At Anomalo, we take your privacy seriously. Please read this Privacy Policy to learn how we treat your personal data. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy.
Privacy Policy
1. What is Covered by this Privacy Policy.
- 1.1 Coverage. At Anomalo, we take your privacy seriously. This Privacy Policy covers how we treat Personal Data that we gather when you access or use Anomalo’s data quality software and services, website, and other products and services (“Services”). Services also include Anomalo’s services that require you to log in to use, such as Anomalo’s support platform and Slack. Please read this Privacy Policy to learn how we treat your Personal Data.
- 1.2 Acceptance. By accessing or using our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy.
- 1.3 Compliance with Applicable Law. Anomalo intends to comply with all applicable law, including without limitation the EU and UK General Data Protection Regulation and the California Consumer Protection Act (“CCPA”), as well as the principles of the EU – U.S. Data Privacy Framework (“DPF” and “DPF Principles”). Your rights under applicable law are summarized in the applicable Schedules below.
- 1.4 Third-party Practices. This Privacy Policy covers third-party practices as provided below but does not cover the practices of companies that we don’t own or control, or people we don’t manage, or websites or services to which Services may link, except to the extent such websites or services are part of Services and exchange data directly with Services. Services do not include social media features such as “Share” and “Like” buttons that are provided by third-party social media platforms like Facebook, LinkedIn, and Twitter.
2. Personal Data We Collect.
- 2.1 “Personal Data” means any information that identifies or relates to a particular individual and includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules, and regulations. Personal Data includes, but is not limited to, name, identification number, location, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.
- 2.2 Categories. Anomalo collects the categories of Personal Data as described in the following chart. Anomalo has collected such Personal Data over the past twelve months:
| Categories of Personal Data We Collect | Examples of Personal Data We Collect | Categories of 3rd Parties with Whom We Share this Personal Data |
|---|---|---|
| Profile or Contact Data | First and last name; Email address; Phone number; Account name; Username; Passwords; Job Title; Company name | Service Providers; Analytics Partners |
| Payment Data | Payment card type; Payment card number; Billing address; Billing phone number; Billing email | |
| Device / IP Data | IP Address; Domain server; Device / OS / browser type | Service Providers; Advertising Partners; Analytics Partners; Parties You Authorize; Parties You Access; Parties You Authenticate |
| Web Analytics | Browsing history; Search history; Referring webpage / source | Service Providers; Advertising Partners; Analytics Partners |
| Social Network Data | Email address; Username; Company name | Service Providers; Analytics Partners |
| Professional- or Employment-related Data | | Service Providers; Analytics Partners |
| Geolocation Data | IP address-based location information | Service Providers; Advertising Partners; Analytics Partners |
Table 1. Categories of Personal Data Collected
3. Source of Personal Data. Anomalo collects Personal Data about you from the categories of sources described in the following charts.
| You | Third Parties |
|---|---|
| We collect information from you when you provide it directly to us. We collect such information when you create an account, use our Services, provide information in free-form text boxes in Services or through responses to surveys or questionnaires. We collect information from you when you use the Services and information is collected automatically. For example, we collect information through Cookies. If you download Services or use a location-enabled browser, we may collect information about your location and mobile device as applicable. If you download and install Services, certain applications, software, or other content we make available, we may collect information when you are logged on and available to receive updates or alert notices. | We collect information from analytics providers to analyze how you interact with and engage the Services. We collect information from third parties who help us provide customer support, generate leads, and create user profiles. We collect information from social networks and third-party sites or services if you provide your social network account credentials to us or otherwise sign into the Services through a social network or other third-party site or service. See the sections on Sharing Personal Data, Tracking Tools, Cookies, Advertising, and Opt-out, and Internet-based Advertisements for additional information. |
