With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Apomaya is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.
Apomaya also complies with applicable United States state privacy laws, including those applicable to California citizens under the California Consumer Privacy Act.
Apomaya’s Role as a Service Provider to its Customers
Apomaya is the provider of certain applications and services, and in connection with these applications and services Apomaya provides certain marketing and technical services, which might also include technical support services (collectively “Services”) to its customers in the U.S., EEA, Switzerland and the United Kingdom through employees who may be located in the U.S. U.S.-based employees and U.S.-based customers may process Personal Data in connection with the Services to end users of the Services, customers, and prospective customers located anywhere in the world, including in the EEA, Switzerland or the United Kingdom.
Apomaya collects data and information it receives when an individual uses a web browser or other similar web application or device to visit a website on the Internet. Apomaya may also combine data and information it collects with data and information received from third parties. Some, but not all, of this data and information may be Personal Data.
Apomaya may have access to certain non-identifying information of users and third parties, such as browser type and version, operating system, ad blocker type, and similar technical and other information made available by the user’s browser, device, or Internet provider. This information is not Covered Data (as defined below) and Apomaya may collect, store, process, and use this information without limitation. For clarity, IP addresses are treated as Personal Data, as further described below.
Apomaya may collect, store, and process the following categories of Personal Data: IP address, device identifiers, browsing and search history, full name, mailing address, email address, phone number, , and other personally identifiable information. Due to the nature of the Services, Apomaya may also collect Sensitive Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; or concerns health or sex life and sexual orientation. Personal Data and Sensitive Personal Data are, collectively, the “Covered Data.”
When Apomaya processes Covered Data, Apomaya does so only for the purpose of providing Services pursuant to its customer’s or prospective customer’s instructions. Apomaya will not sell any Covered Data to third parties. However, Apomaya may collect, store, and process anonymized forms of Covered Data, and use that anonymized data for its own analytical and other purposes.
Apomaya employees located in the U.S. may provide Services for customers located throughout the world, including in the EEA, Switzerland or the United Kingdom. To provide such Services, Apomaya may access and use Covered Data. Apomaya will apply the following Privacy Shield Principles to Covered Data physically or remotely transferred from the EEA, Switzerland or the United Kingdom to the U.S.
The Customer’s and Prospective Customer’s Responsibilities with respect to Covered Data
In providing the Services, Apomaya processes the Covered Data that its customers or prospective customers request from, share with, or provide to Apomaya. Apomaya has no direct or contractual relationship with the subject of such Covered Data (a “Data Subject“). As a result, when a customer or prospective customer requests, shares or provides access to Covered Data, the customer or prospective customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.
As required by applicable law (including, without limitation, the Privacy Shield), Data Subjects may have the right to access the Covered Data an organization holds about them. If such Covered Data is inaccurate or processed in violation of the Privacy Shield Principles, a Data Subject may also have a right to request that Covered Data be corrected, amended, or deleted.
Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also may correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe.
When Apomaya receives Covered Data, it does so on its customer’s or prospective customer’s behalf. To request access to, or correction, amendment or deletion of, Covered Data, Data Subjects should contact the Apomaya customer or prospective customer that collected their Covered Data. Apomaya will cooperate with its customers’ and prospective customers’ reasonable requests to assist Data Subjects to exercise their rights, if any, existing under the Privacy Shield.
As required by applicable law (including, without limitation, the Privacy Shield), Data Subjects may have the right to opt out of (a) sale or disclosures of their Covered Data to third parties not identified at the time of collection or subsequently authorized, and (b) uses of Covered Data for purposes materially different from those disclosed at the time of collection or subsequently authorized. Apomaya’s customers are responsible for informing Data Subjects when they have the right to opt out of such uses or disclosures.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
Data Subjects who wish to limit the use or disclosure of their Covered Data should submit their request to Apomaya’s customer or prospective customer that controls the use and disclosure of their Covered Data. Apomaya will cooperate with its customers’ and prospective customers’ instructions regarding Data Subjects’ choices. In some cases, Data Subjects might not have a legal right to limit use or disclosure of their Covered Data. Although Apomaya strives to provide equal service to those Data Subjects that elect to limit the use of their Covered Data, some services (such as personalization services) might be adversely impacted due to the lack of data.
