California Data Privacy Addendum

Last Updated October 28, 2020

PURPOSE FOR ADDENDUM

This California Data Privacy Addendum, including any future modifications (the “Addendum“), forms a material part of the Company’s Privacy Policy and applies to any “personal information” (as defined under the CCPA) that we may “collect” (as defined under the CCPA) from a California “consumer” (as defined under the CCPA) through their use of the Services, whether as a guest or a registered user. If you are a California consumer, the purpose of this Addendum is to briefly describe: 1) your rights under California law; 2) describe how you may make a request for those rights to be enforced; 3) describe the categories of personal information that were “sold” (as defined under the CCPA and detailed below) by the Company in the preceding twelve (12) months; 4) the categories of personal information that were disclosed by the Company for “business purposes” (as defined under the CCPA and detailed below) by the Company in the preceding twelve (12) months; and 5) describe your rights pursuant to California’s “Shine the Light” law.

YOUR RIGHTS AS A CALIFORNIA CONSUMER UNDER THE CCPA

The California Consumer Privacy Act (“CCPA”) provides California consumers (essentially human beings that are California residents and are the subject of personal information) with certain data privacy rights as described below. 

RIGHT TO DISCLOSURE

The CCPA requires the Company to make affirmative disclosures to data subjects about the Company’s processing activities, including disclosures about how personal information is collected, sold, and/or otherwise disclosed to third parties. All required disclosures are contained in the main body of the Company’s Privacy Policy and/or in this Addendum, as they are amended from time to time.

RIGHT TO KNOW

The Right to Know under the CCPA grants California consumers the right to be provided with certain individualized disclosures with respect to the Company’s processing of their personal information. Upon the Company’s receipt of a verified data subject request, data subjects have the right to access information related to the Company’s:

  • Collection Practices: Data subjects are entitled to confirmation of whether the Company is currently processing the data subject’s personal information and/or whether the Company has collected the data subject’s personal information in the twelve (12) month period preceding the request. If so, the Company is also obligated to provide the data subject with:
    • A description of the data subject’s applicable data subject rights;
    • The categories of the data subject’s personal information that have been collected by the Company, specifically including the categories of personal information that were collected in the twelve (12) month period preceding the request;
    • The categories of data sources from where the personal information was collected, specifically including any data sources used by the Company in the twelve (12) month period preceding the request;
    • Any business purpose for collecting or selling the data subject’s personal information, including any business purpose that existed in the twelve (12) month period preceding the request;
    • Any commercial purpose for collecting or selling the data subject’s personal information, including any commercial purpose that existed in the twelve (12) month period preceding the request;
    • The categories of recipients that the data subject’s personal information has been shared with, specifically including categories of recipients that have received access to the data subject’s personal information in the twelve (12) month period preceding the request; and
    • the specific pieces of personal information that the company has collected about the data subject, including those specific pieces collected in the twelve (12) month period preceding the request.
  • Sales Practices: Data subjects are entitled to confirmation of whether the Company is currently selling the data subject’s personal information and/or whether the company has done so in the twelve (12) month period preceding the request. If the Company has not sold any of the data subject’s personal information, the Company must make a disclosure to that effect. If the Company has sold the data subject’s personal information, the Company is also obligated to provide the data subject with:
    • The categories of the data subject’s personal information that were collected by the Company in the preceding twelve (12) month period; 
    • The categories of the data subject’s personal information that were sold by the Company in the preceding twelve (12) month period; and
    • The categories of recipients to whom the data subject’s personal information was sold in the twelve (12) month period preceding the request, including a breakdown of what categories of personal information were sold by the Company to each category of recipient.
  • Disclosure Practices: Data subjects are entitled to confirmation of whether the Company is currently disclosing the data subject’s personal information for business purposes and/or whether the Company has disclosed the data subject’s personal information for business purposes in the twelve (12) month period preceding the request. If the Company has not disclosed any of the data subject’s personal information for a business purpose, the Company will make a disclosure to that effect upon receipt of a verified request. If the Company has disclosed your personal information for a Business Purpose, the company is also obligated to provide you with:
    • The categories of the data subject’s personal information that were collected by the Company in the preceding twelve (12) month period; 
    • The categories of the data subject’s personal information that the Company disclosed to a third-party for a Business Purpose in the twelve (12) month period preceding the request; and
    • The categories of recipients to whom the data subject’s personal information was disclosed to for a business purpose in the twelve (12) month period preceding the request, including a breakdown of what categories of personal information were disclosed by the Company to each category of recipient.

