Effective April 11, 2020
We use information about you provided to us by our Customers that you provide voluntarily and that is collected automatically when visiting Customer Sites to provide our Services to our Customers; respond to your requests, resolve problems, improve the quality of our Services, and market our products or services and those of third parties to you. With respect to any information that we collect or receive, we may also anonymize such information by removing identifying characteristics (if any) and aggregating it with the information of others. We may use such information to create compilations of aggregated data and/or statistics and reports, and any other uses without restriction. We may use all information about you provided to us by our Customers that is collected when visiting Customer Sites to comply with our legal and regulatory obligations, policies and procedures, and for internal administrative purposes.
If you are a Customer, you are responsible for gathering and maintaining the consent for any individual personal information that you share with us. The sharing of your end customer’s personal information must be made with their informed and unambiguous consent.
Our Site and Services do not respond to browser “Do Not Track” (DNT) features that tell the sites you visit that you do not wish to be tracked. Our Customer Sites determine and respond to any DNT features of your browser.
We will offer you the opportunity to choose whether your personal information is to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by you. Attribution will not sell or share your personal information except as provided below.
Sharing Personal Information with Our Customers. Attribution collects and processes your personal information for the purposes identified above. We may merge your information with data from other individuals into anonymized group data that is shared with our Customers to provide our Services to our Customers. We do not aggregate or share information with third parties other than our Customers.
As Required by Law. We reserve the right to disclose your personal information as required by law and when we believe that disclosure is necessary to enforce our policies and practices, comply with existing laws or a court order, or in response to legal process served on us.
Emergency. We also reserve the right to disclose your personal information when we believe it’s necessary to prevent imminent and serious bodily harm or financial loss to a person, to prevent fraud, or to protect our rights or property or the rights and property of you or third parties or if we believe in good faith that such disclosure is necessary to (a) resolve disputes, investigate problems, or enforce our Terms or (b) comply with relevant laws or to respond to requests from law enforcement or other government officials relating to investigations or alleged illegal activity or in connection with our own investigation of suspected or actual illegal activity, in which case we may (and you hereby authorize us to) disclose personal information without subpoenas or warrants served on us.
Where we collect or receive personal information about you directly from you, we will explain the purposes for which we collect and use such personal information, the types of third parties to which we disclose that information, and the choices and means, if any, we offer you for limiting the use and disclosure of personal information about you. This explanation will be provided as soon as practicable and, in any event, before we disclose your personal information or use such information for a purpose materially different than that for which it was originally collected or processed.
Where we collect or receive personal information about you from our Customers, which occurs when we are acting as a provider of Services to our Customers on Customer Sites, we do so as a processor (under GDPR) and/or service provider (under CCPA) of personal information on behalf of our Customers. We will use such information in accordance with the notices provided to you by our Customers and in accordance with the choices you made with respect to such personal information, as communicated to us by our Customers.
All data collected through our Site and Services are stored at Amazon Web Services (“AWS”) (https://aws.amazon.com/) and Heroku (https://www.heroku.com/). We use data processing agreements to govern the processing and security of your information stored at these services.
We have adopted reasonable administrative, physical, and technical safeguards to protect against accidental, unauthorized or unlawful access, disclosure, loss, modification, processing or use of your information. This includes, for example, firewalls, password protection and other access and authentication controls. We use SSL technology to encrypt data during transmission through public internet, and we also employ application-layer security features to further anonymize Personal Information. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot guaranty the security of any information you transmit to us or that we stored on our Services (including information stored at the third-party services referred to above), and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If you believe your personal information has been compromised, please contact us as set forth in the “Contact Us” section.
Our Site and Services may contain links to other third party websites (“Other Sites”) that we do not control. You acknowledge that Attribution has no control over Other Sites, their content, or privacy practices. Accordingly, you acknowledge and agree that access to any Other Sites is at your own risk and you indemnify Attribution for any event arising from your visit.
We not responsible for the accuracy, reliability or completeness of any information, data, opinions, advice or statements made on Other Sites. We may provide these links as a convenience and do not endorse, sponsor, or recommend any Other Site, or its products and services.
Other Sites have their own privacy practices and policy independent of Attribution. We highly recommend you review these for each website you visit.
In compliance with the requirements of COPPA (Children’s Online Privacy Protection Act), our Site and Services are not directed to, or permitted for use by, persons under the age of 13. We have no actual knowledge that personal information is collected from anyone under the age of 13. If we learn that information has been collected from a child under age 13, we will delete it promptly and without notice. If you believe that we might have any information from or about a child under 13, please contact our Privacy Officer as described below.
