Privacy Policy

*Effective Date: February 21, 2024

Privacy is important to Smarsh Inc. ("Smarsh"). This Privacy Notice ("Privacy Notice") describes who we are, what Personal Information (defined below) we gather from you and how we plan to use, share, and protect that Personal Information, and how you can exercise your data protection rights. All users of our Website, Smarsh Social Media, and participants of Smarsh Events ("Users") must read and agree to our Privacy Notice to ensure they are fully informed about how Smarsh collects, processes, and stores Personal Information. For the purposes of this Privacy Notice, the Website, Smarsh’s Social Media, and Smarsh Events are the "Services."

For a helpful, quick summary of our privacy practices, please read Smarsh’s Privacy Notice - Quick Summary (below) and Smarsh’s Cookie Disclosure (found here - Smarsh’s Cookie Disclosure). You can also bookmark Smarsh’s Email Preference Dashboard (found here - Smarsh's Email Preference Dashboard) to manage your email preferences.

If you have any specific questions about our Privacy Notice, please send an email to privacy@smarsh.com.

PRIVACY NOTICE - QUICK SUMMARY

This Quick Summary provides a summary of Smarsh’s Privacy Notice. If you wish to find more detailed information with respect to any of the questions answered in this Quick Summary, please read the Privacy Notice - More Information Section that is located below this Quick Summary.

Does this Privacy Notice apply to me?

This Privacy Notice applies to the collection and processing of Personal Information by Smarsh from visitors and users of (i) our website (www.smarsh.com) ("Website"), (ii) our corporate social media pages (for example, LinkedIn, Facebook, or other similar service) ("Smarsh Social Media") , and (iii) attendees and participants of events, webinars, or contests related to Smarsh ("Smarsh Events"). For more detailed information, please make sure that you read our entire Privacy Notice. This Privacy Notice does not apply to the processing of Personal Information by Smarsh on behalf of our clients in connection with the provision of services to such clients via a separate, direct agreement.

Definitions & What is Personal Information?

Generally, "Personal Information" means any information relating to a natural identified or identifiable person or household, such as name, email, residential address, phone number, device ID, or zip code.

Who is Smarsh?

Smarsh is a New York Corporation and a software company. While Smarsh’s headquarters are in Portland, Oregon, Smarsh has offices, affiliates, and subsidiaries throughout the United States, as well as in Canada, Costa Rica, India, Israel, Germany, Northern Ireland, Singapore, and the United Kingdom (for the purposes of this Privacy Notice, "Smarsh", "We", "Us" and "our" shall refer to Smarsh and its affiliates and subsidiaries)

For more information about Smarsh, please see our "About Us" page - About Us - Smarsh.

What Personal Information is Smarsh collecting under this Privacy Notice?

Smarsh may passively (automatically) collect Personal Information when you use our Website or your social media accounts through the use of automated methods, such as tracking cookies or data analytics tools.

Smarsh may directly collect Personal Information from you when you sign up for events, participate in webinars, request information from Smarsh about its services, or participate in in-person meetings.

How do you use my Personal Information under this Privacy Notice?

Generally, we collect Personal Information to provide better services or functionality to you. For example, we use data analytics tools to improve and optimize our Website. We leverage automated cookies to tailor our marketing and sales activities to provide better, more focused, content to you. Our Website intake forms collect certain Personal Information in order to respond to your request(s) for information, or to provide future updates with respect to our services, products, or upcoming events. We also use your Personal Information when we need to comply with a legal obligation, upon your consent, to perform under a contract with you, or in connection with our legitimate business interests

When, and with whom, do you share my Personal Information under this Privacy Notice?

We may share your Personal Information with our affiliates, our third-party service providers, our business partners, or with any competent law enforcement or regulatory body for our own internal business purposes

How do you protect my Personal Information?

Smarsh uses commercially reasonable technical and organizational measures to protect your Personal Information from unauthorized access, use, or disclosure. To learn more about Smarsh’s information security program in general, please go here - Smarsh’s Information Security Program.

Still, no system can be guaranteed to be 100% secure. If you have questions about the security of your Personal Information, or if you have reason to believe that the Personal Information that we hold about you is no longer secure, please contact us immediately by sending an email to privacy@smarsh.com or as otherwise described in this Privacy Notice.

What are my rights with respect to my Personal Information under this Privacy Notice?

Smarsh provides you with the ability to choose how we collect, use, and share your Personal Information. To manage your communication preferences with respect to marketing, please go here to manage your Email Preferences. You may also wish to correct, update, amend, or delete any of your Personal Information maintained by Smarsh under this Privacy Notice. You may submit a general request to correct, update, amend, or delete your Personal Information by submitting a request through this webform here.

Please note that (i) in some cases, we may not be able to remove your Personal Information, in which case, we will let you know if we are unable to do so and why, and (ii) in order to protect your privacy and security, we will also take reasonable steps to verify your identify, before taking any steps with respect to providing access to, amending, or deleting your Personal Information.

UK & EU individuals

General information about Data Subject Rights is located in the Notice to Certain Residents of Data Subject Rights section below. Please go to the Notice to Individuals in the European Economic Area and the UK section if you are located in the EU or are located in the UK.

California, Colorado, Connecticut, Utah, and Virginia Residents

If you are a resident of California, Colorado, Connecticut, Virginia, or Utah, please go to the Notice to Certain Residents of Data Subject Rights section for more information on your rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CPRA") (collectively, "CCPA"), Virginia Consumer Data Protection Act ("VCDPA"), Colorado Privacy Act ("CPA"), Connecticut Act Concerning Personal Data Privacy and Online Monitoring ("CTDPA"), or Utah Consumer Privacy Act ("UCPA").

How do I get in contact with you?

If you have any questions about how your Personal Information is collected, stored, shared, or used, or if you wish to exercise any of your data rights, or if you have a disability and need to access this notice in another format, please contact us using one of the methods below

EMAIL: privacy@smarsh.com

SUBMIT A REQUEST THROUGH THIS WEB FORM - HERE.

GLOBAL HEADQUARTERS

Call us: 1-866-SMARSH-1

Write us: Attn: Legal Data Subject Request

851 SW 6th Avenue - Portland, Oregon 97204

EEA & UK:

Call us: +44 (0) 20 3608 1209

Write us: Attn: Legal Data Subject Request

One Canada Square, Level 39 - London, E14 5AB

PRIVACY NOTICE - MORE INFORMATION

This Section describes Smarsh’s data collection practices with respect to Personal Information in more detail than in the Privacy Notice - Quick Summary.

PERSONAL INFORMATION SMARSH COLLECTS

Smarsh collects Personal Information from you directly and indirectly. The Personal Information that we collect from you directly may include the following:

· Individual Identifiers, such as:

- Contact Information, when you submit an online form or survey, subscribe to a newsletter, sign up for an event, webinar, or contest, or use our online chat feature, such as name, job title, company name, address, phone number, or email address.

- Contact Information, when you request information about Smarsh services or products using the Services, such as name, job title, company name, address, phone number, or email address.

- Event Visitor Information, if you attend a Smarsh sponsored event, we may collect visitor information, such as name, company name, job title, address, email address, location, phone number, and potentially, events in which you participated.

- Office Visitor Information, if you visit us at our offices, we may collect visitor information, such as name, company name, job title, address, email address, location, phone number, photograph, time and date of arrival and departure.

· Communications with us, preferences, and other Information you provide to us, such as any messages (including via online chat feature), opinions, and feedback that you provide to us, your user preferences (such as in receiving updates or marketing information), and other Information that you share with us when you contact us directly.

The Personal Information that we may collect from you automatically or indirectly may include the following:

· Device and geolocation data when you visit our Website, such as your IP address, device type, browser, broad geographic location, and other technical information. We may also collect information about your interaction with our Website, including pages accessed and links clicked.

· Data captured via cookies when you visit and interact with our Website. For example, Smarsh uses cookies to collect technical and analytical data, like webpages accessed or viewed, your browser type and the language of your browser, or linked clicked. For specific information on our cookies, please see our Cookie Disclosure.

· If you access the Services through a mobile device, we may also automatically collect Information about your device, your phone number, and your physical location.

The Personal Information that we may collect from you from third parties:

· Third Party Event Visitor Information. If you attend an event, tradeshow, or conference (or online variation) in which Smarsh participates or to which Smarsh provides content, we may collect or be provided with, visitor information, such as name, company name, job title, address, email address, location, phone number, and potentially, events in which you participated.

· Third Party Resellers, Referrals, and Partners. We may receive business contact information from our resellers and strategic partners to sell our services. For example, business contact information, including mailing addresses, job titles, email addresses, phone numbers, and details about the potential customers’ software environment to tailor the purchase of services.

· Third Party Websites and Social Media Sites. Smarsh may collect additional Information about you from third-party websites and Social Media Sites and/or sources providing publicly available information to help us provide services to you and for marketing and advertising purposes.

This Privacy Notice only applies to Information collected by our Website or through our Socia Media Account or Smarsh Event. We are not responsible for the privacy and security practices of those other websites or social media sites, or the Personal Information they may collect (which may include IP address). You should contact such third parties directly to determine their respective privacy policies. Links to any other websites or content do not constitute or imply an endorsement or recommendation by us of the linked website, social media platform, and/or content.

HOW SMARSH USES PERSONAL INFORMATION

In most cases, we use your Personal Information to respond to requests made by you, including those to obtain more information about our products or services or services or events using the Services. Collecting Personal Information enables us to better understand those individuals who visit our Website and aids us with improving our Website, its content and functionality, as well as its ease of use.

We may also use your Personal Information for the following business and commercial purposes:

· To deliver functionality on our Website, including responding to technical problems;

· To analyze, develop, improve or optimize the functionality or performance of our Website;

· To manage the security of our Website and related infrastructure,

· To comply with applicable laws, rules, and regulations ,

· To respond to your requests for information, such as communications about events, surveys, or contest entries in accordance with your communication preferences;

· To communicate with you about new contests, promotions or rewards, upcoming events, trade shows or conferences, changes to the Website or the services that Smarsh provides, or other news about products and services in accordance with your communication preferences;

· To tailor our marketing and sales activities to your company’s interests and to confirm or update your communication and marketing preferences.

