Global Privacy Policy
Effective Date: 1 November 2023
Contents
1. Who We Are
2. Introduction
3. Defined Terms
4. How We Collect Data
5. Types of Data We Collect
6. Why We Use and Process Data
7. Who We Share Data with and Why
8. Your Choices About Our Use of Data
9. How Long We Use and Store PII
10. How We Protect Data
11. Opt-Out Preferences
12. Persons Outside the United States, EU, EEA, UK and Switzerland
13. Contact Us
14. Updates to This Privacy Policy
15. Addendum for Persons Residing in California
16. Addendum for Persons Located in the European Union, EEA, UK and Switzerland
1. Who We Are
We are located at 23801 Calabasas Road, Calabasas, CA 91302, USA. Along with our affiliates (collectively, “Company Group”, or “we/our/us”),
we own and operate a number of websites (the “Websites” or “Sites”)
and mobile applications (the “Apps”).
This global Privacy Policy (“Privacy Policy”) applies to each
Website and App that it appears on.
2. Introduction
This Privacy Policy explains how we collect, use, process, share and
store Data when you use our Services (both terms as defined below), explains
rights that you may have under specific data privacy and protection laws, and
provides instructions on how to exercise any rights that apply to you
(collectively, “Data Laws”).
The rights discussed in the CCPA Notice are for residents of
California. The rights discussed in the
GDPR Notice are for persons located in the EU, EEA, UK or Switzerland.
Depending on where you live or are located, these rights may not apply to
you. Both the CCPA Notice and the GDPR
Notice are provided as Addenda at the end of this Privacy Policy.
Our Websites, Apps and Services may include links to
third-party websites, plug-ins, services, social networks or mobile
applications. Clicking on those links, or enabling those connections, may allow
the third-party to collect or share Data about you. We do not control these
third parties, and you should read each of their privacy notices before
you submit any information to them.
PayPal Notices
PayPal is an independent Controller for the purpose of
Processing Customer Data. You can access PayPal’s Privacy Statement at: https://www.paypal.com/us/webapps/mpp/ua/privacy-full
You should carefully read this document to understand our policies and
practices for processing and storing Data. By interacting with our Services,
you accept the policies and practices described in this Privacy Policy. This
Privacy Policy may change from time to time (see Updates to This Privacy
Policy), and your continued use of our Services after any change means you
accept those changes. Please check the
Privacy Policy frequently for any updates.
3. Defined Terms
In addition to the terms already defined
above, we provide these definitions:
“CCPA” means the California Consumer Privacy Act of 2018, as it may be
amended from time to time.
“Data” is information about you that we
collect, or that you provide to us, and may include PII.
“Device” means the computer, smart phone or other electronic device that you use
to access the Services.
“Device Information”
means information about a Device, including the IP address used to access the
Services, associated cookies or cookie identifiers, and other information
related to the formatting or presentation of the Services for your Device and
includes information about the Device often stored in picture files, including
Device type and the location you were in when you took the picture.
“EEA” means countries
in the EU plus Iceland, Liechtenstein, and Norway.
“EU” means the countries which are currently
members of the European Union.
“GDPR” means the
General Data Protection Regulation of the European Union, and the equivalent
Data laws of the EEA, United Kingdom and Switzerland.
“Identifiable
Natural Person” is one who can be identified, directly or indirectly, by a
single piece of data such as a name, an ID number, IP address, location data,
an online identifier or by other data that, when combined, makes it possible to
determine the identity of that natural person.
“Personal Data” means
any information about an identified
or Identifiable Natural Person who has rights under the GDPR (“Data Subject”).
“Personal Information” means
information that identifies, relates to, describes, is capable of being
associated with, or could be linked, directly or indirectly, with a particular
consumer, household or Device.
“PII” means personally
identifiable information, which is information that can be used to identify a
specific individual, including Data that may be classified as Personal
Information subject to the CCPA Notice or Personal Data subject to the GDPR
Notice.
“Services” means the Sites,
Apps, and other services available from us.
4. How We Collect Data
We use different methods to collect Data, including:
Direct Interactions. These direct interactions include
the contents of your communications with us, whether via e-mail, chat
functionality, social media, telephone or otherwise, and inferences we may make
from other personal information we collect. Where permitted by applicable law,
we may collect and maintain records of calls and chats with our agents,
representatives, or employees via message, chat, post, or similar
functionality. Our chatbox vendors may also retain records of your chats with us.
Additionally, data from direct interactions may be collected through third parties that have
their own privacy policies and procedures regarding the collection and
processing of your data. When using the ChatGPT functionality on the Sites, you
consent to our collection of and the transfer and processing of the data you
provide in the chat, to ChatGPT.
These interactions also include data you provide when you create an account, subscribe to our Services,
search for a product, place an order, upload a photo or other content, create a
seller profile on our Services that offer seller capabilities, participate in
discussion boards or other social media functions on our Services, enter a
competition, promotion or survey, and when you report a problem with our
Services. If you choose to make any
seller profile that you create public, people may see your name, the country
you designate in your profile, and your “About” details. You can adjust the privacy settings for your
seller profile at any time.
Automated Technologies or Interactions. As you interact with our Services, we may
automatically collect Data about your Device and your browsing actions and
patterns, even if you do not create an account or place an order with us. We
collect this Data by using cookies, server logs, and other similar technologies. You can block cookies in your browser by
activating the settings that allow you to refuse all or some cookies. IMPORTANT
NOTE: if you use your browser settings
to block all cookies (including essential cookies), the Services may not
function properly or may not work at all.
Cross-Device Tracking: Some of our Services use
data analytics companies, advertising networks, and/or social media companies
to engage in “cross-Device tracking,” which occurs when platforms, publishers,
and advertising technology companies try to connect a consumer’s activity
across smartphones, tablets, desktop computers, and other connected devices.
Cross-Device tracking enables us to link your behaviour with our Services
across Devices.
Third parties or Publicly Available
Sources. We receive Data from
third parties such as business partners and sub-contractors who provide us with
a variety of business services like shipping and payment processing,
advertising, analytics, search information, etc.
User Contributions. You may also provide us with
Data to post on the Services or to transmit to third parties (collectively,
"User Contributions"). User Contributions are submitted at your own
risk. We limit access to certain pages, and you can also adjust privacy
settings for User Contributions by logging into your account profile. However,
we cannot and do not guarantee that unauthorised persons will not be able to
view your User Contributions.
5. Types of Data We Collect
PII We Collect
We collect PII including your name, billing address, delivery address,
email address, telephone number, IP address, credit/debit card numbers and
other financial information needed to complete your transactions with us,
photos and other content you upload, any profile image you provide, user IDs
and/or passwords used to access the Services, your Services browsing history,
and any phone number used to call our customer service number. Depending on the
Services you use and the products you choose to customise, you may also provide
us with video and voice
recordings, age, date of birth, gender and other similar information. If you sell products through
our Services, in addition to the information above we collect information
necessary to pay you and comply with tax reporting laws, such as your PayPal
account, and social security or Tax ID number, and your birthdate for
verification of your identity. Each piece of information you give us may be
used independently or in conjunction with other information you provide to us.
Device Information
We collect information relating to the Device(s) you use to access the
Services, including the Device model, operating system, browser type, IP
address, and event information from use of the Services.
Mobile App
Depending on your permissions, if you download and use our Apps, we may
collect or access certain information from your mobile Device including:
- Your contacts so you can select a chosen contact
to ship your order to. Once you select a contact from your mobile Device,
that contact’s information will be stored in our database and their postal
address and phone will be used for delivery of your order and for sending
you reminders of special occasions that you recorded in the Services; and
- Your phone number, entered by you in response to
our request and stored in your account data, as required for shipping in
some countries and for retail pickup orders in countries where that option
is provided.
Community Postings
You can post information on our blogs, forums, or other public posting
areas. Any information you disclose is available to anyone with internet
access. You do not have to use these features, but if you do, please use common
sense and good judgment when posting in these community spaces or sharing your
personal information with others through the Services.
Other Data We Collect
In addition to PII, we collect other Data from you when you use the Services,
including:
· Data that neither directly nor indirectly reveals your identity nor directly relates to
you, such as statistics, or aggregated information. For example, we may
aggregate Data to calculate the percentage of users accessing a specific
Website, App, or feature of our Services;
· Technical information, including browser type and version, or operating system and
platform; and
· Data about your interactions with our Services, including the full Uniform Resource
Locators (URLs), clickstream to, through and from our Services (including date
and time), products you viewed or searched for or (in the case of some of our
Services) “favourited”; Service response times, download errors, length of
visits, interaction information (such as scrolling, clicks, and mouse-overs),
or methods used to browse away.
Special Category Data
Our business is customisation! Depending on the Services you use and
products you decide to create, you may select customisation features reflecting
skin tone, gender, gender identity, religious dress, disability status, sexual
orientation, or other similar information, or revealing this
or similar information through use of video and voice recording features. We
strive to be inclusive in our product customisation offerings and use this
information to create that special product for your intended recipient.
Data About Children
We do not knowingly collect, use, process, share or store PII from
children under the age of 18. The Services are not intended for use by children
under the age of 18. If you believe that we have unknowingly collected PII from
a child under the age of 18, contact us as soon as possible at privacy@pallcprivacy.com. However,
certain of the Services may collect information about children
from an adult who creates a customised product about a child.
6. Why We Use and Process Data
Use and Processing of PII
We may use and process PII that is either collected by us or provided by
you for the following purposes:
· Providing the Services in the manner most effective for you and your Device;
· Fulfilling your orders placed through the Services;
· Making interest-based suggestions and recommendations about our products and Services;
· Assessing the effectiveness of our advertising and tailoring our advertising so you receive only what is relevant to you;
· Improving the Services and notifying you about changes;
· Managing your customer relationship with us;
· Enabling your participation in our Services' interactive, social media, or other similar features;
· Integrating social media into your experience with our Services;
· Carrying out your support requests;
· Notifying you about unfinished transactions, unused credits, or order status;
· Sending you information about discounts, special offers, and new products;
· Managing the Services, including troubleshooting, data analysis, testing, research, statistical
analysis, security, quality control, and fraud prevention;
· Verifying your identity;
· Reminding you of special occasions;
· Performing billing, administration, seller payment and collections functions;
· Protecting the Services and our employees and operations;
· For a Reorganisation Use;
· Marketing to you directly through the social media platforms that you use and through other websites;
· Sharing information with law enforcement agencies in response to inquiries and with other third parties
when required by law and pursuant to our internal policies;
· Carrying out activities related to any of the above, or any other purpose for which the Data
was collected, including dispute resolution and protection of our legal rights
or the rights of third parties.
Use and Processing of Other Data
We may use Data that is not PII for any
business purpose.
You can manage your preferences about how your Data is
used by following the instructions in each form or communication you receive
from us. For more information, see Your Choices About Our Use of Data.
7. Who We Share Data with and Why
Sharing of PII
We may share Data within our Company Group to comply with internal,
contractual and legal obligations, and for marketing activities.
We may also share Data with third parties as follows:
· Business partners, suppliers, service providers, subcontractors and other third parties to enable
them to provide services such as fulfilment, billing, IT, logistics, delivery,
communication, cybersecurity, fraud protection, and legal/audit;
· Social media platforms;
· Advertisers and ad networks, including identifying and engaging with social influencers;
· Public, governmental, or regulatory authorities and institutions; and
· Potential buyers, investment banks or financial institutions in connection with any contemplated
or actual corporate reorganisations or business transactions such as evaluating or conducting a merger,
divestiture, restructuring, reorganisation, dissolution, or other sale or
transfer of some or all of our assets, whether as a going concern or as part of
bankruptcy, liquidation, or similar proceeding, in which Data held by us about
our users is among the assets transferred (each, a “Reorganisation Use”).
· Courts, law enforcement authorities, regulators, attorneys or other third parties in
connection with the establishment, exercise, or defence of legal claims.
Sharing of Other Data
We may share other Data without
restriction.
8. Your Choices About Our Use of Data
Transactional Emails: We occasionally
send transactional emails notifying you about your orders, account information,
changes to the Services, updates to our online documents, and other matters.
You may not opt out of transactional emails.
Promotional Offers: You can stop receiving promotional offers
by following opt-out links in each promotional message or contacting us at privacy@pallcprivacy.com and requesting your removal from our
promotional offers list.
Push Notifications on Mobile App: Depending on your Device, push
notifications may be turned on by default. You can opt out of push
notifications at any time by adjusting your Device settings.
Tracking Technologies and Advertising: You can set your browser to refuse all or
some browser cookies, or to alert you when websites set or access cookies.
If you refuse all cookies, you will be unable to use the Services. If you disable or refuse some cookies, parts
of our Services will be inaccessible or not function properly. For more
information about tracking technologies, please see Automated Technologies
or Interactions above.
Updating PII. If you wish to update your account
information, you may log into your account and make changes, or contact us via
the Contact Us link in the App or Website you are using, and we will
update or correct any account information at your request. For EU Data Subjects, please use the form located at the Manage Personal Information
link at the bottom of each webpage to request correction of your PII.
9. How Long We Use and Store PII
We store PII from the time of collection as follows, unless contractual
or legal obligations require us to store it for a longer period:
If you either create an account, or buy as a guest, we will delete PII
about you at the first of the following:
1. You ask us to;
2. You have not created an account on any of our Services for a period of nine (9) years, or made a
sale from any seller account;
3. You haven’t purchased anything for nine (9) years; or
4. With regard to a Social Security Number or Tax ID Number, you have not made a sale from any account
using that number for a period of seven (7) years.
Pursuant to our contractual relationship with Meta, we store Platform Data received from
Meta for no longer than five (5) years. See the Meta terms here for additional information.
10. How We Protect Data
The Services have
physical, electronic, and administrative security measures in place designed to
protect against the loss, misuse, and unauthorised access, use, alteration, or
disclosure of Data under our control. When you submit credit card information
through the Services, we create a nonce so your credit card information is
never stored by us. While no
transmission over the internet can be guaranteed as 100% secure, and we strive
to protect PII during transmission, we cannot ensure or warrant the security of
any Data that you transmit to or receive from us. We urge you to take steps to keep Data safe
(including your account password), log out of your account after use, and close
your web browser.
11. Opt-Out Preferences
California
and Virginia residents may opt out of the sale and/or sharing of their
information by broadcasting an Opt-Out Preference Signal, such as the Global
Privacy Control (GPC) (on the browsers and/or browser extensions that support
such a signal). To download and use a browser supporting the GPC browser
signal, click here: https://globalprivacycontrol.org/orgs. If you choose to use the GPC
signal, you will need to turn it on for each supported browser or browser
extension you use.
We can only
link your request to opt-out of sale/sharing to your browser or device
identifier, and not to any information about any account you may have with us.
The connection between your browser or device and any account you have with us
is not known to us. Accordingly, now that we have implemented GPC recognition,
any prior choices you have made regarding sale/sharing of your personal
information are no longer valid. If you wish to opt out of the sale/sharing of
your information, you will need to do so by rebroadcasting the GPC signal to us
now and again in the future to the extent you visit our website with a
different device or clear the cookies cache from your current device.
12. Persons Outside the United States, EU, EEA, UK and Switzerland
You confirm that your command and knowledge of the language in which this
Privacy Policy is written is sufficient to understand the terms and conditions
in this Privacy Policy. If you live in
the European Union, EEA, UK or Switzerland, or are located outside the United
States: (i) you acknowledge that by
using the Services, personal data about you may be transferred to our servers
or third-party servers located in the United States in connection with the
purposes stated in this Privacy Policy and expressly consent to such transfers,
and (ii) you understand that the laws with respect to the protection of Data in
the United States may not be as stringent as those in your home
jurisdiction. If you live in or are in
the European Union, EEA, UK or Switzerland, the Addendum for Persons Located in
the European Union, EEA, UK and Switzerland below describes additional
rights you might have.
13. Contact Us
If you have any
concern about the privacy practices of the Services, please contact us at the following
address with a detailed description of your concern, and we will try to resolve
it:
Privacy Programme
Attn: Legal Department
23801 Calabasas Road
Calabasas, CA 91302
USA
If you are in Europe, we have appointed ITG EU & GRCI Law to act as our
EU and UK Representatives, respectively. If you wish to exercise your rights
under EU GDPR or the UK GDPR or have any queries in relation to your rights or
privacy matters generally, please email privacyeu@pallcprivacy.com from Europe, or privacyuk@pallcprivacy.com from the UK.
14. Updates to This Privacy Policy
Please check this Privacy Policy
periodically to inform yourself of any changes.
We reserve the right to modify this Privacy Policy at any time, so you
should review it frequently. If we make
material changes to this Privacy Policy, we will post notice of the changes on
the Services homepage and/or as required by law notify you by email using the
current email address for your account.
15. Addendum for Persons Residing in California
Effective Date: 15 April 2023
This Addendum for Persons Residing in California (this
“CCPA Notice”) supplements the Privacy Policy and applies only to residents of
the State of California. This CCPA Notice is provided in compliance with the California
Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA), and any terms defined in the CCPA have
the same meaning when used in this CCPA Addendum.
How We Collect Personal Information
We collect
“Personal Information” as defined in the CCPA. We
collect Personal Information from the following categories of sources:
• Directly from you. For example, from your creation of an account, forms
you complete or products you purchase and Services you use, and when you
participate in a contest or survey.
• Indirectly from you. For example, from your interactions with the Services.
• From other companies in our Company Group.
• From our business partners and service providers.
We disclose
Personal Information to our Service Providers, Contractors and third-parties
for business purposes pursuant to written agreements or contracts.
Summary of Categories of Personal Information Collected, Sources, and Categories
of Third Parties Shared With
The table below summarises the categories of Personal
Information collected, used and shared by us or our Service Providers and Third
Parties within the last twelve (12) months.
| Category of Personal Information Collected | Collected | Categories of Sources from Which Personal Information is Collected | Purpose of Collection | Categories of Third Parties We Share Personal Information With for a Business Purpose | Category of Third Parties to whom Personal Information is Sold or Shared | Retention Period |
|---|---|---|---|---|---|---|
| Identifiers, such as your name, address, phone number, Internet Protocol (IP) address, email address, social media handles, and account name. If you choose to sell products and receive a royalty or commission, we also collect your social security number and/or tax identification number. | Yes | You, if you choose to provide it to us. You, when you use the Services. We and our Service Providers collect this info automatically. Our Service Providers that collect your IP address automatically. | To respond to your communications to us. To provide the Services to you. | Our Service Providers, such as our Website host, payment processors, social networks, order fulfilment processors, and analytics providers. | Advertisers and social networks | 9 years from the date of your last interaction with us |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your name, address, phone number, credit or debit card number. Only if you are a seller on the CafePress Website, your Social Security Number so that we may report tax information as required by law. Some personal information included in this category may overlap with other categories. | Yes | You, if you choose to provide it to us. | To fulfil your orders. To comply with tax laws. | Our Service Providers such as delivery companies, payment processors, order fulfilment providers, printers, product distributors, and data analytics providers. | Advertisers and social networks | 9 years from the date of your last interaction with us |
| Protected Classifications, such as age (40 years or older), gender, etc. | Yes | You, directly. Derived from your orders. | To analyze the demographics of our customer base. | Service Providers such as data analytics providers. | We do not sell or share this category of Personal Information | 9 years from the date of your last interaction with us |
| Commercial information, such as products or services purchased, obtained, or considered. | Yes | You, when you use the Services. We and our Service Providers collect this info automatically. | To fulfil your orders and provide current and future Services to you. | Service Providers who help us determine our product mix and analyze our customer’s shopping and purchase preferences. Our Service Providers such as delivery companies, payment processors, order fulfilment providers, printers, product distributors, and data analytics providers. Our affiliates and subsidiaries. | Advertisers and social networks | 9 years from the date of your last interaction with us |
| Biometric information | No | N/A | N/A | N/A | N/A | N/A |
| Internet network and electronic device activity, such as browsing history, search history, and information regarding your interaction with an internet website, application, or advertisement | Yes | You, through your Device when you use the Services. We and our Service Providers collect this information automatically. Analytics providers. Advertising providers. Cookies and tracking technologies. | Providing you with a good experience when you use the Services, such as the ability to serve content in your preferred language, provide pricing in local currency, store your user ID and/or password for your convenience, or pre-populate fields in your use of the Services. Marketing and advertising our products, specifically understanding which of our marketing campaigns resulted in your visit to the Services. | Our Service Providers such as data analytics providers. | Advertisers and social networks | Varies depending on the type of cookie collecting this Personal Information, but no more than 2 years 9 months |
| Geolocation data | Yes | You, if you choose to provide it to us. You, through your Device, when you use the Services. We and our Service Providers collect this info automatically. | Responding to your requests for information. Shipping your products to you. Providing you with a good experience when you visit the Services, such as the ability to serve content in your preferred language, provide pricing in local currency, store your user ID and/or password for your convenience, or pre-populate fields in your use of the Services. | Our Service Providers such as delivery companies and fraud prevention companies. | We do not sell or share this category of Personal Information | Varies depending on the type of cookie collecting this Personal Information, but no more than 2 years 9 months |
| Audio, electronic, visual, thermal, olfactory, or other information, such as audio recordings when you call our customer service telephone number, photographic or other images. | Yes | You, if you choose to provide it to us, or another customer provides it to us. | Incorporating the image into your products. Storing the image for the customer for future use on other products. | Service Providers, such as printers and chat function hosting sites. | We do not sell or share this category of Personal Information | 9 years from the date of your last interaction with us |
| Professional or employment-related information | No | N/A | N/A | N/A | N/A | N/A |
| Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). | No | N/A | N/A | N/A | N/A | N/A |
| Inferences drawn from personal information, such as a person’s preferences, characteristics, trends, predispositions, behaviour, and attitudes. | Yes | Advertising networks, data analytics providers, and special occasions based on our review of product orders. | Targeted advertising, marketing analytics, reminders of special occasions. | Our Service Providers such as data analytics providers. | Advertisers and social networks | 9 years from the date of your last interaction with us |
| Sensitive Personal Information, such as social insurance, driver's license, passport, or state ID card numbers; account or debit or credit card numbers combined with passwords or codes that would enable access to the accounts; exact geolocation; racial origin, religious beliefs, or union membership; a consumer's mail, email, or text message content (unless the information was intentionally sent to us); genetic data such as DNA samples; and biometric data | Yes | You, if you choose to provide it to us | To fulfil your orders | Our Service Providers such as financial auditors, payment card processors, and fulfilment vendors. | We do not sell or share this category of Personal Information | 9 years from the date of your last interaction with us |
Your CCPA Rights and Choices
The CCPA provides California residents with specific
rights regarding Personal Information. This section describes your CCPA rights
and explains how to exercise those rights.