Table 2. Sources of Personal Data
4. Purposes for Collecting Personal Data. Anomalo collects and uses Personal Data for the reasons described below.
| Providing Services | Marketing Services | Legal Requirements |
|---|---|---|
| We use Personal Data to provide, customize, and improve Services, including by creating and managing your account or other user profiles, processing orders or other transactions, billing, providing you with Services or information you request, meeting or fulfilling the reason you provided the information to us, providing support for Services, personalizing the Services, personalizing communications based on your preferences, performing fraud protection, performing security activities, debugging, and improving Services through testing, research, internal analysis, and product development. | We use Personal Data to market Services, and to correspond with you, including by conducting marketing activities, performing sales activities, showing you advertisements such as interest-based and online behavioral advertising, responding to correspondence that we receive from you, contracting when necessary or requested, sending you information about Anomalo or Services, and sending emails or other communications according to your preferences or that display content that we think will interest you. | We use Personal Data to meet legal requirements and enforce legal terms, including by fulfilling our legal obligations under applicable law, regulation, court order, or other legal process, completing corporate transactions, complying with and enforcing agreements with you, responding to claims that a posting or other content violates third-party rights, and resolving disputes. We use Personal Data to prevent, detect, and investigate security incidents and potentially illegal or prohibited activities, and to protect the rights, property, and safety of Anomalo, you, and third parties. |
Table 3. Purposes for Collecting Personal Data
5. Sharing Personal Data. Anomalo discloses Personal Data to the categories of service providers and other parties described below. Depending on applicable law that may be applicable to you, some of these disclosures may constitute a “sale” of your Personal Data; for more information, please refer to the jurisdiction-specific sections below.
| Categories of 3rd Parties with Whom We Share Personal Data | Examples of 3rd Parties with Whom We Share Personal Data | Description |
|---|---|---|
| Analytics Partner | Providers that track how users were found or referred; Providers that track how users interact with Services | Analytics Partners help us provide analytics on web traffic, the usage of Services, and business systems analysis. |
| Advertising Partner | Marketing providers; Ad networks | Advertising Partners help us market Services and provide you with offers that may be of interest to you. |
| Legal-related Providers | Legal counsel; Courts; Regulators | Legal-related Providers include third parties with which we share Personal Data in conjunction with the Legal Requirements described above. |
| Parties You Authorize, Access, or Authenticate | Hosting providers; Communication providers; Technology providers | Parties You Authorize, Access, or Authenticate help you access or use Services. |
| Service Provider | Hosting providers; Communication providers; Payment providers; Services providers; Technology providers | Service Providers help us provide Services or otherwise perform business functions on our behalf. |
Table 4. Categories of 3rd Parties with Whom We Share Information
6. Business Transfers
- 6.1 Corporate Transfers. Anomalo may transfer Personal Data it collects to a third party if Anomalo undergoes a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part). If that occurs, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices. However, in accordance with the EU – U.S. Data Privacy Framework, we will ensure that any third party to which Personal Data may be transferred has entered a contract with us requiring them to provide at least the same level of personal data protection as required by the DPF Principles.
- 6.2 Aggregated, De-identified, or Anonymized Data. Anomalo may create aggregated, de-identified or anonymized data from Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. Anomalo may use such aggregated, de-identified or anonymized data and share it with third parties for our lawful business purposes, including to analyze, build, and improve the Services and promote our business, but we will not share such data in a manner that could identify you.
7. Tracking Tools, Cookies, Advertising, and Opt-out
- 7.1 Tracking Tools. Anomalo uses cookies and similar technologies such as pixel tags, web beacons, clear GIFs, and JavaScript (collectively, “Cookies”) to enable our servers to recognize your web browser, tell us how and when you visit and use our Services, analyze trends, learn about our user base, and operate and improve our Services. Cookies are small pieces of data—usually text files—placed on your computer, tablet, phone, or similar device when you use that device to access our Services. Anomalo may supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s). Because of our use of Cookies, the Services do not support “Do Not Track” requests sent from a browser at this time.
- 7.2 Types of Cookies. We use the following types of Cookies:
| Type of Cookie | Examples of Cookie Type | Description |
|---|---|---|
| Essential | Authentication cookies that allow you to log in to secure areas of Services. | Essential Cookies are required for providing you with features or services that you have requested. Disabling these Cookies may make Services or features of Services unavailable. |
| Functional | Cookies that track your choices of language or region. | Functional Cookies are used to record your choices and settings regarding Services, maintain your preferences over time, and recognize you when you return to Services. These Cookies help us personalize content for you, greet you by name, and remember your preferences. |
| Performance / Analytical | Cookies used by Google LLC in connection with its Google Analytics services. | Performance / Analytical Cookies are used to allow us to understand how visitors use Services by collecting information on the number of visitors, what pages visitors view, and how long visitors view pages. |
| Retargeting / Advertising | Cookies that track email opening and internet activity such as pixel tags, web beacons, and clear GIFs. | Retargeting / Advertising Cookies are used to collect data about your online activity and identify your interests so that we can provide advertising that we believe is relevant to you. |
Table 5. Types of Cookies We Use
- 7.3 Accepting Cookies. You can decide whether to accept Cookies through your internet browser’s settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies and (depending on the browser) allow you to decide on acceptance of each new Cookie in a variety of ways. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our Services, or certain features of Services may not work.