· For general or targeted marketing and advertising purposes, including sending you promotional material or special offers on our behalf or on behalf of our marketing partners and/or their respective affiliates and subsidiaries and other third parties, provided that you have not already opted-out of receiving such communications;

· To provide or improve the Services, including requesting feedback about your experience with the Services, or to conduct research in which you agree to participate;

· To otherwise fulfill the purpose for which the Information was provided;

· Link or combine or supplement Personal Information about you with other Personal Information that we get from third-parties, such as our advertising partners, to provide you with better and more personalized services, or just to better understand your needs.

HOW SMARSH SHARES OR DISCLOSES PERSONAL INFORMATION

We may share or disclose your Personal Information to the following categories of recipients for our business purposes:

· To third-party service providers that perform certain functions or services on our behalf (such as hosting the Website, manage databases, perform analyses, provide customer service, or send communications for us). These third-party service providers are authorized to use your Personal Information only as necessary to provide these services to us.

· To those third-party presenters or sponsors of a Smarsh Event in which you participate;

· To our partners and affiliates that support our business operations or the provision of services;

· To a buyer (actual or potential) or its agent(s) in connection with a divestiture, merger, acquisition, sale, or similar transaction, in part or in whole of our business;

· To any competent law enforcement body, regulatory, government agency, court, or other legal body with valid jurisdiction over Smarsh, where we believe it is necessary (i) to protect your vital rights or the rights of a third party, (ii) as a matter of applicable law or regulation, or (iii) to establish, protect, or exercise our legal rights or the legal rights of our partners, affiliates, or third-party service providers.

· With your consent, or to fulfill the purpose for which you provided the Information.

LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION

Smarsh takes care to use your Personal Information carefully and in an appropriate way. Use of Personal Data under certain data protection laws, including GDPR, must be based on legal grounds. Smarsh uses or shares your Personal Data:

1.to comply with a legal obligation, including responding to a legal request for information, subpoena, warrant, or other request from a competent legal or regulatory authority.

2.Where you consented to such use. For example, if you provided consent to receive marketing material. You may withdraw your consent at any time as described below

3.Where it is necessary under a contract between you and Smarsh, or because something needed to be completed in order for you to enter into a contract with us (e.g., due diligence).

4.Where its use is in accordance with our legitimate interests, such as for our legitimate business interests, those interests do not override your fundamental rights. For example, monitoring our Website, preventing illegal activities, or pursuant to a sale or merger (for the purposes of due diligence or to effect such sale or merger post closing)

DATA RETENTION - PERSONAL INFORMATION

We retain Personal Information we collect from you so long as we need it to provide you the Services and/or comply with our legal obligations (i.e., to comply with applicable laws, tax or accounting reasons, provide services). When we no longer have an ongoing need to maintain your Personal Information, we will delete or anonymize it as required by our record keeping policies.

TRACKING COOKIES & ADVERTISING & ANALYTICS

We and/or certain service providers operating on our behalf may collect Information about your activity, or activity on devices associated with you over time, on our Website and applications, and across non-affiliated websites or online applications. We may collect this Information by using certain technologies, such as cookies, web beacons, pixels, and other similar technologies. Smarsh uses cookies consistent with its Cookie Disclosure. In general, Smarsh uses cookies and analytics tools to:

· manage content, analyze trends, monitor page visits and content downloads on our Website;

· administer our Website, track users’ movements around our Website, and;

· gather demographic information about visitors to our Website and Social Media Accounts.

We may partner with third party ad networks to either display advertising on our Website or to manage our advertising on other websites. Those ad network partners may use cookies and web beacons to collect non-personally identifiable information about your activities on our Website to provide you with targeted advertising based upon your interests. You can learn more about your rights to opt out of targeted advertising in the Your Choices section below.

Our use of online tracking technologies may be considered a "sale" or "sharing" under certain laws. To the extent that these online tracking technologies are deemed to be a "sale" or "sharing" under certain laws, you can opt out of these online tracking technologies by submitting a request through this webform here. or by broadcasting an opt-out preference signal, such as the Global Privacy Control (GPC). Please note that some features of our Website may not be available to you as a result of these choices.

YOUR CHOICES

Marketing Communications. If you do not want to receive marketing and promotional emails from us, you may click on the "unsubscribe" link in the email or visit Smarsh’s Email Preference Dashboard - Smarsh's Email Preference Dashboard to unsubscribe and opt-out of marketing email communications, or get in touch with us using the contact information located in the Contact Us Section herein.

Text Messages. You may sign up to receive text messages from Smarsh or third-party service providers on our behalf (e.g., text message marketing). By using our Website, signing up for text messaging services or otherwise opting in to receive text messages (opting in via short code or entering your phone number into an on-site collection widget), you agree that you have provided Smarsh or its third-party service providers with prior express written consent to be contacted by text message, including recurring automated promotional and personalized marketing text messages.

Cookie Preferences. You may change or modify your cookie settings by broadcasting an opt-out preference signal, such as the Global Privacy Control (GPC), or by updating your cookie settings on the Website.

THIRD PARTY WEBSITES & SOCIAL MEDIA WIDGETS

This Website may contain links to websites or content sponsored or provided by third parties as a convenience for our users. Our provision of a link to any other website or location does not signify our endorsement of such other website or location or its contents. When you click on such a link, you will leave our Website and you will go to another website. During this process, a third party may collect Personal Information from you. We do not control the actions of these third parties, nor do we control, review, or monitor these outside websites or their content. We are not responsible for these third parties, their websites, or their content. The terms of this Privacy Notice do not apply to these third parties or their websites.

Our Website includes certain social media widgets, such as a "share this" button, or "like this" button, and other mini-programs that run on our Website. These third-party social media widgets are governed by the privacy policy of the company providing such social media widget.

CHILDREN

This Website is not intended to provide content to children and Smarsh does not intentionally gather Personal Information about visitors who are under the age of sixteen (16). If you learn that anyone younger than 16 (or such higher age as applicable under the laws of your jurisdiction) has provided Smarsh with Personal Information, please contact us at privacy@smarsh.com. If we learn that we have collected such Information, we will take steps to delete it as soon as reasonably possible.

INTERNATIONAL TRANSFERS

Smarsh’s global headquarters are located within the United States. Your Personal Information may be transferred to, and processed in, countries other than the country in which you are located. These countries may have data protection laws that are different to the laws of your country. If you are in the European Economic Area or United Kingdom, please note that your Personal Information may be accessed by Smarsh employees and suppliers, transferred, and/or stored outside the European United and the United Kingdom, including within the United States, and other countries which have different data protection laws that may not be as comprehensive as those in your own country.

SECURITY OF PERSONAL INFORMATION

We use commercially reasonable technical and organizational measures to help protect your Personal Information from unauthorized access, use, or disclosure. However, no data transmitted over the Internet or stored by us, or our third-party service providers can be 100% secure. Therefore, we do not promise or guarantee, and you should not expect, that your Personal Information or private communications will always remain private or secure. We do not guarantee that your Personal Information will not be misused by third parties and are not responsible for the circumvention of any privacy settings or security features. You agree that we will not have any liability for misuse, access, acquisition, deletion, or disclosure of your Information. To learn more about Smarsh’s information security program in general, please go here - Smarsh’s Information Security Program.

NOTICE TO CERTAIN RESIDENTS OF DATA SUBJECT RIGHTS

A.NOTICE TO CALIFORNIA RESIDENTS

To the extent any California data privacy law applies to the collection of your Personal Information, this supplemental section of our Privacy Notice outlines the rights that California residents may have, and how they can exercise those rights. This notice applies solely to California residents. We provide the supplemental section below to comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act (referred to collectively hereinafter as CCPA) and any terms defined in the CCPA have the same meaning when used below.

1.Your Rights under CCPA

· Right to Know and Access Specific Information. You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Once we receive and confirm a verifiable consumer request from you, we will disclose to you, to the extent permitted by law:

- The categories of Personal Information we collected about you, and whether we sell or share your information with third parties.

- The specific pieces of Personal Information we hold about you.

- The categories of Personal Information sold within the last twelve (12) months.

- The categories of sources from which Personal Information about you is collected.

- Our business or commercial purpose for collecting, selling, or sharing your Personal Information.

- The categories of third parties with whom your Personal Information is sold, shared, or disclosed for a business purpose.

You have the right to request that the Personal Information described above be provided to you in a portable and readily useable format, to the extent technically feasible ("data portability").

· Deletion Request Rights. You have the right to request that we delete the Personal Information that we collected from you, subject to certain exceptions. To the extent that we can delete your Personal Information, once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information, unless an exception applies.

· Right to Correct Inaccurate Information. To the extent that we may maintain inaccurate Personal Information, you have the right to request that we correct such inaccurate Personal Information taking into account the nature of the Personal Information and the purposes of the processing of the Personal Information. Once we receive and verify your verifiable consumer request, we will use commercially reasonable efforts to correct your Personal Information.

· Sale and Sharing of Personal Information and the Right to Opt Out. You have the right to opt out of the processing of your Personal Information for the following purposes:

- Sale of your Personal Information.

- Sharing of your Personal Information for cross-context behavioral advertising.

The use of online tracking technologies may be considered a "sale" or "sharing" under California law. To the extent that these online tracking technologies are deemed to be a "sale" or "sharing" under California law, you may opt out of these online tracking technologies by submitting a request through this webform here or by broadcasting an opt-out preference signal, such as the Global Privacy Control (GPC).

· Right to Limit Use and Disclosure of Sensitive Personal Information. You have the right to request that we limit the ways we use and disclose your sensitive Personal Information (as defined by CCPA) to uses which are necessary for us to perform the Services, or deliver the goods reasonably expected by you, or and as authorized by law. Smarsh does not collect sensitive Personal Information in the normal course of operating the Website.

· Right to Non-Discrimination. You have a right to not be discriminated against in the Services or quality of Services you receive from us for exercising your rights. We may not, and will not, treat you differently because of your data subject request activity. As a result of your data subject request activity, we may not and will not deny goods or Services to you, charge different rates for goods or Services, provide a different level quality of goods or Services, or suggest that we would treat you differently because of your data subject request activity.

· Right to Disclosure of Direct Marketers. You have a right to the categories and names/addresses of third parties that have received your Personal Information for their direct marketing purposes upon simple request, and free of charge.

You may make an authenticated consumer request exercising your Right to Know and Access Specific Information including Right to Know what Personal Information is being sold or shared or under the CCPA twice within a twelve (12) month period. To exercise the rights described above, see the Exercising Your Rights section below.

2.Authorized Agent

You may use an authorized agent to submit verifiable consumer requests on your behalf provided that the authorized agent is a natural person or a business entity that you have authorized to act on your behalf. If you use an authorized agent, we will require: (1) proof of written permission for the authorized agent to make requests on your behalf, and identity verification from you; or (2) proof of power of attorney pursuant to California Probate Code sections 4000 to 4665. We may deny a request from an authorized agent that does not submit proper verification proof.

3. Categories of Information Collected and Processed

We may collect and share (as that term is defined in the CCPA) the below categories of Personal Information for the purposes of targeted advertising. For purposes of this section, "sell," "sold," or "sale" has the meaning set forth in the CCPA.

Category of Information	Examples of Information Disclosed
Identifying Information	Name, mailing address, email address, phone number, date of birth, and other identifiers
Payment Information	Your name and billing totals for payment and invoice processing. Note that we use third-party payment processors to facilitate your payments and do not store your payment card information.
Usage and Technical Information	Information about your interaction with our Website and content on third-party sites or platforms, such as social networking sites (e.g. IP address; browsing history; search history; device information; information about user’s interaction with the Website, such as scrolling, clicks, and mouse-overs via cookies, pixel tags, web beacons, transparent GIFs; browser information; operating system and platform; geolocation information; user content (e.g. photos, videos, audio, images, social media /online posts, first-party works).

YOU MAY OPT OUT OF THE SHARING OF YOUR PERSONAL INFORMATION BY CONTACTING PRIVACY@SMARSH.COM, SUBMITTING AN OPT OUT REQUEST THROUGH THIS WEBFORM HERE OR UPDATING YOUR PRIVACY CHOICES ON OUR WEBSITE.

4.Additional Information

To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

B.NOTICE TO VIRGINIA RESIDENTS

To the extent any Virginia data privacy law applies to the collection of your Personal Information, this supplemental section of our Privacy Notice outlines the individual rights guaranteed to Virginia residents and how to exercise those rights and applies solely to Virginia residents. We provide the supplemental section below to comply with the Virginia Consumer Data Protection Act ("VCDPA") and any terms defined in the VCDPA have the same meaning when used below

1. Your Rights under VCDPA

Subject to certain exceptions you may be entitled to the following rights:

· Right to Access & Data Portability. You have the right to request that we disclose certain information to you about our collection and use of your Personal Information at any time. Once we receive and confirm an authenticated consumer request from you, we will, subject to certain exceptions:

- Disclose whether we are processing your Personal Information.

- Provide you with access to your Personal Information.

Where the processing is carried out by automated means, and subject to certain exceptions, you have the right to request and obtain a copy of your Personal Information that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the Personal Information to another data controller without hindrance.

· Right to Correct Inaccurate Information. To the extent that we may maintain inaccurate Personal Information, you have the right to request that we correct such inaccurate Personal Information taking into account the nature of the Personal Information and the purposes of the processing of the Personal Information. Once we receive and verify your authenticated consumer request, we will use commercially reasonable efforts to correct your Personal Information.

· Right to Delete. You have the right to request that we delete certain of your Personal Information provided by or obtained about you. To the extent that we can delete your Personal Information, once we receive and confirm your authenticated consumer request, we will delete (and direct our service providers to delete) your Personal Information, subject to certain exceptions.

· Sale of Personal Information, Targeted Advertising, Profiling, and the Right to Opt Out. You have the right to opt out of the processing of your Personal Information for the following purposes:

- Targeted advertising.

- Sale of your Personal Information.

- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

· Right to Appeal. You have the right to appeal our denial of any request you make under this section. To exercise your right to appeal, please submit an appeals request via the information in the How To Contact Us section below. Within sixty (60) days of receipt of your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including a written explanation of the reasons for the decisions. If we deny your appeal, you may contact the Virginia Office of the Attorney General by:

- Contacting Online: https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint

- Calling:

§ If calling from Virginia, call the Consumer Protection Hotline at 1-800-552-9963.

§ If calling from the Richmond area or from outside Virginia, call the Consumer Protection Hotline at 1-804-786-2042.

· Right to Non-Discrimination. You have a right to not be discriminated against in the Services or quality of Services you receive from us for exercising your rights. We will not discriminate against you for exercising any of your rights in this section including denying goods or Services, charging different prices or rates for goods or Services, or providing a different level of quality of goods and Services. However, we may offer a different price, rate, level, quality, or selection of goods or Services, including offering goods or Services for no fee, if you have exercised your right to opt out or the offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

You may make an authenticated consumer request under the VCDPA twice within a twelve (12) month period. To exercise the rights described above, see the Exercising Your Rights section below.

2.Additional Information

To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

C.NOTICE TO COLORADO RESIDENTS

To the extent any Colorado data privacy law applies to the collection of your Personal Information, this supplemental section of our Privacy Notice outlines the individual rights guaranteed to Colorado residents and how to exercise those rights and applies solely to Colorado residents. We provide the supplemental section below to comply with the Colorado Privacy Act ("CPA") and any terms defined in the CPA have the same meaning when used below

1. Your Rights under CPA

Subject to certain exceptions you may be entitled to the following rights:

- Disclose whether we are processing your Personal Information.

- Provide you with access to your Personal Information where we process it.

Where exercising your right to access, you have the right to request and obtain a copy of your Personal Information that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the Personal Information to another data controller without hindrance ("data portability").

· Right to Correct Inaccurate Information. To the extent that we may maintain inaccurate Personal Information, you have the right to request that we correct such inaccurate Personal Information taking into account the nature of the Personal Information and the purposes of the processing of the Personal Information. Once we receive and verify your authenticated consumer request, we will use commercially reasonable efforts to correct your Personal Information.

· Right to Delete. You have the right to request that we delete certain of your Personal Information provided by or obtained about you. To the extent that we can delete your Personal Information, once we receive and confirm your authenticated consumer request, we will delete your Personal Information, subject to certain exceptions.

· Sale of Personal Information, Targeted Advertising, Profiling, and the Right to Opt Out. You have the right to opt out of the processing of your Personal Information for the following purposes:

- Targeted advertising.

- Sale of your Personal Information.

- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

· Right to Appeal. You have the right to appeal our denial of any request you make under this section. To exercise your right to appeal, please submit an appeals request via the information in the How To Contact Us section below. Within forty-five (45) days of receipt of your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including a written explanation of the reasons for the decisions. If you have concerns regarding the results of your appeal, you may contact the Colorado Office of the Attorney General by:

- Contacting Online: https://complaints.coag.gov/s/contact-us

- Calling: (720) 508-6000

You may make an authenticated consumer request free of charge under the CPA once within a twelve (12) month period. We reserve the right to charge a reasonable fee for a second or subsequent request within the same twelve (12) month period. To exercise the rights described above, see the Exercising Your Rights section below.

2. Sensitive Data

We do not process sensitive data including sensitive data inferences. If we ever were to process sensitive data, we do so with your consent.

3. Authorized Agent

You may use an authorized agent to submit verifiable consumer requests on your behalf. An authorized agent is a natural person or a business entity that you have authorized to act on your behalf. If you use an authorized agent, we will require: (1) proof of written permission for the authorized agent to make requests on your behalf, and identity verification from you; or (2) proof of power of attorney pursuant to Colo. Rev. Stat. § 15-14-705. We may deny a request from an authorized agent that does not submit proper verification proof.

D.NOTICE TO CONNECTICUT RESIDENTS

To the extent any Connecticut data privacy law applies to the collection of your Personal Information, this supplemental section of our Privacy Notice outlines the individual rights guaranteed to Connecticut residents and how to exercise those rights and applies solely to Connecticut residents. We provide the supplemental section below to comply with the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ("CTDPA") and any terms defined in the CTDPA have the same meaning when used below

1.Your Rights under CTDPA

Subject to certain exceptions you may be entitled to the following rights:

- Disclose whether we are processing your Personal Information.

- Provide you with access to your Personal Information where we process it.

· Right to Correct Inaccurate Information. To the extent that we may maintain inaccurate Personal Information, you have the right to request that we correct such inaccurate Personal Information taking into account the nature of the Personal Information and the purposes of the processing of the Personal Information. Once we receive and verify your authenticated consumer request, we will use commercially reasonable efforts to correct your Personal Information.

· Sale of Personal Information, Targeted Advertising, Profiling, and the Right to Opt Out. You have the right to opt out of the processing of your Personal Information for the following purposes:

- Targeted advertising.

- Sale of your Personal Information.

- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

· Right to Non-Discrimination. You have a right to not be discriminated against in the Services or quality of Services you receive from us for exercising your rights. We will not discriminate against you for exercising any of your rights in this section including denying goods or Services, charging different prices or rates for goods or Services, or providing a different level of quality of goods and Services. However, we may offer a different price, rate, level, quality, or selection of goods or Services, including offering goods or services for no fee, if you have exercised your right to opt out or the offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

· Right to an Appeal. You have the right to appeal our denial of any request you make under this section. To exercise your right to appeal, please submit an appeals request to us by either:

- Emailing us at privacy@smarsh.com

- Calling us at 1-866-SMARSH-1

Within sixty (60) days of receipt of your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including a written explanation of the reasons for the decisions. If we deny your appeal, you may contact the Connecticut Office of the Attorney General by:

- Contacting Online: https://www.dir.ct.gov/ag/complaint/e-complaint.aspx?CheckJavaScript=1

- Calling: The Consumer Assistance Unit at 860-808-5420.

You may make an authenticated consumer request under the CTDPA once within a twelve (12) month period. To exercise the rights described above, see the Exercising Your Rights section below.

2.Authorized Agent

You may use an authorized agent to submit verifiable consumer requests on your behalf. An authorized agent is a natural person or a business entity that you have authorized to act on your behalf. If you use an authorized agent, we will require: (1) proof of written permission for the authorized agent to make requests on your behalf, including through technology means, and identity verification from you; or (2) proof of power of attorney. We may deny a request from an authorized agent that does not submit proper verification proof.

3.Additional Information

To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

E. NOTICE TO UTAH RESIDENTS

To the extent any Utah data privacy law applies to the collection of your Personal Information, this supplemental section of our Privacy Notice outlines the individual rights guaranteed to Utah residents and how to exercise those rights and applies solely to Utah residents. We provide the supplemental section below to comply with the Utah Consumer Privacy Act ("UCPA") and any terms defined in the UCPA have the same meaning when used below.

1.Your Rights under UCPA

Subject to certain exceptions you may be entitled to the following rights:

· Right to Access & Data Portability. You may have the right to request that we disclose certain information to you about our collection and use of your Personal Information at any time. Once we receive and confirm an authenticated consumer request from you, we will, subject to certain exceptions:

- Disclose whether we are processing your Personal Information.

- Provide you with access to your Personal Information where we process it.

· Right to Non-Discrimination. We will not discriminate against you for exercising any of your rights in this section including denying goods or Services, charging different prices or rates for goods or Services, or providing a different level of quality of goods and services.

· Sale of your Personal Information, Targeted Advertising, and Right to Opt Out. You have the right to opt out of the processing of your Personal Information for the following purposes:

- Targeted advertising.

- Sale of your Personal Information.

- Processing of sensitive Personal Information. Smarsh does not collect sensitive Personal Information in the normal course of operating the Website.

You may make an authenticated consumer request free of charge under the UCPA once within a twelve (12) month period. We reserve the right to charge a reasonable fee for a second or subsequent request within the same twelve (12) month period. To exercise the rights described above, see the Exercising Your Rights section below.

F. NOTICE TO INDIVIDUALS IN THE EUROPEAN ECONOMIC AREA AND THE UK

This section applies only to individuals using the Services from within the European Union (EU), the European Economic Area (EEA), and the UK, and only if we collect through the Services any information from you that is considered "Personal Data," as defined in the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

Personal Data includes any information relating to an identified or identifiable natural person, who could be identified either directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (which may include some or all your Information as defined in this Privacy Notice).

1.Identity and Contact Details of Controller

Unless otherwise stated, we are the Data Controller for the Personal Data we process under this Privacy Notice.

GLOBAL HEADQUARTERS

Email: privacy@smarsh.com

Call us: 1-866-SMARSH-1

Write us: Attn: Legal Data Subject Request

851 SW 6th Avenue - Portland, Oregon 97204

EEA & UK:

Email: privacy@smarsh.com

Call us: +44 (0) 20 3608 1209

Write us: Attn: Legal Data Subject Request

One Canada Square, Level 39 - London, E14 5AB

2. Your Data Protection Rights

To the extent the GDPR and Data Protection Act 2018 apply, and we hold your Personal Data in our capacity as a Data Controller as defined under those laws, you may request that we:

· Restrict the way that we process and share your Personal Data;

· Transfer your Personal Data to a third party;

· Provide you with access to your Personal Data;

· Remove your Personal Data if no longer necessary for the purposes collected;

· Update your Personal Data so it is correct and not out of date; and/or

· Object to our processing of your Personal Data.

You may also revoke your consent for processing of your Personal Data. If you wish to object to the use and processing of your Personal Data or withdraw consent to this Privacy Notice, you can contact us in the following ways:

Email: privacy@smarsh.com

SUBMIT A REQUEST THROUGH THIS WEB FORM - Here.

GLOBAL HEADQUARTERS

Call us: 1-866-SMARSH-1

Write us: Attn: Legal Data Subject Request

851 SW 6th Avenue - Portland, Oregon 97204

EEA & UK:

Call us: +44 (0) 20 3608 1209

Write us: Attn: Legal Data Subject Request

One Canada Square, Level 39 - London, E14 5AB

The requests above will be considered and responded to in the time period stated by applicable law. Note, certain Personal Data may be exempt from such requests. We may require additional Personal Data from you to confirm your identity in responding to such requests.

You have the right to lodge a complaint with the supervisory authorities applicable to you and your situation, although we invite you to contact us with any concern as we would be happy to try and resolve it directly. Please contact us at:

GLOBAL HEADQUARTERS

Email: privacy@smarsh.com

Call us: 1-866-SMARSH-1

Write us: Attn: Legal Data Subject Request

851 SW 6th Avenue - Portland, Oregon 97204

EEA & UK:

Email: privacy@smarsh.com

Call us: +44 (0) 20 3608 1209

Write us: Attn: Legal Data Subject Request

One Canada Square, Level 39 - London, E14 5AB

3. Lawful Basis for Processing Your Personal Data

Smarsh takes care to use your Personal Data carefully and in an appropriate way. Use of Personal Data under certain data protection laws, including GDPR, must be based on legal grounds. Smarsh uses or shares your Personal Data where:

1. Needed to comply with a legal obligation, including responding to a legal request for information, subpoena, warrant, or other request from a competent legal or regulatory authority.

