Services Privacy Policy

Last updated Feb 15, 2021

Introduction & What this Policy Outlines

Thank you for choosing to be part of our community at InReality, LLC (“Company”, “we”, “us”, or “our”). InReality is committed to protecting your personal information and your right to privacy. If you have any questions or concerns about our policy, or our practices with regards to your personal information, please contact us at privacy@inreality.com.

This Privacy Policy covers the InReality software platform (“InReality” or the “Service”), which includes sensors, cameras and components such as our Safe Space web app as well as our Cloud Platform.

In this Privacy Policy, we seek to explain to you in the clearest way possible what information we collect, how we use it, and what rights you have in relation to it.

The Service is designed to operate as described in this Privacy Policy, however, our customers who use the Service (“Customers”) in Venues can customize the Service to collect, use and retain information beyond the default settings described below. Therefore, we encourage you to keep this in mind as you review this Privacy Policy and to contact the Venue directly to ask how they have decided to implement the Service.

By using and/or interacting with the Services, you acknowledge you are aware of the terms of this Privacy Policy and your continued use shall be constituted as your consent to our collection, processing, and sharing of information for the purposes set forth herein.

We may change this Privacy Policy from time to time. If we make changes, we will provide notice by revising the date at the top of this policy and posting to our websites and apps, and in some cases, we may provide additional notice (such as via our websites or by sending an email notification to account holders).

What is InReality’s software platform?

InReality, LLC is a data analytics platform company that utilizes sensors (primarily camera vision) to collate data for venue marketing and tracking. Our platform processes detailed metrics for the purpose of improving in-venue marketing and sales. Our platform was originally built for retail utilizing cameras and, as such, have been subject to strict legal and public perception challenges. As such, we have always had the utmost respect towards both views on the matter. We designed it to respect the rights and privacy sensitivities of both individuals and businesses while also ensuring the insights necessary to extract value for both. We comply with the strictest privacy laws such as GDPR and CCPA and are continuously reviewing and amending them according to the latest recommendations by governing bodies. inReality’s compliance efforts are overseen by a dedicated Privacy Officer located in Atlanta as well as the esteemed law firm Davis & Gilbert.

Glossary of Terms
  • Aggregated Data:
    • De-identified aggregated metrics: Data that cannot be reasonably used to infer information about or otherwise linked to a particular consumer, computer, or other device, e.g., five percent of the store’s visitors today were seen at some point in the past week
  • Anonymized Data:
    • De-personalized Data: Data that cannot be reasonably used to infer information about a particular consumer, but that may be associated with a particular computer or device, e.g, a hashed MAC address
  • AOI (Area of Interest): A defined area of your venue, such as an entrance or exit, POS (point of sale), digital signage location, interactive promotion, etc.
  • API (Application Programming Interface): A standard computer interface that allows users to access data from a system. InReality’s API is the messenger that delivers your requests to our Analytics application, and returns the response (data) back to you
  • CCPA: California Consumer Privacy Act
  • Data Collected: Any useful information that is tracked by a Sensor and interpreted on the Platform
  • GDPR: General Data Protection Regulation
  • InReality Online Platform: https://app.inreality.com/v3/
  • Personally Identifiable Information (PII): information that specifically identifies you as an individual. Personally Identifiable Information includes identity data (e.g., name or other similar identifiers) and contact data (e.g. address, email address, telephone number)
  • Sensor: Any device in a venue that generates data for InReality’s platform
  • Temp Screening: The process of screening an individual for elevated temperature via a temperature screening hardware solution.
  • The Company: InReality, LLC (also referenced: “We”, “Our”, “InReality”)
  • Third Party: Any partner or affiliate associated with InReality’s data, and any other persons or group that provide InReality with data or resources
  • Venue: one store / location within a Customer’s subscription that contains the AOIs and sensors that generate data
What Information is Collected and How it is Collected
  • Data Captured In Venue
    • InReality, and its Customers, capture data in-venue to provide more information about in-venue behavior and performance through a variety of sensors and other means. By default, all of the data collected is non-personal, meaning that no Personally Identifiable Information (PII) is captured, or stored, but only reports on Anonymized and/or Aggregated data which cannot be connected to any individual. Examples include:
      • No PII possible: Sensors are unable to collect any data that would be considered personal data
        • Product interaction/pick-up (RFID or NFC or Infrared) data
          • Venue Location
          • Location in Venue
          • Product ID
          • Count
          • Timestamp
        • Traffic counting (Infrared, Laser, sensor mats)
          • Venue Location
          • Location in Venue
          • Count
          • Timestamp
      • PII possible, but anonymized
        • In certain cases, Anonymous Video Analytics (using cameras) are employed to detect individual bodies/faces from a real-time camera feed that is not recorded or stored. Although individual records are created, all data is anonymized. Each body or face is assigned an anonymous ID or tag, and no visual data, including photos or video, is stored at any time. No data can be reasonably used to infer information about a specific visitor.
          • Venue Location
          • Location in Venue
          • Information in Person
            • Count
            • Body Gesture(s)
            • Estimated Age/Age Group
            • Estimated Gender
            • Estimated Mood
            • Dwell Time or Gaze Time
          • Timestamp
      • PII possible, but aggregated
        • In other cases, data can be collected from other sensors, such as Mobile Device Detection beacons (or similar). In these situations, no individual information is retained, but rather is aggregated into counts (or ratios) for a period of time (e.g., 15 mins, 1 hour, 1 day, 1 week, etc.). Data is transmitted only in an aggregated manner and no individual records are created or kept (e.g., 120 visitors seen in Venue A on Monday between 2 PM-3 PM).
          • Venue Location
          • Location in Venue
          • Device Identifier
          • Count (Max, min, and/or total)
          • Dwell Time
          • Time Period
      • PII possible, but anonymized & aggregated
        • In other cases, data can be collected from various sensors and can be both anonymized and aggregated. This occurs when sensors are used to collectively gain an aggregated list of PII, which is anonymized immediately. This is useful for collecting anonymized data from aggregated data from multiple persons or a group of people that would otherwise show PII. The data for a group of people is aggregated over a given time period and also anonymized so no PII is developed.
      • Repeat Visitor
        • Employee Exclusion is opt-in (storing image/s): Employees are automatically anonymously tracked so that the data does not count them as separate unique visitors. There must be a distinguishable difference between employees and Customers.
        • Repeat Visitor Customer: Sensors may track unique visitors for repeat visits, but this is still anonymized data. We do not store images or specific device IDs and instead use anonymous IDs or tags. We store facial pattern information and look back against that information. That information is still not image-based and cannot be reasonably reverse-engineered or linked to an individual person.
  • Data Collected from Third Parties
    • InReality, and its Customers, collect and transmit data that is relevant to in-venue analytics that can come from Third Parties (Weather, Event Calendar, etc.), other sensor data, or from InReality’s Customers (POS data, Loyalty data, etc.). In most cases, this data is non-PII (Weather or Event). In cases where the information may have PII information, that data is collected, initially stored, and transmitted to InReality by the InReality Customer. InReality considers this data to be given by the Customer with appropriate consent, and InReality will ensure it stores and protects the data appropriately.
      • No PII possible
        • Weather conditions (High, Low, Conditions)
        • Event calendar (Concert, Game, Sale, Marketing Calendar)
      • PII Possible (Covered by InReality Customer’s Privacy Policy: they have to notify us to do any deletion/purging)
        • Employee Schedule
        • POS Data
        • Loyalty Data
  • Data Collected from the InReality Cloud Platform
    • InReality may collect PII when you sign up, purchase, or evaluate our products and services at the InReality Cloud Platform. We collect information about you such as your name, Company name, email address, billing address and role/title. We may gather additional information (personal or non-personal) in the future. The purpose of this data is to appropriately create and administer logins to our Cloud Platform by users. This data is used to verify your identity for security reasons, provide you with support and services, and provide you with information about other services and features of our platform. For more information, please reference our InReality Platform (Website and App) Privacy Policy.
Anonymization Clause
  • Anonymization is a technique applied to personal data in order to achieve irreversible de-identification. Any personal data obtained through the use of cameras, sensors, or other instruments is collected and processed for anonymity in compliance with the applicable legislation on the retention of data in an identifiable format.
  • In order to obtain truly anonymous data, every sensor used by The Customer under The Company’s guidelines will retrieve generic information and immediately delete any non-generic information. Any sensor will not retain any specific information. Information is defined as any piece of knowledge that may be exclusive to 1 individual person or group of persons and may be traced as evidence of proof of said person or group of persons.
