PRIVACY STATEMENT

Last updated on July 13, 2020

INTRODUCTION

Efficient Collaborative Retail Marketing Company, LLC (together with its affiliates, "ECRM", "we", "us", and "our") respects individual privacy and values the confidence of its clients, customers, employees, and business partners. ECRM complies with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, lawfulness of processing, notice, choice, onward transfer, security, access, rectification, erasure, portability and enforcement required under applicable laws, rules and regulations, including the GDPR.

This Privacy Statement (the "Statement") sets forth the privacy principles that ECRM follows.

SCOPE

This Statement applies to personal data received by ECRM in any format, including electronic, paper, or verbal.

PRIVACY PRINCIPLES

The privacy principles of ECRM are:

Lawfulness, Fairness, and Transparency
When ECRM collects personal data, it will be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

Purpose Limitation
When ECRM collects personal data, it will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data Minimization
When ECRM collects personal data, it will be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy
When ECRM collects personal data, it will be accurate and, where necessary, kept up to date; reasonable steps will be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without unreasonable delay.

Storage Limitation
When ECRM collects personal data, it will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and Confidentiality
When ECRM collects personal data, it will take measures designed to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Lawfulness of Processing
Any and all processing will be done lawfully. ECRM will process personal data only if and to the extent that at least one of the following applies: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the data controller is subject; (4) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and (6) processing is in the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

INFORMATION COLLECTED

As you interact with ECRM, there may be opportunities for you to provide us with your information. Additionally, we may collect certain information about you as further described below.

You may provide us with information about you through a number of sources: ECRM websites, applications, tradeshows, events, surveys, social media platforms, sweepstakes entries, and through our customer contact centers. We also receive information about you through third party event coordinators where you have registered for certain services.

The types of information that ECRM collects about you may include, but are not limited to:

HOW WE USE AND DISCLOSE INFORMATION

We use and disclose personal information you provide to us as described to you at the point of collection. We also use and transfer personal information from or about you:

In addition, we use and disclose personal information as we believe to be necessary or appropriate: (a) as permitted by applicable law, including laws outside your country of residence; (b) to comply with any legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our website Terms of Use; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

We also use and disclose information that is not in personally identifiable form (such as anonymized, masked or de-identified information) for any purpose. If we combine information that is not in personally identifiable form with information that is (such as combining your name with your geographical location), we will treat the combined information as personal information as long as it is combined.

CHOICE

ECRM will give individuals the opportunity to affirmatively and explicitly consent (opt in) to the disclosure of certain sensitive personal data to a third party or the use of the personal data or sensitive personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. ECRM will provide individuals with readily available, affordable and reasonable mechanisms to exercise their choices.

Your California Privacy Rights

The California Consumer Privacy Act of 2018 (“CCPA”) grants California residents certain rights in regards to our collection of their personal information. These rights include:

In the preceding 12 months, we have shared personal information for business purposes as described above in this Statement. In the preceding 12 months, we have not sold any personal information.

California residents may exercise these rights by submitting a verifiable request to us using the Contact Information set forth below or by calling 877-378-0808. We do not discriminate against a consumer because the consumer has exercised any of these rights.

Additionally, under California's "Shine the Light Law", California residents who provide personal information in obtaining products or services for personal, family, or household use are entitled to request and obtain from us once a calendar year information about the customer information we shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year. To obtain this information on behalf of ECRM, please send an email message to privacy@ecrm.marketgate.com with "Request for California Privacy Information" on the subject line and in the body of your message. We will provide the requested information to you at your email address in the response. Please be aware that not all information is covered by the "Shine the Light " requirements and only information on covered sharing will be included in our response.

SECURITY

ECRM will take reasonable steps to protect the personal data in its possession from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and will take precautions with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent its alteration and damage or access by non-authorized third parties. ECRM has put in place technical, physical, and organizational procedures and security measures designed to safeguard and secure the personal data from destruction, loss, alteration, unauthorized access or disclosure, or other forms of unauthorized or unlawful processing commensurate with the risks posed by the particular type of processing, the nature of the personal data and in accordance with applicable law and guidelines, if any, promulgated by authorities having jurisdiction therefor, and taking into consideration the cost of implementing such measures. ECRM cannot guarantee the security of personal data on or transmitted via the Internet.

ECRM will comply with the General Data Protection Regulation (“GDPR”) and other applicable local laws, rules and regulations with respect to data breach disclosure and notification.

ACCESS

Upon request by the individual, if required by applicable law, ECRM will grant individuals reasonable access to their personal data. Such access will include: (1) confirmation as to whether or not personal data concerning him or her are being processed; (2) the purposes of the processing; (3) the categories of personal data concerned; (4) the recipients or categories of recipient to whom the processing data have been or will be disclosed, in particular recipients in third countries or international organizations; (5) if possible, the period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (6) the existence of the right to request from ECRM rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (7) the right to lodge a complaint with a supervisory authority; (8) information about the source of the data, if not directly from the data subject; (9) whether the personal data will be subject to automated processing, including profiling and, if so, the logic and potential consequences involved; and (10) if the data is transferred to a third country or international organization, information about the safeguards that apply.