1. CCPA Access to Specific Information
If you are a California resident, you have the right
to request that we disclose certain information to you about our collection and
use of Personal Information about you over the past 12 months. Once we receive
and confirm your verifiable CCPA request (see Exercising
CCPA Access and Deletion Rights below), we will disclose to you:
• The categories of Personal Information we collected about you.
• The categories of sources for the Personal Information we collected about you.
• Our business purpose for collecting or selling that Personal Information.
• The categories of third parties with whom we disclose that Personal Information for a business purpose.
• The specific pieces of Personal Information we collected about you.
• The categories of Personal Information shared for cross-context behavioural advertising purposes,
and the categories of recipients to whom the Personal Information were disclosed for those
purposes; and
• The categories of Personal Information sold (if any), and the categories of third parties to whom
the Personal Information was sold.
2. CCPA Deletion Request Rights
California residents have the right to request that we
delete any of the Personal Information that we collected from them and
retained, subject to certain exceptions. Once we receive and confirm your
verifiable CCPA request (see Exercising Your CCPA Rights below), we will delete (and direct our
service providers to delete) Personal Information about you from our records,
unless an exception applies.
We may deny your deletion request if retaining the
Personal Information is necessary for us or our Service Provider(s)
to:
• Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfil the terms of a written warranty or product recall conducted in accordance with law, or otherwise perform our contract with you.
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
• Debug products to identify and repair errors that impair intended functionality.
• Exercise free speech, ensure the right of another CCPA user to exercise their free speech rights, or exercise another right provided for by law.
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
• Enable solely internal uses that are reasonably aligned with user expectations based on your relationship with us.
• Comply with a legal obligation.
• Make other internal and lawful uses of the Personal Information that are compatible with the context in which you provided it.
3. CCPA Correction Requests
California residents have the right
to request that we correct any incorrect Personal Information that we collect
or retain about them, subject to certain exceptions. Once we receive and
confirm your verifiable consumer request, we will correct (and direct any of
our service providers that hold your data on our behalf to correct) your
Personal Information in our records, unless an exception applies. We may
deny your correction request if (a) we believe the Personal Information we
maintain about you is accurate; (b) correcting the Personal Information would
be impossible or involve disproportionate effort; or (c) the request conflicts
with our legal obligations.
4. CCPA Right to Opt Out of Sales or Sharing of Personal Information
California residents have the right
to direct us not to “sell” their Personal Information to third parties for
monetary or other valuable consideration, or “share” their Personal
Information to third parties for cross-context behavioural advertising
purposes.
5. Exercising CCPA Rights
To exercise the CCPA access described above, please
submit a verifiable CCPA request to us here: OneTrust Form or
email us at privacy@pallcprivacy.com.
Only you, or someone legally authorised to act on your
behalf, may make a verifiable CCPA request related to Personal Information
about you. You may also make a verifiable CCPA request on behalf of your minor
child. To designate someone legally authorised to act on your behalf, you may
send proof of the authorisation to privacy@pallcprivacy.com.
You may make a
verifiable CCPA request for access only twice within any 12-month period. The
verifiable CCPA request must:
• provide sufficient information that allows us to reasonably verify you are either the person we collected Personal Information about or their authorised representative, which may include information that you have already provided to us, such as your name and email address; and
• describe your CCPA request in sufficient detail so that we can properly understand your request and respond to it.
We may not
respond to your CCPA request or provide you with Personal Information if we
cannot verify your identity or authority to make the request and confirm the
Personal Information is about you or someone you are legally authorised to act
on behalf of. Making a verifiable CCPA request does not require you to create
an account with us.
We will use
Personal Information provided in a verifiable CCPA request only to verify the
requestor’s identity or authority to make the request.
6. CCPA Response Timing and Format
We endeavour to respond to verifiable CCPA requests
within forty-five (45) days of their receipt. If we require more time (up to 90
days) to respond to your request, we will inform you in writing of the reason
and the needed extension period. If you have an account with us, we will
deliver our written response to that account. If you do not have an account
with us, we will deliver our written response to the email address you provide
on the CCPA Request Form.
Any CCPA disclosures we provide will only cover the
12-month period preceding our receipt of your verifiable CCPA request. Our
response will also explain the reasons we are not complying with your CCPA
request, if applicable.
We do not charge a fee to process or respond to your
verifiable CCPA request unless it is excessive, repetitive, or manifestly
unfounded. If we determine that the CCPA request warrants a fee, we will tell
you why and provide you with a cost estimate before completing your request.
7. CCPA Non-Discrimination
We do not discriminate against California residents
for exercising their CCPA rights. Unless permitted by the CCPA, we will not:
• Deny you goods or services.