Apomaya works with DigiTrust to set a first-party cookie in your browser to enable us and DigiTrust Partners to collect web viewing data across non-affiliated websites over time. This data may be used to infer whether Data Subjects share interests with other users, and deliver relevant advertising based on those inferences. This type of advertising is called interest-based advertising. Data Subjects can exercise choice about the collection of data in this way for interest-based advertising by visiting the Digital Advertising Alliance’s (“DAA”) choice page and opting out from DigiTrust. Opting out from DigiTrust will stop DigiTrust Partners from using the DigiTrust identifier. Through the DAA choice page, you may make other choices for companies that participate in the DAA, some of which are DigiTrust Partners. Please note that limiting third-party cookies via your browser controls does not prevent a first-party cookie from being set in this way.
Apomaya uses reasonable efforts to maintain the accuracy and integrity of Covered Data and to update it as appropriate. Apomaya has implemented physical and technical safeguards to protect Covered Data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction. For example, electronically stored Covered Data is stored on a secure network with firewall protection, and access to Apomaya’s electronic information systems requires user authentication via password or similar means. Apomaya also employs access restrictions, limiting the scope of employees who have access to Covered Data subject to this Policy.
Further, Apomaya uses secure encryption technology to protect certain categories of Covered Data. Despite these precautions, no data security safeguards guarantee 100% security all of the time.
Apomaya will not retain Covered Data longer than allowed by applicable law or regulation.
Purpose Limitation and Data Integrity
Apomaya’s customers are responsible for limiting their collection of Covered Data to that which is necessary to accomplish the purposes disclosed to Data Subjects and compatible purposes. They also are responsible for providing Apomaya with instructions for the processing of Covered Data consistent with such purposes. Apomaya will process Covered Data only in accordance with the customer’s or prospective customer’s instructions. Apomaya will not sell any Covered Data to third parties.
Apomaya’s customers also are responsible for ensuring that (a) Covered Data they collect is accurate, complete, current and reliable for its intended uses; and (b) Covered Data is retained only for as long as is necessary to accomplish the customer’s or prospective customer’s legitimate business purposes disclosed to the Data Subject and for compatible purposes. Apomaya will cooperate with customers’ and prospective customers’ reasonable requests for assistance in meeting these obligations.
In the performance of Services, Apomaya will request only the minimum amount of information required to perform the applicable Services and will retain such information only for as long as necessary to provide the Services or for compatible purposes, such as to provide additional Services, to comply with legal requirements, or to preserve or defend Apomaya’s legal rights.
To the extent Covered Data includes human resources (HR) data, Apomaya commits to cooperate with the panel established by the EU data protection authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable (collectively, “Panel”), and comply with the advice given by the Panel with regard to that HR data transferred from EU, Switzerland and/or the United Kingdom, as applicable, in the context of the employment relationship.
Apomaya will not disclose Covered Data to a third party, except as stated below:
Apomaya may disclose Covered Data to advertisers, subcontractors, and third-party agents who assist Apomaya in providing Services to its customers or assist Apomaya in processing data as permitted in this Policy. Before disclosing Covered Data to a subcontractor or third-party agent, Apomaya will obtain assurances from the recipient that it will: (a) use the Covered Data only to assist Apomaya as provided in this Policy; (b) provide at least the same level of protection for Covered Data as required by the Principles; and (c) notify Apomaya if the recipient is no longer able to provide the required protections. Upon notice, Apomaya will act promptly to stop and remediate unauthorized processing of Personal Date by a recipient.
Apomaya’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Apomaya remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Apomaya proves that it is not responsible for the event giving rise to the damage.
Apomaya may also be required to disclose, and may disclose, Covered Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. To the extent permitted, Apomaya will inform its relevant customer or prospective customer before making such disclosure and provide it with a reasonable opportunity to object to such disclosure.
Recourse, Enforcement, and Liability
Apomaya has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
For More Information
Data Subjects with questions about how Apomaya processes Covered Data, or Data Subjects who are EU or Swiss individuals, who wish to request access to, limit use of, or limit disclosure of Covered Data should first contact the Apomaya customer or prospective customer that collected the Covered Data. Apomaya’s Legal Department can be contacted by emailing email@example.com.
This policy is executed in English and may be translated into other languages. In the event of any conflict or discrepancy between the English language version and a translated version, the English language version of this policy shall control.
Apomaya may revise this Policy at any time. If Apomaya decides to materially change this Policy, Apomaya will post the revised Policy at this location.
Effective Date: June 15, 2020; last revised January 28, 2020.