- 7.4 Third-party Cookies. Cookies operated by third parties are subject to their own terms. For example, Google’s use of Cookies related to its Google Analytics services and its ability to use and share information collected by Google Analytics about your visits to the Services is subject to the Google Analytics Terms of Use and the Google Privacy Policy. You can opt out of Google’s Cookies by visiting its opt-out page at https://www.google.com/privacy_ads.html or the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout/.
- 7.5 Cookie Settings. To explore what Cookie settings are available to you, look in the “preferences” or “options” section of your browser’s menu. To find out more information about Cookies, including how to manage and delete Cookies, please visit http://www.allaboutcookies.org/ or, if you are located in the European Union, https://ico.org.uk/for-the-public/online/cookies/.
8. Interest-based Advertisements
- 8.1 Interest-based Ads. Anomalo may serve advertisements, and allow third-party ad networks, including third-party ad servers, ad agencies, ad technology vendors, and research firms, to serve advertisements through the Services. These advertisements may be targeted to users who fit certain general profile categories or display certain preferences or behaviors (“Interest-based Ads”). Information for Interest-based Ads, including Personal Data, may be provided to us by you, or derived from the usage patterns of particular users of the Services or third-party services. To accomplish this, Anomalo or its service providers may deliver Cookies, including files known as “web beacons” from an ad network to you through the Services. Web beacons allow ad networks to provide anonymized, aggregated auditing, research, and reporting for us and for advertisers. Web beacons also enable ad networks to serve targeted advertisements to you when you visit other websites. Web beacons allow ad networks to view, edit, or set their own Cookies on your browser, just as if you had requested a webpage from their site.
- 8.2 Compliance. In using such technologies, Anomalo complies with DPF Principles. Anomalo also complies with the Digital Advertising Alliance (“DAA”) Self-regulatory Principles for Online Behavioral Advertising. Through the DAA and the Network Advertising Initiative (“NAI”), several media and marketing associations have developed an industry self-regulatory program to give consumers a better understanding of, and greater control over, ads that are customized based on a user’s online behavior across different websites and properties. To make choices about Interest-based Ads from participating third parties, including to opt-out of receiving targeted advertisements from participating organizations, please visit the DAA’s or NAI’s consumer opt-out pages, which are located at https://optout.aboutads.info/ or http://www.networkadvertising.org/choices/. Users in the European Union should visit the European Interactive Digital Advertising Alliance’s user information website located at https://youronlinechoices.eu/.
9. Data Security and Retention. Anomalo works to protect your Personal Data from unauthorized access, use, and disclosure using appropriate physical, technical, organizational, and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and other sign-on mechanisms, limiting access to your computer, device, and browser, and signing off after you have finished accessing or using Services. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.
10. Data Retention. Anomalo retains Personal Data about you for as long as you have an open account with us or as otherwise necessary to provide you with our Services. We retain Personal Data for longer when necessary to comply with our legal obligations, resolve disputes, collect fees owed, or as otherwise permitted or required by applicable law, rule, or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
11. Personal Data of Children. Anomalo does not knowingly collect or solicit Personal Data about children under 16 years of age. If you are a child under the age of 16, please do not attempt to register for or otherwise use the Services to send us any Personal Data. If we learn we have collected Personal Data from a child under 16 years of age, we will delete that information as quickly as possible. If you believe that a child under 16 years of age may have provided Personal Data to us, please contact us at privacy@anomalo.com.
12. Changes to this Privacy Policy. Anomalo is constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time, but we will alert you to any such changes by placing a notice on Anomalo’s website, by sending you an email, or through other means of communication. Please note that if you’ve opted not to receive legal notice emails from us (or have not provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes. Use of information we collect is subject to the Privacy Policy in effect at the time such information is collected.
13. Contact Information. If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data, or your choices and rights regarding such collection and use, please do not hesitate to contact us at privacy@anomalo.com or 855 El Camino Real, Suite 405, Palo Alto, CA 94301-2337.
Schedule A. EU – US Data Privacy Framework
1. Applicability.
- 1.1. Overview of Commitment. Anomalo is committed to complying with DPF Principles so that our commitment to comply with the DPF is enforceable under U.S. law. Anomalo has self-certified its commitment to complying with the DPF, including DPF Principles related to the rights of data subjects in the EU and providing such persons with accessible, independent means of resolving complaints about how their Personal Data are handled.
- 1.2. Certification. Anomalo complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
- 1.2.1. Anomalo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
- 1.2.2. Anomalo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
- 1.2.3. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
- 1.3. Scope. Anomalo will only collect, use, and retain Personal Data for data subjects in the European Union, the United Kingdom, and Switzerland to the extent such information is relevant for our purposes as described in the Privacy Policy, this Schedule A – EU – U.S. Data Privacy Framework, and Schedule B – Data Subject Rights, as applicable.
- 1.4. Applicable Framework. The DPF is available at the following location: https://www.dataprivacyframework.gov/EU-US-Framework.
- 1.5 List of Certified Entities. The list of certified entities under the DPF is available at https://www.dataprivacyframework.gov/list
2. Data Processing.
- 2.1. DPF Principles. Here is a summary of the DPF Principles that Anomalo will comply with related to your Personal Data:
- 2.1.1. Notice. Anomalo will be transparent about the Personal Data we may collect about you and about your rights related to your Personal Data, including your right to access your Personal Data, how to contact us or make complaints about our practices, and to disclose how we share your Personal Data.
- 2.1.2. Choice. Anomalo will honor requests to prevent your Personal Data from being disclosed to a third party or used for a purpose other than the ones for which the data was originally collected. We will ask for your consent if certain types of your Personal Data are to be disclosed to third parties or used outside the original purpose.
- 2.1.3. Accountability for Onward Transfer. Anomalo will accept responsibility for transfers of your data from us to third parties and will ensure continued compliance with relevant DPF Principles for such transfers.
- 2.1.4. Security. Anomalo will take appropriate measures to protect Personal Data that we collect, store, use, or share from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in processing and the nature of your Personal Data.
- 2.1.5. Data Integrity and Purpose Limitation. Anomalo will take appropriate measures to ensure Personal Data that we collect is accurate, complete, up to date, and reliable for use. We will limit the Personal Data we collect to what is relevant for processing and will not retain Personal Data longer than necessary.
- 2.1.6. Access. Anomalo will honor requests to correct, amend, or delete Personal Data that is inaccurate or that has been used in violation of DPF Principles as provided in the Privacy Policy.
- 2.1.7. Recourse, Enforcement, and Liability. Anomalo will explain how to seek recourse or enforcement related to your rights, including by providing contact information for us, explaining how to submit complaints to independent agencies, and explaining how to request binding arbitration.
- 2.2. Transfers to Third-party Controllers. Anomalo will comply with the DPF’s Notice and Choice Principles whenever we transfer your Personal Data to a third party acting as a controller. Anomalo will enter into a contract with each such third party that requires that (1) such Personal Data will only be processed by the controller for the limited and specified purposes consistent with the consent provided by the relevant data subject or other legal basis for processing, (2) the controller provide the same level of protection as the DPF Principles, (3) the controller will notify Anomalo if the controller determines that it can no longer provide the same level of protection as provided under DPF Principles, and (4) if such controllers are not able to provide such protection, the controller will cease processing or take other reasonable and appropriate steps to remediate its inability to provide such protection.
- 2.3. Transfers to Third-party Agents. Anomalo will comply with DPF Principles whenever we transfer your Personal Data to a third party acting as an agent. In such cases, Anomalo will (1) transfer such Personal Data for the limited and specified purposes described in the Privacy Policy, (2) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Anomalo’s obligations under DPF Principles, (3) require the agent to notify Anomalo if the agent determines that it can no longer provide the same level of protection as provided under DPF Principles, (4) take reasonable and appropriate steps to stop and remediate unauthorized processing if Anomalo receives notice of such processing, and (5) provide a summary or representative copy of the relevant privacy provisions of its contract with such agents to the U.S. Department of Commerce upon request.
3. Data Retention. Anomalo will retain your Personal Data for as long as necessary to fulfill our original purpose of processing the Personal Data. Anomalo will apply DPF Principles to all Personal Data received under any part of the DPF program and will continue to provide adequate protection for the information by authorized means for as long as Anomalo keeps such data even if Anomalo leaves the part of the DPF through which it received the data.
4. Your Rights. EU data subjects have the rights described in this Schedule A – EU – U.S. Data Privacy Framework and Schedule B – European Data Subject Rights, as well as rights provided through the DPF or otherwise provided under the Privacy Policy.
5. Disclosure to Lawful Government Requests. Anomalo is required to disclose Personal Data in response to lawful requests from certain public authorities.
6. Dispute Resolution.
- 6.1. Submitting a Complaint. You may bring a complaint related to Anomalo’s processing of your Personal Data by contacting privacy@anomalo.com. There is no fee or other cost to submit a complaint. Anomalo will respond to you within forty-five (45) calendar days and will investigate and resolve any disputes expeditiously.
- 6.2. Independent Recourse. If Anomalo is not able to resolve your complaint, you may seek independent recourse by contacting the independent recourse agency appropriate to where you reside to investigate your complaint:
- 6.2.1. EU Residents. European Data Protection Board.
- 6.2.2. UK Residents. Information Commissioner’s Office.
- 6.2.3. Swiss Residents. Swiss Federal Data Protection and Information Commissioner.
- 6.3. ITA Facilitation. If you submit a complaint to a data protection authority in the European Union / European Economic Area, the United Kingdom, or Switzerland, the U.S. Department of Commerce’s International Trade Administration (“ITA”) has committed to receiving, reviewing, and undertaking best efforts to facilitate resolution of the complaint and to respond to the DPA within ninety (90) calendar days.
- 6.4. Binding Arbitration. At your request, Anomalo will participate in binding arbitration through the American Arbitration Association to address any complaint that has been unable to be resolved by any other recourse and enforcement mechanism as provided under the DPF.
7. Enforcement.
- 7.1. Enforcement Agency. Anomalo has designated the U.S. Federal Trade Commission as the enforcement body under the DPF. In addition, Anomalo will respond promptly to inquiries and requests by the ITA for information related to the DPF and, as applicable, the UK Extension of the DPF and the Swiss – U.S. Data Privacy Framework. The U.S. Department of Commerce’s DPF program website is available at https://dataprivacyframework.gov and requests for Dispute Resolution and Enforcement at https://www.dataprivacyframework.gov/assistance
- 7.2. Transparency of Enforcement Actions. Anomalo will publish on its website any relevant DPF-related sections of any compliance or assessment report submitted to the Federal Trade Commission if Anomalo becomes subject to an FTC or court order based on noncompliance with DPF Principles.
Schedule B. European Data Subject Rights
1. Applicability.
- 1.1. Applicable Law. You may have additional rights under the EU or UK General Data Protection Regulation (“the GDPR”) with respect to your Personal Data if you are a resident of the European Union (“EU”), the United Kingdom (“UK”), Liechtenstein, Norway, or Iceland.
- 1.2. EU – U.S. Data Privacy Framework. Anomalo complies with DPF Principles, including the principles of Notice, Choice, Accountability of Onward Transfer, Security, Data Integrity, Purpose Limitation, Access, Recourse, Enforcement, and Liability, as provided by the DPF.
- 1.3. Definitions. For the purposes of this Schedule B – European Data Subject Rights, the terms “Personal Data” and “processing” shall have the definition provided under the applicable GDPR. Generally, “Personal Data” means information that can be used to individually identify a person, and “processing” covers actions that can be performed in connection with data such as collection, use, storage, and disclosure.
- 1.4. Conflicts. If there are any conflicts between this Schedule B – European Data Subject Rights and the Privacy Policy, the policy or portion that is more protective of Personal Data shall control to the extent of such conflict.
2. Contact Information.
- 2.1. About this Schedule. If you have any questions about your rights under this Schedule B – European Data Subject Rights, including whether it applies to you, please contact privacy@anomalo.com.
- 2.2. Third-party Controllers. If we are the processor of your Personal Data (i.e., not the controller), please contact the controller to address your rights with respect to such data; if you contact us, we will coordinate with the controller to the extent we can.
- 2.3. Data Protection Representatives. Individuals and data protection supervisory authorities in the EU and the UK may contact our data protection representatives pursuant to Article 27 of the GDPR at https://www.dp-dock.com or anomalo@gdpr-rep.com, or at the appropriate address below:
- 2.3.1. EU: DP-Dock GmbH, Attn: Anomalo, Ballindamm 39, 20095, Hamburg, Germany.
- 2.3.2. UK: DP Data Protection Services UK Ltd., Attn: Anomalo, 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
3. Controllers and Processors.
- 3.1. Controller. Anomalo will be the controller of your Personal Data processed in connection with the Services such as your account or user profile information.
- 3.2. Processor. Anomalo will be the processor for Personal Data that is processed through Services, as well as the Personal Data of our customers’ end users and employees in connection with the Services.
4. Data Processing.
- 4.1. Lawful Basis. Anomalo will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity, and our legitimate interests, as well as the legitimate interests of others and other lawful bases.
- 4.2. Contractual Necessity. Anomalo processes the following categories of Personal Data as a matter of contractual necessity: Profile or Contact Data, Payment Data. “Contractual necessity” means that we need to process the data to perform under our contract with you, which enables us to provide you with Services. When we process data due to contractual necessity, the failure to provide such Personal Data will result in your inability to use some or all the Services that require such data.
- 4.3. Legitimate Interests. Anomalo processes the following categories of Personal Data as a matter of the legitimate interests of Anomalo or some third party: Profile or Contact Data, Device / IP Data, Web Analytics, Social Network Data, Professional- or Employment-related Data, and Geolocation Data. Our legitimate interests include, as described in more detail in the Privacy Policy, Providing Services, Marketing Services, and Legal Requirements. Anomalo may also de-identify or anonymize Personal Data to further our legitimate interests.
- 4.4. Other Lawful Bases. From time to time, Anomalo may process Personal Data to comply with a legal obligation, when necessary to protect the vital interests of you or other data subjects, or when it is necessary for a task to be carried out in the public interest.
5. Data Subject Rights.
- 5.1. Your Rights. You have certain rights with respect to your Personal Data. For more information about these rights, or to submit a request, please email us at privacy@anomalo.com.
- 5.1.1. Access. You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. You can also access certain of your Personal Data by logging on to your account.
- 5.1.2. Erasure. You can request that we erase some or all of your Personal Data from our systems.
- 5.1.3. File a Complaint. You have the right to file a complaint about Anomalo’s practices with respect to your Personal Data with the supervisory authority of your country or EU member state. A list of supervisory authorities is available here.
- 5.1.4. Objection. You can request that we stop further use or disclosure of your Personal Data for certain purposes, such as for Marketing Services.
- 5.1.5. Portability. You can request a copy of your Personal Data that we are holding in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
- 5.1.6. Rectification. If you believe that any Personal Data that we are holding is incorrect or incomplete, you can request that we correct or supplement that data.
- 5.1.7. Restriction of Processing. You can request that we restrict further processing of your Personal Data.
- 5.1.8. Withdrawal of Consent. If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note that if you withdraw your consent, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data if such use or disclosure is necessary to enable you to use some or all of the Services.
- 5.2. Compliance with Requests. Anomalo will comply with your requests related to your rights as required by applicable law and the DPF. Anomalo may not be able to comply with your request, in whole or in part, if it is frivolous or extremely impractical, jeopardizes the rights of others, or is not required by law or the DPF. In some cases, we may need you to provide us with additional information, which may include Personal Data, as necessary to verify your identity and the nature of your request.
6. Transfers. The Services are hosted and operated in the United States through Anomalo and its Service Providers. If you do not reside in the United States, the laws in the United States may differ from the laws where you reside. By using the Services, you acknowledge that any Personal Data about you, regardless of whether provided by you or obtained from a third party, is being provided to Anomalo in the United States and will be hosted on servers in the United States and other countries, and you authorize Anomalo to transfer, store, and process your Personal Data to and in the United States and other such countries. You further consent to the transfer of your Personal Data to the United States pursuant to (1) a data processing agreement incorporating standard data protection clauses, often called Standard Contract Clauses (“CCCs”), and (2) Anomalo’s self-certification of its compliance with the DPF, including as applicable the UK Extension to the DPF and the Swiss-U.S. DPF Principles.
