to our websites, heyorson.com and https://www.storyshop.ai/ (collectively, “Sites”), and others interested in our business (collectively, “you” and “your”). We provide this privacy policy (“Privacy Policy”) to describe and explain our data collection practices and our commitment to data security when you interact with the Sites, use our Slack integration bot, utilize our video storytelling platform, or make a purchase via our StoryShop (collectively, the “Services”), which collects personal data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined by applicable privacy laws (“Personal Data”).
Orson processes two categories of Personal Data:
- Personal Data that our partners and customers ask us to process on their behalf (“Service Provider Data”). Orson provides an Automated Video Engine that generates team videos (the “Product”), and related support services (collectively, the “Business Services”). Under applicable law, in certain contexts Orson is considered the “processor” or “service provider” (“ Service Provider”) of Personal Data we receive through the Product and Business Services, and our customer is (or acts on behalf of) the “controller” of the data (i.e., the company with the right to decide how the data is used).
- Personal Data that we collect or process for our own business (“Controller Data”). Under applicable law, Orson is a “controller” of Controller Data.
This Privacy Policy applies to our handling of Controller Data. Our obligations with respect to Service Provider Data are covered under the agreement we enter into between us and each of our business partners and customers.
By providing us your Personal Data or utilizing the Services, you acknowledge that you have read this Privacy Policy and consent to the privacy practices as described in this Privacy Policy. Your further affirm your consent by submitting content or materials to us through the Services. Please read this Privacy Policy carefully to understand our policies and practices regarding your Personal Data and how we will treat it. If you do not agree with the terms and conditions of this Privacy Policy, including our use and disclosure of your Personal Data, and the Terms of Service, please do not use the Services and do not provide us with any Personal Data. Please note, however, that if you choose to limit the data that you provide to us while using the Services, you may not be able to use or participate in certain features of the Services.
1. CHANGES OR UPDATES TO THIS PRIVACY POLICY
We reserve the right to revise or update this Privacy Policy at any time, and you agree to be bound by those revisions or updates. We will notify you of any changes to the Privacy Policy by posting the revised or updated Privacy Policy and its “Last Modified” date on the Services. Your use of the Services thereafter constitutes your agreement to and acceptance of the Privacy Policy and its revisions or updates. You should periodically read the Privacy Policy to learn of any revisions or updates. If we make any material changes to the Privacy Policy, we will notify you 30 days prior to posting the revised Privacy Policy and require you to affirmatively accept the Privacy Policy before you are able to access and use the Services.
2. COLLECTION OF PERSONAL DATA
During your use of the Services, Orson collects both Personal Data and non-personally identifiable data about you in various ways, including
- Directly from you when you provide it to us;
- Automatically as you use the Sites; and
- From third parties.
-
Data Provided by You
We may collect the following types of Personal Data and other data directly from you when you use the Services, sign up for Beta testing of Orson, or contact us. We may collect the following types of Personal Data:
- Identifiers, including name, company name, Slack username and ID, email address, postal address, phone number;
- Information in Customer Records, including name, email address, postal address, phone number, payment and other financial data;
- Contact Information, including name, email address, and phone number;
-
Biometric Data, including imagery of face, video and audio recordings;
- Audio and Video Recordings. Orson may collect, receive, capture, and store audio and video recordings of you and metadata derived from your use of features, and additional related data.
- Financial Data, including billing and payment data; and
-
Sensitive Personal Data, including biometric data.
Special Category Information
Some of the data that we may collect as a result of providing the Services is particularly sensitive (e.g., biometric data). We only collect this data as provided by or consented by you.
Such sensitive data is only shared for the purpose of providing the Services you request or as consented for and will not be shared or used by us for any other purposes. This data is held to a strict retention schedule, as described in the Retention Period Section below.
