Privacy Policy

Protecting your personal information is our top priority, which is why we only use your data in strict compliance with applicable data protection principles. The provisions of the EU General Data Protection Regulation (“GDPR”) become enforceable throughout the European Union on 25 May 2018. We want to keep you fully informed now about how Toby & Ace processes personal data in accordance with this new regulation (see Article 13 ff. GDPR). Please read our privacy policy carefully. If you have any questions or comments about our privacy policy, you can always contact us at the e-mail address below.

1. Overview

The following privacy policy informs you about the nature and extent of the processing of personal data by Toby & Ace LLC., 3422 Old Capitol Trail, Suite 1719808 Wilmington, Delaware, USA (hereinafter “Toby & Ace”, “we”, “us” or “our”). Personal data is any information that allows an individual to be identified directly or indirectly. The use of our app, products, services, technologies or features, and all related pages, applications and services (collectively referred to as the “Services”), is governed by this Privacy Policy.

When you register for the first time, or log on in the case of existing customers, you declare by means of a simple notification that you accept this privacy policy and expressly consent to the handling, use and disclosure of your personal data in the manner described herein.

The data gathered by Toby & Ace can be divided primarily into two categories:

  • All data required for the processing, preparation and performance of an agreement with Toby & Ace. If other service providers are involved in the performance of the agreement, e.g. payment services, optimization services or hosts, your data will be forwarded to them to the extent required.
  • When you access our Services, some information is exchanged between your device and our server, or the server of the services we use. This may include personal information. One of the ways in which the information gathered in this way will be used is to further improve our Service.

Under the GDPR, you have various rights that you can assert with us. These include the right to selectively object to the use of data, particularly for advertising purposes. The option to object is highlighted in print. Further information on your rights can be found in the additional section below and in the individual descriptions of the respective data uses.

Our Services are only available to users who are 18 years of age or older. If you are not at least 18 years old, you may only use our Services if your parents have given their consent herein, and you have provided sufficient proof of this consent.

If you have any questions about our Privacy Policy, you may contact our data privacy officer by email at: support@tobyandace.com.

2. Name and Contact Information for the Person Responsible for Data Processing and of the Company’s Data Privacy Officer

This privacy policy applies to the use of data by 3422 Old Capitol Trail, Suite 1719808 Wilmington, Delaware, USA, as the responsible party under the GDPR for the following services: www.tobyandace.com. The company may be reached at the aforementioned address or by email at support@tobyandace.com. The designated representative within the EU, pursuant to Art. 3, paragraph 2, in conjunction with Art. 27, paragraph 1(3), of the GDPR.

3. Purposes of Data Collection, Legal Basis and Legitimate Interests Pursued by Us or a Third Party, and Categories of Recipients

3.1. Accessing our Service

If you access our Services, especially by visiting our website or app, the app or the browser used on your device automatically sends information to our server and temporarily stores it in a log file. The following information is collected without your intervention and stored until it is automatically or manually deleted in the log file:

  • Your device’s IP address
  • Date and time of access
  • The name and URL of the retrieved file, the website/app from which access was made (referrer URL)
  • Your browser’s unique identifier
  • The name of your Internet provider

The processing of the aforementioned data is based on Article 6(1) f) of the GDPR. Our legitimate interest arises from the uses listed below. At this point, we note that we are unable and do not attempt to draw any conclusions about your identity from the data collected. Your device’s IP address and the other information listed above are used by us for the following purposes:

  • To ensure that a trouble-free connection can be established
  • To ensure the convenient use of our Services
  • To evaluate system security and stability
  • Other administrative purposes

The data is stored in compliance with legally established data retention periods and then deleted automatically. We also use cookies, tracking tools, targeting methods and interfaces to other services such as social media platforms, payment processors or app store providers. The exact procedures, and how your data will be used for this purpose, are explained in more detail in Section 4 below.

3.2. Concluding, Performing or Terminating an Agreement

Data Collected when concluding an agreement

We primarily define our Services as those of a veterinarian: Based on your interests, we prepare your plans, recommend nutrition, and a broad variety of other information about your pet and their well-being. To do this, we collect the information required to conclude, perform or terminate an agreement. This includes:

  • E-mail address
  • First and last name
  • Billing and payment information
  • Information you enter yourself and that is generated during the use of our Services, such as age, mailing address, etc.

The legal basis for this is Art. 6(1) a) and b) and Art. 9(2) a) of the GDPR. Unless we use your contact information for customer support or customer service (see details under Section 3.3), the information required to conclude the agreement is stored until it is no longer needed for this purpose and/or until the rights under any guarantee or warranty expire. Subsequently, we retain the required personal information for the periods established by law. During this retention period (usually six to 10 years after conclusion of the agreement), the information is used only in the case of an audit by the tax authority.

3.3. Data Processing for Customer Support or Customer Service

3.3.1. Informational purposes

If you have signed up for our Services, we manage you as an existing customer. In this case, we process your contact information in order to send you information about new, enhanced or improved features, products and services, etc.

3.3.2. Personalized ads

To ensure that you receive only information that corresponds to your interests, we classify and add information to your customer profile. For this purpose, both statistical information as well as information about you (such as basic or historical data from your customer profile) are used. The goal is to optimize our Services by adapting them to your actual or perceived interests and/or needs, and to send you the appropriate recommendations and not bother you with useless ads.

The legal basis for each of the aforementioned data uses is Art. 6(1) b) and f) of the GDPR and Art. 9(2) a) of the GDPR. The use of existing customer data for the company’s own advertising purpose is recognized as a legitimate interest under Recital 47 of the GDPR.

3.3.3. Customer Support

Gorgias

On the basis of Art. 6(1) b) of the GDPR, we use the ticket system of Gorgias, 768 Harrison St, San Francisco, CA 94107, USA (“Gorgias”) for service, support and other user queries. If you send us a support request over one of our channels (e.g. our contact form, live chat, e-mail, etc.), the following data will be processed over Gorgias’ servers, depending on the content and the selected contact channel:

  • The information you enter
  • Name
  • Email address
  • Browser information
  • IP address

For more information on Gorgias data processing, see https://www.gorgias.io/privacy/gdpr. You may also send questions directly to Gorgias at: support@tobyandace.com.

3.3.4. Newsletters

One of our Services is to offer prospective customers the opportunity to sign up for our newsletter. We use the double opt-in process to confirm that the email address entered actually corresponds to the prospective customer. After the email address is entered, we send you a confirmation link. Your email address will only be included on our mailing list after you click on this confirmation link. We store the information collected during this process only for purposes of documentation and proof. This includes:

  • The email address you provide
  • Your IP address
  • The date and time of registration
  • Form of address
  • The date, content, and time of the confirmation email
  • The IP address of the device used for the confirmation
  • The date and time of your confirmation

The legal basis for this is Art. 6(1) a) GDPR. We store this information until the contract relationship ends as proof of the legality of sending the newsletter. After the contract relationship ends, we retain the required personal information for the period specified by law. During this period (usually 10 years from the conclusion of the agreement), the data will only be processed again in the event of a tax audit. You can revoke your consent at any time with effect for the future. Simply click on the unsubscribe button in the respective e-mail or send a short note by email. Please use the options to contact the company’s data privacy officer for this purpose.

3.3.5. Right to Object

You may object to the use of your data for the aforementioned purposes at any time free of charge for each communication channel and with effect for the future. An email or a letter sent using the contact information shown under Section 2 is sufficient for this purpose.

Once you submit your objection, we will block the relevant contact address for future advertising data processing. We will process your objection as soon as possible and implement the appropriate blocking measures immediately after it is confirmed. Please note that in some exceptional cases the relevant information or product recommendations may still be received even after receipt of your objection. This is simply due to technical reasons and does not mean your objection has not been processed. Thank you very much for your understanding.

4. Data Processing for the Provision of our Services

In this section, we inform you about the data processing necessary for the provision of our Services:

4.1. Online Presence and Website Optimization

We will not sell or lease your information to third parties for their marketing purposes without your explicit consent. We only disclose certain information to third parties from time to time to be able to offer the best possible product to our customers, improve the quality of our Services and protect the interests of our customers. However, this disclosure will always be subject to strict limitations, which are described in more detail below.

4.1.1. Cookies – General Information

We use cookies on our website in compliance with Art. 6(1) f) of the GDPR. Our interest in improving our Services is recognized as legitimate in the aforementioned provision. Cookies are small files generated automatically by your browser and stored on your device (laptop, tablet, smartphone, etc.) when you use our Services. Cookies do not harm your device, and do not contain viruses, Trojans or other malware. Cookies contain information downloaded by the specific device. This does not mean, however, that we receive direct knowledge of your identity. We use session cookies to track your use of the individual pages of our website. When you use our Services again at a later time, the cookie automatically recognizes your previous visit to the website. To make the site more user friendly, we also use temporary cookies, which are stored on your device for a predetermined period of time. 

Another reason we use cookies is to gather statistics on the use of our Services and evaluate them in order to optimize your experience and to display information tailored to you. These cookies allow us to automatically recognize that you have visited our site before. The cookies are automatically deleted after a predefined period. Most browsers accept cookies automatically. However, you can disable cookies on your browser or choose to be notified when a new cookie is created. However, disabling cookies completely may mean that not all features of our Services will be available to you. The storage period of cookies depends on their purpose and may vary.

4.1.2. Klaviyo

To design and continuously improve our customer engagement efforts in compliance with Art. 6(1) a) of the GDPR, we use the Email Marketing Platform Klaviyo, 225 Franklin St floor 10, Boston, MA 02110, United States, (hereinafter “Klaviyo”). We use Klaviyo for our email marketing campaigns and to reach out to our opted-in users. For this purpose, when you double opt-in to Toby & Ace's email list, we send the following information to Klaviyo:

  • Name
  • Email address
  • Time zone
  • Device information (screen resolution, browser information and operating system)
  • IP address
  • Location
  • Language used

You can object to this data processing at any time by either clicking the unsubscribe button of the respective newsletter or simply informing us that you no longer wish to have such processing in the future. Please use the contact options of our company data privacy officer for this purpose.

4.1.3. Facebook Pixel

To set up, continuously improve, and track the conversion of our Facebook campaigns as required, in compliance with Art. 6(1) f) of the GDPR, we use the individual visitor action pixel of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”). This pixel is integrated into our website’s code. This helps us ensure that the Facebook ads we initiate are only displayed to Facebook users who have shown interest in our Services. In this way we know that our Facebook ads correspond to the potential interest of the respective users and are not bothering them. It also allows us to track the actions of Facebook users after they have viewed or clicked on one of our Facebook ads. At the same time, it helps us track the conversion of the respective campaign for statistical, market-research and billing purposes. The following information is collected during its use:

  • Time stamp
  • URL
  • Campaign-related information (particularly impression, form field and activated button specifications)

Information collected in this way is anonymous to us and therefore does not provide us with any information about the identity of the respective user. Such processing for behavioural and interest-based advertising purposes is recognized as in our legitimate interest under Recital 47 of the GDPR. The data is stored in accordance with the legally established retention periods and then automatically deleted.

You should be aware that when you log on after placing the pixel on your Facebook account, or you visit our website while logged on, Facebook may store and process this information. Facebook can connect this data with your Facebook account and use it for its own advertising purposes, in accordance with Facebook’s data policy: https://www.facebook.com/about/privacy/. You can find more information about the Facebook pixel here. You can enable Facebook and its partners to display ads on and off Facebook. You can object to this special data processing at any time by changing your Facebook settings accordingly or by simply informing us that you no longer want this processing in the future. Please use the contact options for our company’s data privacy officer for this purpose. Please be aware that the objection only applies to the device being used in each case. For further information, see the Facebook Privacy Policy and information on protecting your personal privacy.

4.1.4. Facebook Lookalike Audiences

To optimize targeting and track the conversion of our Facebook campaigns, in compliance with Art. 6(1) a) of the GDPR, we use the option of developing Facebook lookalike audiences offered to us by Facebook. You can find more information about the Facebook Lookalike Audiences at: https://www.facebook.com/business/help/365463786964246.

The data processing for advertising on the basis of behaviour and interests is recognized as in our legitimate interest under Recital 47 of the GDPR. If you belong to the Facebook Lookalike Audience, we send your email address and your device’s ID to Facebook. You can object to this special data processing at any time by changing your Facebook settings at https://www.facebook.com/settings/?tab=ads or simply inform us that you no longer want this processing in the future. Please use the contact options for our company’s data privacy officer for this purpose.

4.1.5. Pinterest Tag

To set up, continuously improve, and track the conversion of our Pinterest campaigns as required, in compliance with Art. 6(1) f) of the GDPR, we use a Pinterest Tag, an individual code snippet, from Pinterest Inc., 635 High Street, Palo Alto, CA, USA, (hereinafter “Pinterest”), which is integrated in our website. This helps us ensure that the Pinterest ads we initiate are only displayed to Pinterest users who have shown interest in our Services. In this way we know that our Pinterest ads correspond to the potential interest of the respective users and are not bothering them. It also allows us to track the actions of Pinterest users after they have viewed or clicked on one of our Pinterest ads. At the same time, it helps us track the conversion of the respective campaign for statistical, market-research and billing purposes. The following information is collected during its use:

  • Device information (e.g. type, brand)
  • Device operating system (e.g. iOS 11)
  • IP address of the device
  • Date and time our Services are accessed
  • Type of campaign and content
  • Response to the respective campaign (e.g. clicking on a button)

Information collected in this way is anonymous to us and therefore does not provide us with any information about the identity of the respective user. Such processing for behavioural and interest-based advertising purposes is recognized as in our legitimate interest under Recital 47 of the GDPR. The data is stored in accordance with the legally established retention periods and then automatically deleted.

