Embark POPI Policy

At Embark PTY Ltd we value and respect your privacy and would like to assure youthat we are committed to keeping your personal information secure and confidential.With the Protection of Personal Information Act (POPIA) having come intofull effect on 1 July 2021, we would like to draw your attention to ourupdated Privacy Policy that outlines how we are collecting, storing andusing your personal information on our systems. What is POPIA?POPIA is South Africa’s equivalent of the EU GDPR and is intended toprotect your personal information and privacy. With most organisationsnowadays collecting personally identifiable data to run their businesses, itis important that the way this data is being processed is regulated by agoverning body. At Embark PTY Ltd we fully support POPIA and the need for theconditions set out therein. All the information that is obtained or held on behalf by Embark PTY Ltd can be requested to be deleted. If a customer would like this to be done, an email for this request can be sent to accounts@embark.co.za or steve@embark.co.za. A confirmation email will be sent in return once the data has been deleted from the following third party systems: Embark registration database: www.typeform.comEmbark accounting system for invoicing: www.xero.comEmbark online payments: www.payfast.co.zaEmbark website and online shop: www.shopify.comEmbark communication through WhatsApp: www.whatsapp.comEmbark online programs: www.trainingpeaks.com If in an unlikely situation where the Embark PTY Ltd database has been breached, we will immediately contact the parties involved and will inform them of the situation. Because Embark PTY Ltd uses all the above third party companies and pay for their services the majority of the liability will sit with the above third party companies. Embark Registration data base.

By registering on the embark website, your information will be stored and protected through the Typeform.com (A Third-Party Company). Embark uses this data in case of emergencies and in means to contact to contact the customer for the first time.

Typeform | Privacy Policy

Your privacy is important to us

Effective Date: June 15, 2019. In case of new sign ups or first use of the Site, May 22, 2019.

General

1.1 This Privacy Policy describes how TYPEFORM SL (the “Company”, “we”, or “us”) collects, uses, stores, shares and protects your personal information in connection with your use of both the platform accessible through the www.typeform.com domain name (the “Site”) and the services we may offer through the Site from time to time, consisting in ‘typeform’ forms and other services (indistinctly referred to as the “Services”).

California Residents: If you reside in the State of California in the United States, please click here and refer to the ‘CCPA Notice’ section for additional California-specific privacy disclosures that address the collection, use, disclosure and other processing of personal information that supplement this Privacy Policy and may fall outside its scope.

Scope of this policy

Respondents

2.1 If you are a respondent, please note that we are not the entity responsible for the processing of data, but a mere provider rendering services to the person or company that sent you the typeform to fill out. We suggest you carefully read the terms and conditions and privacy policy of the company or person that sent you the typeform, as those are the ones governing the processing of your personal data. If you have any doubts, please contact that person or company. Also, depending on how the person or company that sent you a typeform configure that typeform, your data may be shared or made public. To find out more, please contact the entity or person sending you the typeform.

If you use our Services or Site

2.2. If you use our Services or Site, this Privacy Policy sets forth how we are processing your personal data, and how are we processing personal data on your behalf. You are not required to provide any personal information when using the Site, unless you choose to access features that require such information (as, by way of example, subscribing to any newsletter). The use of the Services, however, require that you sign up and create an account on the Site as described in more detail in the Service Terms and Conditions.

2.3. Personal information you provide us when using the Site and/or the Services is subject to this Privacy Policy, and you will be prompted to read and accept it.

How is your data being processed?

3.1. Who processes personal information? (who is the ‘Data controller’)

Personal information is processed by us, an entity incorporated in accordance with the laws of Spain and with following contact details:

TYPEFORM SL

C/Bac de Roda, 163 (Local), 08018 – Barcelona (Spain)

Contact email: support@typeform.com

Contact details for our Data Protection Officer: gdpr@typeform.com

3.2. What are we processing your data for and why are we processing it? (‘Purposes of data processing’, ‘legal basis of the data processing’ and ‘storage periods’)

We will process your data when we have to perform a contract, and we will be processing your data as long as the contractual relationship with you is in force and during the five years following the end of said relationship. This results in us having to process your data for purposes of providing you with both the Services, as well as to perform our obligations under the Services Terms and Conditions.

Subject to obtaining your consent, and as long as you do not withdraw any such consent, we may also process your data for the following purposes:

a) To send you electronic commercial communications (if you subscribe to a newsletter) or to answer the requests you may address us when contacting us;

b) To process information obtained through cookies, as described in more detail in the Cookie Policy, and subject to the terms set forth therein;

c) If you opt to sign in by means of a third party social media platform, we may obtain ID confirmation and other information from that third party, as mentioned in each case;

d) For profiling purposes based on your behavior and how you browse the Site and use the Services, which pages you have visited, and to build audiences. Please note that we may profile users by means of cookies. In those cases, your acceptance of the installation and use of cookies results in a data processing for profiling purposes, as described in this paragraph.

e) We may enrich the data we have about you by obtaining information from a select third party for data enrichment purposes, provided that you have given us prior permission. Enriching data allows us to analyze a deeper subset of data from which we may present personalized content.

When we have to comply with a legal obligation applicable to us from time to time, such as those set forth in tax and anti-money laundering laws and regulations (such as Act no. 58/2003, dated December 17, on Taxes; Act no. 27/2014, dated November 27, on corporate taxes; Act no. 10/2010, dated April 28, for the prevention of money laundering and financing or terrorism; or Organic Act no. 10/1995, dated November 23, on Criminal Code). In any such cases, the data will be processed only during the periods set forth by said laws, being deleted thereafter.

Finally, we may also process your data to protect our legitimate interests, as long as said data is strictly necessary to fulfil the goals set forth below, namely:

a) To review, monitor, investigate, and analyze how to improve the Services and/or the Site, as well as to keep our Services and the Site secure and operational and prevent abusive activity (e.g. fraud, spam, phishing activities, etc.). This may include sending you typeforms to assess any problems in the service or know how to improve your user experience. The interests at stake are ensuring a correct and safe environment for both other users and us, taking those interests prevalence over your legitimate interests (we need to create and maintain an environment which is in accordance with the law, the legitimate interests of other parties, what other users may expect from our end, and to protect other users’ security when accessing the Site and using the Services);

b) Besides any commercial electronic and non-electronic commercial communication sent when we have obtained your consent as mentioned above, we may also send you those kind of communications when you are our client. In this last case, we will only send you information belonging to us and concerning services and/or products identical or similar to the ones you have contracted with us. In these cases, we have a legitimate interest in processing your contact information to keep you informed about any of our products and services, prevailing this interest over your right to personal data given the non-sensitive nature of the data in question and the fact that the contractual relationship built with our clients results in those clients expecting these kinds of communications; and

c) Upon dissociating the data we have so as to be impossible to be associated to you or any other person, to perform statistical and other analysis on information we collect (technical and metadata) to analyze and measure user behavior and trends, to understand how people use our services, in order to improve and optimize our performance of such services.

3.3. To which extent do we require to have access to your personal data?

We need to process your personal data to perform the legal and contractual obligations mentioned in section 3.2 above. Otherwise, we are not able to provide you with the Services and/or access to the Site. On the other hand, for data processing which depends on your consent or on our legitimate interests, the data processing is not legally required.

3.4. Which companies will have access to your personal information?

We share your information with our service providers who help us to provide the Services to you, in which case those third parties are required to comply with our internal standards, policies, and technical and organizational measures that ensure that your data is protected and kept confidential at all times, and only in accordance with and to the extent authorized by this Privacy Policy.

When you authorize us to do so, we may also share your data with other companies so that they can process the data for other purposes, as explained more in detail when we request your prior consent. In addition, if you provide consent for the installation of cookies, your data may be processed by third companies for the purposes and in the territories mentioned in the Cookie Policy.

We may also share your information with competent courts and authorities, when we are legally required to do so (for instance, to allow such bodies to investigate, prevent, or take action against illegal activities), or we have to take action to protect our rights or any third party rights.

Finally, please note that you may opt for creating a typeform in which the results are displayed not in an aggregated manner but by providing the particular answers provided by respondents. In those cases, if you opt to create a typeform having this functionality, the results will be shared with those third parties you opt to share them with. Please bear in mind that, depending on what you intend to do with your data, you may be required to inform or comply with further legal requirements vis-à-vis respondents.

3.5. In which territories may your personal information be processed?

Your information (not third parties’ information collected through typeforms, which is subject to section 4.10 below) may be transferred, processed, and stored in countries that do not have data protection laws as protective as those in your jurisdiction. Your agreement to the terms of this Privacy Policy, followed by your submission of information in connection with the Service, represents your agreement to this international transfer of personal data.

3.6. Your rights

You have the right to withdraw your consent at any time. You also have the right to request access to, and rectification of, or erasure of your personal data, or restriction of processing, or to object to processing, as well as the right to data portability. Please note that if you choose to cancel your data, your account will be deleted and all data in your account will be permanently deleted from our systems. You may lodge a complaint at any time with the Spanish Data Protection Agency.

We allow you to exercise the above-mentioned rights at any time by opening a support ticket via the Help Center, by contacting our Support Center (support@typeform.com), or by sending a letter to c/ Bac de Roda, 163 (local), 08018 – Barcelona (Spain).

3.7. Updating your information. Emails and commercial communications.

You can update any information we may have from you by means of the account settings area or by sending us a written communication as described in section 3.6 above. Please remember that it is your duty to keep information updated so we can correctly provide you with the Services, and you undertake to verify the information you have handed us from time to time to make sure that it is accurate.

As explained in section 3.6 above, you are entitled to ask us, now or at any moment, not to send you any kind of emails or commercial communications. To that extent, you can either change the communication preferences in your account settings page or contact us as described in section 3.6 above. Note that this will not prevent the sending of emails or other communications related to the Services, as those communications are necessary to perform the relationship we have with you.

How is the data we collect on your behalf being processed?

4.1. In order to provide you with the Services, we may need to process on your behalf third parties’ personal data. This is the case, for instance, when a person files out a typeform (the forms we made available to you in the Services), in which case the data is collected, stored, and processed on your behalf. For clarification purposes, the subject-matter of the processing is the provision of said Services, and the type of personal data and categories of data subjects depends on the information uploaded into the Service.

4.2. We will only process any personal data we may have access to as a result of the provision of the Services in accordance with the instructions included in the Service Terms and Conditions and any other that you may provide us from time to time in writing. Should we have reasonable grounds to believe that any of your documented instructions infringes European data protection laws, we will inform you punctually, so that you can confirm in writing that instruction. Please, note that in case of any such reconfirmation, you shall bear any consequences arising out of that instruction being contrary to law, and you shall defend, indemnify, and hold us harmless of any and all costs (including attorney’s fees), fines, or sanctions, or any damages deriving from our performance of the challenged instruction.

4.3. We will ensure that all employees authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.4. To provide you with the Services, we may need to use some service providers we already rely on, as well as hire new ones in the future. Those companies will only process the data to the extent necessary to render the Services, and we will enter into written agreements with them to make sure that said companies comply with the obligations included in this section 4 and implement all necessary security measures to ensure adequate protection of the data.

In this respect, by entering into the Service Terms and Conditions you accept that we seek the assistance of our affiliate TYPEFORM US LLC, having registered address at 370 Brannan Street, San Francisco, CA 94107 (United States of America). Additionally, we will also continue to engage other service providers for carrying out the Services, as those subprocessors are listed here.

In the event that we want to change any of those service providers by another, or that we need to hire new companies, you will have the right to reasonably oppose to such changes or new appointments in the non-extendable term of 15 calendar days. ‘Reasonably oppose’ shall be interpreted as any challenge based on the failure to meet the legal requirements set forth by the European data protection laws by the new entity to be hired. In any event, we reserve the right to terminate the relationship with you should we cannot hire a subprocessor which is essential or needed for providing the service.

The Company shall enter into written agreements with any subprocessors engaged in the provision of the Services including the safeguards and guarantees required by the General Data Protection Regulation (EU Regulation no. 679\2016, the “GDPR”), particularly in respect of implementing the security measures required in the GDPR. For those subprocessors located in a country not considered by European authorities as having the same level of protection than European data protection laws, you agree to comply with the requirements set forth in 4.10 below.

4.5. At your request and expense, we shall assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, if applicable. For avoidance of doubt, we shall convey you any request data subjects may address directly to us together with all relevant information, if any, so that you can contact and answer to data subjects, but we shall not take care of responding data subjects.

4.6. We will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. At your request and expense and taking into account the nature of processing and the information available to us, we shall reasonably assist you in compliance with the security obligations set forth by Article 32 of the GDPR.

4.7. We will also provide, at your request and expense and subject to the nature of processing and information available to us, assistance in complying with obligations set forth in Articles 33 to 36 of the GDPR, if applicable.

With respect to data breaches, we will notify you without undue delay upon we confirm that a data breach affecting personal data has taken place. We will provide you with sufficient information to allow you to meet any obligations to report or inform competent authorities or data subjects. We will reasonably cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such data breach. For avoidance of doubt, you shall be responsible for both filing any reports required under applicable law and notifying data subjects, and you shall defend, indemnify and hold us harmless of any and all costs (including attorney’s fees), fines, or sanctions, or any damages that lack of action on your side may cause.

4.8. Upon termination of the Service Terms and Conditions, we shall delete personal data, unless otherwise required by law.

4.9. We will make available to you all information necessary to demonstrate compliance with the obligations laid down in this Section 4 and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you who is not any of our competitors. You accept that you may only conduct up to one (1) audit per year, except if there are reasonable grounds to believe that we are not performing the obligations included in this section 4. Audits shall only be carried out during normal business hours, and you shall bear all costs except that we are found to be in a material breach of this section 4.

4.10. For the provision of the Services or because you want to process data from a given location or hand it to another company, data may be transferred outside the European Economic Area to a country which has not been declared to offer a level of protection equal to the one provided by European data protection regulations.

In those cases, you shall ensure that said transfer is possible in accordance with European data protection regulations or any other requirements set forth by law without having to sign Standard Contractual Clauses. Should this not be possible—and only to this extent—and with respect to any subprocessors hired by us, you (as ‘data exporter’) and we (as ‘data importer’) hereby agree to enter into the Standard Contractual Clauses in respect of any such transfers of data. You fully agree with the contents of the Standard Contractual Clauses (available here) and—given that the contractual relationship set forth in the Service Terms and Conditions cannot exist without international transfers of data—you further warrant and represent that you will not question the execution of Standard Contractual Clauses in the future, being their signature a mere act evidencing their agreement to the same as set forth herein.

How to contact us

5.1. Send a request via our Help Center. Click the Contact Support link at the bottom of any article.

Changes to the privacy policy

6.1. We may amend this Privacy Policy from time to time. You may be required to accept the amended Privacy Policy upon logging in to your TYPEFORM Account in order to keep using the Service. Alternatively, we may post any non-material changes to this Privacy Policy on the Site with a notice advising of the changes in advance of the effective date of the changes. We may also notify you of material changes to this Privacy Policy, before the effective date of the changes, by sending an email or otherwise. If you do not agree to any non-substantial change to this Privacy Policy, you may terminate the Service Terms and Conditions.

Prevalence

7.1. This policy is drafted both in plain and legal versions. In case of any discrepancies, the legal version included herein shall prevail and take precedence with respect to the plain version.

The Embark Website and online shop.

The Embark website domain and operational system is through Shopify PTY LTD. All online purchases and customer information is process and protected by the Shopify Privacy Policy. Embark PTY Ltd will only use the information provided to dispatch online orders placed by the customer.

Shopify values

Trust is the foundation of the Shopify platform and includes trusting us to do the right thing with your information. Three main values guide us as we develop our products and services. These values should help you better understand how we think about your information and privacy.

Your information belongs to you

We carefully analyze what types of information we need to provide our services, and we try to limit the information we collect to only what we really need. Where possible, we delete or anonymize this information when we no longer need it. When building and improving our products, our engineers work closely with our privacy and security teams to build with privacy in mind. In all of this work our guiding principle is that your information belongs to you, and we aim to only use your information to your benefit.

We protect your information from others

If a third party requests your personal information, we will refuse to share it unless you give us permission or we are legally required. When we are legally required to share your personal information, we will tell you in advance, unless we are legally forbidden.

We help merchants and partners meet their privacy obligations

Many of the merchants and partners using Shopify do not have the benefit of a dedicated privacy team, and it is important to us to help them meet their privacy obligations. To do this, we try to build our products and services so they can easily be used in a privacy-friendly way. We also provide detailed FAQs, documentation and whitepapers covering the most important privacy topics, and respond to privacy-related questions we receive.

Why we process your information

We generally process your information when we need to do so to fulfill a contractual obligation (for example, to process your subscription payments to use the Shopify platform), or where we or someone we work with needs to use your personal information for a reason related to their business (for example, to provide you with a service). European law calls these reasons “legitimate interests.” These “legitimate interests” include:

preventing risk and fraud

answering questions or providing other types of support

helping merchants find and use apps through our app store

providing and improving our products and services

providing reporting and analytics

testing out features or additional services

assisting with marketing, advertising, or other communications

We only process personal information for these “legitimate interests” after considering the potential risks to your privacy—for example, by providing clear transparency into our privacy practices, offering you control over your personal information where appropriate, limiting the information we keep, limiting what we do with your information, who we send your information to, how long we keep your information, or the technical measures we use to protect your information.

One of the ways in which we are able to help merchants using Shopify is by using techniques like “machine learning” (European law refers to this as “automated decision-making”) to help us improve our services. When we use machine learning, we either: (1) still have a human being involved in the process (and so are not fully automated); or (2) use machine learning in ways that don’t have significant privacy implications (for example, reordering how apps might appear when you visit the app store).

Your rights over your information

We believe you should be able to access and control your personal information no matter where you live. Depending on how you use Shopify, you may have the right to request access to, correct, amend, delete, port to another service provider, restrict, or object to certain uses of your personal information (for example, direct marketing). We will not charge you more or provide you with a different level of service if you exercise any of these rights.

If you buy something from a Shopify-powered store and wish to exercise these rights over information about your purchase, you need to directly contact the merchant you interacted with. We are only a processor on their behalf, and cannot decide how to process their information. As such, we can only forward your request to them to allow them to respond. We will of course help our merchants to fulfill these requests by giving them the tools to do so and by answering their questions.

Please note that if you send us a request relating to your personal information, we have to make sure that it is you before we can respond. In order to do so, we may ask to see documentation verifying your identity, which we will discard after verification.

If you would like to designate an authorized agent to exercise your rights for you, please email us from the email address we have on file for you. If you email us from a different email address, we cannot determine if the request is coming from you and will not be able to accommodate your request. In your email, please include the name and email address of your authorized agent.

If you are not happy with our response to a request, you can contact us to resolve the issue. You also have the right to contact your local data protection or privacy authority at any time.

Finally, because there is no common understanding about what a “Do Not Track” signal is supposed to mean, we don’t respond to those signals in any particular way.

Where we send your information

We are a Canadian company, but we work with and process data about individuals across the world. To operate our business, we may send your personal information outside of your state, province, or country, including to the United States. This data may be subject to the laws of the countries where we send it. When we send your information across borders, we take steps to protect your information, and we try to only send your information to countries that have strong data protection laws.

Transfers outside of Europe and Switzerland

If you are in Europe or Switzerland, your personal information is controlled by our Irish affiliate, Shopify International Ltd. Your information is then sent to other Shopify locations and to service providers who may be located in other regions, including Canada (where we are based) and the United States. When we send your personal information outside of Europe, we do so in accordance with European law.

If you are in Europe or Switzerland, when we send your personal information to Canada it is protected under Canadian law, which the European Commission has found will adequately protect your information. If we then send this personal information outside of Canada (for example, when we send this information to our Subprocessors), this information is protected by contractual commitments that are comparable to those provided in Standard Contractual Clauses.

Finally, while we do what we can to protect your information, we may at times be legally required to disclose your personal information (for example, if we receive a valid court order). For information about how we respond to such orders, please review our Guidelines for Legal Requests.

How we protect your information

Our teams work tirelessly to protect your information, and to ensure the security and integrity of our platform. We also have independent auditors assess the security of our data storage and systems that process financial information. However, we all know that no method of transmission over the Internet, and method of electronic storage, can be 100% secure. This means we cannot guarantee the absolute security of your personal information. You can find more information about our security measures at https://www.shopify.com/security.

How we use “cookies” and other tracking technologies

We use cookies and similar tracking technologies on our website and when providing our services. For more information about how we use these technologies, including a list of other companies that place cookies on our sites, a list of cookies that we place when we power a merchant’s store, and an explanation of how you can opt out of certain types of cookies, please see our Cookie Policy.

How you can reach us

If you would like to ask about, make a request relating to, or complain about how we process your personal information, you can contact us by email at privacy [at] shopify.com, or at one of the addresses below. If you would like to submit a legally binding request to demand someone else’s personal information (for example, if you have a subpoena or court order), please review our Guidelines for Legal Requests.

Shopify Inc.

ATTN: Chief Privacy Officer

151 O’Connor Street

Ground floor,

Ottawa, ON K2P 2L8

Canada

If you are located in Europe, the Middle East, South America, or Africa:

Shopify International Ltd.

Attn: Data Protection Officer

c/o Intertrust Ireland

2nd Floor 1-2 Victoria Buildings

Haddington Road

Dublin 4, D04 XN32

Ireland

If you are located in Asia, Australia, or New Zealand:

Shopify Commerce Singapore PTE. LTD.

Attn: Data Protection Officer

77 Robinson Road,

#13-00 Robinson 77,

Singapore 068896

Embark online payments

Embark customers have the option to make an EFT payment or pay through an online payment system. Embark PTY ltd uses Payfast PTY ltd to process all online card payments.

PayFast respects your privacy. Callouts like this are a summary of our privacy policy and contain

the most important and relevant points for you. Please read the full privacy policy because it

applies to you.

Introduction

Welcome to our privacy policy. We are PayFast (Registration number 2007/011558/07) and this is our

plan of action when it comes to protecting your privacy. We respect your privacy and take the protection

of personal information very seriously. The purpose of this policy is to describe the way that we collect,

store, use, and protect information that can be associated with you or another specific natural or juristic

person and can be used to identify you or that person (personal information).

The purpose of this policy is to be transparent and describe the way that we handle your personal

information.

Audience

This policy applies to you if you are:

a visitor to our website; or
a user/customer/merchant who registers for an account on PayFast by completing the appropriate

form in order to access the services provided.

Personal information

Personal information includes:

certain information that we collect automatically when you visit our website or;
make use of our services by means of a merchants website;
certain information collected on registration (see below);
certain information collected on submission; and
optional information that you provide to us voluntarily.

but excludes:

information that has been made anonymous so that it does not identify a specific person;

2007-2021 PayFast (www.Payfast.co.za).

Page 1 of 10

permanently de-identified information that does not relate or cannot be traced back to you

specifically;

non-personal statistical information collected and compiled by us; and
information that you have provided voluntarily in an open, public environment or forum including any

blog, chat room, community, classifieds, or discussion board (because the information has been

disclosed in a public forum, it is no longer confidential and does not constitute personal information

subject to protection under this policy).

Personal information includes information we collect (i) automatically when you visit our website

or make use of our services by means of a merchants website, (ii) on registration, (iii) on

submission, and (iv) from you voluntarily. It excludes (i) anonymous, (ii) de-identified, (iii)

non-personal statistical, and (iv) public information

Common examples

Common examples of the types of personal information which we may collect and process include your:

identifying information – such as your name, date of birth, or identification number of any kind;
contact information – such as your phone number or email address;
address information – such as your physical or postal address; or

Sensitive personal information

Depending on the goods or services that you require, we may also collect sensitive personal information

including your:

financial information – such as your bank account details.

Acceptance

Acceptance required

You must accept all the terms of this policy when you register for an account or request the use of our

services. If you do not agree with anything in this policy, then you should not register for an account or

make use of PayFast’s services.

Legal capacity

You may not access our website or request our services if you are younger than 18 years old or do not

have legal capacity to conclude legally binding contracts.

PayFast shall not process any personal information relating to a person under the age of 18 years unless

it has obtained consent from that person’s parent or legal guardian. If PayFast services are being used by

the parent or guardian of a child under the age of 18 years, and personal information pertaining to that

child is being provided by the parent or guardian, then they hereby expressly consent to PayFast

processing such information according to the further provisions of this Privacy Policy.

Deemed acceptance

By accepting this policy, you are deemed to have read, understood, accepted, and agreed to be bound by

all of its terms.

2007-2021 PayFast (www.Payfast.co.za).

Page 2 of 10

Your obligations

You may only send us your own personal information or, if you are sharing the information of another data

subject, where you have their permission to do so.

Notification of changes

PayFast may change the terms of this policy at any time by updating this web page. We will notify you of

any changes by placing a notice in a prominent place on the website. If you do not agree with the

changes, then you must stop using the website and our services. If you continue to use the website and

our services following notification of a change to the policy, the changed terms will apply to you and you

will be deemed to have accepted those updated terms.

PayFast is, however, under no obligation to inform the User of such changes when they happen, although

it is assumed that any changes will be minor and will not fundamentally impact the User. Should the

change be deemed by PayFast to be significant, we will endeavour to inform the User of these changes

through whatever means we deem necessary (banner on home page, email notification etc.) in a timely

manner.

Information we collect

On registration

In the course of service provision to the User we may collect certain forms of information. The types of

information that we may collect are detailed below:

Information you provide:

When you register for an account on PayFast by completing the appropriate form, we ask you for

personal information. We may combine the information you submit under your account with information

from other services or third parties in order to provide you with a better experience and to improve the

quality of our service.

Financial information:

In the course of providing a service to you, PayFast may ask for financial information (bank account

details, credit card details etc.). Such information will be treated with the utmost privacy, will be stored

encrypted on our systems, will only be communicated across a secure link and will not be provided to any

third parties except where necessary to provide PayFast‘s service to you.

Once you register on our website, you will no longer be anonymous to us. You will provide us with certain

personal information when you register on our website.

This personal information will include:

your name and surname;
your email address;
your telephone number;
ID number and ID type;
Photo on ID;
Country of Registration;
Bank Account details;
Credit Card details;
your company name, company registration number, and VAT number;
your postal address or street address; and
your username and password.

2007-2021 PayFast (www.Payfast.co.za).

Page 3 of 10

We will use this personal information to fulfil your account, provide additional services and information to

you as we reasonably think appropriate, and for any other purposes set out in this policy.

PayFast collects and records certain Log information your browser sends.

Log information

When you use PayFast, our server automatically records information that your browser sends whenever

you visit a website. These server logs may include information such as your web request, Internet

Protocol address, browser type, browser language, the date and time of your request and one or more

cookies that may uniquely identify your browser.

PayFast collects certain information from your web browser, including your Internet usage

information when you visit our website.

When you visit PayFast, we may send one or more cookies – a small file containing a string of characters

– to your computer that uniquely identifies your browser. We use cookies to improve the quality of our

service by storing user preferences or storing session information. Most browsers are initially set up to

accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being

sent. However, this is not advised as some features (and indeed our service itself) may not function

correctly if your cookies are disabled.

PayFast collects certain information from web beacons on our website to compile anonymous

information about our website.

2007-2021 PayFast (www.Payfast.co.za).

Page 4 of 10

Web beacons

Our website may contain electronic image requests that allow us to count page views and to access

cookies. Any electronic image viewed as part of a web page (including an ad banner) can act as a web

beacon. Our web beacons do not collect, gather, monitor or share any of your personal information. We

merely use them to compile anonymous information about our website.

User communications

When you send email or other communication to PayFast, we may retain those communications in order

to process your enquiries, respond to your requests and improve our services.

Links

PayFast may present links in a format that enables us to keep track of whether these links have been

followed and who followed them, either on the website or in electronic communications. We use this

information to improve the quality of our service, customised content and advertising.

Other sites

This Privacy Policy only applies to PayFast. PayFast does not exercise control over any third party sites

who we have partnered with to deliver a service to you. These other sites may place their own cookies or

other files on your computer, collect data or solicit personal information from you, over which PayFast has

no control.

Recording calls

PayFast may monitor and record any telephone calls that you make to our Customer Support Teams. All

call recordings are kept for quality assurance and will only be retained as necessary and in line with

PayFast policy on retention of data.

Purpose for collection

We may use or process any goods or services information, or optional information that you provide to us

for the purposes that you indicated when you agreed to provide it to us. Processing includes gathering

your personal information, disclosing it, and combining it with other personal information. We generally

collect and process your personal information for various purposes, including:

goods or service purposes – supply our services including providing our payments processing

services to our merchants and consumers;

marketing purposes – such as pursuing lawful related marketing activities;
business purposes – such as internal audit, accounting, business planning, other proposed and

actual transactions; and better understand our data subjects’ needs when doing so;

legal purposes – such as handling claims, complying with regulations, or pursuing good

governance.

We may use your usage information for the purposes described above and to:

remember your information so that you will not have to re-enter it during your visit or the next time

you access the website;

monitor website usage metrics such as total number of visitors and pages accessed; and
track your entries, submissions, and status in any promotions or other activities in connection with

your usage of the website.

2007-2021 PayFast (www.Payfast.co.za).

Page 5 of 10

We may use any of your personal information that you provide to us for the purposes that you

indicated when you agreed to provide it to us. PayFast processes personal information on web

hosting servers which may not be in your present country.

Consent to collection

PayFast collects information from the User at several different points on the Site. PayFast is the sole

owner of the information collected on PayFast‘s website “the Site”. We will not sell, share, or rent this

information to others in ways different from what is disclosed in this statement.

Consent can be express (e.g. signing an agreement) or implied (e.g. if the User is given an opportunity to

opt-out of a specific form of information sharing, but chooses not to do so, PayFast implies that the User

chooses to share this information with us).

We will obtain your consent to collect personal information:

in accordance with applicable law;
when you provide us with any registration information or optional information.

We will get your consent to collect your personal information in accordance with applicable law or

when you provide us with registration or optional information.

How information is used

Our obligations

We may use your personal information to fulfil our obligations to you.

PayFast collects user information for the purposes described below:

providing a service to our users, including the display of customised content and advertising;
auditing, research and analysis in order to maintain, protect and improve our service;
ensuring the technical functioning of our equipment and resources;
developing new services.

While mostly this information will be used to provide a service to our users, it may also be used to provide

our own services.

We will not collect or use sensitive information for purposes other than those described in this Privacy

Policy unless we have obtained your prior consent.

We may use your information to send you administrative messages and email updates to you

regarding service announcements and for marketing purposes where lawful.

Communications

PayFast may send the User, site and service announcement updates on an irregular basis. Users are not

able to unsubscribe from service announcements, which contain important information about our service.

On occasion PayFast will email newsletters to provide the User with information that we think the User will

find useful, including information about new products and services. We might also contact the User by

2007-2021 PayFast (www.Payfast.co.za).

Page 6 of 10

email to see if the User is interested in participating in market research regarding PayFast. We may also

contact the User by email to respond to customer-service complaints that the User has submitted, to

address a problem affecting the User’s use of the service or to verify the User’s account information if the

User submits a password request.

We may use your information for targeted content in certain, specified instances.

Disclosure

Information sharing

We may also share your personal information with:

PayFast may share de-identified aggregated demographic information with our advertisers or

information collection companies, but will not reveal any personally identifiable information in

these instances. These companies do not retain, share, store or use personally identifiable

information for any secondary purposes. We may also partner with third parties to provide specific

services. When the User signs up for these services, we will only share the information that is

necessary for the third party to provide these services. These parties are not allowed to use

personally identifiable information except for the purpose of providing these services;

PayFast may share a User’s contact information with other registered Users for the purposes of

resolving support queries relating to PayFast or the service provided to a User by another User.

This contact information includes, but is not limited to, name, surname, email address and phone

number. Typically, this would be providing a buyer’s contact details to a seller or vice versa,

where PayFast has the necessary information to assist, but cannot actually resolve a support

query;

PayFast will not voluntarily disclose any information about individual users, except as described

in this Privacy Policy, or to comply with applicable laws or valid legal process, or to protect the

rights or property of PayFast or others, to assist our email vendor with resolving complaints about

unsolicited email, or as otherwise described in this Privacy Policy;

Other divisions or companies within the group of companies to which we belong so as to provide

joint content and services like registration, for transactions and customer support, to help detect

and prevent potentially illegal acts and violations of our policies, and to guide decisions about our

products, services, and communications (they will only use this information to send you marketing

communications if you have requested their goods or services);

An affiliate, in which case we will seek to require the affiliates to honour this privacy policy;
Our goods or services providers under contract who help provide certain goods or services or

help with parts of our business operations, including fraud prevention, bill collection, marketing,

technology services (our contracts dictate that these goods or services providers only use your

information in connection with the goods or services they supply or services they perform for us

and not for their own benefit);

Banking partners as required by credit card association rules for inclusion on their list of

terminated merchants (in the event that you utilise the services to receive payments and you

meet their criteria)

We may share your personal information with third parties for the purposes of fulfilling our

obligations to you among other purposes.