-
Data Automatically Collected by the Sites
Orson and third-party service providers may automatically collect data about you when you use the Sites. This data is primarily needed to maintain the security and operation of the Sites, and for our internal analytics so that we can improve the Product and Business Services. This data may include:
-
Identifiers, including IP address and cookies;
- Cookies, are small data files that we transfer to your computer’s hard disk for record-keeping purposes. Cookies do not personally identify you; they merely identify the computer or device with which you access the Sites. The Sites use cookies to analyze trends, recognize you, tailor our Product and Business Services to you, or to detect and prevent fraud. You can instruct your browser, by changing its options, to disable cookies or to prompt you before accepting a cookie from the Sites. If you disable cookies, however, you may not be able to use all portions or functionality of the Sites;
- Internet or Other Electronic Network Activity Data, including device and usage data, Internet Protocol (IP) address, browser and device characteristics, how you use the Sites, browser type, version, language and time zone setting, browser plug-in types, country or location, operating system, internal automations and system settings, type of device you are using, actions you take on the Sites, the pages that led you to the Sites and, if applicable, the search terms you typed into a search engine that led you to the Sites; and
-
Third Party Cookies
- Google Analytics, visitors to the Sites may be tracked using Google Analytics. The Personal Data collected by Google Analytics is primarily used to optimize the Sites for users; however, we may also use this data for marketing purposes. The Personal Data we automatically collect using Google Analytics is shared with Google. For more information on Google’s Privacy Policies, visit: https://policies.google.com/privacy. You can also opt-out of having your Personal Data used by Google Analytics by following the instructions located at https://tools.google.com/dlpage/gaoptout/. Google Analytics may collect the following types of data from users of the Sites:
- Type of web browser used, software manufacture and version number.
- Type of operating system
- Color processing ability of the users screen
- JavaScript support
- Flash version
- Screen resolution
- Network location and IP address
- Country, city, state, region, county, or any other geographic data
- Hostname
- Bandwidth (internet connection speed)
- Time of visit
- Pages visited
- Time spent on each page of the website
- Referring website statistics
- The website the user came through in order to arrive at the Sites
- Search engine query used
We also use Google Analytics for Display and Search Advertising and, specifically, Google Analytics Demographics and Interest Reporting, on the Sites to help display advertising for products or services that we think may be of interest to you. We will use demographic information collected through our use of Google Analytics Demographics and Interest Reporting for purposes of performing internal statistical analytics relating to the Sites. You can opt-out of receiving interest-based advertisements through the Sites, as well as customize the types of advertisements that will be displayed to you through the Sites, by following the instructions located at https://support.google.com/ads.
- Heat Mapping and Session Recording, are used to capture how you use and interact with the Sites through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Sites usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for Sites optimization, fraud/security purposes, and advertising.
-
Pixel Tags and Web Beacons, are tiny graphic files with a unique identifier that is similar in function to a cookie but would allow us to count the number of visitors that have visited certain pages or screens of the Sites, and to help determine the effectiveness of promotional or advertising campaigns. When used in HTML-formatted email messages, web beacons can tell the sender whether and when the email has been opened. In contrast to cookies, which may be stored on your computer’s hard drive, web beacons are typically embedded invisibly on pages or screens. We may use web beacons in providing the Services.
- Meta Pixel, We use Meta Pixel Tags to better measure, optimize, and retarget our marketing campaigns. This allows user specific behavior to be tracked after they have been redirected to the advertiser’s website by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, in other words, we do not see the Personal Data of individual users. This data is stored and processed by Facebook. Facebook may link this information to your Facebook account and also use it for its own promotional purposes, in accordance with Facebook’s Data Usage Policy https://www.facebook.com/about/privacy/. For more information on opt-out options, please visit: https://www.facebook.com/help/568137493302217.
-
Identifiers, including IP address and cookies;
-
Data Received from Third Parties
In some instances, Orson may receive Personal Data and/or anonymous data about you from other parties, such as our affiliates, business partners, and service providers. That data may be obtained online, offline, or through publicly available resources. We may combine this data with the data you provide, and other data we already have about you.