• Charge you different prices for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
8. CCPA Notice of Financial Incentive
We may
offer you financial incentives for the collection, sale, retention, and use of
your personal information as permitted by the CCPA that can, without
limitation, result in reasonably different prices, rates, or quality levels.
Pursuant
to the CCPA, this Notice is to provide you with information regarding any
financial incentive or “price or service difference” that we may provide
in exchange for your personal information. The Personal Information collected
from you in exchange for financial incentive or “price or service difference”
may include the following categories of personal information collected from
customers who participate: identifiers; customer records; protected class and
demographic information; commercial information and preferences; internet or
other electronic network activity information and device information; audio,
electronic, visual, or other sensory information; and inferences.
In order
to participate in our rewards programme(s) and use our services, you may
provide Personal Information from time to time, directly or indirectly, in
exchange for cash, gift cards, or other financial incentive, or price or
service difference, the amount or nature of which will be specified in each
instance at the time the Personal Information is to be submitted. You can
opt-in to the financial incentive or price or service difference by submitting
Personal Information. If you wish to opt-out of the financial incentive or
price or service difference, do not submit the Personal Information. If you
opt-in and subsequently wish to withdraw from the financial incentive or price
or service difference, you may request such withdrawal by contacting us here: OneTrust Form.
Each
financial incentive or price or service difference related to the collection
and use of Personal Information is based upon our sole reasonable, good-faith
determination of the estimated value of such information to our business,
taking into consideration the value of the offer itself and the anticipated
revenue generation that may be realized by rewarding brand loyalty. We
calculate the value of the offer and financial incentive by using the expense
related to the offer. By participating in any of the above promotional programmes,
you agree that the benefits are reasonably related to the value of the Personal
Information collected and contained.
Other California Privacy Rights
In addition to your rights under the CCPA,
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users
of the Services that are California residents to request certain information
regarding our disclosure of Personal Information to third parties for their
direct marketing purposes. We do not disclose Personal Information to third
parties for their direct marketing purposes.
If you would like more information about our compliance with California’s
“Shine the Light” law, please send an email to privacy@pallcprivacy.com or write us at:
Privacy Programme
Attn: Legal Department
23801 Calabasas Road
Calabasas, CA 91302
USA
Changes to this CCPA Notice
We reserve the right to amend this CCPA Notice at our
discretion and at any time. When we make changes to this Notice, we will post
the updated Notice on the Services and update the Notice’s effective date. Your
continued use of the Services following the posting of any changes to this
Notice constitutes your acceptance of those changes.
CCPA Contact Information
If you have questions or comments about this Notice,
the ways in which we collect and use Personal Information, your choices and
rights regarding such use, or you wish to exercise your rights under California
law, please contact us at:
Email: privacy@planetart.com
Web Form: OneTrust Form
Postal Address: Privacy Programme, Attention:
Legal Department, 23801 Calabasas Road, Calabasas, California 91302-1547
16. Addendum for Persons Located in the European Union, UK, EEA and Switzerland
This Addendum for Persons Located in
the European Union, UK, EEA and Switzerland (this “GDPR Notice”)
supplements the information contained in the Privacy Policy and applies solely
to persons located in the EU, UK, EEA and Switzerland. We adopt this GDPR Notice to comply with
GDPR, and any terms defined in GDPR (including Personal Data) have the same
meaning when used in this GDPR Notice.
In General
We do not intentionally collect, use, process, share or store
special categories of Personal Data, although you may provide information which
constitutes special category Personal Data as part of your personalisation
choices.
Who is Responsible for Personal Data About You?
We are responsible for Personal Data about you. Specifically, Personal Data is controlled by:
Privacy Programme
Attention: Legal Department
Gateway House, Tollgate, Chandler’s Ford,
Eastleigh, Southampton, S053 3TG,
United Kingdom
We have appointed ITG EU & GRCI Law to act as our EU and UK
Representatives, respectively. If you wish to exercise your rights under EU
GDPR or the UK GDPR or have any queries in relation to your rights or privacy
matters generally, please email privacyeu@pallcprivacy.com from Europe, or privacyuk@pallcprivacy.com from the UK.
We may need to request additional information from you to confirm your
identity before responding to your request or question.
On Which EU Legal Basis Do We Process Personal Data About You?
Depending on the specific purpose or purposes for the processing of the
Personal Data, we rely on the following legal grounds:
· Performance of your customer contract or other contractual obligations or in order to take steps before entering into a contract with you;
· Compliance with a legal obligation (such as record obligations for commercial or tax purposes or other regulatory obligations);
· Protection of your vital interests or the vital interests of another natural person;
· Our legitimate interests or those of any third-party recipients that receive the Personal Data, provided that such interests are not overridden by your interests or fundamental rights and freedoms;
· Important reasons of public interest; or
· The establishment, exercise or defence of legal claims.