  • No visual data is captured or stored at any time. Each body or face detected is assigned an anonymized ID or tag. No Personally identifiable information (PII) is collected.
  • The Company demonstrates the need to keep personal data in a form which permits identification for no longer than is necessary for the purposes of further processing; The Company defines the necessary time as no longer than required for the API to correctly initiate and evaluate the camera, sensor, or other instrument data. Usually this initiation and evaluation occurs in less than three-hundredths of a second. After such time has passed, all collected data is either deleted or anonymized immediately and unequivocally.
  • The Company is accountable for all means that are likely reasonably used for identification by the controllers and third parties.
  • The likelihood of risk through anonymisation of data has been assessed and determined to be inherently low by The Company.
  • The optimal solution for anonymity is decided on a case-by-case basis, possibly by using a combination of different techniques, while taking into account the practical recommendations developed in this Policy.
How We Protect Data & Individual Privacy
  • For camera based analytics, all video processing is performed locally in real time so that images or videos do not need to be recorded or transmitted. No video images are stored locally or transmitted via network to the InReality Cloud Platform.
  • All the anonymous audience & engagement measurement data generated by our software is securely encrypted & streamed (SSL / TLS) to our cloud, which only our clients can access via secure log-ins. No PII information, if provided by clients, is available to be downloaded by clients from the InReality Cloud Platform.
  • Aggregated anonymous “metadata” (non-PII) information is sent to our Cloud (AWS)
  • Wifi & Bluetooth Broadcast Beacons: Collected PII data is never sent over the network or saved in long term storage. When collected, the data is immediately de-personalized in-memory by hashing the PII. This is a one-way process that cannot be reasonably reversed. The original data is discarded, while only the new de-personalized data is sent over the network for further processing on our servers. We cannot reasonably and will not identify the individual persons.
  • Camera Images: Camera images are never sent over the network or saved in long term storage. When collected, the image is immediately processed in-memory. The original image is discarded, while only the de-identified aggregated metrics are sent over the network for further processing on our servers. We cannot and will not retrieve the original images or identify individual persons.
How Long Data is Stored
  • Any raw data we do collect is kept locally for 30 days and is configurable. After the 30 day period, the raw data is deleted forever. Any raw data we do collect is also kept on the InReality cloud platform for 90 days and is configurable. After the 90 day period, the raw data is deleted forever. The results, metrics, and key insights derived from the raw data on the InReality cloud platform are accessible indefinitely and are configurable.
How We Use and Share the Data
  • We use any captured data to provide de-identified aggregated metrics of the movement and behavior of the visitors in a venue. The venue owner or operator will often use this for the purposes of enhancing the user experience, conducting internal audits, optimizing revenue generating activities, and more. A good example of a report we provide is: N number of individuals were seen at Location A between time X and time Y; we have seen a subset of those individual tags in the past and on average the N individuals spent Z minutes at the location.
  • All data collected by InReality is anonymised and is not shared with or sold to any other company or persons except as described in this Privacy Policy.
Employee Exclusion Clause
  • By default, InReality’s data analytics and platform do not use Employee Exclusion. Employee Exclusion is defined as keeping the data of an individual employee’s facial recognition or other attribute in order to exclude him/her from any KPI (Key Performance Indicators) or other results. If the customer chooses to use Employee Exclusion, then there is an opt-in for each individual employee OR they may choose to use a unique identifier (such as uniform color) to strip their data out anonymously. The form opt-in option allows the individual employee to understand and agree or disagree to opt-in to using InReality’s platform and services.
Consent
  • You are not legally obligated to provide us information, and you hereby confirm that providing us information is at your own free will. By using our platform and services, you acknowledge you are aware of the terms of this Privacy Policy and your continued use shall be constituted as your consent to our collection, processing, and sharing of information for the purposes set forth herein. If you do not agree to this Privacy Policy, please do not access or otherwise use our platform or products. We reserve the right, at our discretion, to change this Privacy Policy at any time.
  • Consent is not required for consumers who are anonymously tracked by our sensors because it is anonymous information. The consumer gives up certain rights while on public commercial property; if the consumer does not want to be included in the anonymous data, then he/she should not enter the venue.
BIPA Compliance Clause
  • BIPA (Biometric Information Privacy Act) has been recently instituted for the State of Illinois. InReality and its data analytics and products successfully comply with BIPA. By anonymizing and aggregating the data we collect, we do not directly or inherently collect or link any medical, financial, government, or other important, unique, confidential, and sensitive data to the users. We also comply with the BIPA duration period. We keep any raw data for no more than 30 days, after which the raw data is deleted forever. We keep raw data on our cloud platform for no more than 90 days, after which the raw data is deleted forever. This time period is less than the 3 year period as stated in BIPA. Also, as stated in BIPA: “‘Biometric identifier’ means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include…demographic data”. Since all data under InReality’s platform, services, and products is collected for demographic purposes only, InReality successfully complies with all BIPA regulations and therefore does not use any Biometric Identifiers.
  • For more information, BIPA may be found online at http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
California Privacy Rights
  • California Privacy Rights: California Civil Code Section 1798.83 permits our Customers who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to support@inreality.com. Please note that we are only required to respond to one request per Customer each year.
California Do Not Track Notice
  • We do not track consumers over time and across third party websites and therefore do not respond to Do Not Track signals. We do not allow third parties to collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the Services.
Deletion of Content from California Residents
  • If you are a California resident under the age of 18 and a registered user, California Business and Professions Code Section 22581 permits you to remove content or Personal Information you have publicly posted. If you wish to remove such content or Personal Information and you specify which content or Personal Information you wish to be removed, we will do so in accordance with applicable law. Please be aware that after removal you will not be able to restore removed content. In addition, such removal does not ensure complete or comprehensive removal of the content or Personal Information you have posted and that there may be circumstances in which the law does not require us to enable removal of content. This clause does not pertain to anonymized data, since we cannot trace any anonymous data back to individual users.
GDPR