-
Data Provided by You
3. PURPOSE OF COLLECTION
We may process your Personal Data for the following lawful business and commercial purposes, in accordance with the practices described in this Privacy Policy, and based upon the legal justification set forth in the parenthetical:
- Provide the Product and Business Services. We may use your Personal Data to provide the Product and Business Services, including beta testing, and any other products or services you may request from us. [CONSENT; CONTRACT; LEGITIMATE INTEREST]
- Monitor the Services. We collect your Personal Data for monitoring purposes to help us diagnose problems with our servers, administer and troubleshoot the Services, calculate usage levels, analyze industry standards, and analyze transactions, trends, and statistics regarding the use of the Services. [CONSENT; LEGITIMATE INTEREST]
- Respond to Inquiries and Fulfill Requests. We may use your Personal Data to respond to your inquiries and to fulfill your requests for information. [CONSENT]
- Communicate with You. We may use your Personal Data to send you marketing information about the Product and Business Services, new products and services, and other items that may be of interest to you. We may also contact you on behalf of our third-party business partners about a particular offering of theirs that may be of interest to you. [CONSENT; LEGITIMATE INTEREST]
- Improve the Services. We may use your Personal Data to make the Services more stable and user-friendly, to analyze service issues, improve the design and content of the Services, personalize your experience, analyze how the Services is used, offer new products and services, and to develop new marketing programs relating to the Product and Business Services. [CONSENT; LEGITIMATE INTEREST]
- Customer Service. We may use your Personal Data when contacting you regarding customer service, the Product and Business Services, or in response when you provide feedback. We may also use your information to send administrative emails regarding the Services or to inform you of any changes to this Privacy Policy, our Terms, or our third-party partner’s Terms. [CONSENT; LEGITIMATE INTEREST]
- Lead Generation. We may use your Personal Data to generate your interest in the Product and Business Services or other products and services offered by Orson. [CONSENT; LEGITIMATE INTEREST]
- Support Business Operations. We may use your Personal Data to support our internal and business operations, including marketing, security, and advertising. [CONSENT; LEGITIMATE INTEREST]
- Enforce Agreements. We may use your Personal Data to enforce separate agreements between you and us, enforce this Privacy Policy, our Terms, or our third-party partner’s Terms of Use, or in connection with a transaction with a similar effect. [CONSENT; CONTRACT]
- Fulfill Other Purposes. We may use your Personal Data to fulfill: (a) any other purpose for which you provide it; (b) any legal or regulatory requirements and any of our internal policies; (c) other purposes disclosed at the time of collection; (d) any other purpose with your consent; and (e) any other purposes set forth in this Privacy Policy. [CONSENT; LEGITIMATE INTEREST]
4. DISCLOSURE OF PERSONAL DATA
Except as otherwise described in this Privacy Policy, Orson will not sell, share, rent, or otherwise disclose Personal Data that we collect from the Services to any third party for monetary or other valuable consideration, unless stated below or with your consent:
- Subsidiaries and Affiliates. We may disclose Personal Data about you to our subsidiaries and affiliates.
-
Business Partners. We may share your Personal Data with our business partners to provide you with a product or service (i.e. StoryStrips as defined under the applicable StoryShop Terms of Use) you may have requested. We may also share your Personal Data to business partners with whom we jointly offer any products, or services.
- StoryStrips. Orson creates customized StoryStrips tailored to our business partners’ needs and generating powerful unscripted Episode (as defined in the StoryShop Terms of Use) for users. We may share the automated StoryStrips, Episodes, and any related Personal Data with our business partners to add value to their platform and create new revenue streams.
- Service Providers & Contractors. To help us provide superior service, your Personal Data may be shared with our service providers, contractors, and other third parties we use to support our business and who will safeguard it in accordance with this Privacy Policy. Such third parties may help us with lead generation, providing customer service, maintaining and analyzing data, and sending customer communications on our behalf. These third parties are bound by contractual obligations to keep your Personal Data confidential and use it only for the purposes for which we disclose it to them. Without such information being made available, it would be difficult for you to use the Product, receive customer service, provide us feedback to improve the Product and Business Services, or access certain services, offers, and content on the Services.
- Marketing Partners. We may share your Personal Data with entities that perform marketing, lead generation, or data aggregation services on Orson’s behalf, or with which Orson or an affiliate has joint marketing arrangements.
- Advertising Partners. We may share your Personal Data with third party advertising partners, such as Facebook, LinkedIn, YouTube, Instagram, Microsoft, and Google Display Advertising and Remarketing services. These advertising partners may use first- and third-party cookies together to inform, optimize, and serve ads based on your past visits to the Services. You can opt out of these services using the Ads Preferences Manager or you can use the Google Analytics opt-out browser add-on. These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks, commonly referred to as “interest-based advertising.”
- Other Users. We may share your Personal Data with other users in the same Slack channel to collaborate or communicate.