2007-2021 PayFast (www.Payfast.co.za).

Page 7 of 10

Regulators

We may disclose your personal information as required by law or governmental audit.

Law enforcement

We may disclose personal information if required:

by a subpoena or court order;
to comply with any law;
to protect the safety of any individual or the general public; and
to prevent violation of our customer relationship terms.

We may generate and disclose personal information to third parties if required for legal reasons.

No selling

We will not sell personal information. No personal information will be disclosed to anyone except as

provided in this privacy policy.

Marketing purposes

We may generate and disclose anonymized and aggregated statistics and data about personal

information to Payfast’s customers and partners regarding transactional patterns, fraud and other trends.

Employees

We may need to disclose personal information to our employees that require the personal information to

do their jobs. These include our responsible management, human resources, accounting, audit,

compliance, information technology, or other personnel.

Change of ownership

If PayFast undergoes a change in ownership, or a merger with, acquisition by, or sale of assets to another

entity, we may assign our rights to the personal and customer information we process to a successor,

purchaser, or separate entity. While we will endeavour to maintain this Privacy Policy we cannot

guarantee that this policy will remain in effect after such a corporate action. If you are concerned about

your personal information migrating to a new owner, you may request us to delete your personal

information.

Information security

We take the security of personal information very seriously and always do our best to comply with

applicable data protection laws. Our hosting company will host our website in a secure server

environment that uses a firewall and other advanced security measures to prevent unauthorized access,

disclosure and destruction of data from internal or external threats..

PayFast adheres and complies to the Payment Card Industry Data Security Standard ("PCI-DSS")

requirements and maintains such to the best of its abilities in its possession, storage, processing and/or

transmission of cardholder data on behalf of our merchants and customers.

In the unlikely event of personal information about a User being inadvertently leaked or PayFast’s security

being unlawfully breached by any unauthorised party, PayFast shall as soon as reasonably possible

identify the relevant Users who may be affected by the security breach, and shall attempt to contact them

at their last known email address or contact details or by the quickest means possible.

2007-2021 PayFast (www.Payfast.co.za).

Page 8 of 10

PayFast shall provide sufficient information to the User to allow him or her to take the necessary

protective measures against the potential consequences of the compromise, or shall advise Users of the

steps to be taken by them and the possible consequences that may ensue from the breach for them.

Our website is hosted on a secure server and uses security measures to prevent unauthorized

access, disclosure and destruction of data from internal or external threats.

We will try to keep the personal information we collect as accurate, complete and up to date as is

necessary for the purposes defined in this policy. From time to time we may request you to update your

personal information on the website. You are able to review or update any personal information that we

hold on you by accessing your account online, emailing us, or phoning us. Please note that in order to

better protect you and safeguard your personal information, we take steps to verify your identity before

granting you access to your account or making any corrections to your personal information.

Please keep your personal information accurate and up to date by accessing your account online,

emailing us, by phoning us.

Retention

We will only retain your personal information for as long as it is necessary to fulfil the purposes explicitly

set out in this policy, unless:

retention of the record is required or authorised by law; or
you have consented to the retention of the record.

During the period of retention, we will continue to abide by our non-disclosure obligations and will not

share or sell your personal information.

We will only retain your personal information for as long as is necessary.

Transfer to another country

We process personal information outside of South Africa. We will only transfer data to other countries who

have similar privacy laws to South Africa’s, or recipients who can guarantee the protection of personal

information to the same standard we must protect it. You consent to us processing your personal

information in a foreign country whose laws regarding processing of personal information may be to the

same standard as what we must protect.

You consent to us processing your personal information in a foreign country whose laws

regarding processing of personal information may be to the same standard as what we must

protect.

Updating or removing

You may choose to correct or update the personal information you have submitted to us, by editing your

Profile menu under your logged in session on our website or contacting us by phone or email.

2007-2021 PayFast (www.Payfast.co.za).

Page 9 of 10

You may choose to update or remove the personal information you have submitted to us.

Limitation

We are not responsible for, give no warranties, nor make any representations in respect of the privacy

policies or practices of linked or any third party websites.

Enquiries and contact information

If you have any questions or concerns arising from this privacy policy or the way in which we handle

personal information, please contact us at info@payfast.co.za

TERMS

The terms “The User” and “User” are used interchangeably and refer to all individuals and/or

entities accessing this web site for any reason whatsoever.

The terms “we” and “PayFast” are used interchangeably and refer to PayFast itself and all

individuals and/or entities acting directly on behalf of PayFast.

The term “the Site” are used interchangeably and refer to the PayFast web site that are being

accessed by individuals or entities.

Embark invoicing and accounting system.

The embark accounts is managed through an external accounting system called Xero PTY LTD. The information shared on this platform is the basic information needed to generate an invoice under the customer’s name.

Who are ‘we’?

When we refer to ‘we’ (or ‘our’ or ‘us’), that means Xero Limited and all its wholly owned subsidiaries. Our headquarters are in New Zealand but we operate and have offices all over the world. Address details for all Xero offices are available on our Contact us page.

We provide an easy-to-use global online platform for small businesses and their advisors. At the core of our platform is our beautiful cloud accounting software. If you want to find out more about what we do, see the About Xero page.

For European Union data protection purposes, when we act as a controller in relation to your personal data, Xero (UK) Limited (company number 06071722) is our representative in the European Union.

Our principles of data protection

Our approach to data protection is built around four key principles. They’re at the heart of everything we do relating to personal data.

Transparency: We take a human approach to how we process personal data by being open, honest and transparent.

Enablement: We enable connections and efficient use of personal data to empower productivity and growth.

Security: We champion industry leading approaches to securing the personal data entrusted to us.

Stewardship: We accept the responsibility that comes with processing personal data.

How we collect your data

When you visit our websites or use our services, we collect personal data. The ways we collect it can be broadly categorised into the following:

Information you provide to us directly: When you visit or use some parts of our websites and/or services we might ask you to provide personal data to us. For example, we ask for your contact information when you sign up for a free trial, respond to a job application or an email offer, participate in community forums, join us on social media, take part in training and events, contact us with questions or request support. If you don’t want to provide us with personal data, you don’t have to, but it might mean you can’t use some parts of our websites or services.

Information we collect automatically: We collect some information about you automatically when you visit our websites or use our services, like your IP address and device type. We also collect information when you navigate through our websites and services, including what pages you looked at and what links you clicked on. This information is useful for us as it helps us get a better understanding of how you’re using our websites and services so that we can continue to provide the best experience possible (e.g., by personalising the content you see).

Some of this information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why, and how you can control them, take a look at our cookie notice.

Information we get from third parties: The majority of information we collect, we collect directly from you. Sometimes we might collect personal data about you from other sources, such as publicly available materials or trusted third parties like our marketing and research partners. We use this information to supplement the personal data we already hold about you, in order to better inform, personalise and improve our services, and to validate the personal data you provide.

Where we collect personal data, we’ll only process it:

to perform a contract with you, or

where we have legitimate interests to process the personal data and they’re not overridden by your rights, or

in accordance with a legal obligation, or

where we have your consent.

If we don’t collect your personal data, we may be unable to provide you with all our services, and some functions and features on our websites may not be available to you.

If you’re someone who doesn’t have a relationship with us, but believe that a Xero subscriber has entered your personal data into our websites or services, you’ll need to contact that Xero subscriber for any questions you have about your personal data (including where you want to access, correct, amend, or request that the user delete, your personal data).

How we use your data

First and foremost, we use your personal data to operate our websites and provide you with any services you’ve requested, and to manage our relationship with you. We also use your personal data for other purposes, which may include the following:

To communicate with you. This may include:

providing you with information you’ve requested from us (like training or education materials) or information we are required to send to you

operational communications, like changes to our websites and services, security updates, or assistance with using our websites and services

marketing communications (about Xero or another product or service we think you might be interested in) in accordance with your marketing preferences

asking you for feedback or to take part in any research we are conducting (which we may engage a third party to assist with).

To support you: This may include assisting with the resolution of technical support issues or other issues relating to the websites or services, whether by email, in-app support or otherwise.

To enhance our websites and services and develop new ones: For example, by tracking and monitoring your use of websites and services so we can keep improving, or by carrying out technical analysis of our websites and services so that we can optimise your user experience and provide you with more efficient tools.

To protect: So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our websites and services fairly and in accordance with our terms of use.

To market to you: In addition to sending you marketing communications, we may also use your personal data to display targeted advertising to you online – through our own websites and services or through third party websites and their platforms.

To analyse, aggregate and report: We may use the personal data we collect about you and other users of our websites and services (whether obtained directly or from third parties) to produce aggregated and anonymised analytics and reports, which we may share publicly or with third parties.

How we can share your data

There will be times when we need to share your personal data with third parties. We will only disclose your personal data to:

other companies in the Xero group of companies

third party service providers and partners who assist and enable us to use the personal data to, for example, support delivery of or provide functionality on the website or services, or to market or promote our goods and services to you

regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure

an actual or potential buyer (and its agents and advisors) in connection with an actual or proposed purchase, merger or acquisition of any part of our business

other people where we have your consent.

data transfers

International Data Transfers

When we share data, it may be transferred to, and processed in, countries other than the country you live in – such as to the United States, where our data hosting provider’s servers are located. These countries may have laws different to what you’re used to. Rest assured, where we disclose personal data to a third party in another country, we put safeguards in place to ensure your personal data remains protected.

For individuals in the European Economic Area (EEA), this means that your data may be transferred outside of the EEA. Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data (like New Zealand), or to a third party where we have approved transfer mechanisms in place to protect your personal data – i.e., by entering into the European Commission’s Standard Contractual Clauses. For further information, please contact us using the details set out in the Contact us section below.

Security

Security is a priority for us when it comes to your personal data. We’re committed to protecting your personal data and have appropriate technical and organisational measures in place to make sure that happens. For more information about security, check out Xero’s security pages.

If you want more detailed information, we’ve produced a Service Organisation Control (SOC 2) report, which is available on request. The SOC 2 report was produced after an independent auditor’s examination of our service controls.

To keep up to date on known phishing and other scams targeting our community, and for information on how to protect yourself from them, sign up to our security noticeboard.

Retention

The length of time we keep your personal data depends on what it is and whether we have an ongoing business need to retain it (for example, to provide you with a service you’ve requested or to comply with applicable legal, tax or accounting requirements).

We’ll retain your personal data for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our data retention policies and practices. Following that period, we’ll make sure it’s deleted or anonymised.

Your rights

It’s your personal data and you have certain rights relating to it. When it comes to marketing communications, you can ask us not to send you these at any time – just follow the unsubscribe instructions contained in the marketing communication, or make your request from the Privacy at Xero page.

You also have rights to:

know what personal data we hold about you, and to make sure it’s correct and up to date

request a copy of your personal data, or ask us to restrict processing your personal data or delete it

object to our continued processing of your personal data

You can exercise these rights at any time by making a request from the Privacy at Xero page.

If you’re not happy with how we are processing your personal data, please let us know by getting in touch from the Privacy at Xero page. We will review and investigate your complaint, and try to get back to you within a reasonable time frame. You can also complain to your local data protection authority. They will be able to advise you how to submit a complaint.

How to contact us

We’re always keen to hear from you. If you’re curious about what personal data we hold about you or you have a question or feedback for us on this notice, our websites or services, please get in touch.

As a technology company, we prefer to communicate with you by email – this ensures that you’re put in contact with the right person, in the right location, and in accordance with any regulatory time frames.

Embark communication through WhatsApp

Embark hosts WhatsApp groups for communicational purposes. All groups were notified on the 30 June 2021 with the following message:

Part of the changes brought about as a result of the Protection of Personal Information Act, 4 of 2013 is that, from 1 July 2021, the administrators of WhatsApp Groups will be required to obtain the consent of all participants for purposes of being part of the Group. Accordingly, you are hereby notified that you are entitled to refuse such consent and that you may exercise such right by leaving this Group. Should you however elect to remain in this Group, it will be accepted that you have consented to being a part of the Group and to your personal information (i.e. your cell phone number, name and profile picture) being noticeable to any person in this Group. We further urge that all members of this Group do not make use of such personal information for whatever reason, without obtaining the consent of the relevant person.

Images shared in this groups are being used by Embark for marketing, promotions and social media. If this does not suit you, please exclude yourself from group pics and please do not upload pictures to the group.

WhatsApp if an encrypted app with security and protection policy in place, you can read all about it here: https://www.whatsapp.com/legal/updates/privacy-policy/?lang=en

Embark hard drive protection.

As Embark PTY Ltd uses third party and online system, on the odd occasion an export of these databases will be done and downloaded onto a hard drive which is protected by McAFee Virus protection software.

McAfee Privacy Notice
Effective Date: January 1, 2020

This Notice provides information about data we collect, use, and share, and our commitment to using the personal data we collect in a respectful fashion.

We at McAfee, LLC, including our affiliates (“McAfee”, “we”, “us”, “our”), care deeply about privacy, security, and online safety, all of which are a significant part of our essential mission: to protect users of our products and services (“you” and “your”) from the risks of theft, disruption, and unauthorized access to their online information and activities. This Privacy Notice (“Notice”) is designed to inform you about how we collect, use, and share your personal data through our website (our “Site”), products, services, and web-based and mobile applications (collectively, the “Services”) or when you interact with us.

McAfee sells products and services directly to consumers (you can find more information about those products here,“Consumer Products”), as well as to corporations and business customers (you can find more information about those products here, “Enterprise Products”). This Privacy Notice applies both to the information we collect from you or your device when you download one of our Services and to the information we collect when one of our distribution partners or business customers installs our Services on your device.

When you access or use our Services, you acknowledge that you have read this Notice and understand its contents. Your use of our Services and the Site and any dispute over privacy is subject to this Notice, any applicable Terms of Service (including any applicable limitations on damages and the resolution of disputes) and any applicable End User License Agreement.

As McAfee grows, our business changes, and we may update this Notice at any time as we deem appropriate to reflect those changes. If there are any material changes to this Privacy Notice, we will notify you by email, in-product notification, or as otherwise required by applicable law. It is important that you check back and make sure that you have reviewed the most current version of this Notice.

This Notice applies to all users of our Services across the world. Some users, including residents of the European Economic Area, may have additional rights depending on where they are located, which are described in this Notice.

What Kinds of Information Do We Collect?

In order to provide our Services, we collect information. Some information you provide directly to us, some we collect automatically through our Services, and some is collected from third parties. In this Notice, “Personal Data” refers to data that could be used, alone or in combination with other data, to identify you as an individual.

We collect information you provide to us. For example, we collect information when you purchase a product or service, create an account, fill out a form, participate in a contest or promotion, request customer service, or otherwise communicate with us.

The types of Personal Data you may provide includes:

Contact information (such as name, email address, mailing address, and phone number);
Payment information (including payment card numbers and associated identifiers, billing address, and bank account information); and
Account log-in credentials (which for some Services may include social network credentials).

We may also collect other information from or about you, such as information about what products you purchased, your interests, demographic information, photographs and videos, and biometric data such as fingerprints or voice prints. You may also provide us with additional data. For example, when you use our identity theft protection services, you will have the option to provide your social media log-in information so that we can monitor your social media accounts.

We automatically collect information about your interactions with the Services as well as devices on which the Services are installed. In some cases, we automatically collect information about other devices connected to the same network as the device on which the Services are installed.

For example, we may collect and use the following:

Information about the products you looked at or searched for and the Services you used, including time spent and other statistical information.
Details about your computers, devices, applications, and networks, including internet protocol (IP) address, cookie identifiers, mobile carrier, Bluetooth device IDs, mobile device ID, mobile advertising identifiers, MAC address, IMEI, Advertiser IDs, and other device identifiers that are automatically assigned to your computer or device when you access the Internet, browser type and language, language preferences, battery level, on/off status, geo-location information, hardware type, operating system, Internet service provider, pages that you visit before and after using the Services, the date and time of your visit, the amount of time you spend on each page, information about the links you click and pages you view within the Services, and other actions taken through use of the Services such as preferences. We may collect this information through our Services or through other methods of web analysis.
When you use our products to protect your mobile device, we collect geolocation data of the device on which the product is installed.
Details about your internet, app, or network usage (including URLs or domain names of websites you visit, information about the applications installed on your device, or traffic data); and performance information, crash logs, and other aggregate or statistical information.

In order to provide you our Services, including to detect and evaluate malware and spam, we may scan, collect, and store data from your files, including emails, attachments, email addresses, metadata, and URLs and traffic data.

We collect this information through our Services and through technologies such as cookies, web beacons or web bugs, and clear GIFs. Please see our Cookie Notice for more information about the cookies and similar technologies that we use and the choices available to you.

Information We Collect from Third Parties
We may receive information about you from other sources and combine that information with the information we collect directly. Examples of information we may receive from other sources include: updated delivery or payment information used to correct our records; purchase or redemption information; and customer support and enrollment information. For our identity protection Consumer Products, we also may collect credit or identity information which we use to help prevent and detect fraud.

Location Information
Certain Services may request permission to access your location. Where you grant this permission, we will collect information about your location using GPS, wireless, or Bluetooth technology. You can control access to precise location information through your mobile device settings. We also may look up your IP address to determine your general location.

How Do We Use the Information We Collect?

To Help Protect You
When you install or use one of our Services, it will run in the background of your device or environment to help predict threats and better protect you, your devices, and your information. For example, McAfee may use information to:

Analyze data sent to/from your device(s) to isolate and identify threats, vulnerabilities, viruses, suspicious activity, spam, and attacks, and communicate with you about potential threats;
Participate in threat intelligence networks, conduct research, and adapt products and services to help respond to new threats;
Encrypt your data, lockdown a device, or back-up or recover your data;
Check for Service updates and create performance reports on our Services, to ensure they are performing properly; and
Look for misuses of your data when you use our identity monitoring products.

To Run Our Business
We also use the information we collect for other business purposes, including to:

Authenticate your identity and prevent fraud with your biometric data;
Analyze your behavior to measure, customize, and improve our Site and Services, including developing new products and services;
Advertise McAfee products and services that we think may be of interest to you;
Establish and manage accounts and licenses, including by collecting and processing payments and completing transactions;
Provide customer support, troubleshoot issues, manage subscriptions, and respond to requests, questions, and comments;
Communicate about, and administer participation in, special events, programs, surveys, contests, sweepstakes, and other offers and promotions;
Conduct market and consumer research and trend analyses;
Enable posting on our blogs, forums, and other public communications;
Perform accounting, auditing, billing, reconciliation, and collection activities;
Prevent, detect, identify, investigate, and respond to potential or actual claims, liabilities, prohibited behavior, and criminal activity; and
Comply with and enforce legal rights, requirements, agreements, and policies.

Third-Party Advertising

We work with third-party advertising companies to display or deliver ads to you while you are on our Site or using some Services. These third-party advertisers may collect data about your interaction with the Site or Services or others’ sites or services to measure the effectiveness of their ads and to personalize advertising content. See our Cookie Notice to learn more about how McAfee and these advertising partners use tracking technologies like cookies and the choices available to you.

If you have consented to allow our Services to access to your location, our mobile advertising partners may use your location to target advertisements to you. You may use the location settings on your device to withdraw access to information about your location.

Other Uses
We may use Personal Data for which we have a legitimate interest, such as direct marketing, individual or market research, anti-fraud protection, or any other purpose disclosed to you at the time you provide Personal Data or with your consent.

Who Do We Share Personal Data With?

Generally, we disclose the information we collect to provide the Services, to communicate with you, to advertise or promote our Services, to facilitate changes to or transfers of our business, as required by law, or with your consent.

We may share Personal Information in the following ways:

With current and future members of the McAfee family of companies for the purposes described in this Notice;
With service providers who perform services for us (see the list of our sub-processors, available here for Consumer Products, and here for Enterprise Products);
If we believe disclosure is necessary and appropriate to prevent physical, financial, or other harm, injury, or loss, including to protect against fraud or credit risk;
To legal, governmental, or judicial authorities as instructed or required by those authorities and applicable laws, or in relation to a legal activity, such as in response to a subpoena or investigation of suspected illicit or illegal activities, or where we believe in good faith that users may be engaged in illicit or illegal activities, or where we are bound by contract or law to enable a customer or business partner to comply with applicable laws;
In connection with, or during negotiations for, an acquisition, merger, asset sale, or other similar business transfer that involves all or substantially all of our assets or functions where Personal Data is transferred or shared as part of the business assets (provided that such party agrees to use or disclose such Personal Data consistent with this Notice or gains your consent for other uses or disclosures);
With your consent or at your direction, such as when you choose to share information or publicly post content and reviews (for example, social media posts); and
With persons of your choosing and at your discretion, should the product you are subscribed to allow that functionality.We may also share aggregate data that does not identify you or any specific device with third parties.

How Do We Protect Your Data?

We use administrative, organizational, technical, and physical safeguards to protect the Personal Data we collect and process. Our security controls are designed to maintain data confidentiality, integrity, and an appropriate level of availability.

What Choices Do You Have About Your Personal Data?

McAfee Accounts
If you register a McAfee Consumer Product, you can access and correct the Personal Data in your profile at any time by visiting My Account or contacting us as described below.

If you have not registered a McAfee product but one of our products is installed on your device, you may stop McAfee’s collection of Personal Data from your device by uninstalling that product.

To close your account and for other support questions, please visit the McAfee Contact Us page and click on “Support” tab and then select your "Country".

Marketing Communications
To stop receiving marketing communications, click on the unsubscribe link in the email, or click here for Enterprise marketing or here for Consumer marketing.

If you choose to no longer receive marketing information, McAfee may still communicate with you regarding transactional, legal or administrative topics, such as security updates, product functionality, and service requests.

