Effective date: 11/30/2022

Carbon Arc Corporation and its affiliates (collectively, “Carbon Arc,” “we,” “us,” or “our”) respect the privacy of the visitors to our digital properties, the individuals whose personal information we collect, purchase or receive from third-party sources, and the users of our products and services.  We are committed to protecting individuals’ privacy through our compliance with this Global Privacy Policy.  We have created this Global Privacy Policy to inform you of our practices in relation to the collection, use, and disclosure of personal information as well as the rights and choices you have associated with that information.

This Global Privacy Policy describes how Carbon Arc collects, stores, receives, uses, and safeguards personal information when you use our website at https://www.carbonarc.co/ (the “Site”), when we obtain data sets that may contain your personal information, and through any other websites, pages, features or content owned and operated by Carbon Arc that direct to this Privacy Policy (collectively, the “Services”).

By using our Services, you understand and agree that collection and use of your personal information will be made in accordance with this Privacy Policy.  If you do not feel comfortable with any part of this Privacy Policy, please discontinue use of the Services or engaging with Carbon Arc immediately, or contact us to be removed from our systems.

This Global Privacy Policy consists of:

• this front section, which sets out the general guiding principles applied by Carbon Arc when processing personal information;
• an addendum for personal data that (i) originates from or (ii) is processed in the European Union, United Kingdom, Iceland, Liechtenstein, Norway, and Switzerland (the “EU Addendum”); and
• an addendum for personal information that (i) originates from or (ii) is processed in California  (the “CA Addendum”).

With respect to personal data processed in or from the EEA (as defined below) or UK (as defined below), the EU Addendum shall apply, which contains important additional information about the processing by Carbon Arc of personal data originating from or processed in those countries. *However, please note that Carbon Arc does not presently process personal data originating from or processed in the EEA and/or the UK.

With respect to personal information processed in or from California, the CA Addendum shall apply, which contains important additional information about the processing by Carbon Arc of personal information originating from or processed in California.

TABLE OF CONTENTS

Section 1:  Scope

Section 2: Updates to this Global Privacy Policy

Section 3: Definitions

Section 4: Collection of Personal Information

Section 5: Categories of Personal Information Collected

Section 6: Purposes of the Processing

Section 7: Privacy Principles

• Notice and Consent
• Data Integrity
• Data Access Control, Policy Application and Audits
• Disclosure and Transfer to Third Parties
• Cross-Border Transfers Originating from the EEA or UK
• Cross-Border Transfers Not Originating from the EEA or UK
• Security
• Governance

Section 8: Tracking Technologies

Section 9: Access, Correction and Deletion of Your Personal Information

Section 10: Communications Preferences

Section 11: Children’s Privacy

Section 12: Contact Us 

EU Addendum

California Addendum

This Global Privacy Policy applies to any and all forms of “processing” (as defined below) of personal information in any format or medium.

We may update this Global Privacy Policy from time to time as we update or expand our Services. If we make material changes, we will post the updated Global Privacy Policy on this page with a “Last Updated” effective date of the revisions. We encourage you to look for updates and changes to this Global Privacy Policy by checking this page when you access our Services. If you have any questions about this Privacy Policy, please reach out to us anytime at privacy@carbonarc.co or as described in the contact information included within the “Contact Us” section below.

For purposes of this Global Privacy Policy, the following definitions shall apply:

“European Economic Area” or “EEA” means the Member States of the European Union plus Iceland, Liechtenstein, Norway, and Switzerland.

“Personal information” or “personal data” means any information or set of information, whether alone or in combination with other personal information , processed by Carbon Arc, which is sufficient to identify an individual. The definition of personal information (used interchangeably in this Global Privacy Policy with the term “personal data”) depends on the applicable law based on your physical location. Only the definition that applies to your physical location will apply to you under this Global Privacy Policy. Personal information does not include information that is anonymous, nor does it include publicly available information that has not been combined with non-public personal information. For personal data originating from or processed in the EEA and/or UK, personal data shall have the meaning given to it in the EU Addendum. For personal information originating from or processed in California, personal information shall have the meaning given to it in the CA Addendum.

“Processing” shall mean any operation or set of operations that is performed upon personal information or sets of personal information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction and the verb “to process” shall be construed accordingly.

“UK” means The United Kingdom of Great Britain and Northern Ireland.

As used in this Global Privacy Policy, “Carbon Arc” means Carbon Arc Corporation and its affiliates.

Personal data may be collected whenever Carbon Arc:

• purchases or otherwise acquires a data set;
• interacts with individuals who are prospective and existing customers/suppliers;
• interacts with individuals who are representatives or contact persons of prospective and existing customers/suppliers that are legal entities (e.g. for the selling/ordering of products or for marketing related purposes); or
• uses public databases to acquire information.

Carbon Arc may collect or otherwise acquire:

• basic identification information, such as name, title, position, company name, device ID, email and/or postal address and the fixed and/or mobile phone number;
• financial information (e.g., credit card information);
• demographic information;
• information regarding the status of direct marketing emails (e.g. not delivered, delivered, opened); and
• any additional information voluntarily provided by an individual, including geolocation and other data (e.g. by filling in a form or downloading an application and agreeing to the collection of data through the application).

This information may either be directly provided by the above individuals, provided by the legal entity for whom they work, and/or provided to Carbon Arc by a data vendor.

Carbon Arc, and service providers, vendors or processors acting on its behalf, process personal information for a specific purpose and only process the personal information that is relevant to achieve that purpose.

We process personal information to:

• undertake sales and procurement activities relating to our products and services;
• market our products and services;
• administer our customers and suppliers (e.g. user registration, account opening, credit checks);
• manage and enhance the relationship with our customers and suppliers;
• supply our products and services to our customers;
• prepare and manage contracts with our customers and suppliers;
• measure consumer interest in our various products and services;
• improve our existing products and services (or those under development) by means of customer and non-customer surveys, statistics and tests, or requesting feedback on products and services;
• improve the quality of services taking into account preferences in terms of means of communication (phone, email, etc.) and frequency;
• monitor activities at our facilities, including compliance with applicable policies as well as security, health and safety rules in place;
• manage and monitor our IT resources, including infrastructure management & business continuity;
• manage our archiving and records;
• track our activities (measuring sales, number of calls, etc.);
• preserve the company’s economic interests;
• reply to an official request from a public or judicial authority with the necessary authorization; and
• manage legal and regulatory requirements, defend our legal rights and prevent and detect crime, including regular compliance monitoring.

When processing personal information, Carbon Arc shall follow these principles:

• Notice and consent

Carbon Arc endeavors to collect, purchase, and/or use only personal information that has been collected in accordance with applicable notice and consent requirements. This includes notice and consent requirements related to (i) the purposes for which the collector collects and uses the personal information, (ii) the types of third parties to which the collector discloses (or may disclose) that personal information, and (iii) the choices and means the collector offers the subjects of the personal information for limiting the use and disclosure of their personal information.

Unless permitted by applicable law, no personal information is collected, purchased, or otherwise processed by Carbon Arc without first obtaining either (i) the consent of the individual for the collection, use and disclosure of that personal information or (ii) an enforceable contractual warranty or representation from the source of the personal information that such personal information has been collected in accordance with applicable notice and consent requirements. In some circumstances the consent for Carbon Arc to collect personal information may arise from the nature of the relationship between Carbon Arc and an individual or company, or an individual’s or company’s interaction with Carbon Arc, such as by using a Carbon Arc website or engaging in a transaction with Carbon Arc.

Carbon Arc, and third parties on its behalf, shall only use personal information for its business, products, and research purposes.

We may collect personal information from you directly, such as when you provide us information voluntarily or when information is collected automatically about your use of our Services (such as traffic data, IP address, system information and log file data), or we may collect the information indirectly, such as through a relationship with a business partner or data vendor.

The information that you voluntarily may provide to us includes contact information, information you provide by filling in forms that we make available, information you provide when you report an issue with our Site, or records or copies of your correspondence (including email addresses) if you contact us.

We may receive information about you from other sources and combine that information with the personal information we collect directly from you.   In addition, we may purchase data from our data vendor partner(s), and analyze that data using advanced statistical methods, so as to provide reports for our customers to run targeted advertising campaigns by activating audiences through third parties. We rely on contractual assurances that specifies that the personal information is disclosed by the business pursuant to any legally required consents and only for limited and specified purposes, and to provide the same level of privacy protection as is required by this policy.

• DATA INTEGRITY

Subject to any stricter requirements under applicable law, Carbon Arc will endeavor to use personal information only in ways that are compatible with the purposes for which the personal information was collected or in ways that are authorized by law. Carbon Arc will endeavor to take reasonable steps to ensure that personal information is relevant to its intended use.

We will retain your personal information only for as long as is necessary for the purposes set out in this Global Privacy Policy. We will retain and use your personal information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data or the information you provided to us to comply with applicable laws), resolve disputes and enforce our legal agreements and policies. We will retain your marketing contact information until you unsubscribe from our marketing communications. We will also retain Services usage data for internal analysis purposes.

• DATA ACCESS CONTROL, POLICY APPLICATION, AND AUDITS

Carbon Arc implements access controls and in-house personal information management for the purpose of (i) controlling and monitoring employee access to personal information; (ii) masking, redacting, and deleting personal information when required by this Global Privacy Policy or applicable law; and (iii) auditing access to and use of personal information by employees.

• DISCLOSURE AND TRANSFER TO THIRD PARTIES

Carbon Arc may share masked/redacted personal information with customers and Carbon Arc and/or its customers may use personal information in connection with targeted advertising campaigns in accordance with applicable laws.

We may disclose personal information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Services users is among the assets transferred. You agree to and do hereby consent to our assignment or transfer of rights to your personal information.

We may also share personal information with our customers, subsidiaries and affiliates in order to provide our Services and to take actions based on your requests or the request of our customers, as well as for the purpose of management and analysis. 

We may employ other companies and individuals to facilitate our Services, provide services on our behalf, perform service-related business activities, or assist us in analyzing how our Services are used.  Such third-party service providers, vendors and processors include:

• our IT service providers, cloud service providers and database providers;
• our consultants, suppliers and service providers that assist Carbon Arc in promoting and marketing its products and services; store and analyze the personal data; conduct user and consumer ratings, reviews and surveys; communicate with individuals on Carbon Arc’s behalf; process and fulfill transactions; and as otherwise necessary to provide promotional communications or services to customers.

We may disclose your information if we believe that the disclosure is required by law, if we believe that the disclosure is necessary to enforce our agreements or policies, in response to valid requests by public authorities (e.g., a court or a government agency), or if we believe that the disclosure will help us protect the rights, property, or safety of Carbon Arc or our customers.

We may disclose your personal information for any purpose with your consent.

• CROSS-BORDER TRANSFERS ORIGINATING FROM THE EEA/UK

For personal information originating from or processed in the EEA and/or UK, please refer to the EU Addendum. Please note that Carbon Arc is not presently in the business of processing personal data originating from or processed in the EEA and/or the UK.

• CROSS-BORDER TRANSFERS NOT ORIGINATING FROM THE EEA/UK

Because Carbon Arc may conduct business in many countries, personal information collected by Carbon Arc in one country may be processed in another country, the laws of which may provide different levels of protection from those in the country where the personal information was first collected. personal information gathered in one country may be subject to access by and disclosure to law enforcement agencies of jurisdictions other than the country where the personal information was first collected. As noted above, Carbon Arc also may share personal information with customers or with organizations and entities that perform services on its behalf, and these customers, organizations, and entities may be located in countries other than the country in which the personal information was first collected.

Carbon Arc will endeavor to obtain appropriate and reasonably enforceable assurances from third parties, including its data vendors, customers, subsidiaries and affiliates, to which it discloses or transfers personal information that these third parties safeguard personal information in a manner consistent with this Global Privacy Policy. When Carbon Arc becomes aware that a third party is using or disclosing personal information in a manner contrary to this Global Privacy Policy, Carbon Arc will endeavor to take reasonable steps to prevent or stop such use or disclosure. To the extent applicable law requires an individual’s consent before disclosing personal information to third parties, Carbon Arc will endeavor to obtain either (i) a legally enforceable representation from the applicable data vendor or other data source that consent has been received with respect to such personal information or (ii) the consent of the individual prior to such transfer. There may be circumstances where Carbon Arc is required to transfer personal information without obtaining prior consent, including (i) where required by a court order; (ii) where Carbon Arc believes, upon reasonable grounds, that it is necessary to protect the rights, privacy, or safety or property of a person or group of persons; (iii) where it is necessary to establish or collect monies owing to Carbon Arc or to complete a transaction with a third party; (iv) where it is necessary to permit Carbon Arc to pursue available remedies or limit any damages Carbon Arc may sustain; or (v) where the information is public.

• SECURITY

Carbon Arc has implemented reasonable measures designed to secure the personal information we hold from accidental loss and from unauthorized access, use, alteration, and disclosure.

The safety and security of your information also depends on you. Where you have chosen a password for access to certain parts of our Services, you are responsible for keeping this password confidential. You should not share your password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we strive to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Service. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Services.  If you believe that any of your personal information held by Carbon Arc has possibly been compromised, please contact us immediately as described in the “Contact Us” section below.

• GOVERNANCE

Carbon Arc will regularly review compliance with this Global Privacy Policy. Except to the extent otherwise prohibited by applicable law, any Carbon Arc employee, associate or contractor that Carbon Arc determines is in violation of this Global Privacy Policy will be subject to appropriate disciplinary action up to and including termination of employment or engagement.

We may use cookies, embedded scripts, software development kits (“SDKs”), mobile advertising identifiers (“MAIDs”), and other similar tracking technologies (collectively, “Tracking Technologies”) to measure consumer interest in our various products and services and collect additional personal information automatically as you interact with the Services and to personalize your experience with our Services.  We also may use these technologies to collect information about your online activities over time and across third party websites or other online services.

Cookies are small web files that a site or its provider transfers to your device’s hard drive through your web browser that enables the site’s or provider’s server to recognize your browser and remember certain information.  We use first-party and third-party cookies for the following purposes: to make our Services function properly, to improve our Services, to make login to our Site or Services easier (such as by remembering your User ID), to recognize you when you return to our Site, to track your interaction with the Site, to enhance your experience with the Site, to remember information you have already provided, to collect information about your activities over time and across third party websites or other online services in order to deliver content and advertising tailored to your interests; and to provide a secure browsing experience during your use of our Site.  The length of time a cookie will stay on your browsing device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay on your browsing device until they expire or are deleted.

Your browser may provide you with the option to refuse some or all browser cookies. You may also be able to remove cookies from your browser. You can exercise your preferences in relation to cookies served on our Site by taking the steps outlined below.

• First-Party Cookies. You can use the browser with which you are viewing this Site to enable, disable or delete cookies. To do this, follow the instructions provided by your browser (usually located within the “Help”, “Tools” or “Edit” settings). Please note, if you set your browser to disable cookies, you may not be able to access secure areas of the Site. Also, if you disable cookies other parts of the Services may not work properly. You can find more information about how to change your browser cookie settings at http://www.allaboutcookies.org.
• Third-Party Cookies. To opt-out of third-party advertising networks and similar entities that use advertising cookies go to http://www.aboutads.info/choices. Once you click the link you may choose to opt-out of such advertising from all participating advertising companies or only advertising provided by specific advertising entities. For more information about third-party advertising networks and similar entities that use these technologies, please see http://www.aboutads.info/consumers.

We do not control third parties’ collection or use of your information to serve interest-based advertising.  You can decide whether to accept cookies. If you do not want us to deploy cookies in your browser, you may exercise your preference by modifying your web browser setting to either (1) refuse some or all cookies, or (2) notify you and ask for your permission when a website tries to set a cookie. If you want to learn the correct way to modify your browser settings, please use the “Help,” “Tools” or “Edit” menu in your browser or review the instructions provided by the following browsers:

• Google Chrome
• Mozilla Firefox
• Microsoft Internet Explorer

If you disable or remove cookies, some parts of the Services may not function properly. Information may still be collected and used for other purposes, such as research, online services analytics or internal operations, and to remember your opt-out preferences.

We may work with a third-party provider(s) and use MAIDs, including Apple’s “IDFAs,” Android’s “AAIDs,” and Google’s “GAIDs.” We, along with our third-party providers, may use MAIDs to measure marketing campaigns, value ads, find new app users, and segment users, or aggregate access to ads.  We may use this information to assist our customers in making better business decisions by developing customized dashboards relevant to their specific business process.  For example, if our customer is interested in evaluating consumer preference data, like who attends their sports events, in which stadium, or what food or drink they have purchased, etc., we may gather the data of users who opted-in for the personal data collection into a database so that if our customers want to re-target specific audiences, we can run an analysis on the data/device panel and send the MAIDs to our third-party provider(s) to run the campaign. 

You have the right to access, correct, and delete your personal information that you directly shared with us on our Services or through other means.  We are committed so that your personal information is kept accurate and up to date. However, it is up to you to update it with any changes. You may also notify us via the information in the “Contact Us” section below to request access to, or to correct any personal information that you have provided to us. We may not accommodate a request to delete or change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

If you no longer wish to have your personal information processed, you may request that we delete your personal information, subject to certain limitations, by contacting us as described below.

In order to provide service to you, we may send you communications related to your transactions, security, or the administration of this website. From time to time, we may also send you other messages or updates about Carbon Arc, our website, and our other products and offerings. If you do not wish to receive non-transaction or security-related communications from us, you may opt-out by clicking the “unsubscribe” link in the communication or by contacting us as specified in the “Contact Us” section below.

Please note that “opt-out” and “unsubscribe” requests may not take effect immediately and may take a reasonable amount of time to receive, process and apply, during which time your information shall remain subject to the prior privacy settings.

Carbon Arc Services are not directed toward children under the age of 18, and we do not knowingly collect any personal information from children under the age of 18. If a child under 18 provided our Services with personal information, we ask that a parent or guardian contact us as described below so that we may promptly delete the child’s information from our records.

Questions or comments about this Global Privacy Policy should be submitted to privacy@carbonarc.co.

This CA Addendum supplements the front section of the Carbon Arc Global Privacy Policy for personal information belonging to residents of the State of California.  As it relates to personal information processed in or from California residents, in the event of any contradictions between the front section of this Global Privacy Policy and the CA Addendum, this CA Addendum will have precedence.

The California Consumer Privacy Act (the “CCPA”), applicable in the State of California as of January 1, 2020, provides additional rights to Consumers in the State of California with regard to the information Carbon Arc gathers about them.   

Consumer: For purposes of this California Addendum, a Consumer is a natural person who is a California resident, as defined in Section 17104 of Title 18 of the California Code of Regulations. Information about a person relating to their status as an employee or prospective employee, or as a participant in a business-to-business relationship or transaction, will be considered information about a Consumer within the meaning of the California Privacy Rights Act (the “CPRA”), which becomes effective on January 1, 2023.

Personal Information: For purposes of this California Addendum, Personal Information means any information covered by the definition of “Personal Information” under the CCPA and CPRA.  Specifically, personal information shall mean any information, except Publicly Available personal information, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  It includes, but is not limited to:

• Identifiers, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
• Characteristics of protected classifications under California or federal law
• Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
• Biometric information
• Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with a website, application or advertisement
• Geolocation data
• Audio, electronic, visual, thermal, olfactory, or similar information
• Professional or employment-related information
• Education information, defined as information that is not publicly-available Personally Identifiable Information as defined in the Family Educational Rights and Privacy Act
• Inferences drawn from any of this information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Publicly Available Information: Publicly Available information is personal information that is lawfully made available from federal, state, or local government records.

CALIFORNIA RIGHTS

California Consumers have certain rights under the CCPA & CPRA, which Carbon Arc will endeavor to comply with as required. These include:

• Right of Disclosure:  Individuals have a right to obtain information regarding personal information gathered about them over the past 12 months, the types of sources from which the personal information was obtained, the purposes for which the information was gathered, and the types of third parties with which the personal information was shared or to whom it was sold.
• Right of Access: Upon verifiable request, and within periods set by applicable law, individuals have a right to reasonable access to the personal information that is held about them, provided that he or she establishes that he or she is  the person whose personal information is requested. Companies may deny such access where the denial is permitted by applicable law and every request received by Carbon Arc from an individual will be assessed on a case-by-case basis.  In the event a request is denied, Carbon Arc will notify the individual in writing regarding the reasons for the denial. 
• Right of Correction:  Individuals have a right to correct or amend personal information that is demonstrated to be inaccurate or incomplete.
• Right of Deletion:  Individuals have a right to request and obtain the deletion of personal information that a company has gathered about him or her, except to the extent applicable law permits or requires a company to maintain that information.
• Do Not Sell Information:  Carbon Arc does not knowingly obtain or process any personal information that was not obtained in accordance with the CCPA and/or CPRA.  In furtherance thereof, Carbon Arc seeks to routinely obtain legally enforceable representations and warranties from its data vendors that any personal information contained in a data set purchased or licensed by Carbon Arc was lawfully obtained.

NON-DISCRIMINATION

Carbon Arc will not discriminate against Consumers who exercise their rights under California law. However, Carbon Arc may offer financial incentives for the collection, sale, or deletion of personal information.  Any such offer will reasonably relate to the value of the personal information.  Participation by individuals in such a financial incentive program requires prior opt-in consent, which may be revoked at any time.  

INDIVIDUAL RIGHTS

Access to Specific Information and Data Portability Rights – Subject to certain exceptions, if you are a California resident you have the right to request a copy of the personal information that we collected about you during the 12 months before your request. Once we receive your request and verify your identity, we will disclose to you:

• The categories of personal information we have collected about you;
• The categories of sources for the personal information we have collected about you;
• Our business or commercial purpose for the information collection;
• The categories of third parties with whom we share that personal information; and
• The specific pieces of personal information we collected about you.

Deletion Request Rights – You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.

Exercising Access, Data Portability, and Deletion Rights –To exercise the access, data portability, and deletion rights described above as a California resident, please submit a verifiable consumer request to us by contacting us as described in the “Contact Us” section.

Use of an Authorized Agent to Submit a Request – Only you or a person you formally authorize to act on your behalf, may make a verifiable consumer request related to your personal information as a California consumer.  If you use an authorized agent to submit such a request, we will require written proof that the authorized agent has been authorized to act on your behalf or a copy of the power-of-attorney document granting that right. 

Direct Marketing — If you are a California resident, you can request a notice disclosing the categories of personal information we have shared with third parties for the third parties’ direct marketing purposes. To request a notice, please submit your request by email to privacy@carbonarc.co.

ADDENDUM FOR PERSONAL INFORMATION ORIGINATING FROM OR PROCESSED IN THE EUROPEAN ECONOMIC AREA AND/OR UK (“EU ADDENDUM”)

This EU Addendum supplements the front section of the Carbon Arc Global Privacy Policy for personal data originating from or processed in the European Economic Area (“EEA”). As it relates to personal data processed in or from the EEA and/or UK, in the event of any contradictions between the front section of this Global Privacy Policy and the EU Addendum, this EU Addendum will have precedence.  *Please note that Carbon Arc dos not presently process personal data originating from or processed in the EEA and/or the UK.

The purpose of this EU Addendum is to provide the information required under the General Data Protection Regulation, applicable in the EEA as from May 25, 2018 (as amended from time to time, the “GDPR”), including:

• why and how the relevant Carbon Arc entity collects, processes and stores personal data originating from or processed in the EEA and/or UK;
• what its role as “controller” of such personal data involves; and
• what our obligations are in relation to this processing.

DEFINITIONS

For the purposes of this EU Addendum, the following definitions shall apply:

“Controller” generally means the legal entity that determines the purposes (i.e. why) and the means (i.e. how) of the processing of personal data under this EU Addendum.

“Personal data” or “personal data” means any information that constitutes “personal data” under the GDPR, namely any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processor” means a natural or legal person that processes personal data on behalf of the Controller. Carbon Arc’s processors may be Carbon Arc subsidiaries, affiliates or third-party suppliers and service providers.

CONTROLLER

When we mention “Carbon Arc,” “we,” “us,” or “our” in this addendum, we are referring to the relevant Carbon Arc legal entity that determines the purposes and means of processing personal data under this EU Addendum, Carbon Arc Corporation.

COLLECTION OF PERSONAL DATA

In relation to EEA/UK residents, personal data may be collected as set forth in Section 4 of the Global Privacy Policy. However, as stated above, Carbon Arc does not presently process personal data originating from or processed in the EEA and/or the UK.

CATEGORIES OF PERSONAL DATA COLLECTED

In relation to EEA/UK residents, Carbon Arc may collect or otherwise acquire personal data as set forth in Section 5 of the Global Privacy Policy. However, as stated above, Carbon Arc does not presently process personal data originating from or processed in the EEA and/or the UK.

PURPOSES OF THE PROCESSING

In relation to EEA/UK residents, if Carbon Arc, and Processors acting on its behalf, process personal data, such processing will be for a specific purpose and only such parties will only process the personal data that is relevant to achieve that purpose, as set forth in Section 6 of the Global Privacy Policy.

LEGAL BASIS OF THE PROCESSING

Carbon Arc is not allowed to process personal data without a valid legal ground. Therefore, Carbon Arc will only process personal data if:

• Carbon Arc has obtained prior consent or a legally enforceable warranty or representation from a data vendor that prior consent has been obtained. You can withdraw your consent at any time by contacting us as described in the “Contact Us” section of the Global Privacy Policy;
• the processing is necessary to perform our contractual obligations towards an individual or to take pre-contractual steps at an individual’s request;
• the processing is necessary to comply with our legal or regulatory obligations (e.g. tax or accounting requirements); or
• the processing is necessary for the legitimate interests of Carbon Arc and does not unduly affect an individual’s interests or fundamental rights and freedoms. When processing personal data on this basis, Carbon Arc seeks to maintain a balance between our legitimate interests and the privacy of individuals.
  
  Examples of such ‘legitimate interests’ are:
  • to offer our products and services to our customers or prospective customers;
  • to enhance our products and services;
  • to benefit from cost-effective services (e.g. Carbon Arc may decide to use certain platforms offered by external suppliers to process data);
  • to better manage and administer the relationships with customers and their data;
  • to enhance the quality of services to customers by taking into account their preferences in terms of means of communication (phone, e-mail, etc.) and frequency;
  • to measure customers’ interest in Carbon Arc products and gain a better understanding of customer interaction with the marketing emails, including by performing statistical and other research and analysis of data with respect to the status of the emails (e.g. not delivered, delivered, opened);
  • to enable Carbon Arc to offer advertising and offers tailored to its customers so that Carbon Arc can market its products better;
  • to prevent fraud or criminal activity, misuses of our products or services, as well as the security of our IT systems, architecture and networks;
  • to sell any part of our business or its assets or if substantially all of our assets are acquired by a third party, in which case personal data could form part of one of the assets Carbon Arc sells; and
  • to meet our corporate and social responsibility objectives.

THIRD-PARTY RECIPIENTS

Carbon Arc may transfer personal data to its subsidiaries and other affiliates. We may also disclose personal data to third-party business partners or service providers.  Such other companies will either act as another controller or only process personal data on behalf of us and pursuant to our instructions (thereby acting as a Processor).

Such third-party Processors include:

• our IT service providers, cloud service providers and database providers;
• our consultants, suppliers and service providers that assist Carbon Arc in promoting and marketing its products and services; store and analyze the personal data; conduct user and consumer ratings, reviews and surveys; communicate with individuals on Carbon Arc’s behalf; process and fulfill transactions; and as otherwise necessary to provide promotional communications or services to customers.

Personal data may also be disclosed to:

• any third party to whom we assign or novate any of our rights or obligations under a relevant agreement;
• any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request; and
• any central or local government department and other statutory or public bodies.

TRANSFERS OUTSIDE THE EEA/UK

The personal data transferred within or outside Carbon Arc may also be processed in a country outside the EEA/UK.

If Carbon Arc itself (as opposed to a data vendor with whom Carbon Arc has a contractual relationship) transfers personal data outside the EEA/UK, Carbon Arc will enter into EU standard contractual clauses approved by the European Commission prior to such transfer to ensure the required level of protection for the transferred personal data.

PERSONAL DATA RETENTION

Carbon Arc will retain personal data for as long as necessary to fulfill the purposes for which Carbon Arc collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

The criteria Carbon Arc uses to determine retention periods for personal data include: the purposes for which the personal data is collected, legal statutory limitation periods, retention periods imposed by law, applicable contractual requirements and relevant industry standards.

INDIVIDUAL RIGHTS

Under certain circumstances, by law you have the right to:

• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you.
• Request correction of the personal data that we hold about you.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party), or where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal information about you.
• Request the transfer of your personal data to another party, when possible.
• Not be subject to automated decision-making producing legal or significant effects on an individual, which we do not engage in.

To exercise any of these rights, please contact us as set forth in the “Contact Us” section below and specify which GDPR privacy right(s) you wish to exercise.  We must verify your identity in order to honor your request, which we will respond to within 30 days of receipt.

If you have any issues with our compliance, you have the right to lodge a complaint with an EEA supervisory authority (link). We would, however, appreciate the opportunity to first address your concerns and would welcome you directing an inquiry first to us per the “Contact Us” section.