- Authorized Representatives. If another individual is managing your account with us or your email account which the Services connect to on your behalf (for example, a manager managing the account of an employee), as authorized by you or as a personal representative under applicable law, that person can view all Personal Data about you on the Services.
- In the Event of Merger, Sale, Divestitures, or Change of Control. Orson reserves the right to transfer Personal Data to a buyer or other successor in interest that acquires rights to that data as a result of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of Orson or substantially all of its assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about you is among the assets transferred.
- With Your Consent. We may share your data for other purposes pursuant to your consent or at your direction.
- Other Disclosures. We may disclose your Personal Data if we have a good faith belief that disclosure of such data is helpful or reasonably necessary to: (a) conform to legal requirements and comply with any court order, law, or legal process, including responding to any government, law enforcement, or regulatory request; (b) enforce the Orson Terms of Service, other agreements, including between you and us, and any other documents included or referenced therein (all of which are incorporated into and made a part of this Privacy Policy by reference); (c) fulfill the purpose for which you provide it; (iv) detect, prevent, or otherwise address fraud or security issues; or (v) protect against harm to our, your, or third parties’ rights, property, or safety.
We may share and disclose de-identified and/or aggregate analytics with third-party partners for the purposes described in this Privacy Policy or where it is collected, or any other legal purpose, including, when and where applicable, sharing and disclosing non-personally identifiable data combined with Personal Data.
5. CHOICES
We strive to provide you with choices regarding how we use the Personal Data you provide to us. Please understand that if you choose not to disclose data to us, it may affect your ability to use some features of the Services. We have created mechanisms to provide you with the following control over your data:
-
Advertising
We may also use third-party advertisers, ad networks, and other advertising, marketing, and promotional companies, to serve advertisements about the Product and Business Services. Such third parties may gather data about your visit to the Services, monitor your access or market our products and services to you, monitor the ads you view, click-on, or interact with, when they were delivered, and the screens and pages that they are on. If you wish to not have this data used for the purpose of serving you targeted ads, you may opt out by clicking here. Please note this does not opt you out of being served advertising. You will continue to receive generic ads.
We and our service providers may use data about your interactions with the Services to predict your interests and select the ads you see on and off the Services. This is known as interest-based advertising. In providing interest-based ads, we follow the Self-Regulatory Principles for Online Behavioral Advertising developed by the Digital Advertising Alliance ("DAA"). For more information about interest-based advertising and how you can opt out,
visit:
- Digital Advertising Alliance (DAA): http://www.aboutads.info/choices
- Network Advertising Initiative (NAI): http://www.networkadvertising.org/choices/
-
Marketing
From time to time if you have supplied your email address, Orson and its affiliates may send you marketing or informational emails. If you prefer not to receive any or all of our marketing and promotional communications, you may opt-out of these communications by following the opt-out prompts on these communications. You also may ask us not to send you other marketing or informational communications by contacting us as specified in the Contact Information section below, and we will honor your request. Please note that even after you are removed from our marketing lists, we may still send you non-promotional communications, such as responding to your support requests.
-
Do Not Track
Some browsers have a “Do Not Track” (DNT) feature that lets you tell websites and online services that you do not want to have your online activities tracked. Such browser features and industry standards are not uniform. As such, Orson does not monitor or respond to DNT browser requests. If a standard is adopted that we must follow in the future, then we will inform you about that practice in a revised version of this Privacy Policy.
6. THIRD-PARTY LINKS AND WEBSITES
The Services may contain links to third-party services, websites, mobile applications, and/or contain advertisements from third parties that are not affiliates with us – and which may link to other websites, services, or applications. While we endeavor to work with third parties that share our respect for user privacy, we are not responsible for the privacy policies or privacy practices of such third parties. Any data collected by third parties are not covered by this Privacy Policy. You are responsible for knowing when you are leaving the Services to visit a third-party website, service, or application and for reading and understanding the terms of use and privacy policy statements for each such third party. This Privacy Policy only governs data collected through the Services.
7. CHILDREN
The Services, Product, and Business Services provided by Orson are not directed to persons under 16. We do not knowingly collect Personal Data from children under 16. If you become aware that your child is accessing the Services and providing Personal Data without your consent, please contact us by using the data provided in the Contact Information section below. We will take steps to remove Personal Data from Orson’s servers and terminate the account should we determine that a child under 16 has accessed the Services, Product, and Business Services.