Note: THE COMPANY DOES NOT SELL THE PERSONAL INFORMATION ANY CALIFORNIA CONSUMERS AS DEFINED BY THE CCPA, INCLUDING MINORS UNDER SIXTEEN (16) YEARS OF AGE.

RIGHT TO OPT-OUT OF THE SALE OF PERSONAL INFORMATION

The Right to Opt-Out of the Sale of Personal Information, subject to certain exceptions, enables data subjects to prohibit the Company from selling their personal information to third parties. Once the Company receives an opt-out request, the Company is prohibited from selling the data subject’s personal information to any third party unless the data subject subsequently provides the Company with express authorization stating otherwise. Once a data subject has opted out, the Company must wait at least twelve (12) months before requesting to sell a data subject’s personal information again. The Company is prohibited from discriminating against data subjects that exercise their right to opt-out (e.g., charging them more for products or services). However, the Company is not currently selling Data Subjects’ personal information. If you wish to exercise this right, please send an e-mail sufficiently detailing such request to: privacy@daicompanies.com (alternatively you can utilize one of the other methods described under the “How to Exercise Rights Under the CCPA” section of this Addendum. Such a request must include your name, telephone number, physical address, and email address.

RIGHT TO DELETION 

Under very specific circumstances, the CCPA entitles data subjects to have the Company stop processing their personal information and destroy such data. This right is commonly referred to as the “Right to Deletion,” the “Right to Erasure,” and/or the “Right to be Forgotten.” Generally, the Right to Deletion requires the Company to delete any personal information that the Company has collected about a data subject that is not necessary for at least one of the purposes enumerated under the CCPA. Common exceptions to the Right to Deletion include the processing of personal information that is necessary for: completion of a transaction, provision of goods and services, performance of a contract, exercising free speech rights, internal uses that are reasonably aligned with a data subject’s expectations based on their relationship with the Company, internal uses that are lawful and compatible with the context in which a data subject provided their personal information, and/or uses of personal information that are necessary for the Company to comply with legal obligations. 

RIGHT TO NON-DISCRIMINATION 

Under the CCPA, the Company is prohibited from discriminating against data subjects that exercise their rights, including the Right to Opt-Out of the Sale of Personal Information. Specifically, the Company cannot deny data subjects goods or services, charge data subjects different prices or rates (or otherwise impose a penalty), or provide data subjects a different quality or level of goods or services if a data subject requests to enforce their rights. 

HOW TO EXERCISE RIGHTS UNDER THE CCPA

If you wish to exercise available rights detailed below, please access the Company’s Data Subject Request web portal at https://origin.daicompanies.com/ccpa/#/request. Please note that if we receive a request from you to exercise your rights, the Company has the right to have you take reasonable steps to confirm your identity. Generally, we will attempt to match identifying information that you have already provided to us. At minimum, the Company will require you to submit your name, telephone number, physical address, and email address. The Company is not obligated to, and will not, provide any individualized information or give effect to data subject rights unless the Company can reasonably verify that the request is a “verified request” (as defined under the CCPA). 

Alternatively, you may submit a Data Subject Request by calling the Company at (833) 401-0196. As another option, you may submit a Data Subject Request by employing an authorized agent to submit a request on your behalf. In order to do this, you must provide an authorized agent with written permission to submit a request. If the Company does not receive proof from an authorized agent that you have given them permission to submit a Data Subject Request on your behalf, the Company will deny the request. 