Individual Rights in Personal Data
In accordance with applicable law, you may have the right to: (i) request confirmation of whether we are processing your Personal Data; (ii) obtain access to or a copy of your Personal Data; (iii) receive a portable copy of your Personal Data, or ask us to send that information to another organization (the “right of data portability”); (iv) seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed Personal Data; (v) restrict our processing of your Personal Data; (vi) object to our processing of your Personal Data; and (vii) request erasure of Personal Data held about you by us, subject to certain exceptions prescribed by law.

If you would like to exercise any of these rights, please visit our Individual Data Request Form available at https://www.mcafee.com/enterprise/en-us/about/legal/gdpr-data-request.html or contact us as set forth below. We will process such requests in accordance with applicable laws. To protect your privacy, we may take steps to verify your identity before fulfilling your request. For some requests and where permitted by law, an administrative fee may be charged. We will advise you of any applicable fee prior to performing your request.

How Long Does McAfee Retain the Personal Data it Collects?

McAfee will keep your Personal Data for the minimum period necessary for the purposes set out in this Notice, namely (i) for as long as you are a registered subscriber or user of our products or (ii) for as long as your Personal Data are necessary in connection with the lawful purposes set out in this Notice, for which we have a valid legal basis or (iii) for as long as is reasonably necessary for business purposes related to provision of the Services, such as internal reporting and reconciliation purposes, warranties or to provide you with feedback or information you might request. Where required by law, we will delete your biometric data within three years of your last interaction with the Services.

In addition, if any relevant legal claims are brought, we may continue to process your Personal Data for such additional periods as are necessary in connection with that claim.

Once the abovementioned periods, each to the extent applicable, have concluded, we will either permanently delete, destroy, or de-identify the relevant Personal Data so that it can no longer reasonably be tied to you.

Children’s Privacy

Some of McAfee’s Services provide security features that parents may use to monitor their child’s activity online, physical location, or use of a registered device. These Services require parental consent, and we do not knowingly use the Personal Data we collect from children’s devices for any purpose except to deliver the Services. These products allow parents to delete their child’s profile at any time. If you believe we have collected information from your child in error or have questions or concerns about our practices relating to children, please contact us as described below. If you are under the age of 18, you must have your parent’s permission to access the Services. McAfee urges parents to instruct their children never to give out their real names, addresses, or phone numbers, without parental permission. If you learn that your child has provided us with Personal Data without your consent, you may alert us by contacting us as described below. If we learn that we have collected any Personal Data from children under 13 (and in certain jurisdictions under the age of 16), we will promptly take steps to delete such information and terminate the child’s account.

Data Transfers
McAfee is headquartered in the United States (see Contact Us for addresses), and we have operations, entities, and service providers in the United States and throughout the world. As such, we and our service providers may transfer your Personal Data to, or store or access it in, jurisdictions that may not provide equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your Personal Data receives an adequate level of protection in the jurisdictions in which we process it.

Residents of the European Economic Area

If you are in the European Economic (EEA), the following additional disclosures apply.

Data Controller
Where you purchase one of McAfee’s consumer products, McAfee Ireland Limited acts as the Controller of your Personal Data.

Legal Basis for Processing
When we process your Personal Data, we will only do so in the following situations:

We need to use your Personal Data to perform our responsibilities under our contract with you (e.g. processing payments for and providing the Services you purchase or request).
We have a legitimate interest in processing your Personal Data. For example, we have a legitimate interest in processing your Personal Data to provide, secure, and improve our Services, in communicating with you about changes to our Services, and in informing you about new services or products.
We have your consent to do so.We need to process your Personal Data to comply with our legal obligations.

Data Transfers
We transfer Personal Data to countries outside of the EEA or Switzerland through a series of intercompany agreements based on the Standard Contractual Clauses in accordance with EU law and applicable EU regulations.

Individual Rights Requests and Withdraw Consent
You may submit a request to exercise your rights in Personal Data using the mechanisms explained under “What Choices Do You Have About Your Personal Data?” above. If you initially consented to our processing of your Personal Data, you may withdraw your consent using those mechanisms or by contacting us using the contact information below.

For Enterprise/Business Customers Only
Sometimes McAfee products and services are offered through a third party such as an employer. In these instances, McAfee acts as a data processor and only processes Personal Data in line with instructions received from its customers.

Any requests relating to the exercise of individual rights in Personal Data processed as part of a service offered by a third party should be made by an authorized individual using the Individual Data Request Form available at https://www.mcafee.com/enterprise/en-us/about/legal/gdpr-data-request.html. If you require further information about the Personal Data processed by the McAfee offered through a third party, please contact your account manager.

Supervisory Authority and Complaints

If you are an EU/EEA Data Subject and have a concern about our practices concerning the processing of Personal Data that we are not able to resolve, you have the right to lodge a complaint with the data protection authority where you reside or in which you work, or in which the alleged infringement occurred, each as applicable, or by contacting the Irish supervisory authority for data protection issues, at https://www.dataprotection.ie/docs/Home/4.htm, or +353 57 868 4800.

Residents of Japan, Argentina, and Canada

If you are a resident of Japan, Argentina, or Canada and you have an inquiry regarding your personal information held by McAfee, including your personal information collected through your use of our products you may request further information using the Individual Data Request Form available at https://www.mcafee.com/enterprise/en-us/about/legal/gdpr-data-request.html.

Residents of California

Your California Privacy Rights - Shine the Light Law
McAfee does not share information that identifies you personally with non-affiliated third parties for their own marketing use without your permission.

California Consumer Privacy Act
If you are a resident of California, you may submit a request to exercise your rights in Personal Data using the Individual Data Request Form available at https://www.mcafee.com/enterprise/en-us/about/legal/gdpr-data-request.html. For purposes of the California Consumer Privacy Act, McAfee does not “sell” your Personal Data.

Residents of Nevada

McAfee does not sell information that identifies you personally with non-affiliated third parties. If you would like to make a request that we not sell identifying information about you in the future, you may make a request using the contact information below.

Links to Other Websites

Our Site and Services may contain links to other websites for your convenience and information. These websites may be operated by companies not affiliated with McAfee. Linked websites may have their own privacy policies or notices, which we strongly suggest you review if you visit those websites. We are not responsible for the content, privacy practices, or use of any websites that are not affiliated with McAfee.

Click here to contact us regarding this Privacy Notice or other related Privacy issues. You can also write to us as follows:

In the US by registered mail:
McAfee
Attn: Legal Department – Privacy Office
5000 Headquarters Drive
Plano TX 75024 USA

or call us at +1 (888) 847-8766

In the European Economic Area by registered post:
McAfee
Attn: Legal Department
2000 City Gate
Mahon
Cork
Ireland
T12 RRC9

or call us at +353 21 467 2000

In Japan by registered mail:
McAfee Co. Ltd.
Attn. Legal Department
Shibuya Mark City West,
Dougenzaka 1-12-1,
Shibuya-ku,
Tokyo, 150-0043 Japan

Online training plans.

Embark uses Training Peaks PTY Ltd to create and share training programs with our athletes. If the athlete requests their Data to be deleted on this platform, then the customer can log into their profile and remove STeve Attwell as their coach. The customers complete profile will be removed.

Date of Last Revision: January 7, 2019

TrainingPeaks, LLC ("TrainingPeaks", "we," or "us") is committed to protecting your privacy and utilizing technology that gives you a powerful and safe online experience. This Privacy Policy applies to the TrainingPeaks, LLC operated websites and applications, and governs data collection and usage.

If you have questions or concerns about our privacy policy or practices, please contact us in the first instance at privacy@trainingpeaks.com.

The websites www.trainingpeaks.com, summit.trainingpeaks.com, app.trainingpeaks.com, www.bestbikesplit.com, runwithhal.com, and all related mobile applications, (hereinafter "the Site") is owned and operated by TrainingPeaks, LLC ("TrainingPeaks", "we," or "us"). The Site provides athletic training and performance programs for endurance athletes and their coaches, and other related and supporting services offered by TrainingPeaks (the "Services").

Please read carefully through all sections of this Privacy Policy. This Privacy Policy may be changed by us from time to time and the governing version will be posted on the Site. We will notify you if we make material changes to the Privacy Policy or we will provide notice to you of our changes on our website landing page. Please review this Privacy Policy on a regular basis as your use of the Site will be governed by the then-current Privacy Policy.

TrainingPeaks recognizes the importance of protecting the privacy of our customers and the users of the Site. However, some uses of such information are required for us to conduct legitimate business by providing information of interest to our customers and the users of the Site.

What this Privacy Policy Covers

Unless otherwise provided herein, this Privacy Policy covers our treatment of Personal Data that we collect through your use of the Site and when you use Services provided on the Site. This policy does not apply to the practices of companies that we do not own and/or control or to people that we do not employ or manage.

Information Collection and Use

Through your use of the Services, we may collect the following "Personal Data" from you if you choose to provide it, including:

Your name, email, address and/or telephone number ("Contact Information").

Pages and products viewed, ads that you clicked on, emails from us that you opened, browser type, operating system, IP address and device information, your mobile operating system (OS), a mobile device identifier embedded by us, or other commonly used mobile device identifier if you access the Site on a mobile device ("Analytical Information").

Data imported into the Site from third parties such as your heart-rate, blood-pressure, or other physical response data you choose to import into the Site ("Third Party Data").

Your age/birth date, username, password, primary sport, gender, then-current weight, profile picture, athlete type, country, timezone, phone number, date format preference, coach name, authorized third-party app and device connections, threshold heart rate, maximum heart rate, resting heart rate, heart rate zones, threshold power, power zones, threshold speed, speed zones, daily calorie goal, bike name, bike brand, bike model, bike wheels, bike crank length, bike purchase date, bike start distance, bike notes, shoe name, shoe brand, shoe model, shoe purchase date, shoe start distance, shoe maximum distance, shoe notes, notification preferences, layout preferences, unique identifiers, primary sport, and/or coaching emphasis ("User Data").

If you choose to link your social media accounts to the Services, we may collect information related to your social media accounts ("Social Media Information").

We may also collect publicly available information about you from third-party sources, such as the postal service for shipping address verification.

We do not collect any more Personal Data from you than what we have determined is needed for us to provide the Services or that you have decided to share with us to personalize the Services, and to comply with applicable laws.

TRAININGPEAKS IS NOT A HEALTHCARE PROVIDER OR A BUSINESS ASSOCIATE OF ANY HEALTHCARE PROVIDER AND IS NOT SUBJECT TO THE PRIVACY RULE OF THE HEALTH INFORMATION PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA).

How Your Personal Data May Be Used

We may use Analytical Information to improve the performance or layout of our website; to develop new services and ideas; to target advertisements to you on the websites of others, and to better administer and troubleshoot our systems.

We use your Contact information for the following purposes:

Name - Your name is used for identification within the application and personalization of emails or notifications.

Email - Your email may be used for purposes of password reset assistance and transactional emails such as sales, payments, and recurring subscription processing.

Physical Address - TrainingPeaks requires billing address when collecting payment using a credit card. It is also possible to optionally store mailing address for each account via application settings, to help coaches manage their athletes.