When you log in to your Pinterest account after visiting our website while logged on, Pinterest might store and process this information, which is why we would like to inform you about this. Pinterest can link this data with your Pinterest account and use it for its own advertising purposes. You can read more about Pinterest’s data policy at https://policy.pinterest.com/de/privacy-policy. You can object to this special data processing at any time by disabling the relevant settings in your Pinterest account https://help.pinterest.com/de/articles/edit-your-settings#Web under “Personalization” or enabling the “Do not track” setting in your browser.

4.1.6. Google Analytics

For the custom design and continuous improvement of our Services, in compliance with Art. 6(1) f) of the GDPR, we use the web analytics service of Google Analytics of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). Using cookies, Google creates pseudonymised user profiles. The information generated by the cookies for users includes:

  • Browser type/version
  • Operating system
  • Referrer URL (previously visited page)
  • Host name of the accessing computer (IP address)
  • Time of the server request

This information is sent to a Google server in the U.S. and stored there. The information is used to evaluate the use of our Services, to compile reports on the activities, and to provide other related services for purposes of market research and customized design. This information may also be sent to third parties if required by law or if third parties process this data on behalf of Google. Under no circumstances will your IP address be merged with any other Google data. The IP addresses are anonymised so that assignment is not possible (IP masking).

You can prevent the installation of the cookies in advance by configuring your browser software accordingly or object to the continued processing of your data with the cookies by clicking on the opt-out link. Please note that if you disable cookies, it will not be possible to fully take advantage of all of the features of our Services. You can also prevent Google from collecting and processing the data generated by the cookies and related to your usage (including your IP address) by downloading and installing this browser add-on. On mobile devices, we recommend using private mode. You can find more information on protecting your privacy in relation to Google Analytics on the Google Analytics website.

4.1.7. Google Tag Manager

We manage website tags (website code) with Google Tag Manager. These tags help us manage and continuously improve our Services and reduce your loading time. Google Tag Manager only implements website code. Google Tag Manager itself does not generate cookies or collect any personal information. It merely integrates website code that we have stored elsewhere that may be used to collect data. It is therefore only used to facilitate the management of the respective code, but does not itself access the data processed by the code. In this privacy policy, we inform you about all tags that are integrated in this way. Consult the relevant Google pages for more information about Google Tag Manager and user guidelines.

4.1.8. Stripe Payment Service

For the fulfilment of the agreement and to process payments in particular, in compliance with Art. 6(1) a) and b) GDPR, we send your name and email address to our payment processor Stripe Payments Europe Ltd., Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland (hereinafter “Stripe”). By using Stripe’s library, the information entered during the ordering process (e.g. address, account number, bank code, credit card number, invoice amount, currency and transaction number) will not be processed by us but sent directly to Stripe by your browser. The information is used by Stripe exclusively for the implementation and realization of the payment process and is securely transmitted via SSL encryption. Stripe is certified by PCI DSS. Stripe may transmit, process and store personal information outside of the EU. You can find detailed information on Stripe’s privacy policy at this link.

4.1.9. Lucky Orange 

We use Lucky Orange in order to better understand our users’ needs and to optimize this service and experience. Lucky Orange is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.), and this enables us to build and maintain our service with user feedback. Lucky Orange uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular the device’s IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and preferred language used to display our website). Neither Lucky Orange nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.

You can opt out of the creation of a user profile, Hotjar’s storing of data about your usage of our site and Lucky Orange’s use of tracking cookies on other websites by following this opt-out link.

4.1.10. SMSBump & Other Providers

We use SMSBump and other providers to provide an alert when a customer abandons their cart before checking out. Neither SMSBump nor we will ever use this information to identify individual users or to match it with further data on an individual user. SMSBump solely collects:

  • Name
  • Phone Number
  • Message Delivery Status
  • Link Interactions

If you would like to view SMSBump’s Privacy Policy, please click the following link. If you would like to opt out of receiving any SMS Messaging, we provide a way to unsubscribe on every text message pushed. If you have any additional questions, please contact support@tobyandace.com.