8. PUBLIC FORUMS
We may provide public areas on the Services, such as forums, blogs message boards, and chat rooms (“Public Forum”), where you can post information about yourself and others. Please exercise discretion and use caution with respect to your data, especially in such public areas. We do not control who reads postings on the Services, or how they may use or disclose such information. If you choose to voluntarily disclose information on Public Forums, that information will be publicly available and can be collected and used by other users.
9. CONFIDENTIALITY AND SECURITY
We take the security of your Personal Data seriously and have implemented appropriate technical and organizational measures to protect it from unauthorized access, disclosure, or destruction. While we implement these measures, please note that 100% security is not possible, and we cannot guarantee that the security measures we have in place to safeguard Personal Data will never be defeated or fail, or that those measures will always be sufficient or effective.
10. INTERNATIONAL TRANSFER OF DATA
The Sites are hosted in the United States and is intended solely for visitors located within the United States. If you do not reside in the United States and provide Personal Data to us, please note that your Personal Data will be transferred, processed, collected, use, accessed, and/or stored in the United States, a country and jurisdiction that may not have the same data protection laws or rights as the country in which you reside, and subject to U.S. laws. Please do not provide your Personal Data to us if you do not want this data to be transferred or processed outside of your country, or if the laws in your country restrict such transfers.
11. RETENTION PERIOD
We may retain certain data as required by law or for necessary business purposes. We are under no obligation to store such Personal Data indefinitely and, to the extent permitted by law, disclaim any liability arising out of, or related to, the destruction of such Personal Data. d. As an Episode may contain sensitive, biometric information, these will be deleted from our systems one (1) year after you last accessed the provided Episode link.
12. EEA AND UK PRIVACY RIGHTS
Individuals (“Data Subjects”) in the European Economic Area (EEA) and the United Kingdom (UK) have certain privacy rights under EU and UK law, including the General Data Protection Regulations (the “GDPR”) and UK Data Protection Act 2018. In the event, we collect Personal Data (as defined in the GDPR) that is subject to the GDPR, this section shall apply. Terms in this section are to be understood in a manner consistent with the GDPR including the definitions of such terms in the GDPR. Such terms may have a different definition or meaning in other portions of this Privacy Policy because the GDPR may not apply to those sections.
-
Data Controller
The Data Controller is Orson.
-
Processing Purposes and Legal Bases
Orson processes your Personal Data for the lawful purposes, and under the legal bases set forth in the Collection of Personal Data section above.
-
Onward Transfer
Orson will not disclose Personal Data to a third party except as stated below:
We may disclose Personal Data to subcontractors and third-party agents. Before disclosing Personal Data to a subcontractor or third-party agent, we will obtain assurances by contractual agreement from the recipient that it will: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the subcontractor or third-party agent is obligated to provide at least the same level of privacy protection as is required by the GDPR; (iii) take reasonable and appropriate steps to ensure that subcontractors and third-party agents effectively process the Personal Data transferred in a manner consistent with the organization’s obligations under the GDPR; (iv) require subcontractors and third-party agents to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the GDPR; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with subcontractors and third-party agents to the Supervisory Authorities upon request.
We also may be required to disclose, and may disclose, Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements, or in the event of a merger or acquisition.
-
Rights under the GDPR
Data Subjects have the following privacy rights under the GDPR:
- Right of Access. You have the right to obtain confirmation from us as to whether or not we process Personal Data from you, and you also have the right to at any time obtain access to your Personal Data stored by us.
- Right to Rectification. If we process your Personal Data, we use reasonable measures to ensure that your Personal Data is accurate and up-to-date for the purposes for which your Personal Data was collected. If your Personal Data is inaccurate or incomplete, you have the right to require us to correct it.
- Right to Erasure. You may have the right to require us to delete your Personal Data.
- Right to Restrict Processing. You may have the right to request the restriction or suppression of Personal Data.
- Right to Withdraw Consent. If you have given your consent to the processing of your Personal Data, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on the consent before the withdrawal.
- Right to Data Portability. You may have the right to receive the Personal Data concerning you and which you have provided to us, in a structured, commonly used and machine-readable format or to transmit this data to another controller.