We will retain your personal information for as long as necessary to fulfill the purpose(s) for which it was collected and comply with all applicable laws. In that regard, your consent to such retention of your personally identifiable information by Attribution may remains valid after termination of our relationship. However, you may request to have your personally identifiable information deleted by contacting the Privacy Officer as described in Section 14 below.
We respect that the personal information we collect and process is yours and you may have legal rights.
(For visitors to Customer Sites) When acting as a provider of our Services to our Customers on Customer Sites, Attribution is a Data Processor in respect of personal information about visitors to Customer Sites that Customers provide us. We have no direct relationship with visitors to Customer Sites, and in such cases if you seek access, or seek to correct, amend, or delete your personal information, you should direct your inquiries to the relevant Customer which has transferred such personal information to us for processing. We will assist our Customers in fulfilling their obligations under applicable law to respond to such requests by individuals to access or correct, amend or delete their personal information.
When we process personal information as a Data Controller, you may have certain rights under law. Please work with our Privacy Officer if you have any questions about your rights or how to exercise them.
|YOUR RIGHT||What Attribution does to protect your rights|
|The right to access||You have the right to access your personal information. Please contact our Privacy Officer if you wish to access the personal information we have about you.|
|The right to rectification||You have the right to request us to rectify any of your personal information that is inaccurate or incomplete. We will extend this responsibility to any third parties with whom we have shared your personal information. Please contact our Privacy Officer if you need us to rectify your personal information.|
|The right to erasure||You have the right to request us to erase all of your personal information that we do not have a legal reason to continue to process and hold it. Please contact our Privacy Officer if you would like us to erase your personal information.|
|The right to restrict processing||You have the right to restrict how we process your personal information. However, we may have a legal reason for denying your request. This means we may be permitted to store the information, but no longer process it. If this is necessary, we may keep just enough information to make sure we are able to respect your request in the future. Please contact our Privacy Officer if you want us to restrict the processing and use of your information.|
|The right to data portability||You have the right to obtain and reuse your personal information for your own purposes. Please contact our Privacy Officer if you need help porting your data.|
|The right to object||You have the right to object to our processing of your personal information. Please contact our Privacy Officer if you wish to object.|
|The right to withdraw consent||If you have given us your consent to process your personal information, you have the right to withdraw your consent at any time. We will stop processing any of your information where our use is based on your consent. Please contact our Privacy Officer if you want to withdraw your consent.|
|The right to complain to the appropriate Data Protection Authority||If you are located in a Member State of the European Union, you have the right to submit a complaint to the appropriate Data Protection Authority if you feel that we have not responded to your request to exercise a right listed here. Please contact our Privacy Officer if you have questions about your Data Protection Authority.|
|Opt Out of Marketing Communications||If you receive marketing or promotional emails from us, you may unsubscribe at any time by following the instructions contained within the email or by sending an email to the address provided in the “Contacting Us” section.|
We use model contractual clauses and other mechanisms approved by the European Union and Switzerland, respectively, for transfers of personal information from the European Economic Area and Switzerland.
Information We Collect
Our Site and our Services collect personal information. In particular, our Site and our Services have collected the following categories of personal information from consumers within the last twelve (12) months:
|Category||Examples||Personal Information that we collect via our Site?||Personal Information that we do not collect directly, but that we may access or receive from our Customers via their use of our Services?|
|A. Identifiers||A real name, Internet Protocol address, email address, or other similar identifiers.||[ X ]||[ X ]|
|B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))||A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories.||[ X ]||[ X ]|
|C: Protected classification characteristics under California or federal law||Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).|
|D. Commercial information||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.|
|E. Biometric information||Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.|
|F. Internet or other similar network activity||Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.||[ X ]||[ X ]|
|G. Geolocation data||Physical location or movements.|
|H. Sensory data||Audio, electronic, visual, thermal, olfactory, or similar information.|
|I. Professional or employment-related information.||Current or past job history or performance evaluations.|
|J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.|
|K. Inferences drawn from other Personal Information.||Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.||[ X ]|
Personal information does not include:
We obtain the categories of personal information listed above from the following sources:
Use Of Personal Information
We may use or disclose the personal information we collect for one or more of the following business purposes:
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing Personal Information
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:
Categories A [Identifiers], B [Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))] D [Commercial information], F [Internet or other similar network activity], I [Professional or employment-related information] and K [Inferences drawn from other Personal Information].
We disclose your personal information for a business purpose to the following categories of third parties:
In the preceding twelve (12) months, we have not sold any personal information within the meaning of “sale” under the CCPA.
YOUR RIGHTS AND CHOICES
The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and verify your request, we will disclose to you:
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not: