
 Privacy Policy 

Updated 17th June 2020

We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of Nicki Byrne Photography. The use of the Internet pages of Nicki Byrne Photography is possible without any indication of personal data; however, if a data subject wants to use special enterprise services via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.

The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to Nicki Byrne Photography. By means of this data protection declaration, our enterprise would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.

As the controller, Nicki Byrne Photography has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.

1. Definitions

The data protection declaration of Nicki Byrne Photography is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used.

In this data protection declaration, we use, inter alia, the following terms:

  • a) Personal data
    Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • b) Data subject
    Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
  • c) Processing
    Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • d) Restriction of processing
    Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
  • e) Profiling
    Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • f) Pseudonymisation
    Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • g) Controller or controller responsible for the processing
    Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • h) Processor
    Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • i) Recipient
    Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
  • j) Third party
    Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
  • k) Consent
    Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and Address of the controller

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

Nicki Byrne Photography

19 Birch drive

B75 6HY Birmingham

UK

Phone: 07850087754

Email: Nickibyrnephotography@outlook.com

Website: www.nickibyrnephotography.co.uk

3. Collection of general data and information

The website of Nicki Byrne Photography collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our information technology systems.

When using these general data and information, Nicki Byrne Photography does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, Nicki Byrne Photography analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

4. Comments function in the blog on the website

Nicki Byrne Photography offers users the possibility to leave individual comments on individual blog contributions on a blog, which is on the website of the controller. A blog is a web-based, publicly-accessible portal, through which one or more people called bloggers or web-bloggers may post articles or write down thoughts in so-called blogposts. Blogposts may usually be commented on by third parties.

If a data subject leaves a comment on the blog published on this website, the comments made by the data subject are also stored and published, as well as information on the date of the commentary and on the username (pseudonym) chosen by the data subject. In addition, the IP address assigned by the Internet service provider (ISP) to the data subject is also logged. This storage of the IP address takes place for security reasons, and in case the data subject violates the rights of third parties, or posts illegal content through a given comment. The storage of these personal data is, therefore, in the own interest of the data controller, so that he can exculpate himself in the event of an infringement. This collected personal data will not be passed to third parties, unless such a transfer is required by law or serves the aim of the defense of the data controller.

5. Routine erasure and blocking of personal data

The data controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject.

If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.

6. Rights of the data subject

  • a) Right of confirmation
    Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the controller.
  • b) Right of access
    Each data subject shall have the right granted by the European legislator to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
    • the existence of the right to lodge a complaint with a supervisory authority;
    • where the personal data are not collected from the data subject, any available information as to their source;
    • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
    Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
    If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller.
  • c) Right to rectification
    Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
    If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.
  • d) Right to erasure (Right to be forgotten)
    Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:
    • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
    • The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
    • The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
    • The personal data have been unlawfully processed.
    • The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
    • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
    If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by Nicki Byrne Photography, he or she may, at any time, contact any employee of the controller. An employee of Nicki Byrne Photography shall promptly ensure that the erasure request is complied with immediately.
    Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. An employee of Nicki Byrne Photography will arrange the necessary measures in individual cases.
  • e) Right of restriction of processing
    Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
    • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
    • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
    • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
    • The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
    If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by Nicki Byrne Photography, he or she may at any time contact any employee of the controller. The employee of Nicki Byrne Photography will arrange the restriction of the processing.
  • f) Right to data portability
    Each data subject shall have the right granted by the European legislator, to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
    Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
    In order to assert the right to data portability, the data subject may at any time contact any employee of Nicki Byrne Photography.
  • g) Right to object
    Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.
    Nicki Byrne Photography shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
    If Nicki Byrne Photography processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to Nicki Byrne Photography to the processing for direct marketing purposes, Nicki Byrne Photography will no longer process the personal data for these purposes.
    In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by Nicki Byrne Photography for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
    In order to exercise the right to object, the data subject may contact any employee of Nicki Byrne Photography. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
  • h) Automated individual decision-making, including profiling
    Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is not based on the data subject’s explicit consent.
    If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject’s explicit consent, Nicki Byrne Photography shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.
    If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact any employee of Nicki Byrne Photography.
  • i) Right to withdraw data protection consent
    Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time.
    If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, contact any employee of Nicki Byrne Photography.

7. Data protection provisions about the application and use of Facebook

On this website, the controller has integrated components of the enterprise Facebook. Facebook is a social network.

A social network is a place for social meetings on the Internet, an online community, which usually allows users to communicate with each other and interact in a virtual space. A social network may serve as a platform for the exchange of opinions and experiences, or enable the Internet community to provide personal or business-related information. Facebook allows social network users to create private profiles, upload photos, and network through friend requests.

The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. If a person lives outside of the United States or Canada, the controller is the Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

With each call-up to one of the individual pages of this Internet website, which is operated by the controller and into which a Facebook component (Facebook plug-ins) was integrated, the web browser on the information technology system of the data subject is automatically prompted by the Facebook component to download a display of the corresponding Facebook component from Facebook. An overview of all the Facebook Plug-ins may be accessed under https://developers.facebook.com/docs/plugins/. During the course of this technical procedure, Facebook is made aware of what specific sub-site of our website was visited by the data subject.

If the data subject is logged in at the same time on Facebook, Facebook detects with every call-up to our website by the data subject—and for the entire duration of their stay on our Internet site—which specific sub-site of our Internet page was visited by the data subject. This information is collected through the Facebook component and associated with the respective Facebook account of the data subject. If the data subject clicks on one of the Facebook buttons integrated into our website, e.g. the “Like” button, or if the data subject submits a comment, then Facebook matches this information with the personal Facebook user account of the data subject and stores the personal data.

Facebook always receives, through the Facebook component, information about a visit to our website by the data subject, whenever the data subject is logged in at the same time on Facebook during the time of the call-up to our website. This occurs regardless of whether the data subject clicks on the Facebook component or not. If such a transmission of information to Facebook is not desirable for the data subject, then he or she may prevent this by logging off from their Facebook account before a call-up to our website is made.

The data protection guideline published by Facebook, which is available at https://facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. In addition, it is explained there what setting options Facebook offers to protect the privacy of the data subject. In addition, different configuration options are made available to allow the elimination of data transmission to Facebook. These applications may be used by the data subject to eliminate a data transmission to Facebook.

8. Data protection provisions about the application and use of Instagram

On this website, the controller has integrated components of the service Instagram. Instagram is a service that may be qualified as an audiovisual platform, which allows users to share photos and videos, as well as disseminate such data in other social networks.

The operating company of the services offered by Instagram is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, UNITED STATES.

With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which an Instagram component (Insta button) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding Instagram component of Instagram. During the course of this technical procedure, Instagram becomes aware of what specific sub-page of our website was visited by the data subject.

If the data subject is logged in at the same time on Instagram, Instagram detects with every call-up to our website by the data subject—and for the entire duration of their stay on our Internet site—which specific sub-page of our Internet page was visited by the data subject. This information is collected through the Instagram component and is associated with the respective Instagram account of the data subject. If the data subject clicks on one of the Instagram buttons integrated on our website, then Instagram matches this information with the personal Instagram user account of the data subject and stores the personal data.

Instagram receives information via the Instagram component that the data subject has visited our website provided that the data subject is logged in at Instagram at the time of the call to our website. This occurs regardless of whether the person clicks on the Instagram button or not. If such a transmission of information to Instagram is not desirable for the data subject, then he or she can prevent this by logging off from their Instagram account before a call-up to our website is made.

Further information and the applicable data protection provisions of Instagram may be retrieved under https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy/.

9. Data protection provisions about the application and use of Twitter

On this website, the controller has integrated components of Twitter. Twitter is a multilingual, publicly-accessible microblogging service on which users may publish and spread so-called ‘tweets,’ i.e. short messages, which are limited to 140 characters. These short messages are available for everyone, including those who are not logged on to Twitter. The tweets are also displayed to so-called followers of the respective user. Followers are other Twitter users who follow a user’s tweets. Furthermore, Twitter allows you to address a wide audience via hashtags, links or retweets.

The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, UNITED STATES.

With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a Twitter component (Twitter button) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding Twitter component of Twitter. Further information about the Twitter buttons is available under https://about.twitter.com/de/resources/buttons. During the course of this technical procedure, Twitter gains knowledge of what specific sub-page of our website was visited by the data subject. The purpose of the integration of the Twitter component is a retransmission of the contents of this website to allow our users to introduce this web page to the digital world and increase our visitor numbers.

If the data subject is logged in at the same time on Twitter, Twitter detects with every call-up to our website by the data subject and for the entire duration of their stay on our Internet site which specific sub-page of our Internet page was visited by the data subject. This information is collected through the Twitter component and associated with the respective Twitter account of the data subject. If the data subject clicks on one of the Twitter buttons integrated on our website, then Twitter assigns this information to the personal Twitter user account of the data subject and stores the personal data.

Twitter receives information via the Twitter component that the data subject has visited our website, provided that the data subject is logged in on Twitter at the time of the call-up to our website. This occurs regardless of whether the person clicks on the Twitter component or not. If such a transmission of information to Twitter is not desirable for the data subject, then he or she may prevent this by logging off from their Twitter account before a call-up to our website is made.

The applicable data protection provisions of Twitter may be accessed under https://twitter.com/privacy?lang=en.

10. Payment Method:

Bank Transfer

Sum Up Card Reader – please see Sum Up’s privacy policy in Appendix 1

Data protection provisions about the use of PayPal as a payment processor

On this website, the controller has integrated components of PayPal. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which represent virtual private or business accounts. PayPal is also able to process virtual payments through credit cards when a user does not have a PayPal account. A PayPal account is managed via an e-mail address, which is why there are no classic account numbers. PayPal makes it possible to trigger online payments to third parties or to receive payments. PayPal also accepts trustee functions and offers buyer protection services.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If the data subject chooses “PayPal” as the payment option in the online shop during the ordering process, we automatically transmit the data of the data subject to PayPal. By selecting this payment option, the data subject agrees to the transfer of personal data required for payment processing.

The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, telephone number, mobile phone number, or other data necessary for payment processing. The processing of the purchase contract also requires such personal data, which are in connection with the respective order.

The transmission of the data is aimed at payment processing and fraud prevention. The controller will transfer personal data to PayPal, in particular, if a legitimate interest in the transmission is given. The personal data exchanged between PayPal and the controller for the processing of the data will be transmitted by PayPal to economic credit agencies. This transmission is intended for identity and creditworthiness checks.

PayPal will, if necessary, pass on personal data to affiliates and service providers or subcontractors to the extent that this is necessary to fulfill contractual obligations or for data to be processed in the order.

The data subject has the possibility to revoke consent for the handling of personal data at any time from PayPal. A revocation shall not have any effect on personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.

The applicable data protection provisions of PayPal may be retrieved under https://www.paypal.com/us/webapps/mpp/ua/privacy-full.

11. Legal basis for the processing

Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfilment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the above-mentioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).

12. The legitimate interests pursued by the controller or by a third party

Where the processing of personal data is based on Article 6(1) lit. f GDPR our legitimate interest is to carry out our business in favour of the well-being of all our employees and the shareholders.

13. Period for which the personal data will be stored

The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfilment of the contract or the initiation of a contract.

14. Provision of personal data as statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal data; possible consequences of failure to provide such data

We clarify that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual provisions (e.g. information on the contractual partner). Sometimes, in order to conclude a contract, it may be necessary for the data subject to provide us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with him or her. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded. Before personal data is provided by the data subject, the data subject must contact any employee. The employee clarifies to the data subject whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences of non-provision of the personal data.

15. Mailing Lists

Nicki Byrne Photography now offers a subscription to emails for special offers and important blog posts/newsletters. The mailing list is hosted and run by Mailchimp – please see Appendix 2 for Mailchimp’s privacy policy.

All information stored, i.e. names and email addresses, will not be passed over to third-party companies. Only email addresses of people who opt in to subscribe will be contacted. Contact will be made initially when someone subscribes, and then through a newsletter sent a maximum of once a week (explained when they subscribe). Everyone has the opportunity to subscribe and opt out at any point by changing their preference settings.

16. Existence of automated decision-making

As a responsible company, we do not use automatic decision-making or profiling.

This Privacy Policy has been generated by the Privacy Policy Generator of the External Data Protection Officers that was developed in cooperation with RC GmbH, which sells used notebooks and the Media Law Lawyers from WBS-LAW.

Appendix 1 – Privacy Policy for SumUp

Updated on March 18th 2018 to include GDPR requirements

Your privacy is very important to us. We, SumUp Payments Limited, 32 – 34 Great Marlborough St, W1F 7JB, London, UK, registered as a data controller with the Information Commissioner’s Office under registration number ZA265663, commit to only collecting information about you that is critical for offering and improving our products and services to you and to comply with all legal obligations.

This Privacy Policy applies to information we collect when you sign up for SumUp, when you access or use any of our websites, mobile applications and products, when you speak to our staff, or when you otherwise interact with us (collectively, the “Services”). This policy also applies to information we collect if you have not signed up for our Services, but if you are making payment transactions through our Services.

We may change this Privacy Policy from time to time by posting the updated version on our website. We advise you to review this page regularly to stay informed and to make sure that you are happy with any changes. If we make material changes to this Privacy Policy we will notify you by email or through posting a notification when you log into our website or when you open our mobile application.

In order to use our Services you must accept all terms of this Privacy Policy.

1. Collecting Information About You

1.1. When you register for a SumUp Account (“Account”) we collect personal information about you including your full name, address, date of birth, email address and telephone number. We also collect information about your business including your company name, legal form, business type, nature and purpose of your business, business address, business telephone number, the directors and ultimate beneficial owners.

1.2. In order to perform payouts to you based on the transactions that you perform we collect your bank account details.

1.3. For research surveys or marketing purposes we may from time to time collect other information when you register including your preferences and interests.

1.4. In order to verify your identity as required by applicable anti-money laundering laws and in order to prevent fraud we may collect information about you from third party agencies including, but not limited to your credit rating, financial history, court judgements, share capital, VAT number, company registration number, date of registration and board of directors.

1.5. When you use our Services we collect information relating to your transactions including time, location, transaction amount, payment method and cardholder details.

1.6. When you access our website or use any of our mobile applications we may automatically collect information including, but without limitation, your IP address, operating system, browser type, identifiers for your computer or mobile device, your visit date and time and your visit behaviour.

2. Processing Information About You

2.1. We use information collected about you in order to provide our Services and to deliver all relevant information to you including transaction receipts, payout reports, security alerts and support messages.

2.2. We also use information collected about you in order to improve and personalise our Services. For instance, we may enable features in our mobile applications specific to your business.

2.3. We may use information collected about you to communicate with you about news and updates to our Services and to inform you about any promotions, incentives and rewards offered by us and/or our partners, our SumUp Group partners, unless you choose to opt out of such communications.

You can choose to opt out of receiving such communications via the dashboard or by emailing your request to revoke this consent to DPO@sumup.com. We can continue to offer you the SumUp service without this additional service.

2.4. We may also use information collected about you through cookies and web beacons (see section 7 for more details) to track and analyse usage behaviour and any actions relevant for promotions, incentives and rewards in connection with our Services.

2.5. We may use information collected about you to protect our rights and to investigate and prevent fraud or other illegal activities and for any other purpose disclosed to you in connection with our Services.

3. Using Your Personal Information

3.1. We may share information collected about you with any member of our group of companies, including subsidiaries, our ultimate holding company and its subsidiaries. This data will be transferred in order to allow us to provide a full service to you, where other companies within our group perform components of the full service offering. These other services include customer support, anti money laundering, settlements and internal audit.

3.2. We may disclose information to the extent necessary with third parties who perform functions on our behalf in order to process payment transactions for you including fraud prevention and verification service providers, financial institutions, processors, payment card associations and other entities that are part of the payment and collections process.

3.3. We may also share information collected about you with third parties who we partner with for advertising campaigns, contests, special offers or other events or activities in connection with our Services, unless you choose to opt out of such communications.

3.4. We may disclose information collected about you with third parties in connection with any merger, sale of company shares or assets, financing, acquisition, divestiture, or dissolution of all or a portion of our business.

3.5. We may also disclose information collected about you if (i) disclosure is necessary to comply with any applicable law or regulation; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our Services; and (iv) to protect our rights.

3.6. In any case, we will always ensure that your information will only be processed in connection with the Services and in accordance with this Privacy Policy and applicable data protection legislation.

4. Transferring Information Internationally

4.1. We may transfer information collected about you to members of our group of companies and third parties acting on our behalf that may be located in countries outside of the European Economic Area (“EEA”) or countries deemed by the European Commission to have satisfactory data protection. These other countries may not offer the same level of protection for the information collected about you, although we will at all times continue to collect, store and use your information in accordance with this Privacy Policy and the General Data Protection Regulation (GDPR). SumUp will ensure they share data only with those organisations that satisfy an adequate level of data protection in line with applicable data protection legislation and that satisfactory contractual agreements are in place with any such parties.

5. Data Security

5.1. We are committed to ensuring that the information collected about you is secure. We take reasonable measures including administrative, technical and physical procedures to protect your information from loss, theft, misuse, unauthorised access, disclosure, alteration, and destruction. When you are logged into your account, all Internet communication is secured using Secure Socket Layer (“SSL”) technology with high security 128-bit encryption.

5.2. This high level of security can only be effective if you follow certain security practices yourself including never sharing your Account or login details with anyone. If you believe that any of your Account login details have been exposed, you can change your password at any time through our website or mobile application, but you should always also immediately contact customer service.

5.3. Transmission of information via the Internet is not completely secure. Therefore, we cannot guarantee the security of the transmission of your information to us. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security structures to prevent unauthorised access.

6. Cardholder Data Security

6.1. SumUp is responsible for the security of cardholder data which is processed, transmitted and stored within our systems. To this end, SumUp is certified as compliant under the Payment Card Industry Data Security Standard (PCI-DSS). SumUp applies best industry practice to safeguard this sensitive data and to ensure that it operates in line with these requirements, and to this end SumUp undergoes annual audits to ensure that we continue to meet this high standard.

6.2. SumUp is required to maintain all Transactional Data for AML purposes for a minimum period of 5 years after the relationship with you, our Customer, ends. We maintain your Cardholder customers’ information, in some instances name, email or telephone number which is used for receipt issuing purposes, in line with this legal requirement.

7. Retention

7.1. We are required by law to retain certain records of the information collected about you for a period of at least five (05) years after termination of your Account. Otherwise, we reserve the right to delete and destroy all of the information collected about you upon termination of your Account unless you request otherwise. If agreed we shall continue to store your information, for example your transaction history, which you may require for accounting purposes.

7.2. Notwithstanding the above, you have the right to request the deletion of your data. Depending on the services that have been undertaken by SumUp to enable the relationship to proceed, we may be required to hold certain data for five years from the date of request of deletion of data, for legal purposes. We cannot continue to provide the SumUp service to you if you request the deletion of your data.

7.3. You can request the deletion of your data via the dashboard or by emailing this request to DPO@sumup.com.

8. Cookies & Web Beacons

8.1. We use a number of cookies and web beacons within our website and applications. Cookies are small data files which are placed on your computer, mobile device or any other device as you browse our website or use any of our applications or web-based software. Web beacons are small graphic images or other web programming code which may be included in the website and any of our email messages.

8.2. We may use cookies and web beacons for the following purposes: (i) To personalise our Services to you as an individual and to tailor our Services to you based on the preferences you may choose; (ii) to facilitate the effective operation of our websites and applications; (iii) to track website traffic or application usage for statistical purposes and to monitor which pages or features users find useful or not; (iv) to identify you upon Account login and to assist you when resetting your password; (v) to assist in meeting our regulatory obligations, such as anti-money laundering and anti-fraud obligations, and prevent your Account from being hijacked; or (vi) to enable us to link to our group companies’ websites.

8.3. Some cookies may not be related to SumUp. When you visit a page on our website with content embedded from, for example, YouTube or Facebook, cookies may be stored on your computer from these websites. We do not control the dissemination of such third party cookies and you should check these third party websites for more information about these cookies and their privacy policy.

8.4. The cookies or web beacons will never enable us to access any other information about you on your computer, mobile device or any other device other than the information you choose to share with us.

8.5. Most web browsers automatically accept cookies but you may modify your browser settings to decline cookies. Rejecting cookies used by our website, mobile application or web-based software may prevent you from taking full advantage of them and may stop them from operating properly when you use them.

8.6. If you do not consent to our use of the cookies, you must disable the cookies by deleting them or changing your cookie settings on your computer, mobile device or other device or you must stop using the Services. Information on deleting or controlling cookies is available at www.aboutcookies.org.

9. Linking to Other Websites

If you access links on our website to third party websites which are not owned by SumUp please be aware that these websites have their own privacy policies. We do not accept any responsibility or liability for these privacy policies. You should check and review these privacy policies before you submit any information about you to these websites.

10. Your Right to Data Access and Privacy Choices

You have the right to request access to the personal data that we hold about you and you may always direct us not to perform any of the procedures of collecting, storing or sharing the information about you as described in this Privacy Policy. If you request that we no longer process your data, we will no longer be able to provide the SumUp service to you. You have the right to obtain from us:

  • Right to Access Your Data: You can ask us for a copy of your personal data and can ask for a copy of personal data you provided in machine readable format.
  • Object to, or Limit or Restrict, Use of Data: You can ask us to stop using all or some of your personal data or to limit our use of it.
  • Amend Data: You can request the correction or update of personal data that we hold about you.
  • Delete Data: You can ask us to erase or delete all or some of your personal data.
  • Data Portability: You have the right to transmit the data to another controller without hindrance from SumUp.

If you would like to request a copy of your personal data, or to amend, delete or update certain personal data or withdraw your consent to the processing of data from us, you can do so on the dashboard or alternatively contact us at DPO@sumup.com with your request.

If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. SumUp will cooperate fully with any such investigation and endeavor to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website:

http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

11. Revoking Consent

If you choose to withdraw your consent to our further processing as described in this Privacy Policy, please note that we may no longer be able to provide you with the services you have requested and may therefore terminate relevant agreements with you. In addition, we may be required to continue to hold your personal data to fulfill legal and regulatory obligations.

12. Governing Law

12.1. This Privacy Policy shall be governed by and construed under and in accordance with English Law.

12.2. The English language version of this Privacy Policy shall be binding. Any translation or other language version of this Privacy Policy shall be provided for convenience only. In the event of a conflict between the English version and any translation or other language version of this Privacy Policy, the English-language version shall prevail.

12.3. This Privacy Policy (including, if applicable, our Terms and Conditions) specify the entire agreement between you and us and supersede any and all prior agreements, terms, warranties and/or representations to the fullest extent permitted by the Law.

13. Contact

Feedback or questions regarding this Privacy Policy are welcomed and can be addressed to:

Email: DPO@sumup.com

Post: Data Protection Officer, SumUp Payments Limited, 32 – 34 Great Marlborough St, W1F 7JB, London, UK

Appendix 2 – Privacy policy for Mailchimp

Effective February 7, 2020

Mailchimp takes data privacy seriously. This privacy policy explains who we are, how we collect, share and use Personal Information, and how you can exercise your privacy rights.

We recommend that you read this privacy policy in full to ensure you are fully informed. However, to make it easier for you to review the parts of this privacy policy that apply to you, we have divided up the document into sections that are specifically applicable to Members (Section 2), Contacts (Section 3), and Visitors (Section 4). Sections 1 and 5 are applicable to everyone.

If you have any questions or concerns about our use of your Personal Information, then please contact us using the contact details provided at the end of Section 5.

To the extent we provide you with notice of different or additional privacy policies, those policies will govern such interactions.

1. The Basics

A. About Us

Mailchimp is an online marketing platform operated by The Rocket Science Group LLC, a company headquartered in the State of Georgia in the United States (“we,” “us,” “our,” and “Mailchimp”).

Our Service enables our Members to, among other things, send and manage email campaigns across channels, serve advertisements, and create Websites and Landing Pages. We also provide other related services, such as real-time data analytics and insights to help our Members track and personalize their marketing activities. Find out more about our Service here.

B. Key Terms

In this privacy policy, these terms have the following meanings:

“Mobile App(s)” means any one or all of the Mailchimp applications available for Members to use on their mobile devices.

“Contact” is a person a Member may contact through our Service. In other words, a Contact is anyone on a Member’s Distribution List or about whom a Member has given us information. For example, if you are a Member, a subscriber to your email marketing campaigns would be considered a Contact.

“Distribution List” is a list of Contacts a Member may upload or manage on our platform and all associated information related to those Contacts (for example, email addresses).

“Member” means any person or entity that is registered with us to use the Service.

“Personal Information” means any information that identifies or can be used to identify an individual directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or other demographic information.

“Service” has the meaning given to it in our Standard Terms of Use.

“Mailchimp Site(s)” has the meaning given to it in our Standard Terms of Use.

“Visitor” means, depending on the context, any person who visits any of our Mailchimp Sites, offices, or otherwise engages with us at our events or in connection with our marketing or recruitment activities.

“you” and “your” means, depending on the context, either a Member, a Contact, or a Visitor.

2. Privacy for Members

This section applies to the Personal Information we collect and process from a Member or potential Member through the provision of the Service. If you are not a Member, the Visitors or Contacts section of this policy may be more applicable to you and your data. In this section, “you” and “your” refer to Members and potential Members.

A. Information We Collect

The Personal Information that we collect depends on the context of your interactions with Mailchimp, your Mailchimp account settings, the products and features you use, your location, and applicable law. However, the Personal Information we collect broadly falls into the following categories:

(i) Information you provide to us: You (or your organization) may provide certain Personal Information to us when you sign up for a Mailchimp account and use the Service, consult with our customer service team, send us an email, integrate the Service with another website or service (for example, when you choose to connect your e-commerce account with Mailchimp), or communicate with us in any other way.

This information may include:

  • Business contact information (such as your name, job title, organization, location, phone number, email address, and country);
  • Marketing information (such as your contact preferences);
  • Account log-in credentials (such as your email address or username and password when you sign up for an account with us);
  • Troubleshooting and support data (which is data you provide or we otherwise collect in connection with support queries we receive from you. This may include contact or authentication data, the content of your chats and other communications with us, and the product or service you are using related to your help inquiry); and
  • Payment information (including your credit card numbers and associated identifiers and billing address).

(ii) Information we collect automatically: When you use the Service, we may automatically collect or receive certain information about your device and usage of the Service (collectively “Service Usage Data”). In some (but not all) countries, including countries in the European Economic Area (“EEA”), this information is considered Personal Information under applicable data protection laws. We use cookies and other tracking technologies to collect some of this information. If you are using our Mobile App, we may collect this information using our software development kits (“SDKs”) or APIs the first time the SDK or API is initiated on your Mobile App. For further information, please review the section below and our Cookie Statement available here.

Service Usage Data may include:

  • Device information: We collect information about the device and applications you use to access the Service, such as your IP address, your operating system, your browser ID, and other information about your system and connection. If you are using our Mobile App, we may also collect information about the cellular network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s name and unique device ID, and information about the features of our Mobile App that you accessed. 
  • Log data: Our web servers keep log files that record data each time a device accesses those servers and the nature of each access, including originating IP addresses and your activity in the Service (such as the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take (for example, which features you used)), device event information (such as system activity, error reports (sometimes called ‘crash dumps’)), and hardware settings. We may also access metadata and other information associated with files that you upload into our Service.
  • Usage data: We collect usage data about you whenever you interact with our Service, which may include the dates and times you access the Service and your browsing activities (such as what portions of the Service you used). We also collect information regarding the performance of the Service, including metrics related to the deliverability of emails and other communications you send through the Service. If you are using our Mobile App, we may collect information about how often you use the Mobile App and other performance data. This information allows us to improve the content and operation of the Service, and facilitate research and analysis of the Service.

(iii) Information we collect from other sources: From time to time, we may obtain information about you from third-party sources, such as public databases, social media platforms, third-party data providers, and our joint marketing partners.

Examples of the information we receive from other sources include demographic information (such as age and gender), device information (such as IP addresses), location (such as city and state), and online behavioral data (such as information about your use of social media websites, page view information and search results and links). We use this information, alone or in combination with other Personal Information we collect, to enhance our ability to provide relevant marketing and content to you and to develop and provide you with more relevant products, features, and service.

B. Use of Personal Information

We may use the Personal Information we collect or receive through the Service (alone or in combination with other data we source) for the purposes and on the legal bases identified below:

  • To bill and collect money owed to us by you to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in accordance with our legitimate interests to operate and administer our Service. This includes sending you emails, invoices, receipts, notices of delinquency, and alerting you if we need a different credit card number. We use third parties for secure credit card transaction processing, and those third parties collect billing information to process your orders and credit card payments. To learn more about the steps we take to safeguard that data, see the “Our Security” section of this privacy policy.
  • To send you system alert messages in reliance on our legitimate interests in administering the Service and providing certain features. For example, we may inform you about temporary or permanent changes to our Service, such as planned outages, or send you account, security or compliance notifications, such as new features, version updates, releases, abuse warnings, and changes to this privacy policy.
  • To communicate with you about your account and provide customer support to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in reliance on our legitimate interests in administering and supporting our Service. For example, if you use our Mobile Apps, we may ask you if you want to receive push notifications about activity in your account. If you have opted in to these push notifications and no longer want to receive them, you may turn them off through your operating system.
  • To enforce compliance with our Standard Terms of Use and applicable law, and to protect the rights and safety of our Members in reliance on our legitimate interest to protect against misuse or abuse of our Service and to pursue remedies available. This may include developing tools and algorithms that help us prevent violations. For example, sometimes we review the content our Members send or display to ensure it complies with our Standard Terms of Use. To improve that process, we have software that helps us find content that may violate our Standard Terms of Use. We may or our third-party service provider may also review content that our Members send or display. This benefits all Members who comply with our Standard Terms of Use because it reduces abuse and helps us maintain a reliable platform. Please do not use Mailchimp to send or display confidential information.
  • To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
  • To provide information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements in reliance on our legitimate interests.
  • To prosecute and defend a court, arbitration, or similar legal proceeding.
  • To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • To provide, support and improve the Service to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in reliance on our legitimate interests in administering and improving the Service and providing certain features. For example, this may include sharing your information with third parties in order to provide and support our Service or to make certain features of the Service available to you. When we share your Personal Information with third parties, we take steps to protect your information in a manner that is consistent with our obligations under applicable privacy laws. For further information about how we share your information, refer to Section 5 below.
  • To provide suggestions to you and to provide tailored features within our Service that optimize and personalize your experience in reliance on our legitimate interests in administering the Service and providing certain features. This includes adding features that compare Members’ email campaigns, using data to suggest other publishers your Contacts may be interested in, or using data to recommend products or services that you may be interested in or that may be relevant to you or your Contacts. Some of these suggestions are generated through analysis of the data used in our data analytics projects, as described below.
  • To perform data analytics projects in reliance on our legitimate business interests in improving and enhancing our products and services for our Members. Our data analytics projects use data from Mailchimp accounts, including Personal Information of Contacts, to provide and improve the Service. We use information like your sending habits and your Contacts’ purchase history, so we can make more informed predictions, decisions, and products for our Members. For example, we use data from Mailchimp accounts to enable product recommendation, audience segmentation, and predicted demographics features for our Members. If you or your Contact prefers not to have their data used for this purpose, you can alter the settings on your account (as described here) to opt out of data analytics projects, or your Contact can opt out of data analytics projects at any time by emailing us at personaldatarequests@mailchimp.com. As always, we take the privacy of Personal Information seriously, and will continue to implement appropriate safeguards to protect this Personal Information from misuse or unauthorized disclosure.
  • To personalize the Service, content and advertisements we serve to you in reliance on our legitimate interests in supporting our marketing activities and providing certain features within the Service. We may use your Personal Information to serve you specifically, such as to deliver marketing information, product recommendations and non-transactional communications (e.g., email, telemarketing calls, SMS, or push notifications) about us, in accordance with your marketing preferences and this privacy policy.

C. Third-Party Integrations

We may use the Personal Information we collect or receive through the Service, as a processor and as otherwise stated in this privacy policy, to enable your use of the integrations and plugins you choose to connect to your Mailchimp account. For instance, if you choose to connect a Google integration to your Mailchimp account, we’ll ask you to grant us permission to view and/or download, as applicable, your Google Sheets, Google Contacts, Google Analytics and Google Drive. This allows us to configure your Google integration(s) in accordance with your preferences. For example, if you wanted to use the Google Contacts integration to share the templates in your Mailchimp account with contacts in your Google address book, we would need to access your Google Contacts to share your templates.

D. Cookies and Tracking Technologies

We and our third-party partners may use various technologies to collect and store Service Usage Data when you use our Service (as discussed above), and this may include using cookies and similar tracking technologies, such as pixels, web beacons, and if you use our Mobile Apps, through our SDKs deployed on your mobile device. For example, we use web beacons in the emails we send on your behalf, which enable us to track certain behavior, such as whether the email sent through the Service was delivered and opened and whether links within the email were clicked. Both web beacons and SDKs allow us to collect information such as the recipient’s IP address, browser, email client type and other similar data as further described above. We use this information to measure the performance of your email campaigns, to provide analytics information, enhance the effectiveness of our Service, and for other purposes described above. Reports are also available to us when we send email to you, so we may collect and review that information.

Our use of cookies and other tracking technologies is discussed in more detail in our Cookie Statement available here.

E. Member Distribution Lists

In order to send an email campaign or use certain features in your account, you need to upload a Distribution List that provides us information about your Contacts, such as their names and email addresses. We use and process this information to provide the Service in accordance with our contract with you or your organization and this privacy policy.

A Distribution List can be created in a number of ways, including by importing Contacts, such as through a CSV or directly from your email client. We do not, under any circumstances, sell your Distribution Lists. If someone on your Distribution List complains or contacts us, we might then contact that person. You may export (download) your Distribution Lists from Mailchimp by accessing the “Audience” tab from within your account.

If we detect abusive or illegal behavior related to your Distribution List, we may share your Distribution List or portions of it with affected ISPs or anti-spam organizations to the extent permitted or required by applicable law.

If a Contact chooses to use the Forward to a Friend (FTF) link in an email campaign a Member sends, it will allow the Contact to share the Member’s email content with individuals not on the Member’s Distribution List. When a Contact forwards an email to a friend, we do not store the Contact’s email address or their friend’s email address, and no one is added to any Distribution List as a result of the FTF link. The Member who created the email campaign only sees an aggregate number of times their email campaign was forwarded by a Contact and does not have access to the email addresses used to share or receive that forwarded content.

F. Your Data Protection Rights

Depending on the country in which you reside, you may have the following data protection rights:

  • To access; correct; update; port; delete; restrict; or object to our processing of your Personal Information.
  • You can manage your individual account and profile settings within the dashboard provided through the Mailchimp platform, or you may contact us directly by emailing us at personaldatarequests@mailchimp.com. You can also manage information about your Contacts within the dashboard provided through the Mailchimp platform to assist you with responding to requests to access, correct, update, port or delete information that you receive from your Contacts. Note, if any of your Contacts wish to exercise any of these rights, they should contact you directly, or contact us as described in the “Privacy for Contacts” section below. You can also contact us at any time to update your own marketing preferences (see Section 5. General Information, C. Your Choices and Opt-Outs below). Mailchimp takes reasonable steps to ensure that the data we collect is reliable for its intended use, accurate, complete and up to date.
  • The right to complain to a data protection authority about the collection and use of Personal Information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA and UK are available here, and those for Switzerland are available here.
  • Similarly, if Personal Information is collected or processed on the basis of consent, the data subject can withdraw their consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on lawful processing grounds other than consent. If you receive these requests from Contacts, you can segment your lists within the Mailchimp platform to ensure that you only market to Contacts who have not opted out of receiving such marketing.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection law. We may ask you to verify your identity in order to help us respond efficiently to your request. If we receive a request from one of your Contacts, we will either direct the Contact to reach out to you, or, if appropriate, we may respond directly to their request.

3. Privacy for Contacts

This section applies to the information we process about our Members’ Contacts as a data controller. Our Service is intended for use by our Members. As a result, for much of the Personal Information we collect and process about Contacts through the Service, we act as a processor on behalf of our Members. Mailchimp is not responsible for the privacy or security practices of our Members, which may differ from those set forth in this privacy policy. Please check with individual Members about the policies they have in place. For purposes of this section, “you” and “your” refer to Contacts.

A. Information We Collect

The Personal Information that we may collect or receive about you broadly falls into the following categories:

(i) Information we receive about Contacts from our Members: A Member may provide Personal Information about you to us through the Service. When a Member uploads their Distribution List or integrates the Service with another website or service (for example, when a Member chooses to connect their e-commerce account with Mailchimp), or when you sign up for a Member’s Distribution List on a Mailchimp or other signup form, the Member may provide us with certain contact information or other Personal Information about you such as your name, email address, address, or telephone number. You may have the opportunity to update some of this information by electing to update or manage your preferences via an email you receive from a Member.

(ii) Information we collect automatically: When you interact with an email campaign that you receive from a Member or browse or purchase from a Member’s connected store, we may collect information about your device and interaction with an email. We use cookies and other tracking technologies to collect some of this information. Our use of cookies and other tracking technologies is discussed more below and in more detail in our Cookie Statement available here.

  • Device information: We collect information about the device and applications you use to access emails sent through our Service, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
  • Usage data: It is important for us to ensure the security and reliability of the Service we provide. Therefore, we also collect usage data about your interactions with campaigns (and/or emails) sent through the Service, which may include dates and times you access campaigns (and/or emails) and your browsing activities (such as what pages are viewed and which emails are opened). This information also allows us to ensure compliance with our Standard Terms of Use and Acceptable Use Policy, to monitor and prevent service abuse, and to ensure we attain certain usage standards and metrics in relation to our Service. We also collect information regarding the performance of the Service, including metrics related to the deliverability of emails and other electronic communications that our Members send through the Service. This information allows us to improve the content and operation of the Service and facilitate research and perform analysis into the use and performance of the Service.

(iii) Information we collect from other sources: From time to time, we may obtain information about you from third-party sources, such as social media platforms, and third-party data providers.

B. Use of Personal Information

We may use the Personal Information we collect or receive about you in reliance on our (and where applicable, our Members’) legitimate interests for the following purposes:

  • To enforce compliance with our Standard Terms of Use and applicable law. This may include utilizing usage data and developing tools and algorithms that help us prevent violations.
  • To protect the rights and safety of Members, third parties, or Mailchimp. For example, sometimes we review the content of our Members’ email campaigns to make sure they comply with our Standard Terms of Use. To improve that process, we have software that helps us find email campaigns that may violate our Standard Terms of Use. We, or our third-party service provider, may review those particular email campaigns, which may include your contact information. This reduces the amount of spam being sent through our servers and helps us maintain high deliverability.
  • To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
  • To provide information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements.
  • To prosecute and defend a court, arbitration, or similar legal proceeding.
  • To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • To provide, support and improve the Service. For example, this may include sharing your information with third parties in order to provide and support our Service or to make certain features of the Service available to our Members. When we share Personal Information with third parties, we take steps to protect your information in a manner that is consistent with applicable privacy laws. For further information about how we share information, refer to Section 5 below.
  • To perform data analytics projects. Our data analytics projects use data from Mailchimp accounts, including your Personal Information, to provide and improve the Service. We use information, like your purchase history, provided to us by Members, so we can make more informed predictions, decisions, and products for our Members. For example, we use data from Mailchimp accounts to enable product recommendation, audience segmentation, and predicted demographics features for our Members. If you prefer your data not to be used in this manner, you can opt out of data analytics projects at any time by completing this form or emailing us at personaldatarequests@mailchimp.com.
  • To carry out other business purposes. To carry out other legitimate business purposes, as well as other lawful purposes about which we will notify you.

C. Cookies and Tracking Technologies

We and our third-party partners may use various technologies to automatically collect and store certain device and usage information (as discussed above) when you interact with a Member’s email campaign or connected store, and this may include using cookies and similar tracking technologies, such as pixels and web beacons. If a Member is using our Mobile App, we may collect this information through our SDKs deployed on the Member’s mobile device. For example, we use web beacons in the emails we send on behalf of our Members. When you receive and engage with a Member’s campaign, web beacons track certain behavior such as whether the email sent through the Mailchimp platform was delivered and opened and whether links within the email were clicked. Both web beacons and SDKs allow us to collect information such as your IP address, browser, email client type, and other similar data as further described above. We use this information to measure the performance of our Members’ email campaigns, and to provide analytics information and enhance the effectiveness of our Service, and for the other purposes described above.

Our use of cookies and other tracking technologies is discussed in more detail in our Cookie Statement available here.

D. Your Data Protection Rights

Depending on the country in which you reside, you may have the following data protection rights:

  • To access; correct; update; port; delete; restrict or object to our processing of your Personal Information.
  • For more information about how you can exercise these rights, please see our Data Subject Requests form. You also have the right to complain to a data protection authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA are available here.

As described above, for much of the Personal Information we collect and process about Contacts through the Service, we act as a processor on behalf of our Members. In such cases, if you are a Contact and want to exercise any data protection rights that may be available to you under applicable law or have questions or concerns about how your Personal Information is handled by Mailchimp as a processor on behalf of our individual Members, you should contact the relevant Member that is using the Mailchimp Service, and refer to their separate privacy policies.

If you no longer want to be contacted by one of our Members through our Service, please unsubscribe directly from that Member’s newsletter or contact the Member directly to update or delete your data. If you contact us directly, we may either forward your request to the relevant Member or provide you with the identity of the Member to enable you to contact them directly.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.

4. Privacy for Visitors

This section applies to Personal Information that we collect and process when you visit the Mailchimp Sites, and in the usual course of our business, such as in connection with our recruitment, events, sales and marketing activities or when you visit our offices. In this section, “you” and “your” refer to Visitors.

A. Information We Collect

(i) Information you provide to us on the Mailchimp Sites or otherwise: Our Mailchimp Sites offer various ways to contact us, such as through form submissions, email or phone, to inquire about our company and Service. For example, we may ask you to provide certain Personal Information when you express an interest in obtaining information about us or our Service, take part in surveys, subscribe to marketing, apply for a role with Mailchimp, or otherwise contact us. We may also collect Personal Information from you in person when you attend our events or trade shows, if you visit our offices (where you will be required to register as a visitor and provide us with certain information that may also be shared with our service providers) or via a phone call with one of our sales representatives. You may choose to provide additional information when you communicate with us or otherwise interact with us, and we may keep copies of any such communications for our records.

The Personal Information we collect may include:

  • Business contact information (such as your name, phone number, email address and country);
  • Professional information (such as your job title, institution or company);
  • Nature of your communication;
  • Marketing information (such as your contact preferences); and
  • Any information you choose to provide to us when completing any ‘free text’ boxes in our forms.

(ii) Information we collect automatically through the Mailchimp Sites: When you visit our Mailchimp Sites or interact with our emails, we use cookies and similar technologies such as pixels or web beacons, alone or in conjunction with cookies, to collect certain information automatically from your browser or device. In some countries, including countries in the EEA, this information may be considered Personal Information under applicable data protection laws. Our use of cookies and other tracking technologies is discussed more below, and in more detail in our Cookie Statement available here.

The information we collect automatically includes:

  • Device information: such as your IP address, your browser, device information, unique device identifiers, mobile network information, request information (speed, frequency, the site from which you linked to us (“referring page”), the name of the website you choose to visit immediately after ours (called “exit page”), information about other websites you have recently visited and the web browser you used (software used to browse the internet) including its type and language).
  • Usage data: such as information about how you interact with our emails, Mailchimp Sites, and other websites (such as the pages and files viewed, searches, operating system and system configuration information and date/time stamps associated with your usage).

B. Use of Personal Information

We may use the information we collect through our Mailchimp Sites and in connection with our events and marketing activities (alone or in combination with other data we collect) for a range of reasons in reliance on our legitimate interests, including:

  • To provide, operate, optimize, and maintain the Mailchimp Sites.
  • To send you marketing information, product recommendations and non-transactional communications (e.g., email, telemarketing calls, SMS, or push notifications) about us, in accordance with your marketing preferences, including information about our products, services, promotions or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent.
  • For recruitment purposes if you have applied for a role with Mailchimp.
  • To respond to your online inquiries and requests, and to provide you with information and access to resources or services that you have requested from us.
  • To manage the Mailchimp Sites and system administration and security.
  • To manage event registrations and attendance, including sending related communications to you.
  • To register visitors to our offices for security reasons and to manage non-disclosure agreements that visitors may be required to sign.
  • To improve the navigation and content of the Mailchimp Sites.
  • To identify any server problems or other IT or network issues.
  • To process transactions and to set up online accounts.
  • To compile aggregated statistics about site usage and to better understand the preferences of our Visitors.
  • To help us provide, improve and personalize our marketing activities.
  • To facilitate the security and continued proper functioning of the Mailchimp Sites.
  • To carry out research and development to improve our Mailchimp Sites, products and services.
  • To conduct marketing research, advertise to you, provide personalized information about us on and off our Mailchimp Sites, and to provide other personalized content based on your activities and interests to the extent necessary for our legitimate interests in supporting our marketing activities or advertising our Service or instances where we seek your consent.
  • To carry out other legitimate business purposes, as well as other lawful purposes, such as data analysis, fraud monitoring and prevention, identifying usage trends and expanding our business activities in reliance on our legitimate interests.
  • To cooperate with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of Personal Information to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our Mailchimp Sites and Service, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or responding to lawful requests.

C. Public Information and Third-Party Websites

  • Blog. We have public blogs on the Mailchimp Sites. Any information you include in a comment on our blog may be read, collected, and used by anyone. If your Personal Information appears on our blogs and you want it removed, contact us here. If we are unable to remove your information, we will tell you why.
  • Social media platforms and widgets. The Mailchimp Sites include social media features, such as the Facebook Like button. These features may collect information about your IP address and which page you are visiting on our Mailchimp Site, and they may set a cookie to make sure the feature functions properly. Social media features and widgets are either hosted by a third party or hosted directly on our Mailchimp Site. We also maintain presences on social media platforms, including Facebook, Twitter, and Instagram. Any information, communications, or materials you submit to us via a social media platform is done at your own risk without any expectation of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.
  • Links to third-party websites. The Mailchimp Sites include links to other websites, whose privacy practices may be different from ours. If you submit Personal Information to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.
  • Contests and sweepstakes. We may, from time to time, offer surveys, contests, sweepstakes, or other promotions on the Mailchimp Sites or through social media (collectively, “Promotions”). Participation in our Promotions is completely voluntary. Information requested for entry may include Personal Information such as your name, address, date of birth, phone number, email address, username, and similar details. We use the information you provide to administer our Promotions. We may also, unless prohibited by the Promotion’s rules or law, use the information provided to communicate with you, or other people you select, about our Service. We may share this information with our affiliates and other organizations or service providers in line with this privacy policy and the rules posted for our Promotions.

D. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and use Personal Information about you, including to serve interest-based advertising. For further information about the types of cookies and tracking technologies we use, why, and how you can control them, please see our Cookie Statement available here.

E. Other Data Protection Rights

Depending on the country in which you reside, you may have the following data protection rights:

  • To access; correct; update; port; delete; restrict or object to our processing of your Personal Information. You can exercise these rights by emailing personaldatarequests@mailchimp.com.
  • You may also have the right to complain to a data protection authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA are available here.
  • Similarly, if we have collected and processed your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on lawful processing grounds other than consent. You can also contact us at any time to update your marketing preferences (see Section 5. General Information, C. Your Choices and Opt-Outs below).

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.

5. General Information

A. How We Share Information

We may share and disclose your Personal Information to the following types of third parties for the purposes described in this privacy policy (for purposes of this section, “you” and “your” refer to Members, Contacts, and Visitors unless otherwise indicated):

(i) Our service providers: Sometimes, we share your information with our third-party service providers working on our behalf for the purposes described in this privacy policy. For example, companies we’ve hired to help us provide and support our Service or assist in protecting and securing our systems and services and other business-related functions.

Other examples include analyzing data, hosting data, engaging technical support for our Service, processing payments, and delivering content.

We use YouTube’s API services in connection with our Service to provide certain features. As such, you acknowledge and agree that by signing up for an account and using the Service, you are also bound by Google’s Privacy Policy. In addition to the rights set forth in Section 2, you may manage your YouTube API data by visiting Google’s security settings page at https://security.google.com/settings/security/permissions.

In connection with our Service, we also use a third-party service provider, Twilio, Inc. We use Twilio’s API, which allows us to build features into our Mailchimp application to enable us to communicate with our Members through texting and calling, and their “Authy” product, which we use for two-factor authentication for our application. If you are a Member, Twilio may need to collect and process certain Personal Information about you as a controller to provide such services. To learn more about Twilio’s privacy practices, please visit https://www.twilio.com/legal/privacy.

(ii) Advertising partners: We may partner with third-party advertising networks, exchanges, and social media platforms (like Facebook) to display advertising on the Mailchimp Sites or to manage and serve our advertising on other sites, and we may share Personal Information of Members and Visitors with them for this purpose. We and our third-party partners may use cookies and other similar tracking technologies, such as pixels and web beacons, to gather information about your activities on the Mailchimp Sites and other sites in order to provide you with targeted advertising based on your browsing activities and interests. For more information, please see our Cookie Statement available here.

(iii) Any competent law enforcement body, regulatory body, government agency, court or other third party where we believe disclosure is necessary (a) as a matter of applicable law or regulation, (b) to exercise, establish, or defend our legal rights, or (c) to protect your vital interests or those of any other person.

(iv) A potential buyer (and its agents and advisors) in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition. In that event, any acquirer will be subject to our obligations under this privacy policy, including your rights to access and choice. We will notify you of the change either by sending you an email or posting a notice on our Mailchimp Site.

(v) Any other person with your consent.

B. Legal Basis for Processing Personal Information (EEA and UK Persons Only)

If you are located in the EEA or UK, our legal basis for collecting and using the Personal Information described above will depend on the Personal Information concerned and the specific context in which we collect it.

However, we will normally collect and use Personal Information from you where the processing is in our legitimate interests and not overridden by your data-protection interests or fundamental rights and freedoms. Our legitimate interests are described in more detail in this privacy policy in the sections above titled “Use of Personal Information”, but they typically include improving, maintaining, providing, and enhancing our technology, products, and services; ensuring the security of the Service and our Mailchimp Sites; and supporting our marketing activities.

If you are a Member, we may need the Personal Information to perform a contract with you. In some limited cases, we may also have a legal obligation to collect Personal Information from you. If we ask you to provide Personal Information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Information is mandatory or not, as well as of the possible consequences if you do not provide your Personal Information.

Where required by law, we will collect Personal Information only where we have your consent to do so.

If you have questions or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us using the contact details provided in the “Questions and Concerns” section below.

C. Your Choices and Opt-Outs

Members and Visitors who have opted in to our marketing emails can opt out of receiving marketing emails from us at any time by clicking the “unsubscribe” link at the bottom of our marketing messages.

Also, all opt-out requests can be made by emailing us using the contact details provided in the “Questions and Concerns” section below. Please note that some communications (such as service messages, account notifications, billing information) are considered transactional and necessary for account management, and Members cannot opt out of these messages unless they cancel their Mailchimp account.

D. Our Security

We take appropriate and reasonable technical and organizational measures designed to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information. For further information about our security practices, please see our Security page available here. If you have any questions about the security of your Personal Information, you may contact us at privacy@mailchimp.com.

Mailchimp accounts require a username and password to log in. Members must keep their username and password secure, and never disclose them to a third party. Because the information in a Member’s Mailchimp account is private, account passwords are hashed, which means we cannot see a Member’s password. We cannot resend forgotten passwords either. We will only provide Members with instructions on how to reset them.

E. International Transfers

(i) We operate in the United States

Our servers and offices are located in the United States, so your information may be transferred to, stored, or processed in the United States. While the data protection, privacy, and other laws of the United States might not be as comprehensive as those in your country, we take many steps to protect your privacy, including offering our Members a Data Processing Agreement available here.

(ii) Data transfers from Switzerland, United Kingdom, or the EEA to the United States

Mailchimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all Personal Information received from EEA member countries, United Kingdom, and Switzerland, respectively, in reliance on each Privacy Shield Framework, to each Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield website available here.

A list of Privacy Shield participants is maintained by the Department of Commerce and is available here.

Mailchimp is responsible for the processing of Personal Information we receive under each Privacy Shield Framework and subsequently transfer to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of Personal Information from the EEA, United Kingdom, and Switzerland, including the onward transfer liability provisions.

With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge to you) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield website, here, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Members located in Switzerland, United Kingdom, and the EEA are subject to our Data Processing Addendum available here, as described in our Standard Terms of Use.

(iii) Members, Contacts and Visitors located in Australia

If you are a Member, Contact or Visitor who accesses our Service in Australia, this section applies to you. We are subject to the operation of the Privacy Act 1988 (“Australian Privacy Act”). Here are the specific points you should be aware of:

  • As stated in our Acceptable Use Policy available here, sensitive personal information is not permitted on Mailchimp’s platform and Members are prohibited from importing or incorporating any sensitive personal information into their Mailchimp accounts or uploading any sensitive personal information to Mailchimp’s servers.
  • Please note that if you do not provide us with your Personal Information or if you withdraw your consent for us to collect, use and disclose your Personal Information, we may be unable to provide the Service to you.
  • Where we collect Personal Information of our Visitors, the Personal Information we ask you to provide will be information that is reasonably necessary for, or directly related to, one or more of our functions or activities. Please see Section 4 of this privacy policy for examples of the types of Personal Information we may ask Visitors to provide.
  • Where we say we assume an obligation about Personal Information, we will also require our contractors and subcontractors to undertake a similar obligation.
  • We will not use or disclose Personal Information for the purpose of our direct marketing to you unless:
    • you have consented to receive direct marketing;
    • you would reasonably expect us to use your personal details for marketing; or
    • we believe you may be interested in the material but it is impractical for us to obtain your consent.

You may opt out of any marketing materials we send to you through an unsubscribe mechanism. If you have requested not to receive further direct marketing messages, we may continue to provide you with messages that are not regarded as “direct marketing” under the Australian Privacy Act, including changes to our terms, system alerts, and other information related to your account as permitted under the Australian Privacy Act and the Spam Act 2003 (Cth).

  • Our servers are located in the United States. In addition, we or our subcontractors may use cloud technology to store or process Personal Information, which may result in storage of data outside Australia. It is not practicable for us to specify in advance which country will have jurisdiction over this type of offshore activity. All of our subcontractors, however, are required to comply with the Australian Privacy Act in relation to the transfer or storage of Personal Information overseas.
  • We may also share your Personal Information outside of Australia to our business operations in other countries. While it is not practicable for us to specify in advance each country where your Personal Information may be disclosed, typically we may disclose your Personal Information to the United States, Canada and the European Union.
  • You may access the Personal Information we hold about you. If you wish to access your Personal Information, please contact us directly by emailing us at personaldatarequests@mailchimp.com. We will respond to all requests for access within a reasonable time.

If you think the information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, we will take reasonable steps, consistent with our obligations under the Australian Privacy Act, to correct that information upon your request. If you find that the information we have is not up to date or is inaccurate or incomplete, please contact us in writing at dpo@mailchimp.com, so we can update our records. We will respond to all requests for correction within a reasonable time.

  • If you are unsatisfied with our response to a privacy matter, you may consult either an independent advisor or contact the Office of the Australian Information Commissioner for additional help. We will provide our full cooperation if you pursue this course of action.

F. Retention of Data

We retain Personal Information where we have an ongoing legitimate business or legal need to do so. Our retention periods will vary depending on the type of data involved, but, generally, we’ll refer to these criteria in order to determine the retention period:

  • Whether we have a legal or contractual need to retain the data.
  • Whether the data is necessary to provide our Service.
  • Whether our Members have the ability to access and delete the data within their Mailchimp accounts.
  • Whether our Members would reasonably expect that we would retain the data until they remove it or until their Mailchimp accounts are closed or terminated.

When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Information has been stored in backup archives), then we will securely store your Personal Information and isolate it from any further processing until deletion is possible.

G. California Privacy

The California Consumer Privacy Act (“CCPA”) provides consumers with specific rights regarding their Personal Information. You have the right to request that businesses subject to the CCPA (which may include our Members with whom you have a relationship) disclose certain information to you about their collection and use of your Personal Information over the past 12 months. In addition, you have the right to ask such businesses to delete Personal Information collected from you, subject to certain exceptions. If the business sells Personal Information, you have a right to opt-out of that sale. Finally, a business cannot discriminate against you for exercising a CCPA right.

When offering services to its Members, Mailchimp acts as a “service provider” under the CCPA and our receipt and collection of any consumer Personal Information is completed on behalf of our Members in order for us to provide the Service. Please direct any requests for access or deletion of your Personal Information under the CCPA to the Member with whom you have a direct relationship.

Consistent with California law, if you choose to exercise your applicable CCPA rights, we won’t charge you different prices or provide you a different quality of services. If we ever offer a financial incentive or product enhancement that is contingent upon you providing your Personal Information, we will not do so unless the benefits to you are reasonably related to the value of the Personal Information that you provide to us.

H. Do Not Track

Certain state laws require us to indicate whether we honor “Do Not Track” settings in your browser. Mailchimp adheres to the standards set out in this Privacy Policy and does not monitor or follow any Do Not Track browser requests.

I. Changes to this Policy

We may change this privacy policy at any time and from time to time. The most recent version of the privacy policy is reflected by the version date located at the top of this privacy policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including, but not limited to, by posting a revised version of this privacy policy or other notice on the Mailchimp Sites. We encourage you to review this privacy policy often to stay informed of changes that may affect you. Our electronically or otherwise properly stored copies of this privacy policy are each deemed to be the true, complete, valid, authentic, and enforceable copy of the version of this privacy policy that was in effect on each respective date you visited the Mailchimp Site.

J. Questions & Concerns

If you have any questions or comments, or if you have a concern about the way in which we have handled any privacy matter, please use our contact form to send us a message. You may also contact us by postal mail or email at:

For EEA, Swiss and UK Residents:

For the purposes of EU data protection legislation, The Rocket Science Group LLC d/b/a Mailchimp is the controller of your Personal Information. Our Data Protection Officer can be contacted at dpo@mailchimp.com.

For any other Residents:

The Rocket Science Group LLC d/b/a Mailchimp

Attn. Privacy Officer

privacy@mailchimp.com

675 Ponce de Leon Ave NE, Suite 5000

Atlanta, GA 30308 USA