COMMAND ALKON INCORPORATED

PRIVACY NOTICE

Last modified: May 23, 2022

Overview

Command Alkon Incorporated, including its related companies (“CAI” or “we”), is an international commercial organization that provides software, services, and web solutions to companies in the ready–mix, aggregate, and bulk hauler industry through on–premise, software–as–a–service (“SaaS”), and other web–based methods. CAI respects the privacy of the users of its products and services and is committed to protecting their privacy and maintaining their trust. This Privacy Notice describes our practices for collecting, using, storing, transferring, disclosing, and otherwise processing personal data (otherwise referred to as Personal Information) in connection with your use of CAI products and/or services, websites, apps, and social media pages, as well as your interactions with CAI staff in meetings and at CAI events, including offline sales and marketing activities. Please read this Privacy Notice carefully to understand our policies and practices regarding treatment of personal data. By accessing our website and/or using our products or services, you consent to our collection, use, and disclosure of personal data as described in this Privacy Notice. If you have a privacy question or concern, please contact us per the “Contact Us” information at the bottom of this Privacy Notice.

• Summary of Privacy Notice
• Controller/Processor
• To Whom Does This Notice Apply
• How We Collect and Use Personal Data
• Automatically Collected Data
• How We Use the Data We Collect
• How We Disclose the Data We Collect
• Third–Party Services
• Security
• Retention of Data
• Your Rights and Choices
• International Data Transfers and Privacy Shield
• Legal Basis for Processing
• Children’s Privacy
• Changes to the Privacy Notice
• Contact Us

Summary of Privacy Notice

Application – Our Privacy Notice applies to the processing of personal data provided by: 1) visitors and users of the various CAI sites, apps, products, and/or services; 2) attendees at CAI and industry events; 3) customers and prospective customers and their representatives; 4) subscribers to our notices and/or newsletters; 5) suppliers and business partners and their representatives; 6) visitors to our offices; and 7) anyone else who provides personal data to CAI for any other purpose. For more details, see below.

Types of Data Processed – CAI collects the personal data you provide. For example, when you sign up for an account, we may collect information like names, e-mail addresses, physical address, phone numbers, etc. You may also provide personal data to, for example, learn more about our products or sign up for our notifications. We may process the following personal data which we may (depending upon the circumstances) collect during website visits, marketing interactions, app use, and use of our products and/or services in the course of agreements with you and/or your employer: your name, contact information (e-mail address, telephone number, etc.), job information (employer, title, supervisor, etc.), certain ID numbers (driver’s license, employee, etc.), job performance information and certifications, payment information, IP address, geolocation, signature, camera image, username and password, union information, ethnicity, some job-related medical information, messaging, and behavioral data and information about you received through placement of cookies and tracking pixels during platform use. For more details, see below.

Processing Purpose – We process your personal data for the following purposes: 1) performance of agreements with you and/or your employer; 2) monitoring, development, support, and administration of apps, websites, and platforms; 3) security and fraud prevention; 4) our marketing purposes (we do not sell your personal data); 5) our business administration; and 6) behavioral analysis associated with platform use. For more details, see below.

Lawful Basis for Processing – To the extent applicable to you, some jurisdictions require any processing of personal data to be supported by a legal basis. We generally rely on the following legal justifications for our processing activities: 1) the performance of an agreement with you and/or your employer; 2) pursuing our legitimate interests as long as they do not override your interests, rights and freedoms; 3) your consent; and 4) compliance with a legal obligation. For more details, see below.

Data Transfers – We may transfer your personal data to other CAI affiliates and/or third parties (i.e. business partners, resellers, etc.), acquiring or acquired entities, service providers, and, in accordance with applicable law, governmental authorities, courts, external advisors, and similar third parties. Some data transfers may cross national borders. We will use all reasonable measures to ensure that your personal data remains confidential when transferred. We do not sell your personal data to any third parties. Additionally, CAI will not share your data with any third party without full disclosure, except as otherwise set forth in this Privacy Notice. For more details, see below.

Data Retention and Deletion – Your personal data will be deleted once it is no longer needed for the purposes of the original processing, legitimate interest, or as required by applicable law. For more details, see below.