RECTIFICATION

If the data subject requests, their personal data collected by ECRM will be corrected and incomplete personal data completed based on information provided by the data subject. Where necessary, ECRM will take steps to validate the information by the data subject to ensure that it is accurate before amending it.

ERASURE

If the data subject requests, their personal data collected by ECRM will be erased without undue delay provided that one of the following applies: (1) the personal data are no longer necessary for the purposes for which they were collected; (2) the data subject withdraws consent and there is no other legal ground for processing; (3) the data subject objects to the processing of the personal data; (4) the personal data have been unlawfully processed; (5) the personal data have to be erased for compliance with a legal obligation of ECRM; or (6) where the personal data was relevant to the data subject as a child.

PORTABILITY

If the data subject requests, their personal data collected by ECRM will be provided to them in a structured, commonly-used and machine readable or the personal data transferred to another party.

ENFORCEMENT

ECRM will use a self-assessment approach to verify compliance with this Statement and periodically verify that the Statement is accurate, comprehensive for the information intended to be covered, prominently displayed, implemented and accessible, and in conformity with this Statement.

ECRM encourages interested persons to raise any concerns using the contact information provided in this Statement. ECRM will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal data in accordance with this Statement. Any employee of ECRM that ECRM determines is in violation of this Statement will be subject to disciplinary action up to and including termination of employment.

ECRM will (1) provide recourse to data subjects with respect to enforcement of this Statement; (2) provide follow up procedures for verifying that the attestations and assertions ECRM has made about its privacy practices are true; and (3) remedy problems arising from the failure of ECRM to comply with this Statement.

INTERNATIONAL DATA SUBJECTS

While this Statement applies to personal information generally, the local laws, rules and regulations of jurisdictions that are applicable to ECRM ("Local Laws") may require standards which are stricter than this Statement and, in such event, ECRM will comply with applicable Local Laws. Specific privacy policies may be adopted to address the specific privacy requirements of particular jurisdictions. Your personal information may be stored and processed in any country where we have facilities or service providers. Irrespective of which country your personal data is transferred, we would only share your personal data under a "need to know" basis. In these circumstances we will, as required by applicable law, ensure that your privacy rights are adequately protected by organizational, technical, contractual and/or other lawful means.

EU Data Subjects

In the European Economic Area and Switzerland ("EU"), "Personal Data" is defined very broadly and includes any information about a natural person, who can be identified, directly or indirectly, from data that we hold about them or from data that is combined with other information. EU data protection law requires us to have a legal basis before processing any Personal Data about you. The legal basis for us processing your Personal Data for the above purposes may be because: (i) you have provided your consent; (ii) it is necessary to for the performance of a contract with you; (iii) the processing is necessary for our compliance with a legal obligation; or (iv) the processing is in our legitimate interests. Personal Data regarding individuals who reside in a member state of the EU is controlled by ECRM Europe BV and processed on its behalf by ECRM. To the extent provided by applicable law, you may withdraw any consent you previously provided to us, or object at any time on legitimate grounds, to the processing of your Personal Data. In some circumstances, withdrawing your consent to ECRM's use or disclosure of your Personal Data will mean that you cannot take advantage of certain ECRM products or services.

We may transfer your Personal Data outside the EU to the United States or any country that ECRM or its service providers may have operations. Such countries do not have the same data protection laws as the EU. While the European Commission has not given a formal decision that such countries provide an adequate level of data protection similar to those which apply in the EU, any transfer of your personal information will be subject to a European Commission approved contract (as permitted under the General Data Protection Regulation) that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. To obtain a copy of the such safeguards please contact us.

Under the General Data Protection Regulation you have a number of important rights free of charge. In summary, those include rights to:

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner's Office (ICO) on individuals rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

If you would like to unsubscribe from any email newsletter you can also click on the unsubscribe button at the bottom of the email newsletter. It may take a few days for this to take place.

How to Complain

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live, or where any alleged infringement of data protection laws occurred.

DISPUTE RESOLUTION

In compliance with this Statement, ECRM commits to resolve complaints about the privacy, collection and use of personal data. Persons with inquiries or complaints about this Statement are encouraged to first contact ECRM.

CHANGES TO THIS STATEMENT

This Statement may be amended from time to time, consistent with the requirements of applicable law. A notice will be posted by ECRM on ECRM’s Internet website located at https://ECRM.MarketGate.com when this Statement is changed.

OTHER POLICIES

ECRM has other policies that may be applicable to personal data including the website Privacy Policy.

CONTACT INFORMATION

If you have any questions about this Statement, please contact us via one of these methods:

by phone please call (440) 498-0500 (Monday to Friday, 8am - 5pm EST);

or by e-mail at privacy@ecrm.marketgate.com;
or please write to the following address:

Attn: Privacy Compliance
Efficient Collaborative Retail Marketing Company, LLC
27070 Miles Road, Suite A
Solon, OH 44139