- Right to Object. You may have the right to object to the processing of your Personal Data as further specified in this Privacy Policy and you may have the right to object to decisions being made with your Personal Data based solely on automated decision making or profiling.
- Right to Lodge a Complaint with Supervisory Authority. You have the right to lodge a complaint with a data protection supervisory authority located in the European Union or UK. Further information about how to contact your local data protection authority is available at the website of the European Commission.
If you would like to exercise your EEA and UK privacy rights, please contact us as specified in the Contact Information section with a reference to “EEA and UK.”
-
Choices under the GDPR
Data Subjects have the right to opt out of (i) disclosures of their Personal Data to third parties not identified at the time of collection or subsequently authorized, and (ii) uses of Personal Data for purposes materially different from those disclosed at the time of collection or subsequently authorized. Data Subjects who wish to limit the use or disclosure of their Personal Data should submit that request to our Data Protection Officer. We will cooperate with Data Subjects’ instructions regarding Data Subjects’ choices.
All of our general emails also contain an unsubscribe link at the bottom and you can unsubscribe to such emails at any time by clicking on that link.
-
Security
See Confidentiality and Security section above for more information about our security practices.
-
Retention of Personal Data
For more information, please refer to the Retention Period section above.
-
Transfers to the United States
In using the Services, your Personal Data will be transferred to the United States, which is not recognized as a country having adequate safeguards for the protection of Personal Data. Orson relies on your consent or Article 49 of the GDPR for transfers of data collected from Data Subjects in the EU and EEA. Transfers are made to Orson only if the Data Subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers. Additionally, we transfer data as necessary for the performance of a contract between you as the Data Subject and Orson as the Controller, to Data Processors who have an agreement with us that includes protecting your privacy and the security of your data, and in cases where your Personal Data is necessary for the implementation of pre-contractual measures taken in accordance with your requests.
13. CALIFORNIA PRIVACY RIGHTS
This section explains how we collect, use, and disclose Personal Data about users, customers, and visitors who reside in California (“consumers” or “you”). It also explains certain rights afforded to consumers under California’s Shine the Light law and the California Consumer Privacy Act of 2018 (“CCPA”), as revised and updated by the California Privacy Rights Act (“CPRA”). This section uses certain terms that have the meaning given to them in the CCPA including Personal Data.
-
Shine the Light
Under California Civil Code Section 1798.83 (“Shine the Light”), California residents have the right to request in writing from businesses with whom they have an established business relationship, (a) a list of the categories of Personal Data, such as name, e-mail and mailing address and the type of services provided to the customer, that a business has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for the third parties’ direct marketing purposes; and (b) the names and addresses of all such third parties. To request the above information, please contact us as directed in the Contact Information section below with a reference to California Disclosure Information.
-
Categories of Personal Data Collected
We may collect (and have collected during the 12-month period prior to the “Last Modified” date of this Privacy Policy) the above categories of Personal Data about you in the Collection of Personal Data section above.
-
Purpose of Collection
We may use (and may have used during the 12-month period prior to the “Last Modified” date of this Privacy Policy) your Personal Data for the business or commercial purposes described in the Purpose of Collection section above.
-
Sources of Personal Data
During the 12-month period prior to the “Last Modified” date of this Privacy Policy, we may obtain (and may have obtained) Personal Data about you from the sources identified in the Collection of Personal Data section above.
-
Selling and Sharing Personal Data
We do not sell or share your Personal Data in exchange for monetary consideration; however, we may use tools described above such as Google Analytics, which may be interpreted as sharing your Personal Data. As such, please see the above Personal Data Automatically Collected and Choices sections for more information regarding opting out of use of these tools.