BUSINESS PURPOSES & COMMERCIAL PURPOSES FOR COLLECTING OR SELLING PERSONAL INFORMATION 

Under the CCPA, the Company is required to describe its “business purposes” or “commercial purposes” for collecting or selling personal information. Under the CCPA, “collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. THE COMPANY IS NOT CURRENTLY SELLING PERSONAL INFORMATION TO THIRD PARTIES AND HAS NOT SOLD SUCH INFORMATION IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EFFECTIVE DATE OF THIS ADDENDUM.

BUSINESS PURPOSES & CATEGORIES OF INFORMATION DISCLOSED FOR BUSINESS PURPOSES

Under the CCPA, “business purpose” means “the use of personal information for a business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.” The business purposes for which the Company may use/share personal information include: 

  •  The Company may use/share personal information to audit current interactions with a consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
  •  The Company may use/share personal information to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for that activity.
  •  The Company may use debugging processes to identify and repair errors that impair existing intended functionality.
  •  The Company may use personal information for short–term, transient uses, provided personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
  •  The Company may use personal information to undertake internal research for technological development and demonstration.
  •  The Company may use/share personal information to perform services on behalf of a business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of a business or service provider.
  •   The Company may use/share personal information to undertake activities to verify or maintain the quality or safety of a service, product, or device that is owned, manufactured, manufactured for, or controlled by the Company, and to improve, upgrade, or enhance the service, product, or device that is owned, manufactured, manufactured for, or controlled by the Company.

The categories of personal information that the Company disclosed about consumers for a business purpose during the preceding twelve (12) months were: (a) identifiers; (b) personal information; (c) protected classification characteristics; (d) internet activity; (e) geolocation data; (f) professional or employment-related information; and (h) inferences.

COMMERCIAL PURPOSES & CATEGORIES OF INFORMATION DISCLOSED FOR COMMERCIAL PURPOSES

Under the CCPA, “commercial purpose” means “to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.” “Commercial purposes” do not include purposes of engaging in speech that state or federal courts have recognized as noncommercial speech (including political speech and journalism). The commercial purposes for which the Company may use/share personal information include: 