Phone Number - TrainingPeaks requests phone number when creating a coach account so we can contact you for onboarding and education.

We use your User Data for the following purposes:

Unique Identifiers - We generate a unique identifier for your account as part of account creation in order to distinguish your data from other users within TrainingPeaks.

Age & Birth Month/Year - TrainingPeaks stores birth month/year (and calculates age from this data) to assist with training zone creation, improving accuracy of analysis and tracking for your workouts and training. This information is not required.

We use your User Data to provide you the Services. You may choose to provide more User Data to generate a more personalized experience and to maximize the functionalities of the Services.

We use your Social Media Information for the following purposes:

Social Media Information - Social Media Information is optionally stored at your discretion for blog post author bios and coach profile contact methods.

We may also use Contact Information, Third Party Data, User Data and other Personal Data to provide you the Services on the Site; to evaluate and improve the Services; to fulfill your requests for information; and to contact you about TrainingPeaks products or services and those of our affiliates, based on the preferences you have indicated.

We provide you the opportunity to consent to receive commercial email from us related to the Services or information that we deem you may be interested in when you seek more information from us. We will give you the opportunity to "opt out" of receiving any unsolicited information from us or to limit the unsolicited information you receive from us to information regarding the Services or information you specifically request or information we determine you may find useful as a result of your use of the Site.

Information Sharing and Disclosure

Except as otherwise described in this Privacy Policy, we will not share your Personal Data with any other person or company. We will share your Personal Data to other companies or people when:

We need to share your information to provide a product or service you have requested;

We need to send the information to companies who work on behalf of TrainingPeaks to provide a product or service to you. Unless we tell you differently, we only provide these companies the minimum amount of information that is necessary for them to assist us and these companies do not have any right to use the Personal Data we provide to them beyond what is necessary to assist us;

We find that your actions on our website violate the Terms and Conditions of Use, any of our usage guidelines for specific services or any agreement; and

As required to respond to or initiate subpoenas, court orders, or legal process.

Third Party Processors

To ensure that your Personal Data receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your Personal Data with to ensure that your Personal Data is treated by those third parties in a way that is consistent with and which respects the applicable laws on data security and privacy.

How long do we keep your information?

We will store your information for as long as you have an account with TrainingPeaks. We may keep records of transactions with you for a period of up to seven (7) years to comply with the IRS requirements.

Google Analytics

We use Google Analytics, a web analytics service provided by Google, Inc. Google Analytics uses Cookies or other tracking technologies to help us analyze how users interact with the Site and Services, compile reports on their activity, and provide other services related to their activity and usage. The technologies used by Google may collect information such as your IP address, time of visit, whether you are a returning visitor, and any referring website. The technologies used by Google Analytics do not gather information that personally identifies you. The information generated by Google Analytics will be transmitted to and stored by Google and will be subject to Google's privacy policies. To learn more about Google's partner services and to learn how to opt-out of tracking of analytics by Google, click here.

Use of Cookies

TrainingPeaks uses "cookies," a small text file transferred to your device, along with similar technologies (e.g., internet tag technologies, web beacons and embedded scripts) to help provide you a better, more personalized user experience.

The Options/Settings section of most internet browsers will tell you how to manage the cookies and other technologies that may be transferred to your device, including how to disable such technologies. You can disable our cookies or all cookies through your browser settings. Please be advised that disabling cookies through either method may impact many of the Site's features.

Instructions for blocking or allowing cookies in common web browsers are provided at the links below:

Internet Explorer

Firefox

Google Chrome

Apple Safari

Aboutcookies.org

We use the following cookies:

Strictly necessary cookies. These are cookies that are required for the operation of our websites. They include, for example, cookies that enable you to log into secure areas of our websites, use a shopping cart or make use of e-billing services.

Analytical/performance cookies. They allow us to recognize and count the number of visitors and to see how visitors move around our websites when they are using it. This helps us to improve the way our websites works, for example, by ensuring that users are finding what they are looking for easily.

Targeting cookies. These cookies record your visit to our websites, the pages you have visited and the links you have followed. We will use this information to make our websites and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

Cookie name Cookie Category Purpose

TPAUTH Strictly necessary Used to authenticate and track a logged-in user throughout our website and applications.

TOtosAgreed Strictly necessary Used to authenticate and track a logged-in user throughout our website and applications.

Google Analytics Analytical / Performance Used to track user activity over different browsing sessions.

AdRoll Targeting Used to track your use of the website and to send you targeted ads on the website or third-party website based upon the pages you have visited.

Google Tag Manager Analytical / Performance Used for event tracking to monitor user behavior.

Facebook Targeting Used for advertising and retargeting through Facebook.

We also allow third parties to place cookies on your device through the Services to:

Help us understand and improve how visitors use our websites, including which of our pages and products are viewed most frequently.

More effectively market our products and services and advertise other products and services that may be of interest to you.

Obtain your feedback on our products and the Services.

Allow you to engage in our social media offerings (e.g., clicking the "Like" button on our website).

The use of third-party cookies is not covered by our Privacy Notice. We do not have access or control over these cookies. If you continue to use our websites, we will assume you agree to the use of these cookies.

Interest-Based Ads

Unaffiliated third parties may use cookies and other technologies on our website to collect information about your online activities over time and across different websites you visit in order to provide you with interest-based advertising. You can generally opt-out of receiving interest-based advertisements from members of the Network Advertising Initiative or the Digital Advertising Alliance by visiting their opt-out pages: ( http://www.networkadvertising.org/choices/) and ( http://www.aboutads.info/choices/). When you opt-out using these links, please note that you may still receive advertisements. They just will not be personalized based on your interests.

Do Not Track

Some internet browsers incorporate a "Do Not Track" feature that signals to websites you visit that you do not want to have your online activity tracked. Given that there is not a uniform way that browsers communicate the "Do Not Track" signal, the Site does not currently interpret, respond to or alter its practices when it receives "Do Not Track" signals.

Security

We will take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction of your Personal Data, taking into due account the risks involved in the processing and the nature of the personal data. However, no electronic storage method or data transmission over the Internet can be guaranteed to be 100% secure.

Commitment to Children's Privacy

In compliance with the Children's Online Privacy Protection Act, 15 U.S.C., 6501-06 and 16 C.F.R., 312.1-312.12, the Site does not collect information from children under 16 years of age, and we do not intentionally collect information from persons under sixteen (16) years of age. Use of the Site is limited to users that are sixteen (16) years of age and older. By using the Site, you represent that you are sixteen (16) years of age or older.

Changes to this Privacy Policy

We reserve the right to change, modify or otherwise update this policy at any time. These changes or updates will be effective immediately. We may provide you notice of such changes when they are material, such notice may be given by posting on the Site, by electronic or conventional mail or by any other means by which you obtain notice of the changes or updates.

Policies of Other Websites

The Site may contain links to third-party websites not owned or controlled by TrainingPeaks. TrainingPeaks is not responsible for the privacy policies of any third-party websites which user may access through a third-party link. Further, these third-party websites may have privacy policies that differ from this Privacy Policy. TrainingPeaks disclaims all responsibility for the privacy practices of such other third-party websites. You should read the privacy policies of each third-party website you visit to determine what information each third-party website may be collecting about you and how they intend to use such information.

Notice to Utah Residents

Except as expressly identified below, we do not disclose a user's personal data to any third-party for such third-party's direct marketing purposes.

Notice to Nevada Residents

Nevada law allows Nevada residents to opt-out of the sale of certain types of personal information. Subject to a number of exceptions, Nevada law defines "sale" to mean the exchange of certain types of personal information for monetary consideration to a person for the person to license or sell the information to additional persons. We do not currently sell personal information as defined in the Nevada law. However, if you are a Nevada resident, you still may submit a verified request to opt-out of sales and we will record your instructions and incorporate them in the future if our policy changes. Opt-out requests may be sent to privacy@trainingpeaks.com.

Notice to Residents of the U.S. (Other than California) and Canada:

You may access Personal Data held by us about you, as well as information about how we are using your data and you can request that we rectify any inaccurate personal data held by us about you.

Notice to California Residents

The California Consumer Privacy Act (CCPA) requires that we provide California residents with a privacy policy that contains a comprehensive description of our online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of California residents regarding their personal information.

The CCPA defines "personal information" to mean information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include information that is publicly available, deidentified or aggregate information. For purposes of this "Notice to California Residents" section we will refer to this information as "Personal Information."

RIGHT TO KNOW ABOUT PERSONAL INFORMATION COLLECTED, DISCLOSED, OR SOLD

Your Right

If you are a California resident, you have the right to request that we disclose what Personal Information we have collected about you in the 12-month period preceding your request. This right includes the right to request any or all of the following:

Specific pieces of Personal Information that we have collected about you;

Categories of Personal Information we have collected about you;

Categories of sources from which the Personal Information was collected;

Categories of Personal Information that we sold (if applicable) or disclosed for a business purpose about you;

Categories of third parties to whom the Personal Information was sold (if applicable) or disclosed for a business purpose; and

The business or commercial purpose for collecting or, if applicable, selling Personal Information.

The CCPA defines "sell" to mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a California resident's Personal Information to another business or a third party for monetary or other valuable consideration.

How to Submit a Request to Know

You may submit a request to know at privacy@trainingpeaks.com.

Our Process for Verifying a Request to Know

If we determine that your request is subject to an exemption, we will notify you of our determination. If we determine that your request is not subject to an exemption, we will comply with your request upon verification of your identity and, to the extent applicable, the identity of the California resident on whose behalf you are making such request. Our verification process may differ depending on whether you maintain a password-protected account with us. If you maintain a password-protected account, we may verify your identity through existing authentication practices available through your account. Prior to disclosing the requested information, we will ask you to re-authenticate yourself with respect to that account. If you do not maintain a password-protected account, or if you are an account-holder but we suspect fraudulent or malicious activity with your account, we will verify your identity to a "reasonable degree of certainty" or a "reasonably high degree of certainty" using methods we have determined are reliable for the purpose of verifying identities depending on the sensitivity of the Personal Information and the risk of harm to you by unauthorized access. In addition, you may be required to submit a signed declaration under penalty of perjury stating that you are the individual whose Personal Information is being requested.

Collection of Personal Information

The following table presents the categories of Personal Information that we have collected, the categories of sources from which that information was collected, and the categories of third parties with whom we shared that Personal Information for the 12 months preceding the Effective Date of this Privacy Policy.