inReality is considered a “data processor” under the guidelines of the GDPR. Our customers are primarily considered to be “data controllers”, and are responsible for meeting additional privacy or consent gathering requirements for their individual use case.

The GDPR specifies that biometric data is to be considered a special category of personal data that can not be used for the purposes of an individual’s identification. inReality uses facial detection, not facial recognition, and does not capture or store images.

An inReality Partner, using Camera Analytics, in October 2019 hired the Grant Thornton firm to perform a GDPR audit. Below were the results.

Mandatory Documents Reviewed Corresponding GDPR Articles Descriptions
Personal Data Article 24 Top-level document for managing privacy on
Protection Policy Platform, which defines what is to be achieved and how
Privacy Notice Articles 12, 13, and 14 Explains in simple words how the Platform processes personal data from the customers, website visitors, and others
Data Retention Policy Articles 5, 13, 17, and 30 Describes the process of deciding how long a particular type of personal data is kept, and how it is securely destroyed.
Data Subject Consent Form Articles 6, 7, and 9 Obtain consent from a data subject to process his/her personal data
DPIA Register Article 35 Record all the results from the Data Protection Impact Assessment.
Data Breach Response and Notification Procedure Article 4, 33 and 34 Describes what to do before, during, and after a data breach
Data Breach Register Article 33 Describes where data breaches will be recorded
Our Contact Information
  • If you have questions or comments about this policy in relation to our venue analytics, you may email us at support@inreality.com.
Safe Space Privacy Policy
What is InReality Safe Space?

InReality, LLC is a data analytics platform company that utilizes sensors to develop key insights for venue marketing and tracking. Our platform shows detailed metrics for the purpose of improving venue marketing and sales. InReality Safe Space is our platform that is specifically designed to enhance the safety and security of venues using our data analytics platform. InReality Safe Space powers the ThermalMirror Product, an Elo Product, a Mimo Product, the Occupancy Monitoring System, as well as our Cloud Platform, mobile app and related services.