  • We use your personal information to send information to you about your account, products and services, and to notify you about issues with, or changes to, the Services or our policies.  We generally communicate with users via email, web chat, and/or by telephone.  By using the Services, you agree that the Company and/or our agents may email, call, or text you regarding the Services, including communicating with you about your account, your interactions with the Services, and/or your transactions. 
  • : As the Company is part of a larger group of related companies, it may be necessary for the Company to transmit your personal information within the organizational group. Processing is necessary so that data can be shared amongst our affiliates so that each entity can carry out their legal, regulatory, and/or contractual responsibilities and/or coordinate/implement business plans, logistics, and/or operations. This is especially true because the Company may perform critical services for its Affiliates, such as services related to: accounting, human resources, security, legal, etc. 
  •  Processing your personal information is necessary to facilitate the day-to-day operation of our business and to allow for business planning for strategic growth. This includes: managing our relationship with you, our employees, other users/clients, vendors, business partners, and/or others; sharing intelligence with internal stakeholders; implementing training procedures; planning and allocating resources and budgets; performing data modelling; facilitating internal reporting; analyzing growth strategies; aggregating analytics; and/or processing personal information to create anonymized data (e.g., for product improvement, analytics, etc.).
  •  Processing your personal information may be necessary for the Company to:
  •  Processing your personal information is necessary to enable the Company’s business operations to run more efficiently, e.g., establishing how to allocate resources or to predict future demand.
  •  Processing your personal information may be necessary to respond to a Data Subject Request that you submit to the Company (e.g., the Company needs to process your personal information to respond to a request related to the Right to Access).
  •  Processing your personal information is necessary for the Company to deliver and/or improve our products and services. This includes processing your personal information to determine whether a product or service is working as intended, monitoring usage and conduct, and identifying and troubleshooting issues.
  •  The Company has a need to conduct market intelligence so that we can create a better understanding of our users’ preferences. This could include using diagnostic analytics to optimize products, services, and/or recruiting efforts by assessing/monitoring users’ usage of the products or services and/or conduct while using the Services. Common metrics for evaluation could include monitoring pages and links accessed, ad performance and conversion tracking, number of posts, number of page views, patterns of navigation, time at a page, devices used, where users are coming from, hardware used, operating system version, unique application identifiers, unique device identifiers, browser types, languages, wireless or mobile network information, etc. These metrics could be used to: personalize communications; determine which users should receive specialized communications; create aggregate trend reports; determine the most effective messaging; and/or measure the audience for a certain communication.
  •  The Company may use your personal information to aggregate and/or anonymize the data for various purposes. Once aggregated or anonymized, the information will no longer be considered personal information because it will no longer be able to identify you and/or any of your devices used to access the Services. Once aggregated or anonymized, the Company may use such information for any purpose (e.g., research and development purposes), including sharing such information with third parties
  •  The Company processes your personal information in order to determine your access rights. In visiting, registering, and/or subscribing to the Services, you are given different levels of access. The Company uses this information in order to determine what you should be able to access. 
  •  We process personal information in order to enhance and personalize the “consumer experience” we offer our current and/or prospective users/visitors in our products and services.
  •  Processing your personal information may be necessary to verify the accuracy of your user data and to create a better understanding of our past, present, and/or prospective users. 
  • : In order to identify recurring problems and/or analyze the patterns of behavior of users and/or customers, it is necessary for the Company to monitor your performance/behavior on our Services.
  •  Processing your personal information may be necessary for the Company to help detect and prevent fraud.
  •  Processing your personal information may be necessary for the purposes of ensuring our network and information security, e.g., monitoring users’ access to our network for the purpose of preventing cyber-attacks, inappropriate use of data, corporate espionage, hacking, system breaches, etc. This could include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping “denial of service” attacks and damage to computer and electronic communication systems. 
  •  The Company processes your personal information because it is necessary to allow for the backup and protection of your information (e.g., utilizing cloud-based services to archive/protect data) in order to ensure that such information is not improperly lost or modified. Such processing is also necessary to archive/protect data in accordance with legal, regulatory, organizational, and/or contractual obligations.
  •  In processing your personal information, the Company may process your data utilizing an algorithm that helps to streamline organizational processes.
  •  The Company needs to process personal information in the context of processing the information of a business contact in order to conduct business operations.
  •  It may be necessary for the Company to process your personal information for the purposes of conducting due diligence. This could include, for example, monitoring official watch-lists, sanction lists, and “do-not-do-business-with” lists published by governments and other official bodies globally. This could also include keyword searches of industry and reputable publications to determine if companies and individuals have been involved in or convicted of relevant offenses, such as fraud, bribery, and/or corruption.
  •  Several of the Company’s Affiliates are part of various industry self-regulatory organizations, including organizations that focus on data privacy and security. Such organizations were formed in order to address various concerns, including: developing industry standards and best practices to protect the industry; sharing intelligence or concerns about individuals (e.g., industry-specific watch lists); sharing intelligence or concerns that may have a negative or detrimental impact on the industry; and/or ensuring that participants in the industry are following agreed-upon standards. We may be required to process personal information so that we may stay in compliance with these self-regulatory schemes.
  •  The Company may need to use personal information to report possible criminal acts or threats to public security/safety that we identify as part of our processing activities to a competent authority.
  • The Company is subject to binding legal or regulatory obligations and may need to process your personal information in order to comply with such laws or regulations. Examples could include: complying with reporting obligations; complying with screening obligations; responding to law enforcement requests; and/or responding to judicial/regulatory agency requests.
  • Your personal information will also be used to fulfill any other purpose for which you provide the information or otherwise provide your consent for the Company and/or other third parties to use such information.

The categories of personal information that the Company disclosed about consumers for a commercial purpose during the preceding twelve (12) months were: (a) identifiers; (b) personal information; (c) protected classification characteristics; (d) internet activity; (e) geolocation data; (f) professional or employment-related information; and (h) inferences.

YOUR RIGHTS AS A CALIFORNIA CONSUMER UNDER CALIFORNIA’S SHINE THE LIGHT LAW

Pursuant to California’s “Shine the Light” law, California residents may opt-out of the Company’s disclosure of personal information to third parties for such third parties’ direct marketing purposes. However, the Company does not currently disclose personal information to third parties for direct marketing purposes.