Your Choices and Rights – Depending on your jurisdiction, you may have a number of rights with regard to your personal data, which may include the right to access your personal data, the right to obtain a copy of your personal data, the right to have your personal data transferred to a third party, the right to correct your personal data, the right to restrict certain processing, and/or the right to have your personal data erased. To exercise your rights related to your personal data, please use the “Contact Us” information at the bottom of this Privacy Notice. For more details, see below.

Changes to this Privacy Notice – We reserve the right to change the terms of this Privacy Notice at will and at any time as required by changing practices or privacy legislation. The current version of this Privacy Notice will always be available via link from our websites, platforms, or through the “Contact Us” information at the bottom of this Privacy Notice. You should review this Privacy Notice periodically so that you keep up to date on our most current policies and practices.

Detailed Privacy Notice

Controller/Processor —

CAI may be the Data Controller or the Data Processor for purposes of processing personal data, depending on the circumstances. Where CAI processes data on behalf of our customers and/or their affiliates, CAI most often acts as a Data Processor. Where CAI processes personal data for its own purposes and outside the instruction of its customers and/or their affiliates, CAI may be a Data Controller. If you have any questions about CAI’s role with regard to your personal data, please use the “Contact Us” information at the bottom of this Privacy Notice.

To Whom Does This Notice Apply —

Our Privacy Notice applies to all non-employment processing of personal data by CAI regardless of the source of collection. This Privacy Notice applies to the processing of personal data provided by: 1) visitors and users of the various CAI sites, apps, products, and/or services; 2) attendees at CAI and industry events; 3) customers and prospective customers and their representatives; 4) subscribers to our notices, e-mails, and/or newsletters; 5) suppliers and business partners and their representatives; 6) visitors to our offices; and 7) anyone else who provides personal data to CAI for any other purpose.

How We Collect Personal Data —

Personal Data You Provide:

CAI collects the personal data you or your representative provides. This could happen at a CAI event, during a support event, through marketing, during a face-to-face interaction, etc. Examples of the types of personal data CAI may collect include, but may not be limited to, your: name, address, telephone number, e-mail address, employer, title, date of hire, supervisor, seniority, driver’s license number, employee number, social security number, other tax ID number, job performance information and certifications, payment information, IP address and/or device identifier, geolocation, signature, still and/or video camera image, username and password, union information, ethnicity, some job-related medical information, messaging, and behavioral data and information about you received through placement of cookies and tracking pixels during platform use. If you have questions or concerns about any of these personal data types, please use the “Contact Us” information at the bottom of this Privacy Notice.

Data Collected Through Our Products and Services:

CAI obtains personal data in connection with providing its products and services, including:

(i) SaaS products or services hosted for CAI customers;

(ii) Web-based products or services for collaborative commerce solutions covering the entire ordering and purchasing process in the business-to-business market sector;

(iii) On-premise software products licensed to a customer for use on their own premises through provision of professional services;

(iv) On-premise hardware products sold to a customer for use on their own premises; and

(v) Customer support services related to SaaS, web-based and on-premise software and hardware products.

For instance, when our customers use the products or services above, they may provide details about their employees, including their names, job titles, e-mail addresses, login credentials, telephone numbers, addresses, dates of birth, driver’s license numbers, and other information. Some of our web-based solutions enable customers to, for example, submit personal data to create users of the solution, to store transaction documents that may include some personal data of signatories or business contacts, to use geo-location, and to store contact information associated with trading partners.

We often process personal data on behalf of our customers subject to a written contract. We do not control the data processing or protection practices of our customers (who may be your employer, service provider, or business partner), so their terms may differ from those set out in this Privacy Notice. Please note that where CAI collects personal data through products or services controlled by our customers, our customers are the Data Controller for what data is collected and how it is used and disclosed. In those instances, CAI acts as a Data Processor only. Any questions related to how our customers process, use or share the personal data they collect through our products or services should be directed to the relevant customer.

Automatically Collected Information:

As you navigate through and interact with our websites and/or SaaS products and applications, we may use automatic data collection technologies to collect certain information about your equipment, actions and patterns (“User Activity Information”), including: (i) details of your use, including traffic data, location data through geo-location technology, logs and other communication data and the resources that you access and use; and (ii) information about your device, including your operating system, IP address, and other mobile sign-on data. Some of this information may be considered personal data in your jurisdiction.