Legitimate interests include, for example, developing and improving our
internal administration or business and service processes, marketing and
reputation activities, keeping our records up to date, handling and managing
our legal and contractual duties and obligations, and compliance with internal
and legal policies and regulations that apply to us.
In addition, we process Personal Data to let you know about updates to
products and services you have purchased from us or expressed interest in
before.
Will Personal Data About You be Transferred Outside the EU/EEA?
Our headquarters and operations are in the United States, UK and
Ireland. We strive to store and process
EU, UK, EEA and Swiss Personal Data in Ireland, on the servers located in the
EU. With the exceptions of Personal Creations and Café Press, all EU/EEA
customer Personal Data is processed and stored on Amazon Web Services (AWS)
servers located in Ireland (see more information below). Personal Creations and Café Press customer
Personal Data is processed and stored on AWS Servers in the U.S.
Notice Re: EU-U.S. and Swiss-U.S. Privacy Shield, CJEU Schrems II Ruling and EU Standard Contract Clauses (SCC)
We have withdrawn from
the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as
set forth by the U.S. Department of Commerce regarding the collection, use, and
retention of personal information transferred from the European Union and
Switzerland to the United States as further described below.
On July 16, 2020, the
European Court of Justice (CJEU) determined that the EU-U.S. Privacy Shield
framework is no longer valid for the transfer of Personal Data from the
European Economic Area (EEA) to the U.S. (known as the Schrems II decision).
The Schrems II decision also placed additional compliance requirements
on the use of EU Standard Contract Clauses (SCC) for the transfer of EU/EEA
Personal Data to the U.S. by companies subject to Section 702 of the U.S.
Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333 (E.O.
12333).
We know our customers,
website visitors, and business partners care deeply about privacy and data
security.
First, please know that it
is our good-faith belief that the types of EU/EEA Personal Data we collect,
use, process, share and/or store in the U.S. are not of the types of Personal
Data that would be subject to requests from U.S. government authorities pursuant
to FISA Section 702 and/or E.O. 12333.
Second, please note that as
part of our good-faith efforts to comply with applicable data protection laws,
we strive to continue to store and process EU, EEA, UK and Swiss Personal Data
in Ireland, on servers located in the EU. In compliance with the GDPR and other
applicable laws, we also implement at-rest data encryption, data minimisation
and need-to-know access to Personal Data.
Third, although we have
withdrawn from Privacy Shield, we are retaining the data collected during our
participation, and are providing adequate protection for such data.
Fourth, when international
transfer of Personal Data is necessary to perform a contract with you, or in
individual cases for the purposes of our compelling
legitimate business interests, we will use SCC to comply with our internal
policies, contractual and legal obligations.
If you represent one
of our service providers or business partners and your organisation is a party
to an agreement with us that includes EU Standard Contract Clauses (SCC) for
compliance with EU/EEA data protection laws, please contact us at privacy@pallcprivacy.com to discuss whether any updates to our agreement are needed resulting
from the Schrems II decision.
Trust is a top
priority for us, and we will continue to work vigilantly to ensure that our
customers, website visitors, and business partners are able to continue to
enjoy the benefits of our Services securely, compliantly, and without
disruption.
Your Consent to Transfer of Personal Data
In addition to the above, we may also process, store,
and/or transfer Personal Data we collect about you, in and to a country outside
the EU including the United States. Those other countries may have different
privacy laws that may or may not be as comprehensive as your own.
By submitting Personal Data or interacting with our Services,
you consent to this transfer, storing, and/or processing including in the
United States.
a. Your Personal Data Use Choices
See Section 8 (Your Choices About Our Use of Data) above.
b. How Can I Access or Correct Personal Data About Me?
You may exercise your access, correction or deletion
rights by using the form located at the Manage Personal Information link
at the bottom of each webpage.
Alternatively, you may send us an email from Europe to privacyeu@pallcprivacy.com or from
the UK to privacyuk@pallcprivacy.com to request access to, correction, or
deletion of Personal Data that you have provided to us. In some situations, we
cannot delete Personal Data about you except by also deleting your user
account. Please note that deletion of your account will cause you to lose your
stored photos, completed and in-process projects, and all content you have
uploaded for sale through any of our Services with Shops or Marketplaces. If
this Data is deleted by us at your request, we will not be able to get it back for
you if you change your mind in the future. We
may not be able to grant a request to change or delete Personal Data about you
if we believe the change or deletion would violate any law or legal requirement
or negatively affect the accuracy of the Data.
If you delete your User Contributions from our
Services, copies may still be viewable in cached and archived pages or where
other users have copied or stored them. Our terms of use govern proper access
and use of information provided on our Services, including User Contributions.