In addition, you agree to our Messaging Terms (https://terms.pscr.pt/legal/shop/toby-ace/terms_of_service) and Messaging Privacy Policy (https://terms.pscr.pt/legal/shop/toby-ace/privacy-policy).

4.2. Mobile App

4.2.1. Apple Health Kit and Google Fit

To improve fitness tracking and health management, you have the option of transmitting the data collected by our Services via the interface provided by the respective providers into the Apple Health Kit or the Google Fit app. This only happens if you explicitly agree to the process via your device settings. If you consent to this transfer, we store the following personal data on our servers:

  • Start time of the steps taken
  • Distance in meters of the steps taken
  • Number of steps taken

We have no control over nor are we aware of how the health information is used in the Apple Health Kit or the Google Fit app. You can object to the processing of this data anytime by disabling the feature in your device settings. Before enabling the respective feature, we recommend reading the privacy policy of Apple or Google.

5. Recipients outside the EU

As indicated above under 3.4 and 3.5, data may also be sent to recipients located outside the European Union or the European Economic Area. This applies in particular to the aforementioned processing of analysis and/or targeting technologies, which can result in data transmission to the servers of the service providers. Other recipients may be affiliated service providers that we need in order to provide our services, e.g. hosts, CRM tools, analytical service providers. These servers may be outside the EU, especially in the US. We make absolutely sure that these service providers guarantee data protection standards equivalent to those of the GDPR and that they comply with the applicable directives. In case number C(2016) 4176, the European Commission established the suitability of this data protection level for certification in compliance with Art. 45 of the GDPR. The use of these certified service providers thus meets European standards for lawful data processing. In addition, we have obtained suitable contractual guarantees from all service providers based in other EU countries that they are in compliance with these EU standards and protect the rights of affected persons, for example by using the standard contractual clauses of the European Commission.

6. Your Rights

6.1. Overview

In addition to the right at any time to withdraw any consent you have given us, you are also entitled to the following if the respective legal conditions are met:

  • The right to be informed about your personal data that is stored with us, pursuant to Art. 15 of the GDPR
  • In the event of transmissions covered by Art. 46, 47 or 49(1) 2) of the GDPR, the right to information, or references to suitable or appropriate guarantees that a copy of them can be obtained, or where they are available
  • The right to correct inaccurate or incomplete data, pursuant to Art. 16 of the GDPR
  • The right to the deletion of your personal information that is stored with us, pursuant to Art. 17 GDPR
  • The right to limit the processing of your data, pursuant to Art. 18 of the GDPR
  • The right to data portability, pursuant to Art. 20 of the GDPR.

6.2. Right to Object

Under the provisions of Art. 21(1) GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data.

The foregoing general right to object applies to all processing purposes described in this Privacy Policy that are based on Article 6(1) f) GDPR. Unlike the special right to object to data processing for commercial purposes (see above under Section 3.3), we are only obliged to implement such a general objection under the GDPR if you state reasons of overriding importance (e.g. a potential risk to life or health). Furthermore, you may contact the supervisory authority responsible for us, which is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragten für Datenschutz und Informationsfreiheit), Friedrichstraße 219, 10969 Berlin.

7. Data Security

We apply the highest standards to data security for our infrastructure and the processing of your data. For example, we use protection mechanisms for computers such as firewalls and data encryption. Our buildings and data are subject to physical access controls. Access to the personal information of our customers is only possible for those employees who need them to carry out their activities.

All personal data sent by you, including your payment information, is also transmitted using the generally accepted and secure SSL (Secure Socket Layer) standard. SSL is a secure and proven standard, e.g. it is also used for online banking. You will recognize a secure SSL connection with the placement of an “s” at the end of http (i.e. https://…) in the address bar of your browser, or with the lock icon at the bottom of the browser.

We also apply suitable technical and organizational security measures to protect your personal data stored with us against manipulation, partial or complete loss, and against unauthorized access by third parties. Our security measures are continuously monitored using the latest technology, and regularly adapted to the relevant risk, and improved if necessary.

In the event that personal data is compromised as a result of a breach of security, we will promptly notify those persons whose personal data has been compromised, in accordance with the notification procedures set forth in this Privacy Policy, or as otherwise required by applicable law.

8. Children’s Privacy

Protecting the privacy of young children is especially important. For that reason, we do not knowingly collect or solicit personal information from anyone under the age of 16 or knowingly allow such persons to register. If you are under 16, please do not send any information about yourself to us, including your name, address, telephone number, or email address. No one under age 16 is allowed to provide any personal information to or on the Services. In the event that we learn that we have collected personal information from a child under age 16 without verification of parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 16, please contact us at support@tobyandace.com.

