Compliance

Our goal is to provide everything your legal team needs. Contact support@rb2b.com with questions.

Privacy FAQs For Retention.com Customers

We know the landscape of privacy compliance and laws is evolving and changing at a rapid pace. We work hard not only to keep pace with these laws, but also to provide information and solutions for our customers to do so as well.

Thus, we provide the below answers to common questions that our customers ask – we hope you find them useful, and we are always available to confer with our customers about privacy and compliance solutions.

1. Question: Does GDPR apply to Retention.com?

No. Our database of personal information only contains profiles that have been matched to US home addresses, and we use IP ringfencing to only resolve US traffic. In legal-speak, we do not have a product that is intentionally or deliberately focused on providing marketing intelligence to the European or U.K. market.

2. Question: What about U.S. state privacy laws, like the California CCPA and CPRA, and similar laws in Colorado, Virginia, Connecticut and other states? Do those apply to me, and what do they require?

These state laws may apply to you, if you handle substantial amounts of data, have sufficient revenue, and have consumers in the relevant states.

These laws provide consumers a number of rights, and require a variety of disclosures. For instance, California law requires:

  • Website disclosures to indicate that you’re “sharing” personal information – which under California law means that you’re engaging in behavioral or “cross-contextual” advertising, such as our service or other types of retargeting. You can learn more about these disclosures at https://oag.ca.gov/privacy/ccpa/iconsdownload, and other linked pages.
  • Also, a way for consumers to “delete” or “access” the data you have about them.
  • And sometimes, particular contractual terms that apply to your “third parties” or “service providers.” (We provide template terms that do this, which we also describe below.)
  • You should also describe in your privacy policy how you use your customer’s information, and your website cookies, to advertise and market. We have provided recommended language to insert into your privacy policy below. (We of course advise that you talk to your own privacy counsel – our recommendations aren’t a substitute for customized legal advice that you might require.)

“When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or online profiles. We (or service providers on our behalf) may then send communications and marketing to these emails or profiles. You may opt out of receiving this advertising by visiting https://app.retention.com/optout”.

3. Question: How does Retention.com help its customers comply with California’s privacy laws (CCPA/CPRA), and similar state privacy laws?

Retention.com provides a consumer “opt out” page, which its customers can easily link to, at https://app.retention.com/optout. We also provide a Data Protection Addendum, as required by some state privacy laws, which sets out the parties’ respective rights and obligations under those laws. As noted above, we also provide sample language for our customers to insert into their privacy policy, which describes our service.

4. Question: Am I required to comply with the CCPA/CPRA, and other state laws?

You might not be. These laws don’t apply to every company – each of them contain “small business” exemptions, that in many (not all) cases exempt companies below a particular revenue threshold. In California, for instance, many companies with under $25 million in revenue are not subject to most of the California “CCPA” and “CPRA” privacy requirements. (But even if these laws don’t apply, some companies implement privacy disclosures and consumer choice options, to ensure transparency to consumers, and simply for consumer courtesy reasons.)

5. Question: So, is Retention.com “permission-based” marketing?

The objective of Retention.com is to help companies market to consumers who have shown interest in their products. We consider that interest-based marketing. It’s also true that consumers in our database have agreed to provide their information for third party marketing, as a general matter – and many consider that “permission-based” as well.

But even with an “opt-in” at our disposal, we still think it’s important that consumers whose data we release have shown interest in a brand, generally by visiting their website, placing a product in their cart, or some similar activity. Consumers who have done that have shown a level of interest and trust in a brand, product or service, and are unlikely to be put off by a continuation of that marketing conversation.

6. Question: We try to be legally conservative – we don’t like getting consumer complaints and want to be “privacy-forward.” Anything else I should do to comply with privacy laws and consumer expectations?

As we’ve noted above, some customers include a website banner notice, to explain to their site visitors in a robust way how data cookies and technologies are used for marketing. Thus, we provide recommended language for these customers to use, and also to insert into their privacy policies (see #2).

7. Who can answer any additional privacy questions that we (or our lawyers) may have?

You can contact our support any time at support@retention.com. We also have outside privacy counsel available to consult with your own attorney, regarding contracting, privacy and disclosure matters.

Data Services Agreement

1. SERVICES

1.1 Subject to the terms of this Data Services Agreement (the “Agreement”), Company will use commercially reasonable efforts to provide Customer with the services described in the order form (the “Services”). As part of the registration process, Customer will identify an administrative username and password for Customer’s Company account. Your use of the services via the administrative account will be governed by the terms found here: https://retention.com/terms-of-use/.

1.2 Company hereby grants Customer a non-transferrable, non-sublicensable, non-assignable (except as set forth herein), world-wide, non-exclusive, limited license to access, store and use the Output Data for Customer’s own marketing purposes and internal purposes for the Term. Following the Term, Customer shall not be required to delete the Output Data, and Company shall grant Customer a perpetual, non-transferrable, non-sublicensable, non-assignable (except as set forth herein) license to continue to access, store, retain and otherwise use the Output Data for Customer’s own marketing purposes.

2. RESTRICTIONS

2.1 Customer will not, directly or indirectly: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation, or data related to the Services including without limitation Output Data (“Software”); (ii) copy, modify, translate, save or create derivative works based on the Services, or any Software (except to the extent expressly permitted by Company or authorized within the Services); (iii) use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third party; or (iv) remove any proprietary notices or labels. Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Company shall also be responsible for maintaining the security of the Equipment and any Customer accounts or passwords (including administrative and user passwords). Customer agrees to delete the Software, including any and all component parts thereof, including the Output Data, upon the expiration of this Agreement.

3. CONFIDENTIALITY; PROPRIETARY RIGHTS; CUSTOMER DATA; DATA SECURITY; DATA USAGE

3.1 Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Company includes non-public information regarding features, functionality and performance of the Service. Proprietary Information of Customer includes non-public data provided by Customer to Company to enable the provision of the Services, including suppression files (“Customer Data”) and otherwise proprietary information obtained by Company or its employees in the performance of this Agreement, including information related to the business activities of Customer, information about the individual users of the Services and their use of the Services, and information that is confidential to the Customer’s clients or to third parties to which the Customer owes a duty of confidentiality. The Receiving Party agrees: (i) to take commercially reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information. 
The Disclosing Party agrees that the foregoing shall not apply with respect to any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party without breach of any agreement or obligation of confidentiality, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law, statute, rule, a regulator or regulation, court order or legal process, provided that the Receiving Party promptly informs the Disclosing Party of any such requirement (unless prohibited by applicable law from so notifying the Disclosing Party) and discloses no more information than is so required. At the request and option of the Disclosing Party, and in any event upon termination or expiration of this Agreement, the Receiving Party shall promptly return, or destroy or permanently erase, all Proprietary Information in the possession or control of the Receiving Party.

3.2 Customer shall own all right, title and interest in and to the Customer Data, as well as any data that is based on or derived from the Customer Data and provided to Customer as part of the Services. Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Onboarding Services that do not contain, and are not based on any reference to any Customer Data, and (c) all intellectual property rights related to any of the foregoing. All Output Data and technology and data, methodologies and technology used to create and deliver it (including pixel tags and underlying code used to deliver the Services) shall (as between Customer and Company) remain the exclusive property of Company.

3.3 Company and Customer shall each implement and maintain reasonable and appropriate administrative, technical, physical, and organizational safeguards designed to: (i) ensure the security and confidentiality of the Customer Data, and Services; (ii) protect against any anticipated threats or hazards to the security or integrity of the Customer Data, and Services; and (iii) protect against unauthorized or unlawful access to or use of the Customer Data, and Services and against accidental loss or destruction of, or damage to, the Customer Data, and Services. Company shall promptly notify Customer of any unauthorized access to any Customer Data, and Services and of any other breaches of security and shall reasonably cooperate with Customer to ensure that Customer is not negatively affected by any such occurrences or to mitigate the effects of same on Customer. No rights or licenses are granted except as expressly set forth herein. Company will cooperate with any law enforcement authorities or court order requiring the disclosure of Customer Data provided that (to the extent permissible under law) Company will provide at least 5 days’ notice to Customer prior to providing any Customer Data in response to a subpoena or other legal process.

3.4 Notwithstanding anything to the contrary, and subject to Section 3.2, Company shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including information concerning Customer Data and data derived therefrom), and Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. Customer hereby grants to Company (on a worldwide, perpetual, and royalty-free basis) all rights, licenses and permissions necessary to effectuate the foregoing. In the interest of clarity, Company may not, and never will, use Customer Data to add to, “bulk up”, or expand its own databases that are used to produce the Output Data. Customer Data shall remain segregated from the databases used to produce the Output Data. Additionally, we will never share the Customer Data with your competitors or any of our other customers.

3.5 To the extent that Company acts and exercises its privileges with respect to personal information collected pursuant to the preceding section 3.4, each party (Customer in providing and Company in receiving such personal information) is (a) an independent “business” pursuant to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), and (b) an independent “controller” pursuant to the respective state laws that recognize a distinction between data “controllers” and data “processors.” As to Company’s collection of personal information pursuant to that section, the provisions of the CPRA regulations governing “third parties,” set forth in section 7052 of such regulations, shall apply. Without limitation of other requirements of such regulations, Customer shall in a timely manner provide Customer with the respective personal information of all California residents who have “opted out” of the sale of their personal information, or requested “deletion” of their personal information, where Customer has previously provided such personal information to Company.

3.6 To the extent that Company receives and handles personal information for the purpose of providing its Services set forth in Exhibit A, Company is (a) a “service provider” to Customer pursuant to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) and (b) a “processor” pursuant to the respective state laws that recognize a distinction between data “controllers” and data “processors.” As to Company’s collection of personal information as a “service provider” or “processor,” Company shall handle personal information received from Customer pursuant to the provisions set forth in Section 7050 of the CPRA regulations. Notwithstanding the foregoing (and as further described in Exhibit A), as to data collected through pixel tags on Customer Properties (as defined in Exhibit A), including Cookie Data (as defined in Exhibit A), Company is a “business” or “controller” with respect to such data, in that it is deploying or processing such information (or instructing others as to such deployment or processing) for purposes of cross-contextual advertising.

3.7 The Software may be subject to US export control laws, including the US Export Administration Act and its associated regulations. Licensee will not directly or indirectly, export, re-export, or release the Software to, or make the Software accessible from, any country, jurisdiction or Person to which export, re-export, or release is prohibited by applicable Law. Licensee will comply with all applicable Laws and complete all required undertakings (including obtaining any necessary export license or other governmental approval) prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the US.

3.8 Customer and Company both additionally agree to the limitations and restrictions on data usage described in Exhibit A – Data Usage Terms.

4. PAYMENT OF FEES

4.1 Customer will pay Company the fees described in the Order Form for the Services (the “Fees”). When you sign this Agreement, the payment method indicated on your Order Form will be charged for the full amount due (the “Initial Payment”), as detailed on your Order Form, plus any applicable taxes. This Initial Payment is equivalent to your first monthly subscription cost and will apply to your first full month of Services. Your subscription will be billed as an upfront monthly payment, meaning invoices will be generated on the first day of each billing cycle and will cover the Services period for your first month of Service following the completion of the onboarding period.

4.2 Thereafter, Company shall bill through an invoice, and full payment for invoices must be received by Company within thirty (30) days after Customer’s receipt of such invoice. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower. Should your payment(s) be more than 30 days late, you will be liable for all of our expenses of collection, including reasonable attorneys’ fees we expend in collection efforts. In such event, we may additionally terminate your access to the Services immediately.

5. TERM AND TERMINATION

5.1 Subject to earlier termination as provided below, this Agreement is for the Service Term as specified in the Order Form. In addition to any other remedies it may have, either party may also terminate this Agreement upon written notice if the other party materially breaches any of the terms or conditions of this Agreement and does not cure such breach within thirty (30) days of receipt of written notice explaining the breach in reasonable detail. Customer will pay in full for the Services up to and including the last day on which the Services are provided, and Company shall refund to Customer the pro rata unused portion of any prepaid fees for the remainder of the Term. Upon any termination, Company will make all Customer Data available to Customer for electronic retrieval for a period of thirty (30) days. All sections of this Agreement which by their nature should survive termination will survive termination, including accrued rights to payment, confidentiality obligations, warranty disclaimers, indemnification obligations and limitations of liability.

6. WARRANTY

Company represents and warrants that (i) subject to this Agreement, it has all rights, licenses, consents and authorizations necessary to grant the rights and licenses granted in this Agreement; (ii) the Services delivered under this Agreement will operate substantially in conformity with its documentation; and (iii) the Services do not contain, and will not transmit to Customer or its systems, any viruses, Trojan horses, time bombs, or any other code, programs or mechanisms that disrupt, delete, harm, or otherwise impede the operation of computer systems. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption.

7. INDEMNITY

7.1 Customer shall indemnify, defend and hold Company, its agents, Affiliates, suppliers and licensors harmless from any claim, costs, losses, damages, liabilities, judgments and expenses, including reasonable fees of attorneys and other professionals (each a “Claim”), arising out of or in connection with any allegation by a third party that Customer has used the Services (including, without limitation, the Output Data) in a manner that violates any law, or failed to properly disclose or obtain any legally required consents for the Services such as in any online privacy policy or other required notice. Company shall indemnify, defend and hold Customer, its agents, Affiliates, and licensors harmless from any claim, costs, losses, damages, liabilities, judgments and expenses, including reasonable fees of attorneys and other professionals (each a “Claim”), arising out of or in connection with any allegation by a third party that the Services violate any intellectual property right held by any third party.

7.2 To seek indemnification hereunder, the indemnified Party must (i) promptly notify the indemnifying Party in writing of the Claim; (ii) grant the indemnifying Party sole control of the defense (except that the indemnified Party may, at its own expense, assist in the defense); and (iii) provide the indemnifying Party, at the indemnifying Party’s expense, with all reasonable assistance, information and authority reasonably required for the defense of the Claim. In no event shall the indemnifying Party enter into any settlement or agree to any disposition of the indemnified claim(s) which imposes any materially new obligation on the indemnified Party (beyond requiring compliance with applicable law) without the prior written consent of the indemnified Party.

8. DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY

COMPANY DOES NOT WARRANT (AND EXPRESSLY DISCLAIMS ANY WARRANTY) THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY (AND EXPRESSLY DISCLAIMS ANY WARRANTY) AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. THE SERVICES, THE SOFTWARE, THE OUTPUT DATA, AND THE ONBOARDING SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. NOTWITHSTANDING ANYTHING TO THE CONTRARY AND EXCEPT FOR ANY LIABILITY ARISING OUT OF A PARTY’S CONFIDENTIALITY OR INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT OR ANY FRAUD, GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY SHALL BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; OR FOR ANY DIRECT DAMAGES IN EXCESS OF THE FEES PAID BY CUSTOMER TO COMPANY IN THE PRIOR 12 MONTHS, IN EACH CASE, WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9. INJUNCTIVE RELIEF

Customer acknowledges that its breach of the “Resale Restriction” in the Data Usage Terms at Exhibit B would result in irreparable harm and significant injury to Company, which would be difficult to ascertain. In the event of such a breach, Company therefore shall have the right to seek (in addition to and without exclusion of other remedies available to it at law or in equity) immediate injunctive relief, without posting bond; Company likewise shall be entitled to reimbursement from Client for reasonable attorneys’ fees and costs where Company is a prevailing party in any such action.

10. MISCELLANEOUS

Subject to Customer’s approval, which shall not be unreasonably withheld, Company may use Customer’s name and logo in its promotional materials, including without limitation, on its website. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by either party except with the other party’s prior written consent, provided however that either party may, without such consent, assign this Agreement (which shall be inclusive of all obligations and privileges herein) to any successor in interest to such assignor that has acquired all or substantially all stock or assets in assignor. Any other purported assignment will be void. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind Company in any respect whatsoever. The words “including” or “includes” mean including or includes (as applicable) without limitation or restriction. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified mail, return receipt requested.
Notices to Customer shall be addressed as described above. This Agreement shall be governed by the laws of the State of Texas without regard to its conflict of laws provisions. Any claim or action brought by one of the parties in connection with this Agreement will be brought in the appropriate Federal or State court located in the County of Texas and the parties irrevocably consent to the exclusive jurisdiction of such court.

Data Usage Terms

1. Definitions

(a) “Customer Propert(ies)” means each website owned and operated by Customer from which Cookie Data is collected.
(b) “Cookie Data” means information collected from Customer Properties by Company (or by a vendor to or partner of Company) in order for Customer to receive the Services.
(c) “Input Data” means any and all customer information that Customer provides or makes available to Company in order to receive the Services. “Input Data” includes Cookie Data.
(d) “Output Data” means any data that Company provides to Customer.

2. Proprietary Rights

All Output Data and technology and data and technology used to create and deliver it shall remain the exclusive property of Company. The Input Data shall remain the exclusive property of Customer; for avoidance of doubt, Company shall have no rights to use, model or create any product with the Input Data except to provide the Services.

3. Data Usage

Without limitation of the foregoing, Company shall only use the Input Data as set forth herein or as otherwise requested by Customer. Without limitation of the foregoing, Customer shall not use the Output Data or any other portion of the Services in violation, or to facilitate the violation, of any law, regulation or agreement to which it is a party, including, without limitation and to the extent applicable, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the General Data Protection Regulation (Regulation (EU) 2016/679) (to the extent applicable), the Fair Credit Reporting Act (FCRA), and the CAN-SPAM Act. Customer further represents and warrants that it shall in a legally sufficient manner disclose how it collects and employs the personal information it handles, including with respect to the Input Data and Output Data, and that it shall not use the Output Data in any manner that violates its own privacy policy or applicable laws. Any party that accepts and enters into this Agreement on behalf of Customer represents and warrants that such party has the authority, the rights, and the capacity to legally bind Customer to the terms herein.

4. Restrictions

The Output Data may be used solely for Customer’s own internal business or marketing purposes. Customer may not sell, lease, sublicense, rent or provide to any other party the Output Data (in whole or in part) or a functionally equivalent derivative of the Output Data, or create any service from the Output Data (the “Resale Restriction”). If Customer wishes to resell the Services or the Output Data, Customer may contact Company, and any such resale or relicensing shall be negotiated under a separate agreement. Customer shall not use the Services (including, without limitation, any Output Data) to advertise, sell, or promote products or services relating to or promoting: (i) libelous speech, (ii) illegal activities, (iii) pornography, (iv) tobacco products (including e-cigarette products), (v) weapons, including firearms of any type or ammunition, (vi) hate speech directed against any societal group, including where based on race, ethnicity, religion, heritage, sexual orientation, gender status or nation of origin, (vii) products that violate copyrights or trademarks, (viii) credit repair products, (ix) the sale of particular “pink slip” or over-the-counter stocks, (x) the sale of “psychic” or “astrology” services, or promotion of sweepstakes, or (xi) any product or service that is illegal in the place in which it is offered or delivered. Customer shall not send emails using the Services (including, without limitation, any Output Data) unless such emails contain and respect a valid and working “unsubscribe” from sender option, identify the sender as required under the CAN-SPAM Act, and are non-fraudulent.
Should Company provide wireless phone numbers to Customer, Customer shall be solely responsible for compliance with all laws related to the use of such phone numbers, including without limitation (a) the Telephone Communication Protection Act (TCPA), (b) the FTC Telemarketing Sales Rule, (c) the Telemarketing Consumer Fraud and Abuse Prevention Act, and (d) all federal and state laws and regulations regarding the use of telephone numbers, including compliance with state and federal “do not call” registries and restrictions. Customer represents and warrants that the Input Data does not and will not contain any information subject to (a) HIPAA (the Health Insurance Portability and Accountability Act), (b) GLBA (the Gramm-Leach-Bliley Act), (c) COPPA (the Children’s Online Privacy Protection Act), (d) GDPR (the General Data Protection Regulation) or (e) FCRA (the Fair Credit Reporting Act), absent further agreement and implementation of necessary documentation by the Parties. For avoidance of doubt, the foregoing restriction includes (without limitation) Customer’s placement of a pixel tag (to generate Cookie Data) on a site, where doing so would render such Cookie Data subject to the foregoing laws. Company shall act solely as a “service provider” or “processor” under respective and applicable state laws.

5. Privacy Policy

Customer shall clearly and conspicuously maintain on each of the Customer Properties privacy notices that (i) comply with all applicable privacy laws; (ii) provide an adequate description of the manner in which online behavioral data from visitors to the Customer Properties (including data regarding website visits) is used, collected, and shared in order to facilitate the applicable Services; and (iii) provide a manner for website visitors to opt-out of the Services, including a link to the opt-out located at https://app.getemails.com/optout. In some jurisdictions, a web banner may also be required or recommended as a means to provide additional, robust notice. Customer acknowledges that Company recommends the following disclosure (or substantively similar language) for insertion in Customer’s online privacy policy and/or any such notice banner:

“When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or online profiles. We (or service providers on our behalf) may then send communications and marketing to these emails or profiles. You may opt out of receiving this advertising by visiting https://app.retention.com/optout”.

The above is without qualification or limitation of any other required legal disclosures Customer may be required to make. Company may provide notice of additional recommended policies or language at https://retention.com/support/update-privacy-policy/, and by email notice. Notwithstanding any recommendations provided by Company (including the above), Customer understands that Customer has sole responsibility for ensuring that its privacy disclosures are sufficient and complete, and that it should consult with its own privacy counsel regarding implementation and disclosure of data and marketing practices including the Services.

6. Important FCRA Restrictions

Customer is not a consumer-reporting agency as defined by the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”) and the Services (including the Output Data and any reports comprising a part of the Services) do not constitute “Consumer Reports,” as that term is defined in the FCRA. Customer will not use or provide the Services (including, without limitation, the Output Data) for any purposes enumerated in the FCRA in lieu of obtaining a Consumer Report, which shall include without limitation, the following uses: (i) in connection with establishing a consumer’s eligibility for credit or insurance to be used primarily for personal, family or household purposes, or in connection with assessing risks associated with existing credit obligations of a consumer; (ii) for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee; (iii) for any tenancy verification or in connection with any application to rent real property; (iv) in connection with a determination of a consumer’s eligibility for a license or other benefit that depends on an applicant’s financial responsibility or status; (v) as a potential investor or servicer, or current insurer, in connection with a valuation of, or assessment of credit or prepayment risks associated with, an existing credit obligation; (vi) in connection with any information, service or product sold or delivered to a “Consumer” (as that term is defined in the FCRA) that constitutes or is derived in substantial part from a Consumer Report or for any other purpose under the FCRA. Customer will not use or provide Customer services or data (vii) for the preparation of a Consumer Report or in such a manner that may cause such data to be characterized as a Consumer Report. Customer will not take any “Adverse Action” (as that term is defined in the FCRA), which is based in whole or in part on the Services, against any Consumer.

7. Data Protection Addendum

The parties may enter into a Data Protection Addendum (DPA), which upon execution shall be incorporated into and deemed a part of the Agreement.

Data Protection Addendum (“DPA”)

The foregoing Data Protection Addendum (“Addendum”) shall be incorporated into the [_] (the “Agreement”) entered into on or about [] between [__________] (“Customer”) and GetEmails, LLC (d.b.a Retention.com) (“Vendor”) (each a “Party” and together the “Parties”), upon the signature of each Party.

1. Definitions. For purposes of this DPA:

  1. “Data Protection Law(s)” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, each as amended from time to time, including without limitation, to the extent applicable: the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (as amended by the California Privacy Rights Act of 2020, together the “CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act and related regulations (“CPA”), the Utah Consumer Privacy Act (“UCPA”), and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CPDPA”), collectively, “U.S. Privacy Laws”; and any applicable privacy law that draws a distinction between a data “controller” and a data “processor.” For the avoidance of doubt, if a Party’s activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
  2. “Cookie Data” has the meaning ascribed to it in the Agreement.
  3. “Customer Data” means “Customer Data” or “Input Data” described in the Agreement.
  4. “Consumer” has the meaning ascribed to it in Applicable Privacy Laws.
  5. “Output Data” has the meaning ascribed to it in the Agreement.
  6. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.
  7. “Personal Data” means (i) any information relating to an identified or identifiable individual, within the meaning of applicable Data Protection Law; (ii) any other information constituting “personal information” as such term is defined in the CCPA (regardless of whether the CCPA applies); and (iii) any other information constituting nonpublic personal information within the meaning of the GLBA (regardless of whether the GLBA applies).
  8. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  9. “Services” means the Vendor Services described in the Agreement.
  10. “Subprocessor” means any Vendor affiliate or subcontractor engaged by Vendor for the Processing of Personal Data.
  11. The terms “Business,” “Consumer,” “Controller,” “Data Subject,” “Processor,” “Share,” “Sell,” “Service Provider,” and “Third Party” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.” “Data Subject” is deemed to include “Consumer.”
  12. Capitalized terms not otherwise defined herein will also have the meaning set forth in the Agreement.

2. Scope and Roles of Parties.

  1. This DPA applies both to the Personal Data that Vendor receives from Customer and the Personal Data that Vendor provides to Customer.
  2. In light of the various categories of Personal Data processed in order to provide the Services, Data Protection Laws ascribe different roles to each Party based on the categories and functions of such Personal Data. For purposes of this DPA and the Agreement:

    i. When processing or handling the Customer Data (for instance, email addresses received from Customer, for use in email marketing), Vendor acts as a Service Provider. For avoidance of doubt, the Customer Data is employed for the purpose of selecting and suppressing the scope of the set of email recipients;

    ii. When processing or handling Cookie Data, Vendor acts as a Third Party and an independent Controller, such Cookie Data being employed in order to generate cross-contextual or cross-channel behavioral advertising, as between digital and email environments.

    iii. When processing, handling or licensing Output Data, each Party acts as an independent Controller when and to the extent that such Output Data is in its possession or control. The provisions set forth in Section 5 apply to the Output Data.

3. Customer’s Instructions to Vendor With Respect to the Customer Data.

Vendor will Process the Customer Data only to provide the Services, unless obligated to do otherwise by applicable law. In such case, Vendor will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Without limiting the foregoing, the Parties agree as follows:

  1. Vendor will not retain, use, disclose, or otherwise Process the Customer Data in a manner inconsistent with Vendor’s role in performing services for Customer, and shall only use the Customer Data to provide requested services to Customer;
  2. Vendor will not use, or disclose the Customer Data outside of the direct business relationship between Customer and Vendor;
  3. Vendor will not “sell” the Personal Data, as such term is defined in the applicable Data Protection Laws (regardless of whether any of those laws applies);
  4. Vendor will not “share” the Customer Data as such term is defined in the CCPA, provided however that Customer understands that the Services it requests may constitute a “sharing” of information (such as Cookie Data) on behalf of Customer in order to facilitate cross-contextual advertising;
  5. Vendor will comply with any applicable restrictions under Data Protection Law as to combining the Customer Data that Vendor receives from, or on behalf of, Customer with Customer Data that Vendor receives from, or on behalf of, another person or persons, or that Vendor collects from any other interaction between Vendor and a data subject;
  6. Vendor will provide the same level of protection for the Customer Data subject to the CCPA as is required under the CCPA;
  7. Vendor will notify Customer as soon as legally permissible if Vendor determines that Vendor can no longer meet its obligations under applicable Data Protection Laws;
  8. Customer has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Data;
  9. Customer will not instruct Vendor to Process Customer Data in violation of applicable Data Protection Laws;
  10. The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Services (should Vendor provide such configuration options) constitute Customer’s complete and final instructions to Vendor regarding the Processing of Customer Data.

4. Vendor’s Use of Subprocessors

  1. Vendor may subcontract the collection or other Processing of Customer Data in compliance with applicable Data Protection Law to provide the Services. Prior to a Subprocessor’s Processing of Customer Data, Vendor will impose contractual obligations on the Subprocessor that comply with applicable Data Protection Laws and are substantially the same as those imposed on Vendor under this DPA. Subprocessor security obligations will be deemed substantially the same if they provide a commercially reasonable level of security.
  2. Vendor’s current Subprocessors are listed at https://www.rb2b.com/compliance/subproccesors-list (the “Subprocessor List”). When any new Subprocessor is engaged, Vendor will make an updated Subprocessor List available at least 15 days before the new Subprocessor Processes any Customer Data by posting an update there and on the same day sending an email to the email address listed for notices in the Agreement, if any (the “Update”).
  3. If Customer has a reasonable basis for objecting to appointment of a Subprocessor, it may send Vendor a written notice of such basis within 10 days of the Update, including a termination date (which may be no earlier than 15 days after the date of the Update). If Vendor cannot accommodate Customer’s objection to Customer’s reasonable satisfaction by such termination date, then the Agreement will terminate on such date.
  4. Vendor remains liable for its Subprocessors’ performance to the same extent Vendor is liable for its own performance, consistent with the limitations of liability set forth herein.

5. CCPA “Third Party” Provisions.

This Section 5 applies to the extent Vendor provides Output Data to Customer:

  1. Without limitation of other restrictions in the Agreement, Customer shall only use the Output Data in order to market to its customers and evaluate the effectiveness of its marketing campaigns. Vendor shall only use the Cookie Data in order to perform data-matching and data-synching in order to provide requested marketing services to Customer.
  2. Each Party shall ensure that it has provided legally sufficient consumer notice and choice mechanisms, including (as to California residents) providing “opt out” and “notice at collection” disclosures and mechanisms in compliance with the California Consumer Privacy Act and the California Privacy Rights Act (together the “CCPA”) and other applicable state privacy laws. Each Party will sufficiently disclose the manner in which its Personal Data is used (including as contemplated in the Agreement). Each Party will, as required by applicable Data Protection Law, provide a link on its website to a “Your Privacy Choices,” “Do Not Share or Sell,” or similar “opt out” functionality.
  3. To the extent that either Party makes available to the other a list of residents who have requested “opt out” or “deletion” of their personal information the receiving Party shall comply with such requests, to the extent required under applicable law (such as, without limitation, the CCPA).
  4. Each Party may take reasonable and appropriate steps to ensure that the other Party uses the Personal Data provided to it solely as set forth in the Agreement and solely in compliance with the CCPA, and upon reasonable notice either Party may take reasonable and appropriate steps to remediate the other Party’s unauthorized use of the Personal Data provided to it by the other Party.
  5. Each Party shall notify the other within five (5) business days should it determine that it can no longer meet its legal obligations under the CCPA, with respect to the Personal Data provided to it by the other Party.

6. Data Security Requirements

  1. Vendor will assist Customer in Customer’s compliance with the security obligations under applicable Data Protection Laws, as relevant to Vendor’s role in Processing the Customer Data, taking into account the nature of Processing and the information available to Vendor, by implementing appropriate technical and organizational measures.
  2. Vendor will ensure that the Vendor personnel it authorizes to Process the Customer Data are subject to an appropriate written confidentiality agreement covering such data.
  3. Vendor will comply with the Personal Data Breach-related obligations applicable to it under applicable Data Protection Laws. Taking into account the nature of Processing and the information available to Vendor, Vendor will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Data Breach of Customer Information without undue delay, and in no case more than 48 hours after becoming aware of it. To the extent available, this notification will include Vendor’s then-current assessment of the following, which may be based on incomplete information:
    i. The nature of the Personal Data Breach, including, where possible, the categories and approximate number of Consumers concerned, and the categories and approximate number of Personal Data records concerned;
    ii. The likely consequences of the Personal Data Breach; and
    iii. Measures taken or proposed to be taken by Vendor to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
  4. Nothing shall be construed to require Vendor to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.

7. Assistance Responding to Consumers.

Taking into account the nature of the Processing, Vendor will provide reasonable assistance to Customer for the fulfilment of Customer’s obligation to honor requests by individuals to exercise their rights under applicable Data Protection Law with respect to the Customer Data (such as rights to access their Personal Data) and will promptly notify Customer of any such requests or Personal Data-related complaints from an individual that Vendor receives, where Vendor determines such request relates to information provided by Customer. Vendor will in any event provide this notification within 3 business days when Vendor receives the request or complaint through the contact information listed in Vendor’s then-posted online privacy policy.

8. Assistance with Data Protection Assessments.

Taking into account the nature of the Processing and the information available to Vendor, Vendor will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any data protection assessment of the Processing of the Customer Data involving Vendor.

9. Audits.

Vendor will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA with respect to its Processing of the Customer Data, and allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor at its own expense.

10. Return or Destruction.

Vendor will, at Customer’s choice, return to Customer and/or destroy all Customer Data in its possession within 30 days after the termination or expiration of Customer’s subscription to the relevant Services, except to the extent applicable Data Protection Law requires storage of the Customer Data, and except as otherwise agreed by the parties.

11. U.S. Data Only.

The Agreement (and this DPA) contemplates the provision or transfer of Customer Data solely from persons or browsers/devices located in the United States. The Parties understand that should Customer Data be provided from other locations, including without limitation European Union nations or the United Kingdom, additional data processing addendums may be required.

Information Security Addendum

Vendor has established and agrees to maintain a written information security program (the “Information Security Program”) designed to comply with this Information Security Addendum and applicable Data Protection Law. Terms not defined herein have the meaning set forth in the rest of the DPA.

As part of its program, Vendor has implemented and agrees to maintain administrative, technical, and physical security safeguards designed to protect the confidentiality, integrity, and availability of Customer Data, including but not limited to:

Administrative and Organizational Safeguards

  • Vendor maintains policies and procedures for the security of Customer Data, including the following:
    ◦ Written information security policies that set forth Vendor’s procedures with regard to maintaining the safeguards set forth in this Information Security Addendum.
    ◦ Incident Response Plan, which sets forth Vendor’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
  • Vendor conducts regular assessments of the risks and vulnerabilities to the confidentiality and security of Customer Data.
  • Vendor regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
  • Vendor has appointed an individual to oversee and manage its Information Security Program and lead the response to any Personal Data Breach.
  • Vendor maintains role-based access restrictions for its systems, including restricting access to only those Vendor employees that require access to perform the Vendor Services or to facilitate the performance of such Vendor Services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
  • Vendor periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for Vendor employees that no longer need such access.
  • Vendor assigns unique usernames to authorized Vendor employees and requires that Vendor employees’ passwords satisfy minimum length and complexity requirements.
  • Vendor regularly provides training to employees, as relevant for their roles, on confidentiality and security.
  • Vendor requires relevant Vendor employees to acknowledge Vendor’s Information Security Program annually.
  • Vendor has a policy in place to address violations of its Information Security Program.

Technical Security

  • Vendor logs certain system activity—including authentication events, changes in authorization and access controls—and regularly reviews and audits such logs.
  • Vendor maintains network security measures, including but not limited to firewalls, to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert Vendor to suspicious network activity, and anti-virus and malware protection software.
  • Vendor has implemented workstation protection policies for its systems, including automatic logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
  • Vendor requires multi-factor authentication on its systems for administrative users.
  • Vendor conducts periodic vulnerability scans and assessments on systems storing, processing, or transmitting Personal Data to identify potential vulnerabilities and risks to Personal Data.
  • Vendor remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of all high-risk mitigating manufacturer- and developer-recommended security updates and patches to systems and software storing, transmitting, or otherwise Processing Personal Data.

Physical Security

  • Vendor restricts access to its facilities, equipment, and devices to Vendor employees with authorized access on a need-to-know basis.
  • Vendor tracks the location of its equipment, devices, and electronic media and maintains a record of such locations.

Subprocessors List

Amazon Web Services, Inc.

- Cloud Hosting Solutions: data processing, threat/security/vulnerability monitoring, and data storage (USA)

FullStory

- User support (USA)

Intercom.io

- User support, customer service, automated emails to customers (USA)

Hubspot

- User support (USA)

Redislabs

- Cloud hosting for Redis cache (USA)

Logz.io

- System and technical/developer logging management (USA)

NewRelic

- Technical solution reporting & monitoring (USA)

Sendgrid

- System-generated email message delivery (USA)

Twilio

- System-generated SMS delivery (USA)

Stripe

- Billing & payment processor and service, generating invoices, reporting and analytics (USA)

Baremetrics

- Reporting & analytics (USA)

Profitwell

- Reporting & analytics, revenue recovery (USA)

Salesforce

- Customer relation manager, reporting and analytics, automated processes (USA)