The User Activity Information that we collect helps us to improve our websites and products, and to deliver a better and more personalized service by enabling us to estimate usage patterns, display information you request in your relevant time zone, and recognize you when you return to our website or product.

The technologies we use for this automatic data collection may include cookies. A cookie is a small file placed on the hard drive of your device. We use cookies to help analyze usage, customize our services, measure effectiveness, and promote trust and safety. Cookies are discussed further below.

How We Use the Information We Collect –

CAI uses the information it collects for the purposes of operating effectively, providing its products and services to customers, facilitating business between parties in the industry, and administering and managing its relationships with customers. We also use the information we collect to process, evaluate and respond to your requests; respond to inquiries and applications; create, administer and communicate with you about your account (including any purchases and payments); operate, evaluate and improve CAI’s business (including developing new products and services, managing communications, performing market research, analyzing CAI products/services/websites, and performing accounting, auditing, billing, reconciliation, and collection activities); ensure the safety of CAI network services and resources; and to comply with applicable legal requirements.

How We Disclose the Information We Collect –

We may disclose some personal data that we collect as follows:

• To our affiliates and/or business partners with whom we have contractual relationships;

• To third parties, such as contractors, service providers, consultants and other agents (“Service Providers”), that provide assistance to our business. CAI works with Service Providers in some instances for a variety of reasons including, for example, credit card payment processing, hours of service tracking, data hosting, and accounting. Service Providers with whom we share such personal data generally are bound by confidentiality and privacy obligations and a list of such Service Providers can be found on our website (www.commandalkon.com) under the Legal tab (Sub-processor List);

• To fulfill the purposes for which you or your employer provided such personal data;

• To a buyer or other successor of CAI or any of our affiliates in the event of an acquisition, merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of CAI’s or any of our affiliates’ equity or assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceedings, in which personal data is among the assets transferred; and

• For any other purpose disclosed by us when you provide the personal data.

Notwithstanding any other provisions of this Privacy Notice, we also reserve the right to access, preserve and disclose any information we collect as we reasonably believe is necessary: (i) to respond to legal requirements, including complying with any court order, law or legal process and responding to any government or regulatory request, including responding to law enforcement or other government officials in response to a verified request relating to a criminal investigation or alleged illegal activity; (ii) to enforce or apply our policies and agreements; (iii) to detect, prevent or otherwise address fraud, security, trust and safety or technical issues; (iv) to respond to user support requests; or (v) to protect the rights, property, health or safety of CAI, our users, any third parties, or the public in general.

Additional Information for California and other U.S. State Residents –

The personal information that we collect includes information within the categories of data in the table below. These categories also represent the categories of personal information that we have collected over the past 12 months. Note that the categories listed below are defined by California state law. Inclusion of a category in the list below indicates only that, depending on the services and products we provide you and/or your employer and business partner, we may collect or dispose of some information within that category. It does not necessarily mean that we collect or disclose all information listed in a particular category, nor do we collect all categories of information for all individuals.

In addition, while we include data collected in the Business-to-Business context which is considered personal data under certain privacy laws like the EU and UK GDPR and the California Privacy Rights Act, it may not be considered personal data in other jurisdictions, including within other US states.

We have disclosed information in each of the below categories with our affiliates and service providers for our business purposes within the past 12 months.

Category	Sources	Purpose of Processing
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, or other similar identifiers.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, records we have about you in the course of providing services or products, or through the use of cookies and similar technologies.	This data is processed in connection with a number of our operational functions to provide you with products and services, including facilitating business between parties in the industry and administering relationships with customers. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. In addition, this data, as well as information regarding your purchasing tendencies obtained from our business partners, is also used for marketing purposes, including offering you products and services that may interest you through both direct and partner advertising.
Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, your name, signature, Social Security number, physical characteristics or description, address, telephone number, driver’s license or state identification card number, medical information.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, records we have about you in the course of providing services or products, or through the use of cookies and similar technologies.	This data is processed in connection with a number of our operational functions to provide you with products and services, including facilitating business between parties in the industry and administering relationships with customers. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. In addition, this data is also used for marketing purposes, including offering you products and services that may interest you through both direct and partner advertising.
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, or records we have about you in the course of providing services or products.	This data is processed in connection with a number of our operational functions to provide you with products and services, including facilitating business between parties in the industry and administering relationships with customers. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. In addition, this data, as well as information regarding your purchasing tendencies obtained from our business partners, is also used for marketing purposes, including offering you products and services that may interest you through both direct and partner advertising.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, or through the use of cookies and similar technologies.	This data is processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. In addition, this data is also used for marketing purposes, including offering you products and services that may interest you through both direct and partner advertising.
Geolocation data.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, records we have about you in the course of providing services or products, or through the use of cookies and similar technologies.	This data is processed in connection with a number of our operational functions to provide you with products and services, including facilitating business between parties in the industry and administering relationships with customers. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. In addition, this data, as well as information regarding your purchasing tendencies obtained from our business partners, is also used for marketing purposes, including offering you and providing you with products and services that may interest you through both direct and partner advertising.
Audio, electronic, visual, thermal, olfactory, or similar information.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, records we have about you in the course of providing services or products, or through the use of cookies and similar technologies. For visitors, this information is collected via our CCTV cameras, and for callers, it is collected via audio recordings.	This data is processed in connection with a number of our operational functions to provide you with products and services, including recording sales calls and other calls. For visitors, visual data may be processed in order to maintain security and accountability, and to comply with local laws, including those related to health and safety. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems.
Professional or employment-related information.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, or records we have about you in the course of providing services or products.	This data is processed in connection with a number of our operational functions to provide you with products and services, including facilitating business between parties in the industry and administering relationships with customers. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for compliance management. In addition, this data is also used for marketing purposes, including offering you products and services that may interest you through both direct and partner advertising.
Inferences drawn from any of the above categories of information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, records we have about you in the course of providing services or products, or through the use of cookies and similar technologies.	This data is processed in connection with a number of our operational functions to provide you with products and services, including facilitating business between parties in the industry and administering relationships with customers. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. In addition, this data is also used for marketing purposes, including offering you products and services that may interest you through both direct and partner advertising.
Sensitive personal information, including: any personal information that reveals an individual’s social security or other state identification number; account log-in, geolocation; ethnic origin, union membership; contents of mail, email, or text messages, unless the business is the intended recipient of the communication; and genetic data.	This information is collected directly from you and/or your employer, our business partners, our service providers, your interaction with our services and products, records we have about you in the course of providing services or products, or through the use of cookies and similar technologies.	This data is processed in connection with a number of our operational functions to provide you with products and services, including facilitating business between parties in the industry and administering relationships with customers. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems.

CAI does not sell your information to others, including for purposes of the California Consumer Privacy Act of 2018 (“CCPA”) and California Privacy Rights Act of 2020 (“CPRA”).

Third-Party Services –

You may be given the opportunity to elect to access and use third-party services or applications (“ThirdParty Services”) through some of our websites and/or products. This Privacy Notice addresses only CAI’s collection, use and disclosure of information collected by CAI. It does not apply to the practices of third parties that we do not own, control, employ or manage, including, but not limited to, any Third-Party Services. By accessing or using third-party services or applications through our websites and/or products, you are directing us to disclose your information to the Third-Party Service on your behalf as requested by that third-party, and you agree that the third party’s use or disclosure of your information will be governed by the third party’s privacy policy and may be different from how we use and disclose your information.

Security –

CAI utilizes reasonable and appropriate administrative, technical, and physical security controls commensurate with the types of data it processes to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and/or destruction. Although we work hard to protect your privacy, no security controls are 100% effective and we cannot guarantee the security of information or that your personal data or private communications always will remain private. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) user log-in credentials (i.e. a user ID and password) for access to certain parts of our services or apps, you are responsible for keeping those user account credentials confidential. We ask that you not share your credentials with anyone. You are solely responsible for the protection of user account credentials and for all use of your account credentials that is under your control.

Retention of Information –

We will generally retain personal data for as long as is needed to fulfill the purposes outlined in this Privacy Notice. This retention is generally for the life of the relationship plus a short period of time as set forth in our data retention schedule. However, we may retain certain information longer as required by applicable law (such as tax, accounting or other legal requirements) or for legitimate business purposes. Once we no longer need to use your personal data to comply with our obligations, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it. Each of the uses set forth in this Privacy Notice constitutes a legitimate interest of CAI to process or use the personal data collected or is necessary to fulfill a contract. If you do not agree with this approach, you may object to CAI’s processing or use of your personal data by contacting CAI in writing via the methods listed below in the “Contact Us” section at the bottom of this Privacy Notice.

Your Rights and Choices –

Account Information & Requests:

In accordance with applicable law depending upon jurisdiction (such as, for example, the EEA from 25 May 2018 onwards or the State of California from 1 January 2020 onwards), you may have the following rights listed below with regard to your personal data:

1) the right to access (this means you can request that we provide you with a copy of your personal data we have collected about you, the categories of sources from which the information was collected, the purposes of collecting the data, the categories of third parties we have shared the data with, and the categories of personal data that have been shared with third parties for a business purpose);

2) the right to correct (this means you may notify us through the “Contact Us” section at the bottom of this Privacy Notice to correct any mistakes in your personal data or update your preferences; we may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect; data solely retained for data backup purposes is generally excluded);

3) the right to transfer (this means you may request that we provide a copy of your personal data to a third party of your choosing);

4) the right to restrict (where our processing of your personal data is necessary for our legitimate interests, depending on the applicable data protection/privacy law which applies, you can object to this processing at any time, subject to some limitations and exceptions; you may also be able to restrict certain types of processing of your personal data under certain circumstances; in particular, you can request we restrict our use of your personal data if you contest its accuracy, if the processing of your personal data is determined to be unlawful, or if we no longer need your personal data for processing but we have retained it as permitted by law);

5) the right to withdraw consent (this mean that to the extent that our processing of your personal data is based on your consent, you may withdraw your consent at any time; withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your personal data);

6) the right to delete (this means you may ask us to delete your personal data from our systems and we will do so unless we are required to retain such information in order to provide services to you or we require such personal data to comply with our legal or business obligations under applicable law); or

7) the right to say “no” to the sale of your personal data (Note: CAI does not sell personal data).

You may be able to exercise some or all of these rights by logging into your account within the products that you use. Otherwise, to request such information directly, please submit a written request using the details provided in the “Contact Us” section at the bottom of this Privacy Notice.

Please note that under California law, we are only obligated to respond to personal information access requests from the same consumer up to two times in a 12-month period. Under both EU and California law, if an individual makes unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access Personal Data, we may charge a fee subject to a maximum set by law.

Remember that in certain regions, you also have the right to complain to a data protection authority (“DPA”) about our collection and use of your personal data. For more information, please contact your local DPA.

In the event CAI processes personal data about you on behalf of a customer, please direct your privacy inquiries and requests for access, correction or deletion of personal data to such customer.

Before providing information you request in accordance with certain of these rights, we must be able to verify your identity. In order to verify your identity, you may need to submit information about yourself, including, to the extent applicable, providing answers to security questions, your name, government identification number, date of birth, contact information, or other personal identifying information. We will match this information against information we have previously collected about you to verify your identity and your request. If we are unable to verify your identity as part of your request, we will not be able to satisfy your request. We are not obligated to collect additional information in order to enable you to verify your identity. For deletion requests, you will be required to submit a verifiable request for deletion.

If you would like to appoint an authorized agent to make a request on your behalf, you must provide the agent with written, signed permission to submit privacy right requests on your behalf, or provide a letter from your attorney. The agent or attorney must provide this authorization at the time of request. We may require you to verify your identity with us directly before we provide any requested information to your approved agent.

Information collected for purposes of verifying your request will only be used for verification.

If you chose to exercise any of these rights, to the extent that they apply, U.S. state law prohibits us from discriminating against you on the basis of choosing to exercise your privacy rights. We may, however, charge a different rate or provide a different level of service to the extent permitted by law.

Do Not Track Signals:

Some web browsers permit you to broadcast a signal to websites and online services indicating a preference that they “do not track” your online activities. At this time, we do not honor such signals and we do not modify what information we collect or how we use that information based upon whether such a signal is broadcast or received by us.

Promotional Communications:

From time to time, we may send you marketing communications about our products, in accordance with your preferences. You may opt out of receiving promotional messages from us at any time by following the instructions in those messages (often it will be a notice or link at the bottom of the message). If you opt out, we may still send you non-promotional communications, such as those about your account or our ongoing business relations. Requests to opt out of promotional communications may also be sent to CAI in writing via the methods listed below in the “Contact Us” section at the bottom of this Privacy Notice.