9. Changes to Our Privacy Policy

If we change our Privacy Policy and procedures, we will post those changes on our website to keep you aware of what information we collect, how we use it and under what circumstances we may disclose it. Changes to this Privacy Policy are effective when they are posted on our website.

This Privacy Policy was last modified on November 4th 2019.

Notwithstanding anything else in this policy, we and/or our partners may use pixels and pixel tags, and place, read or use cookies to collect information from your device and/or Internet browser. These cookies do not contain personally identifiable information; however, it may be possible for our third-party business partners to combine it with other information in order to identify your email address or other personally identifiable information about you. For example, the cookies may reflect de-identified demographic or other data linked to data you voluntarily have submitted to us, e.g., your email address, which we may share with a data provider solely in hashed, non-human readable form.


By using our Service, you agree that we and our third-party partners may store, sell, port, combine with other data, monetize, utilize and otherwise use either (i) the personally indefinable information about you that we share with them, or (ii) the personally identifiable information they discover and/or identify as described above. Visitors can also express their choices for display advertising, through the following platforms: Digital Advertising Alliance opt-out platform or the Network Advertising Initiative opt-out platform. We and/or our partners may also use cookies for delivering personalized advertising emails. These cookies are used to identify the visitors of our advertisers’ websites and send personalized emails based on the visitors’ browsing experience.

We and/or our partners use cookies, pixels and other tracking technology to associate certain Internet-related information about you, such as your Internet Protocol address and what Web browser you are using, with certain of your online behaviors, such as opening emails or browsing websites. Such information is used to customize ads or content and may be shared with our partners.

GetEmails, LLC dba Retention.com (“We,” “Our,” “Retention.com”) provides data marketing services (the “Services”) designed to help for-profit and non-profit organizations, and companies that work with them, to market their goods and services in a relevant and efficient way. Our solutions, many of which are described on this website, are used principally to support email marketing.

We take very seriously the privacy interests of the individuals whose information we handle and maintain in our database. We provide this Privacy Policy (“Privacy Policy”) to explain how we use and manage information, and what rights consumers have to control how their information is used in marketing.

To review the “Addendum” we have created specifically to address disclosures required under the California Consumer Privacy Act, please see our “ADDENDUM FOR CALIFORNIA RESIDENTS” below.

ADDENDUM FOR CALIFORNIA RESIDENTS

Last Modified:  May 3, 2022

NOTICE TO CALIFORNIA RESIDENTS [CONSUMERS] – CALIFORNIA CONSUMER PRIVACY PROTECTION ACT 
The California Consumer Privacy Act of 2018 (“CCPA”) provides certain rights to residents of California. This section of the Privacy Policy applies if you are a natural person who is a resident of California (“California Consumer”) and uses our Services. This Addendum supplements the information in the Privacy Policy. However, this Addendum is intended solely for, and is applicable only as to, California Consumers: if you are not a California Consumer (or a resident of California), this does not apply to you and you should not rely on it.

In the tables and sections below, we describe (as required by the CCPA):

  1. Our Collection of Personal Information: the types of Personal Information (which the CCPA defines broadly) that we collect, and the types of sources we collect it from.
  2. Our Disclosure and Sale of Personal Information: the types of recipients to whom we disclose or sell Personal Information.
  3. Our Business Purposes: our business purposes for (a) collecting and (b) sharing Personal Information, which are generally the same.
  4. Your California Privacy Rights and Choices: what rights you have under the CCPA, for instance, to request that we “opt out” your information from our marketing database (also called “do not sell” rights), or to request categories and personal information that we may have collected about you.

The following sets forth the categories of information we collect and purposes for which we may use California Consumers’ personal information:

  1. OUR COLLECTION OF PERSONAL INFORMATION

Depending on how you interact with us, we may collect about you the categories of information summarized in the table below. The following table also describes how we collect and use such categories of information.

| Category | Categories of Sources |
| --- | --- |
| Identifiers, e.g., name; alias; postal address; mobile ad or cookie identifiers; IP address; telephone number; email address; social network handles | Data compilers and consumer data resellers, informational and retail websites (“Commercial Source Categories”); Public records and other publicly available sources; Government entities; Social networks |
| Commercial or transactions information. E.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Commercial Source Categories; Public records and other publicly available sources |
| Internet or other electronic network activity information. E.g., browsing history; online interests. | Commercial Source Categories |
| Professional or employment-related information. E.g., current or past job history or job title. | Public records and other publicly available sources; Commercial Source Categories |
| Inference Data. E.g., consumer information or preferences. | Commercial Source Categories |