Categories of Personal Information Collected Categories of Sources from which Personal Information was Collected Business or Commercial Purpose for the Collection Categories of Third Parties with whom We Share Personal Information

Name Information provided by you when making a transaction or registering with the Site. To deliver products and services to you. To identify you as a user of the Services. Service providers

Postal address Information provided by you when making a transaction or registering with the Site. To deliver products and services to you. Service providers

Email address Information provided by you when making a transaction or registering with the Site. To communicate with you regarding a transaction and products you may be interested in. Service providers

Telephone # Information provided by you when using the Services. To communicate with you regarding the Services. Service providers

Physical Characteristics Information provided by you to access functionalities of the Services To provide you improved feedback and functionalities when using the Services. Service providers

IP Address We collect your IP address when you log into the Services To deliver products and services to you. Service providers

Customer Number, unique pseudonym, or user alias Information provided by you when using the Services. To identify you as the owner of the account and/or to process payments. Service providers

Geolocation We receive this information from your input, or by a third-party device linked to your account. To provide you improved feedback and functionalities when using the Services. Service providers

Image of face in photos You provide any images. To provide you the ability to personalize your account when using the Services Service providers

Gait patterns/rhythms We receive this information from your input, or by a third-party device linked to your account. To provide you improved feedback and functionalities when using the Services. Service providers

Sleep, health or exercise data We receive this information from your input, or by a third-party device linked to your account. To provide you improved feedback and functionalities when using the Services. Service providers

Gender You provide this information when using the Site. To provide you improved feedback and functionalities when using the Services. Service providers

Age You provide this information when using the Site. To provide you improved feedback and functionalities when using the Services. Service providers

Disability You may provide this information when using the Site. To provide you or your coach with improved feedback when using the Services. Service providers

Records of products or services purchased, obtained or considered Information we generate through your use of the Site and purchases made, and navigation of our Site. To determine our revenue and calculate taxes, to provide you a record of your transactions, and to determine products or services that may be of interest to you. Service providers

Purchasing or consuming histories or tendencies Information we generate through your use of the Site and purchases made, and navigation of our Site. To determine our revenue and calculate taxes, to provide you a record of your transactions, and to determine products or services that may be of interest to you. Service providers

Medical Conditions You may provide this information when using the Site. To provide you or your coach with improved feedback when using the Services. Service providers

Inference drawn from information above to create a user profile To provide you improved feedback and functionalities when using the Services. Service providers

RIGHT TO REQUEST DELETION OF PERSONAL INFORMATION

Your Right

If you are a California resident, you have the right to request that we delete the Personal Information about you that we have collected or maintain. However, a business is not required to comply with a request to delete if it is necessary for the business to maintain the Personal Information in order to, for example, complete a transaction, detect security incidents, comply with a legal obligation, or otherwise use the Personal Information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

How to Submit a Request to Delete

You may submit a request to delete by sending an email to privacy@trainingpeaks.com.

If you submit a request to delete online, you will be asked to confirm separately that you want your Personal Information deleted.

Our Process for Verifying a Request

If we determine that your request is subject to an exemption, we will notify you of our determination. If we determine that your request is not subject to an exemption, we will comply with your request upon verification of your identity and, to the extent applicable, the identity of the California resident on whose behalf you are making such request. Our verification process may differ depending on whether you maintain a password-protected account with us. If you maintain a password-protected account, we may verify your identity through existing authentication practices available through your account. Prior to deleting the Personal Information, we will ask you to re-authenticate yourself with respect to that account. If you do not maintain a password-protected account, or if you are an account-holder but we suspect fraudulent or malicious activity with your account, we will verify your identity either to a "reasonable degree of certainty" or a "reasonably high degree of certainty" depending on the sensitivity of the Personal Information and the risk of harm to you by unauthorized deletion.

If we are unable to verify your identity to the applicable standard, we will treat your request to delete as a request to opt-out of the sale of the personal information that you provided as part of processing the request to delete. See the following section for a description of the right to opt-out of the sale of personal information.

NOTICE OF RIGHT TO OPT-OUT OF SALE OF PERSONAL INFORMATION

Your Right

If you are a California resident, you have the right to direct a business that sells (or may in the future sell) your Personal Information to stop selling your Personal Information and to refrain from doing so in the future.

How to Submit a Request to Opt-Out

You may submit a request to delete by sending an email to privacy@trainingpeaks.com.

How We Process a Request to Opt-Out

We will act upon your request to opt-out within 15 days from the date that you submit the request. The CCPA does not require that we verify the identity of individuals who submit requests to opt-out of sales. However, we may deny the request if we have a good-faith, reasonable, and documented belief that the request is fraudulent. If we deny the request on this basis, we will notify the requesting party and provide an explanation why we believe the request is fraudulent.

RIGHT TO NON-DISCRIMINATION FOR THE EXERCISE OF A CALIFORNIA RESIDENT'S PRIVACY RIGHTS

We will not discriminate against California residents if they exercise any of the rights provided in the CCPA as described in this section "Notice to California Residents." As such, we will not deny goods or services to that California resident; charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; provide a different level or quality of goods or services to the California resident; or suggest that the California resident will receive a different price or rate for goods or services or a different level or quality of goods or services. However, we are permitted to charge a California resident a different price or rate, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by the individual's data.

AUTHORIZED AGENTS

California residents may use an authorized agent to submit a request to know, delete, or opt-out of sales on your behalf.

If you use an authorized agent to submit a request to know or request to delete, we may require that (1) the authorized agent provide proof of your written permission and (2) you verify your identity directly with us. These requirements do not apply if you have provided the authorized agent with a power of attorney pursuant to California Probate Code sections 4000 to 4465.

If you use an authorized agent to submit a request to opt-out of sales, you will need to provide that authorized agent with written permission to do so and submit written proof to us that the agent has been authorized to act on your behalf.

SHINE THE LIGHT LAW

We do not disclose personal information obtained through our Site or Services to third-parties for their direct marketing purposes. Accordingly, we have no obligations under California Civil Code 1798.83.

Accessibility

We are committed to ensuring this Privacy Policy is accessible to individuals with disabilities. If you wish to access this Privacy Policy in an alternative format, please contact us as described below.

Notice to Residents of Europe and the United Kingdom

TrainingPeaks recognizes the importance of protecting the privacy of our customers and the users of the Site. As such, we will always ensure that we have a lawful basis for processing your Personal Data.

OUR LEGAL BASIS FOR COLLECTING, STORING AND PROCESSING YOUR PERSONAL DATA

If you have subscribed to use the Site in order to obtain the Services, we collect, store and process your Personal Data out of a contractual necessity in order to provide you the Services.

In certain cases, we may store and process your Personal Data in order to comply with TrainingPeaks' legal obligations for record keeping and other compliance with laws or regulatory compliance.

The Personal Data we hold about you is processed by us on the basis of our legitimate interests in providing the Services. Based upon the type and amount of data we collect, we have made a determination that our legitimate interest in using such Personal Data is not outweighed by any detriment to you.

Under the GDPR, you have the following rights related to TrainingPeak's use of your Personal Data.

Number Description of your right

Right 1 A right to access personal data held by us about you, as well as information about how we are using your data.

Right 2 A right to require us to rectify any inaccurate personal data held by us about you.

Right 3 A right to require us to erase personal data held by us about you, and where the personal data has been made public, for other controllers processing the personal data to also erase links to, or copy or replication of, such personal data. This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 6 below).

Right 4 A right to restrict our processing of personal data held by us about you. This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you require the data for the purposes of dealing with legal claims.

Right 5 A right to receive personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organization, at your request

Right 6 A right to object to our processing of personal data held by us about you (including for the purposes of sending marketing materials to you).

Right 7 A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with marketing information about our services or products). If you have consented to receive communications from us, you can contact us at any time to have your details removed from lists used by us or to update your marketing preferences. Please email privacy@trainingpeaks.com and quote your email/telephone number/account number in the body of the email, telling us what you would like us to do. You can also: click "unsubscribe" on any of our emails, and we will ensure we don't send you any communications of this nature in future.

Privacy Shield Notice

We participate in and have certified our compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Framework ("Privacy Shield"). This Privacy Shield notice and the TrainingPeaks Privacy policy ("Privacy Policy", located at https://www.trainingpeaks.com/privacy/) define the privacy principles we follow with respect to Personal Data received from entities in the European Economic Area ("EEA") and Switzerland. TrainingPeaks is committed to subjecting all personal information received from EEA member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework to the Framework's applicable Principles for as long as we retain the personal information.

For more information about Privacy Shield, see the US Department of Commerce's Privacy Shield website at https://www.privacyshield.gov. To view TrainingPeaks' certification, please visit https://www.privacyshield.gov/list.

If your personal data is collected by TrainingPeaks via our website or via our services for our own account management, billing, or marketing purposes (e.g., as a customer of TrainingPeaks), this Privacy Policy explains how you may access or submit requests to review, correct, update, or delete personal data. We may limit or deny access to personal data when providing such access presents an unreasonable financial or labor burden, or as otherwise permitted by the Privacy Shield Principles.

If you are a subject whose data is stored by TrainingPeaks on behalf of one of our customers, you should contact that customer with your request. We will then assist that customer to fulfill your request in accordance with their instructions.

We may disclose Personal Data to trusted third parties as indicated in this Privacy Policy. TrainingPeaks requires that our agents and service providers that have access to Personal Data provide the same level of protection as those listed in the Privacy Shield Principles. We ensure that our agents process Personal Data received under Privacy Shield in a manner consistent with our obligations under the Privacy Shield, and we retain responsibility unless we can prove that we are not responsible for the breach. We may need to disclose Personal Data in response to lawful requests by public authorities, for law enforcement or national security reasons, or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.

The collection and use of data is essential to the value that we provide as a service, as well as improve on the services we provide.

TrainingPeaks does not disclose information to third parties outside of the reasons listed in this Privacy Policy. Should you disagree with any of the usages, transfers of your information as listed here, or any other reason, we offer you the following choices:

Opting out. You can refuse cookies or opt-out of communications as described in this Privacy Policy.

Requesting/Updating/Correcting/Removing Information. We describe the methods that you can employ to request, remove, or update your Personal Data in this Privacy Policy.

For the avoidance of doubt, if you wish to exercise your choice to be excluded from the onward transfer of information to third parties, or if you feel like your information will be used for purposes other than what it was intended for, please request the removal of your personal data from our servers as per this Privacy Policy.

Resolving Your Privacy Shield Complaints

In compliance with the Privacy Shield principles, TrainingPeaks commits to resolve complaints about our collection or use of your personal data. If you have an inquiry or complaint regarding this Privacy Shield Policy, please contact TrainingPeaks at privacy@trainingpeaks.com.

If the dispute involves personal data collected in the context of an employment, agent, or sub-contractor relationship, we will cooperate with competent EU data protection authorities and comply with the advice of such authorities. In the event that we or such authorities determine that we did not comply with the Privacy Shield requirements, we will take appropriate steps to address any adverse effects and to promote future compliance. Further, any of our employees who are found to have violated the Privacy Shield Policy will be subject to disciplinary process.

Within the scope of this Privacy Policy, if a privacy complaint or dispute cannot be resolved through TrainingPeaks, LLC's internal processes, TrainingPeaks, LLC has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.

Under certain circumstances, you may also invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission. Please see the Privacy Shield website for more information on conditions giving rise to binding arbitration (https://www.privacyshield.gov/article?id=G-Arbitration-Procedures).

TrainingPeaks is subject to the investigatory and enforcement powers of the US Federal Trade Commission ("FTC").

Questions

If you have any questions or comments about these Terms of Use or this Site, please contact us by email at privacy@trainingpeaks.com. You also may write to us at:

TrainingPeaks

Attn: Privacy

7007 Winchester Circle

Suite 200

Boulder, CO 80301