Cookies:

You can manage our use of cookies through the cookie banner that appears when you access our sites. If you prefer, you can usually choose to set your browser to remove or reject browser cookies or to clear local storage. You may also make any cookie management requests by contacting is in writing via the methods listed below in the “Contact Us” section at the bottom of this Privacy Notice. Please note that if you choose to remove or reject some cookies, this could affect the functionality of our website and services. We have an independent Cookie Policy available on our website (www.commandalkon.com) under the Legal tab that provides more detail.

Location Information:

You can turn location-based services on and off by adjusting the settings of your mobile device. Please note that if you choose to turn off location-based services, this could affect the full functionality of our products and services.

California Privacy Rights:

California law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their personal data (if any) for their direct marketing purposes in the prior calendar year, as well as the type of personal data disclosed to those parties. Except as otherwise provided in this Privacy Notice or per agreement with the data subject, CAI does not sell personal data to third parties for their own marketing purposes.

International Data Transfers and Privacy Shield –

CAI is based in the United States and has offices globally. To facilitate our operations and to help deliver our products and services, we may transfer personal data to the U.S. and any other country where our affiliates, vendors, consultants and service providers operate. Such countries may have laws which are different, and potentially not as protective, as the laws of your country of residence. If you are a Data Controller using CAI as a Data Processor and if the content or data that you store on or through CAI software, apps or websites contains the personal data of individuals from the EEA, you agree that you have the legal authority to transfer the personal data to CAI, including the transfer to countries such as the U.S. where the privacy protections and rights of authorities to access personal data may not be equivalent to those in the EEA.

When we transfer personal data abroad, we will take appropriate safeguards to protect the information in accordance with this Privacy Notice and seek to ensure that we, along with any overseas recipients, comply with applicable privacy laws. CAI relies on EU Standard Contractual Clauses (“SCCs”) for legal transfer of personal data between its entities from jurisdictions subject to the EU General Data Protection Regulation (“GDPR”) to the U.S. CAI relies on the UK’s Data Transfer Agreement for legal transfer of personal data between its entities from jurisdictions subject to the UK General Data Protection Regulation (“UK GDPR”) to the U.S.

In supplement to the SCCs, if CAI becomes aware that any governmental authority (including law enforcement) wishes to obtain access to or a copy of some or all of the personal data processed by CAI, whether on a voluntary or a mandatory basis, for purposes related to national security intelligence, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise, CAI will: 1) immediately notify the party to whom the personal data applies (i.e. customer or vendor); 2) inform the relevant government authority that it has not been authorized to disclose the personal data and, unless legally prohibited, will need to immediately notify the party to whom the personal data applies; 3) inform the governmental authority that it should direct all requests or demands directly to the party to whom the personal data applies; and 4) not provide access to the personal data until authorized in writing by the party to whom the personal data applies or until compelled legally to do so. If legally compelled to do so, CAI will use reasonable and lawful efforts to challenge such prohibition or compulsion. If CAI is compelled to produce the personal data, CAI will only disclose personal data to the extent legally required to do so in accordance with applicable lawful process.

CAI employs Data Protection Addendums (“DPAs”) with sub-processors who process personal data on behalf of CAI where required by applicable privacy laws.

When we transfer personal data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to the United States, CAI still complies with, but does not rely on, the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on Privacy Shield. CAI has maintained its certification to the Department of Commerce that it still adheres to the Privacy Shield Principles (“Principles”) with respect to such information. If there is any conflict between the terms in this Privacy Notice and the Principles, the Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

If you have concerns about our compliance with this Privacy Notice, you should contact us as indicated in the “Contact Us” section at the bottom of this Privacy Notice. If you are a resident of the EEA, the United Kingdom, or Switzerland and we are not able to resolve your complaint, you may submit your complaint free of charge to JAMS (https://www.jamsadr.com/eu-us-privacy-shield), CAI’s designated independent dispute resolution provider. Under certain conditions specified by the Principles of the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, respectively, you may also be able to invoke binding arbitration to resolve your complaint. CAI is subject to the investigatory and enforcement powers of the Federal Trade Commission with regard to EU-U.S., U.K.-U.S., and Swiss-U.S. transfers of personal data. If CAI shares personal data collected in the EEA, the United Kingdom, or Switzerland with a third-party service provider that processes the data solely on CAI’s behalf, then CAI will be liable for that third party’s processing of such data in violation of the Principles, unless CAI can prove that it is not responsible for the event giving rise to the damage.

Lawful Basis for Processing Personal Data of Individuals (EEA/UK) –

If you are an individual from the EEA or UK, our lawful basis for collecting and using personal data will depend on the personal data concerned and the specific context in which we collect it. We will only use your Personal Data for the purposes for which we collect such Personal Data as outlined below, unless we need to use it at a later date for another purpose that is compatible with the original purpose. If we need to further process your Personal Data for a purpose that is not compatible with the original purpose for collection, we will notify you and provide an explanation of the legal basis which allows us to do so. However, we generally rely on the following lawful justifications for our processing activities: 1) the performance of an agreement with you and/or your employer; 2) pursuing our legitimate interests as long as they do not override your interests, rights and freedoms; 3) your consent; and 4) compliance with a legal obligation. In some cases, we may also rely on GDPR Article 49 derogations, have a legal obligation to collect personal data, or may otherwise need the personal data to protect your vital interests or those of another person. More detail regarding lawful basis is provided below.

Purpose(s) for Processing	Legal Basis for Processing
To process applications and other agreements for our products and services.	The processing of your personal data is necessary to perform a contract or enter into a contract with you and/or your employer
To manage and administer contracts including service agreements with you and your employer.	The processing of your personal data is necessary for us to comply with legal and regulatory obligations The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests, rights, and freedoms
To improve our products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, and for statistical analyses	The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests, rights, and freedoms
Marketing	We will seek your consent to the processing of your personal data for marketing – which you may withdraw at any time
For the prevention and detection of fraud, money laundering or other crimes	The processing of your personal data is necessary for us to comply with legal and regulatory obligations or as authorized by applicable law
To manage our relationship with you and between you and your employer	The processing of your personal data is necessary to perform a contract or enter into a contract with you and/or your employer The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests, rights, and freedoms
To provide the benefit of our products and services	The processing of your personal data is necessary to perform a contract or enter into a contract with you and/or your employer The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests, rights, and freedoms

Children’s Privacy –

CAI’s business is not directed toward children and CAI does not knowingly collect or solicit any information from children or anyone under the age of 13. CAI does not knowingly allow such persons to utilize our products or services. In the event that we learn that we have inadvertently collected personal data from a child or someone under the age of 13, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child, please contact us via the methods listed below in the “Contact Us” section at the bottom of this Privacy Notice.

Changes to the Privacy Notice –

We may amend this Privacy Notice at any time by posting the amended Privacy Notice on our websites. The date the Privacy Notice was last revised is identified at the top of this Privacy Notice. All amended terms automatically take effect after they are initially posted on our website, unless a change in any applicable law requires immediate amendment. You are responsible for periodically checking this Privacy Notice for any changes.

Complaints –

Without prejudice to any other administrative or judicial remedy you might have, you may have the right to lodge a complaint with local state regulators/data protection authorities if you believe that we have infringed applicable privacy or data protection requirements when processing personal data about you.

In the UK, you may contact:

The Information Commissioner’s Office

Water Lane, Wycliffe House

Wilmslow – Cheshire SK9 5AF

Tel. +44 1625 545 700

email: casework@ico.org.uk

Website: https://ico.org.uk

For the EU, please see:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

Contact Us –

To contact CAI with questions or concerns about this Privacy Notice or CAI’s practices concerning personal data, please use the contact information below. If you are a resident in the EEA, please note that where CAI acts as a data controller responsible for your personal data, the legal entity is Command Alkon Incorporated in the United States. CAI will address all questions and complaints related to this Privacy Notice within a reasonable period.

E-mail:
privacy@commandalkon.com

Or write to:
Command Alkon Incorporated
Chief Privacy Officer c/o The Legal Department
1800 International Park Drive
Suite 400
Birmingham, Alabama 35243

Or call:
1-800-624-1872 (U.S. toll free)
0-800-022-9682 (International toll free)

Website:
www.commandalkon.com