  2. OUR DISCLOSURE AND SALE OF PERSONAL INFORMATION

We will share the information collected from and about you as discussed above for various business purposes, with service providers and with third parties including our customers. The chart below describes how and with whom we share or disclose personal information, and whether (based on the CCPA’s definition of “sell”) we believe we have “sold” a particular category of information in the prior 12 months.

| Category | Categories of Third Parties We Share With | Whether We “Sold” This Category of Personal Information in the Last 12 Months |
| --- | --- | --- |
| Identifiers, e.g., name; alias; postal address; mobile ad identifiers; IP address; telephone number; email address; social network handles | Data compilers and consumer data resellers, consumer goods retailers, informational and retail websites, content publishers, non-profit organizations, business-to-business services and organizations, consumer surveys and survey companies, affiliate networks (“Commercial Recipient Categories”); Advertising networks and media platforms, political campaigns, internet service providers, data analytics providers; Social networks | Yes |
| Commercial or transactions information. E.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Commercial Recipient Categories; Advertising networks and media platforms, political campaigns, internet service providers, data analytics providers; Social networks | Yes |
| Internet or other electronic network activity information. E.g., browsing history; online interests. | Commercial Recipient Categories; Advertising networks and media platforms, political campaigns, internet service providers, data analytics providers, and social networks | Yes |
| Inference Data. E.g., consumer information or preferences. | Commercial Recipient Categories; Advertising networks and media platforms, political campaigns, internet service providers, data analytics providers; Social networks | Yes |

We also may share any of the personal information we collect as follows:

Sharing for Legal Purposes:  In addition, we may share personal information with third parties in order to: (a) comply with legal process or a regulatory investigation (e.g. a subpoena or court order); (b) enforce our Terms of Service, this Privacy Policy, or other contracts with you, including investigation of potential violations thereof; (c) respond to claims that any content violates the rights of third parties; and/or (d) protect the rights, property or personal safety of us, our platform, our customers, our agents and affiliates, its users and/or the public. We likewise may provide information to other companies and organizations (including law enforcement) for fraud protection, and spam/malware prevention, and similar purposes.

Sharing In Event of a Corporate Transaction:  We may also share personal information in the event of a major corporate transaction, including for example a merger, investment, acquisition, reorganization, consolidation, bankruptcy, liquidation, or sale of some or all of our assets, or for purposes of due diligence connected with any such transaction.

Sharing With Service Providers:  We share any personal information we collect with our service providers, which may include (for instance) providers involved in tech or customer support, operations, web or data hosting, billing, accounting, security, marketing, data management, validation, enhancement or hygiene, or otherwise assisting us to provide, develop, maintain and improve our services.

Sharing of Aggregate Information:  We may aggregate and/or de-identify any information collected so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and marketing purposes, and may also share such data with any third parties, including advertisers, promotional partners, and sponsors, at our discretion.

  3. OUR BUSINESS PURPOSES FOR COLLECTING AND SHARING PERSONAL INFORMATION

Generally speaking, we collect and share the Personal Information that we collect for the following purposes, as we also have described in our Privacy Policy and/or our website.

Our Purposes for collecting, using and sharing Personal Information

  • Data marketing services, for example:
      • Generally, creating data marketing tools and products for our marketer clients, as more fully described in our Privacy Policy (and on our websites). This includes our provision of datasets, data “appends” (connecting data across datasets), data “scoring” (providing inferences about potential identifiers), data hygiene services (helping customers to evaluate, validate and correct personal information they hold), and security and anti-fraud services (helping customers to identify potentially fraudulent activity).
      • Helping our Clients identify and understand their consumers better, by providing insights about them and managing loyalty programs, as well as providing financial and other scoring products.
      • Assisting our Clients through our Services to provide their current and prospective customers with better service, generally related to the above.
  • Creating “identity” graphs or associations between data points, to help locate users across various channels, such as based on common personal, device-based, or network-based identifiers (e.g., IP address, cookie or device identifiers, email address).
  • Additional marketing services, for example (which may overlap with “data marketing services” above):
      • Assisting in targeting and optimizing of direct mail and email campaigns, display, mobile, and social media marketing.
      • Measuring the effectiveness of online or offline ad campaigns by determining which messages are most likely to be seen or opened by which types of consumers, or which types of ads are most likely to lead to purchases.
      • Analyzing and optimizing our Clients’ (or their service providers’) proprietary databases, or helping Clients to identify and mitigate potential fraud.
      • Providing “hygiene” or “verification” services, which is how companies update and/or “clean” their databases by either verifying or removing or correcting old, incorrect, or outdated information.
  • Operating our Services, for example:
      • Testing, improving, updating and verifying our own database.
      • Developing new products.
      • Operating, analyzing, improving, and securing our Services.
  • Other internal purposes, for example:
      • For internal operations, auditing, research, detecting security incidents, debugging, short-term and transient use, quality control, and legal compliance.
      • We sometimes use the information collected from our own website, from social networks, from other “business to business” interactions (such as information we collect at trade shows) or from data compilers for the above, as well as for our own marketing purposes.