Glossary of Terms
  • Aggregated Data: De-identified aggregated metrics: Data that cannot be reasonably used to infer information about or otherwise linked to a particular consumer, computer, or other device, e.g., five percent of the store’s visitors today were seen at some point in the past week
  • Anonymized Data: De-personalized Data: Data that cannot be reasonably used to infer information about a particular consumer, but that may be associated with a particular computer or device, e.g, a hashed MAC address or facial pattern identifier
  • Cloud Platform: InReality Venue Analytics platform, https://app.inreality.com/v3/
  • Sensor Data: Any useful information that is tracked by a sensor as part of the Service and interpreted on the Cloud Platform
  • Personally Identifiable Information (PII): information that specifically identifies you as an individual. Personally Identifiable Information includes identity data (e.g., name or other similar identifiers) and contact data (e.g. address, email address, telephone number)
  • Sensor: Any device that is part of the Service placed in a Venue that generates data
  • Venue: each individual location where a Customer has implemented the Service
  • Visitors: Individuals that choose to enter a Venue
What Information is Collected and How it is Collected
  • Data Captured In Venue
    • InReality, and its Customers, capture data in Venues to provide more information about Visitor behavior and performance through a variety of sensors and other means. Much, if not all, of the Sensor Data is non-personal, meaning that no Personally Identifiable Information (PII) is captured, or stored, but only reports on Anonymized and/or Aggregated Data which we do not connect to any individual.
    • InReality’s Safe Space program allows Customers to take temperature and images of Visitors with the ThermalMirror device.
      • By default, the temp sensor devices we power anonymize and aggregate any Sensor Data on temperature and facial recognition, so that the data and results are purely generalized data. By default, the devices do not associate any temperature or facial recognition data to a specific user or number ID. By default, they do not process any thumbnails, including the facial detection thumbnail. However, the Customer has the option to manually turn this functionality on in order to process thumbnails.
      • By default, InReality does not retain any Personally Identifiable Information (PII), which may include name, temperature results, or a picture of the person taking the test.
      • However, Customers, in accordance with their own policies and procedures, may elect to record temperature results, images of people taking the test, and/or employees or contractors to satisfy their local and individual needs. Please refer to the Customers’ privacy policies and procedures for more information on their privacy practices.
      • The data retention policy for any logs is fully configurable. For retention purposes, we have the ability to push nothing into the cloud, some information to the cloud, or all information to the cloud, depending on Customer preference. All local logs are deleted once they are posted to the cloud. All logs are protected by reasonable access and security controls.
      • Repeat Visitor
        • By default, the Cloud Platform does not retain identification data for specific individuals, such as facial recognition for employee identification. The Customer has the option to manually turn this functionality on in order to simplify access to a Venue or track repeat visits from individuals.
        • Individuals may opt-in to create an account with the Service to store images, Personally Identifiable Information (PII) or other data. In addition, Customers may configure the Service to automatically store such information for Visitors.
        • Repeat Visitors: Sensors may track unique Visitors for repeat visits, but this is still Anonymized Data. We do not store images and instead use anonymous IDs or tags. We store facial pattern information and look back against that information. That information is still not image-based and cannot be reasonably reverse-engineered or linked to an individual person.
        • If you choose to create an account with InReality, then InReality may retain your Personally Identifiable Information (PII) so that it can be easily accessed in the future as you use InReality Safe Space.
  • Data Collected from Third Parties
    • InReality collects and transmits data that is relevant to in-Venue analytics that can come from third parties unaffiliated with us (Weather, Event Calendar, etc.), other sensor data, or from Customers (POS data, Loyalty data, etc.). In most cases, this data is non-PII (Weather or Event). In cases where the information may have PII information, that data is collected, initially stored, and transmitted to InReality by the InReality Customer.
    • No Sensor Data is collected by third parties, or shared by InReality with such third parties.
  • Data Collected from the Cloud Platform
    • InReality may collect PII when you sign up, purchase, or evaluate our products and services at the Cloud Platform. We collect information about you such as your name, employer name, email address, billing address. role/title and similar information. The purpose of this data is to appropriately create and administer logins to our Cloud Platform by users. This data is used to verify your identity for security reasons, access control, provide you with support and services, and provide you with information about other services and features of our platform.
Anonymization Procedures
  • Anonymization is a technique applied to personal data in order to achieve irreversible de-identification. Any personal data obtained through the use of cameras, sensors, temp sensors, or other instruments are collected and processed in an anonymous format by default. If a Customer wishes to change the Sensor’s default settings to capture non-anonymized data, then that privacy rights matter is dealt with under their own volition and their own privacy policy.
  • In order to obtain truly anonymous data, every sensor used by the Customer under the Company’s guidelines will retrieve generic information and immediately delete any non-generic information.
  • No visual data is captured or stored at any time. Each body or face detected is assigned an anonymized ID or tag. No Personally identifiable information (PII) is collected by us by default.
  • The Company keeps Personally identifiable information (PII) in a form which permits identification for no longer than is necessary for the purposes of further processing. The Company defines the necessary time as no longer than required for the software to correctly initiate and evaluate the Sensor Data. Usually this initiation and evaluation occurs in less than three-hundredths of a second. After such time has passed, all Sensor Data is either deleted or anonymized.
How We Protect Data & Individual Privacy
  • All the anonymous Sensor Data generated by our Service is streamed through a SSL / TLS secure communication tunnel to our cloud where the data-at-rest is encrypted. Only our Customers can access via secure log-ins.
  • Aggregated anonymous “metadata” (non-PII) information is sent to our Cloud Platform
  • Wifi & Bluetooth Broadcast Beacons: Collected PII data is never sent over the network or saved in long term storage. When collected, the data is immediately de-personalized in-memory by hashing the PII. This is a one-way process that cannot be reasonably reversed. The original data is discarded, while only the new de-personalized data is sent over the network for further processing on our servers. We cannot reasonably and will not identify the individual persons.
  • Camera Images: Camera images are never sent over the network or saved in long term storage. When collected, the image is immediately processed in-memory. The original image is discarded, while only the de-identified aggregated metrics are sent over the network for further processing on our servers. We cannot and will not retrieve the original images or identify individual persons.
Data Retention – How Long Data is Stored
  • Any raw data we do collect is kept locally for 30 days and is configurable by the Customer. After the 30 day period, the raw data is deleted forever. Any raw data we do collect is also kept on the Cloud Platform for 90 days and is configurable by the Customer. After the 90 day period, the raw data is deleted by us forever. The results, metrics, and key insights derived from the raw data on the Cloud Platform are accessible indefinitely and are configurable.
How We Use and Share the Data
  • All Sensor Data is anonymized and is not shared with or sold to any other company or persons except as described in this Privacy Policy.
  • We may aggregate Sensor Data across multiple Customers and report on that data in an anonymized manner.
  • Customers may access Sensor Data and Personally Identifiable Information (PII) of their own Visitors.
  • Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our data processors. This means that they are not authorized to do anything with your information unless we have instructed them to do so. They are not authorized to share your information with any organization apart from us, and they will hold it securely and retain it for the period we instruct.
  • Legal Compliance. We may share your information in response to a legal requirement, applicable law or to protect the legal rights or interests of InReality, our Customers or other parties.
  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company, or in connection with a bankruptcy or reorganization.
Employee Identification
  • By default, InReality’s data analytics and Cloud Platform do not use Employee Identification. Employee Identification means keeping the data of an individual employee’s facial recognition in order to exclude him/her from any KPI (Key Performance Indicators) or other results. If the Customer chooses to use Employee Identification, then there is an opt-in for each individual employee. This opt-in allows the individual employee to understand and agree or disagree to opt-in to using the Services.
California Privacy Rights