During the 12-month period prior to the “Last Modified” date of this Privacy Policy, we may have shared or disclosed the following categories of Personal Data about you for a business or commercial purpose with certain categories of third parties, as described below:
Categories of Personal Data that May Be Sold, Shared, or Disclosed Categories of Third Parties to whom Personal Data May Be Sold, Shared, or Disclosed Business or Commercial Purpose of Selling, Sharing, or Disclosing Personal Data Identifiers - Subsidiaries and Affiliates
- Service Providers and Contractors
- Business Partners
- Marketing Partners
- Advertising Partners
- Provide the Product, Business Services, and Services
- Communicate with you
- Monitor the Services
- Respond to Inquiries and Fulfill Requests
- Improve the Services
- Support Business Operations
- Fulfill Other Purposes
Personal Data Categories Listed in The California Customer Records Statute (Cal. Civ. Code §1798.80(e)) - Subsidiaries and Affiliates
- Service Providers and Contractors
- Business Partners
- Marketing Partners
- Advertising Partners
- Provide the Product, Business Services, and Services
- Communicate with you
- Monitor the Services
- Respond to Inquiries and Fulfill Requests
- Process payment
- Improve the Services
- Support Business Operations
- Fulfill Other Purposes
Contact Information - Subsidiaries and Affiliates
- Service Providers and Contractors
- Business Partners
- Marketing Partners
- Advertising Partners
- Provide the Product, Business Services, and Services
- Communicate with you
- Monitor the Services
- Respond to Inquiries and Fulfill Requests
- Improve the Services
- Support Business Operations
- Fulfill Other Purposes
Biometric Data - Subsidiaries and Affiliates
- Service Providers and Contractors
- Business Partners
- Provide the Product, Business Services, and Services
- Improve the Services
Financial Data - Subsidiaries and Affiliates
- Service Providers and Contractors
- Business Partners
- Provide the Product, Business Services, and Services
- Process payment
Sensitive Personal Data - Subsidiaries and Affiliates
- Service Providers and Contractors
- Business Partners
- Provide the Product, Business Services, and Services
- Communicate with you
- Monitor the Services
- Respond to Inquiries and Fulfill Requests
- Improve the Services
- Support Business Operations
- Fulfill Other Purposes
Internet or Other Electronic Network Activity - Subsidiaries and Affiliates
- Service Providers and Contractors
- Business Partners
- Marketing Partners
- Advertising Partners
- Provide the Services
- Monitor and maintain the Services
- Improve the Services
- Support Business Operations
- Fulfill Other Purposes
-
California Consumer Privacy Rights
Under CCPA, consumers have certain rights regarding their Personal Data, as described below.
-
Right of Access: You have the right to request, twice in a 12-month period, that we disclose to you the following information about you, limited to the preceding twelve (12) months:
- The categories of Personal Data that we collected about you;
- The categories of sources from which the Personal Data is collected;
- The business or commercial purpose for collecting or selling Personal Data;
- The categories of third parties with whom we share Personal Data;
- The specific pieces of Personal Data that we have collected about you;
- The categories of Personal Data that we disclosed about you for a business purpose or sold to third-parties; and
- For each category of Personal Data identified, the categories of third parties to whom the information was disclosed or sold.
- Right of Deletion: You have the right to request that we delete any Personal Data about you which we have collected from you, subject to exceptions within the law.
- Right to Opt-Out: You have the right to opt-out of the disclosure of Personal Data about you for monetary or other valuable consideration. However, we do not sell any Personal Data.
- Right to Opt-In: We do not have actual knowledge that we collect, share, or sell the Personal Data of minors under the age of 16.
- Right to Limit Use and Disclosure of Sensitive Personal Data: You may request specific limitations on further sharing, use, or disclosure of your Sensitive Personal Data that is collected or processed for “the purpose of inferring characteristics about a consumer.” However, we do not collect or process Sensitive Personal Data for this purpose.
- Right to Correction: You have the right to request that we maintain accurate Personal Data about you and correct any Personal Data about you which we have collected from you, subject to exceptions within the law.
If you would like to exercise your California privacy rights, please refer to the Consumer Requests and Verification section below.
-
Right of Access: You have the right to request, twice in a 12-month period, that we disclose to you the following information about you, limited to the preceding twelve (12) months:
14. VIRGINIA, COLORADO, CONNECTICUT, AND UTAH PRIVACY RIGHTS
This section is applicable to residents of Virginia, Colorado, Connecticut, or Utah. If you are a resident of Virginia, Colorado, Connecticut, or Utah, you have certain rights described below. The following do not apply to individuals who do not live in Virginia, Colorado, Connecticut, or Utah on a permanent basis, individuals we do not collect Personal Data about, or individuals for whom all of the information we collect is exempt from the statutes. “Personal Data,” for purposes of this section regarding the rights of residents, means any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified information or publicly available information.