  4. YOUR CALIFORNIA RIGHTS AND CHOICES

Without being discriminated against for exercising these rights, California residents have the right to request that we disclose what personal information we collect from you, to delete that information, and to opt-out of the sale of your personal information, subject to certain restrictions. You also have the right to designate an agent to exercise these rights on your behalf. This section describes how to exercise those rights and our process for handling those requests (to the extent permitted by applicable law, we may charge a reasonable fee to comply with your request).

Sometimes, we act only as a “service provider” to our clients (for instance, if they provide information to us for analytics, processing or other data management services), in which case any consumer requests for opt-out, deletion or access to data must be made through that client: we therefore will forward any such requests to a named client, as feasible, such as where a client has been identified.

1. Right to request that we “do not sell” your personal information

You may request that we not “sell” your personal information. If you wish to make such a “do not sell” request (also called an “opt out” request), please go to our “Do Not Sell” web form located at https://app.retention.com/ccpa_details. Alternatively, you may contact us by email at privacy[at]retention.com. When you make such a request, we will retain your information on an internal “suppression” list, so that we may remove your data from our active database in the event we obtain it again at a later date.

2. Right to request deletion of your personal information

You may request that we delete any personal information that we collected from you, such as if you have been a customer of ours (Note that this is different from your right to “opt out” of us selling your personal information, which is described above; also note that we do not generally collect personal information directly from consumers).  You may make a deletion request by emailing us at support[at]retention.com. In our discretion, we may interpret your “deletion” request as a “Do Not Sell” request (and thus place it on a suppression list, as described above), if we in good faith believe that is what you are requesting.

However, we may retain personal information for certain important purposes, such as (a) to protect our business, systems, and users from fraudulent activity, (b) to address technical issues that impair existing functionality (such as de-bugging purposes), (c) as necessary for us, or others, to exercise their free speech or other rights, (d) to comply with law enforcement requests pursuant to lawful process, (e) for scientific or historical research, (f) for our own internal purposes reasonably related to your relationship with us, or to comply with legal obligations. Additionally, we need certain types of information so that we can provide our Services to you. If you ask us to delete it, you may no longer be able to access or use our Services.

3. Right to request access to your personal information

California residents also have the right to request that we disclose what categories of your personal information we collect, use, or sell. As a California resident, you may also request the specific pieces of personal information that we have collected from you. You may make such an “access” or “right to know” request here: https://app.retention.com/request_my_data. We may withhold some personal information where the risk to you or to others’ privacy rights is too great to disclose the information.

For security purposes (and as required under California law), we will verify your identity — in part by requesting certain information from you — when you request to exercise your California privacy rights.  For instance, if you request specific pieces of personal information we have received about you, you may need to confirm your possession of an identifier (such as an email address) that reasonably confirms you are the person you claim to be.

4. Right to nondiscrimination

We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights.  

5. Right to “opt-out” of the sale of your personal information

California residents may opt out of the “sale” of their personal information. California law broadly defines what constitutes a “sale” — including in the definition making available a wide variety of information in exchange for “valuable consideration.”

6. Information about persons under the age of 16

We do not knowingly collect personal information from minors under 16 years of age in California unless we have received legal consent to do so. If we learn that personal information from such California residents has been collected, we will take reasonable steps to remove their information from our database (or to obtain legally required consent).

7. Authorized agents

You may also designate an agent to make requests to exercise your rights under CCPA as described above. We will take steps both to verify the identity of the person seeking to exercise their rights as listed above, and to verify that your agent has been authorized to make a request on your behalf through providing us with a signed written authorization or a copy of a legally sufficient power of attorney. We likewise may require that you verify your own identity, depending on the type of request you make.