2.You consented to such use. For example, if you provided consent to receive marketing material. You may withdraw your consent at any time as described below.

3.It’s necessary under a contract between you and Smarsh, or because something needed to be completed in order for you to enter into a contract with us (e.g., due diligence).

4.Its use is in accordance with our legitimate interests, such as legitimate business interests, to those interests not overriding your fundamental rights. For example, monitoring our Website, preventing illegal activities, or pursuant to a sale or merger (for the purposes of due diligence or to effect such sale or merger post-closing).

If we ask you to provide Personal Data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Data is mandatory or not (as well as of the possible consequences if you do not provide your Personal Data). If the processing of your Personal Data is based on your consent, the GDPR and Data Protection Act 2018 also allow users the right to access, revoke, or modify your consent at any time. Please see the Exercising Your Rights section, below on how to review or modify your consents

4. Consent to Transfer

We are operated in the United States, and we may use service providers based in the United States to operate our business and our relationship with you. Please be aware that information, including your Personal Data, that we collect will be transferred to, stored, and processed in the United States, a jurisdiction in which the privacy laws may not be as comprehensive as those in the country where you reside and/or are a citizen. We maintain measures to address the transfer of your Personal Data between our group companies and between us and our third-party providers in accordance with applicable data protection laws and regulations.

5. Retention

We will retain your Personal Data for as long as needed for the purposes described in this Privacy Notice. More specifically, the time we maintain your Personal Data depends on the following factors:

· Whether we need the Personal Data to provide the Services. We will maintain any data needed to provide you with the Services, such as contact information and payment or transaction information, for as long as needed for us to provide you with the Services, respond to your questions and requests, and/or administer your account (if applicable).

· Whether we need the Personal Data to comply with our legal obligations. We may have legal obligations to maintain your Personal Data where a legal or regulatory body may ask for it in the future, for example in response to a data subject request or complaint. This information may include contact information and location information.

· Whether we need the Personal Data for a legitimate business interest. We may store Personal Data like contact information, cookies, and location information in order to perform analytics, troubleshoot errors, or improve our Services. In any event, we delete the Personal Data when it is no longer needed for our legitimate interest.

Regardless of our reason for retaining your information, we delete all Personal Data in accordance with our routine record keeping policies.

EXERCISING YOUR RIGHTS

To exercise any of the rights described above, please submit a verifiable consumer request to us via the methods described below. The verifiable consumer request must:

· Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Information, or an authorized representative; and

· Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

To help protect your privacy and maintain security, if you request access to or deletion of your Information, we will take steps and may require you to provide certain information to verify your identity before granting you access to your Personal Information or complying with your request. In addition, if you ask us to provide you with specific pieces of Personal Information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose Information is the subject of the request. Only you or your authorized agent may make a verifiable consumer request related to your Personal Information. If you designate an authorized agent to make a request on your behalf, we may require you to provide the authorized agent written permission to do so and to verify your own identity directly with us (as described above). You may also make a verifiable consumer request on behalf of your minor child.

EMAIL: privacy@smarsh.com

SUBMIT A REQUEST THROUGH THIS WEB FORM - Here.

GLOBAL HEADQUARTERS

Call us: 1-866-SMARSH-1

Write us: Attn: Legal Data Subject Request

851 SW 6th Avenue - Portland, Oregon 97204

EEA & UK:

Call us: +44 (0) 20 3608 1209

Write us: Attn: Legal Data Subject Request

One Canada Square, Level 39 - London, E14 5AB

CHANGES TO THIS PRIVACY NOTICE

This Privacy Notice is subject to occasional revision, and if we make any substantial changes in the way we use your Personal Information, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material changes in the way we use your Personal Information in accordance with applicable data protection laws. Smarsh will investigate and attempt to resolve any complaints that you may have or any disputes regarding our privacy practices and provide you with information regarding the investigation and resolution of the complaint.

This Privacy Notice is effective as of the date set out at the top of this Privacy Notice.

HOW TO CONTACT US

If you have any questions about how your Personal Information is collected, stored, shared, or used, or if you have a disability and need to access this notice in another format, please contact us at:

EMAIL: privacy@smarsh.com

SUBMIT A REQUEST THROUGH THIS WEB FORM - Here.

GLOBAL HEADQUARTERS

Call us: 1-866-SMARSH-1

Write us: Attn: Legal Data Subject Request

851 SW 6th Avenue - Portland, Oregon 97204

EEA & UK:

Call us: +44 (0) 20 3608 1209

Write us: Attn: Legal Data Subject Request

One Canada Square, Level 39 - London, E14 5AB

Privacy Policy

SOLUTIONS BY ISSUE

SOLUTIONS BY ROLE

SOLUTIONS BY REGULATION

COMPANY

RESOURCES

SUPPORT

LEGAL

Contact Us