Schedule C. California Resident Rights
1. Applicability.
- 1.1. Applicable Law. You may have additional rights under the CCPA and other California law with respect to your Personal Data if you are a resident of California.
- 1.2. Definitions. For the purposes of this Schedule C – California Resident Rights.
- 1.3. Conflicts. If there are any conflicts between this Schedule C – California Resident Rights and the Privacy Policy, the policy or portion that is more protective of Personal Data shall control to the extent of such conflict.
2. Contact Information.
- 2.1. About this Schedule. If you have any questions about your rights under this Schedule C – California Resident Rights, including whether it applies to you, please contact privacy@anomalo.com.
- 2.2. Third-party Controllers. If we are processing your Personal Data as a service provider for a third party, please contact the entity that collected your Personal Data that we are processing in the first instance to address your rights with respect to such data; if you contact us, we will coordinate with that entity to the extent we can.
3. Controllers and Service Providers.
- 3.1. Controller. Anomalo will be the controller of your Personal Data processed in connection with the Services such as your account or user profile information.
- 3.2. Service Provider. Anomalo will be the processor for Personal Data that is processed through Services, as well as the Personal Data of our customers’ end users and employees in connection with the Services.
4. Data Subject Rights.
- 4.1. Your Rights. You have certain rights with respect to your Personal Data. For more information about these rights, or to submit a request, please email us at privacy@anomalo.com.
- 4.1.1. Access. You have the right to request certain information about our collection and use of your Personal Data over the past twelve (12) months. In response to such requests, we will provide you with the following information:
- 4.1.1.1. The specific pieces of Personal Data that we have collected about you;
- 4.1.1.2. The categories of Personal Data we have collected about you;
- 4.1.1.3. The categories of sources that we used to collect that Personal Data;
- 4.1.1.4. The business or commercial purpose for collecting or selling your Personal Data;
- 4.1.1.5. The categories of third parties with whom we have shared your Personal Data; and
- 4.1.1.6. The categories of Personal Data we have shared with each category of third party with whom we have shared or sold your Personal Data.
- 4.1.2. Deletion. You have the right to request that we delete the Personal Data that we have collected about you. Under the CCPA, this right is subject to certain exceptions. For example, we may need to retain your Personal Data to provide you with the Services or complete a transaction or other action you have requested. If your deletion is subject to one of these exceptions, we may deny your deletion request.
- 4.1.3. Prevent Direct Marketing by Third Parties. You have the right to request that we prevent disclosure of Personal Data to third parties for such third parties’ direct marketing purposes. See California Civil Code Section 1798.83 to 1798.84 for additional information.
- 4.2. Compliance with Requests. To exercise your rights, you or your Authorized Agent must provide a valid request, which is one that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data, and (2) describes your request in sufficient detail to allow us to understand, evaluate, and respond to it. We will also only use Personal Data provided in a valid request to verify your identity and complete your request; you do not need an account to submit a valid request. We will respond to valid requests within forty-five (45) days of receipt. If you do not provide a valid request, we may not respond. We will not charge you a fee for making a valid request unless your request is excessive, repetitive, or manifestly unfounded. If we determine that your valid request warrants a fee, we will notify you of the fee and explain that decision before completing your request.
- 4.3. Authorized Agent. You may authorize an agent to exercise your rights on your behalf (“Authorized Agent”). To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf. Your Authorized Agent must provide a copy of that written permission to us when the Authorized Agent makes a request on your behalf.
- 4.4. No Discrimination for Exercising Rights. We will not discriminate against you for exercising your rights under the CCPA or other applicable law. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA or other applicable law.
5. Transfers.
- 5.1. Sale of Data. Anomalo does not sell your Personal Data and we have not done so over the last twelve (12) months. To our knowledge, we do not sell the Personal Data of minors under 16 years of age.
Schedule D. Rights of Residents or Data Subjects in Other Jurisdictions
1. Nevada. If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting privacy@anomalo.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account.