California law provides California residents with specific rights regarding their personal information. The California Consumer Privacy Act of 2018 (“CCPA”) defines “personal information” as information that identifies, relates to, describes, references, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This section describes the rights that California residents have with respect to such personal information and explains how to exercise those rights, subject in all cases to any limitations set forth in the CCPA. Please refer to the sections above for more detail about the types of information collected, the purposes for which and sources from where we collect personal information, and the third parties with whom we share personal information.

California Specific Rights, Choices, and Opt-Outs: The CCPA provides California residents with specific rights regarding their personal information. The subsections that follow describe the rights that you have under CCPA if you are a California resident and explain how you can exercise those rights.

  1. Right to Know About Personal Information Collected, Disclosed, or Sold. You have the right to request that we disclose certain information to you about our collection, use, disclosure, or sale of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Your Right to Know or Delete), and subject to certain limitations described below or set forth in the CCPA, we will disclose such information to you. You have the right to request any or all of the following:
    • The categories of personal information we collected about you.
    • The categories of sources from which the personal information is collected.
    • Our business or commercial purpose for collecting or selling that personal information.
    • The categories of personal information about you that we have sold or disclosed for a business purposes.
    • The categories of third parties to whom the information is sold or disclosed for a business purpose.
    • The specific pieces of personal information we collected about you.
  2. Deletion Request Rights. You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Right to Know or Delete), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. However, we may retain personal information that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) in order to perform certain actions set forth under CCPA, such as detecting security incidents and protecting against fraudulent or illegal activity.
  3. Exercising Your Right to Know or Delete. To exercise your right to know or delete, please submit a request to us by either:
  4. Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide sufficient information that allows us to reasonably verify that you are the person about whom we collected the personal information or an authorized representative of that person. For more information about verification, see Response Timing and Format immediately below.

  5. Response Timing and Format. In order to protect the security of your personal information, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. The method used to verify your identity will depend on the type, sensitivity, and value of the information, including the risk of harm to you posed by any authorized access or deletion. Generally speaking, verification will be performed by matching the identifying information provided by you to the personal information that we already have. Any disclosures we provide will only cover the 12-month period preceding our receipt of your request (and will not be made more than twice in a 12-month period). If we cannot comply with a request, or cannot fully comply with a request, the response we provide will also explain the reasons we cannot comply.
  6. Personal Information Sales. We do not “sell” personal information, as that term is used under the CCPA.
  7. Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.
error: Content is protected !!