This section applies only to Virginia, Colorado, Connecticut residents to the extent their Personal Data is subject to the Virginia Consumer Data Protection Act (VCDPA), or the Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA) or any amendments or acts thereto upon their effective dates. The categories of Personal Data processed, the purposes of processing, the categories of Personal Data shared, and the categories of third parties to which Personal Data is shared are provided in the above sections of this Policy, including the chart depicted in the above section California Privacy Rights.
-
Rights under VCDPA, CPA, CTDPA, and UCPA
Virginia, Colorado, Connecticut, and Utah privacy law provides residents with specific rights regarding Personal Data, including:
- Right to Access. You have the right to confirm whether or not we are processing your Personal Data and to access such information.
- Right to Correction. You have the right to correct inaccuracies in your Personal Data which we have collected, taking into account the nature of the Personal Data and the purposes of processing the Personal Data.
- Right to Deletion. You have the right to request deletion of Personal Data provided by or obtained about you, subject to legal exemptions.
- Right to Data Portability. You have the right to obtain a copy of your Personal Data.
- Right to Opt-Out. You have the right to opt out of the processing of Personal Data for purposes of (1) targeted advertising; (2) the sale of Personal Data; or, if you are in Virginia or Colorado (3) profiling in furtherance of decisions that produce legal or similarly significant effects.
If you would like to exercise any of the rights provided, please refer to the Consumer Requests and Verification section below.
15. CONSUMER REQUESTS AND VERIFICATION
If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us using the information below:
-
Right to Non-Discrimination
We may not discriminate against you because you exercise any of your privacy rights contained in this Privacy Policy including, but not limited to:
- Denying goods or services to you;
- Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
- Providing a different level or quality of goods or services to you; or
- Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
-
Verifying Requests
You may request to exercise your rights of access, deletion, or correction by contacting us as described in the Contact Information section below. To help protect your privacy and maintain security, we will take steps to verify your identity before processing your request. If you request access to or deletion of your Personal Data, we may require you to provide any of the following information: name, date of birth, email address, telephone number, or postal address. When you make such a request, you can expect the following:
- As required under applicable law, we will verify your identity. You will need to provide us with your email address and full name. We may ask for additional information if needed.
- We will confirm that you want your information accessed, corrected, and/or deleted.
- We will confirm our receipt of your request within 10 days. If you have not received a response within a few days after that, please let us know by contacting us at the webpage or phone number listed below.
- We will respond to your request within 45 days upon receipt of your request. If necessary, we may need an additional period of time, up to another 45 days, but we will reply either way within the first 45-day period and, if we need an extension, we will explain why.
- In certain cases, a request for access, correction, or deletion may be denied. For example, if we cannot verify your identity, the law requires that we maintain the information, or if we need the information for internal purposes such as providing Services or completing an order. If we deny your request, we will explain why we denied it and delete any other information that is not protected and subject to denial.
-
Authorized Agents
You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent may contact us as described in the Contact Information section below to make a request on your behalf. Even if you choose to use an agent, we may, as permitted by law, require:
- The authorized agent to provide proof that you provided signed permission to the authorized agent to submit the request;
- You to verify your identity directly with us; or
- You to directly confirm with us that you provided the authorized agent permission to submit the request.
-
Virginia and Connecticut Appeal Process
If you have made a request to access, correct, or delete your Personal Data under VCDPA and CTDPA, and we have declined to take action, you may appeal our decision within 45 days of the denial. When you make such an appeal, you can expect the following:
- We will verify your identity. You will need to provide us with your email address and full name. We may ask for additional information if needed.
- We will review your appeal and respond in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision, within 45 days upon receipt of your appeal. If necessary, we may need an additional period of time, up to another 45 days, but we will reply either way within the first 45-day period and, if we need an extension, we will explain why.
- In certain cases, an appeal may be denied. For example, if we cannot verify your identity, the law requires that we maintain the information, or if we need the information for internal purposes such as providing Services or completing an order. If we deny your appeal, we will explain why we denied it and provide you with a method to contact your state’s Attorney General to submit a complaint.
16. CONTACT INFORMATION
If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us using the information below:
Email: support@heyorson.com