1. Go to the section that has the topic you're interested in;
2. Use a keyword search for your topic; or
3. Get in touch with us to ask a question, ask us to show you the data we have about you, or ask us to delete your personal data.
1. General Statements
1.5 In some sections below we refer to “GDPR art.” and then mention some numbers and letters. Where we do this, we are referencing a specific article within the European Union’s General Data Protection Regulation (or GDPR) that permits us to collect and use your data in a specific way. We do this for two reasons: (1) because we are required to under GDPR and (2) because GDPR is generally considered to be the one of the highest standards of privacy law in the world and we want you to know that, irrespective of where you live, we are applying the highest standards when it comes to your personal data.
2.2 Along those lines, PAX is the “Controller” of the personal data it collects, which means we are the entity that decides how to collect, process, and use the personal data.
3. What Data Are We Collecting About You?
3.1 Not all data is “personal data” under the law, but a lot of it is, and more than you might think. Because we operate in more than one country, we’ve taken the approach that the broadest definition of personal data is best, because it allows us to explain what we collect more simply. And so, for PAX’s purposes, personal data is:
Any information that can, either alone or with other information, be used to identify an actual human person or their household.
3.2 These are the categories of personal data that we collect:
• "Basic Data" means your name, your email address, your physical address, your phone number, your gender identification, and your verified age. Basic Data is collected only if you elect to provide it to PAX in the course of using the PAX website or PAX app. You may be required to provide Basic Data to use some of PAX’s services, such as completing purchases from PAX’s website or entering promotions.
• "Purchase and Warranty Data" is all Basic Data plus credit card or payment information, age verification information and any ID you’ve used to verify your age, your warranty number, your PAX device serial number, any claims or issues you've reported to us related to your device or the warranty, and any other information related to your purchase of a device or service from us. Purchase and Warranty Data is collected only if you elect to provide it to PAX in the course of using the PAX website or customer support services. You may be required to provide Purchase and Warranty Data to use some of PAX’s services, such as completing purchases from PAX’s website, receiving customer support and making a warranty claim.
• "Product Data" means your PAX device's serial number, an app ID, information about your connected device paired through the PAX app, and any Diagnostic Data and Technical Data (each as described below). Product Data is collected automatically if you download and use the PAX app or connect a PAX device to the PAX app. You do not have to use the PAX app to have a great experience using a PAX device.
• "Diagnostic Data" means all the basic information we collect about your use of a PAX device or the PAX app and how well they are working. This includes, for example, when you turn the PAX device on or off, which firmware version you have installed, battery level, device features used, when you insert or remove a pod (but not any Pod Data, as described below), when you open or close the PAX mobile app, the app version that you have installed and the app features that you use. As Diagnostic Data is part of Product Data, Diagnostic Data is collected automatically if you download and use the PAX app or connect a PAX device to the PAX app. Diagnostic Data does not include Usage Data.
• "Technical Data" means any information we collect as we operate our websites and apps, like your IP address when you connect to our websites, your mobile device identifier, what browser you used to access our site and what operating system you're using, the movement of your mouse on the screen (mouse hovers and clicks, for example) the length of time you spend on our website or app, any extensions or apps you pair with ours. We don't use your IP address to track or record your specific location, just the country and city where your login occurred. That said, it's possible to pair even a generalized IP address with other information to identify someone, and so we treat IP addresses like personal data. As Technical Data is part of Product Data, Technical Data is collected automatically if you download and use the PAX app or websites. Technical Data does not include Usage Data.
• "Usage Data" means Puff Data, Pod Data and Mobile Location Data. We do not collect Usage Data automatically. We will only collect Usage Data if you use the PAX app and opt to share Usage Data with us. You can update this preference at any time in your PAX app’s settings.
• "Puff Data" is any information that you share with us regarding your puffs on a PAX device. Depending on the device that you use, this may include all details about a particular session, including number of puffs, puff length, temperature, session length, dosage information (per puff and overall amounts consumed), energy used and pressure applied and the amount of oil remaining in the pod. As Puff Data is part of Usage Data, we do not collect Puff Data automatically. We will only collect Puff Data if you use the PAX app and opt to share Usage Data with us. You can update this preference at any time in your PAX app’s settings.
• "Pod Data" means any information that you share with us regarding the content of the pod(s) that you use with your PAX device. How do we know what is in a pod? Good question. When a pod manufacturer fills a pod, they create a laboratory report describing the composition of the pod and provide the laboratory report to us. Some pods for PAX devices have a serial number and some PAX devices can read those serial numbers. If you share Pod Data with us, we will collect the pod serial number and cross reference it with the laboratory report. This means that we can know what type of oil is in a pod that you use. As Pod Data is part of Usage Data, we do not collect Pod Data automatically. We will only collect Pod Data if you use the PAX app and opt to share Usage Data with us. You can update this preference at any time in your PAX app’s settings.
• "Mobile Location Data" means the location that you share with us from your device when you use the PAX app and connect your PAX device to the PAX app. Mobile Location Data comes in two forms: (1) IP address; and (2) GPS location. We can use your IP address to understand your location when you use the PAX app, however, we don't use your IP address to track or record your specific location, just the country and city where your login occurred. GPS location is a very precise record of your location based on your mobile/desktop device’s GPS coordinates. As Mobile Location Data is part of Usage Data, we do not collect Mobile Location Data automatically. We will only collect Mobile Location Data if you use the PAX app and opt to share Usage Data with us. You can update this preference at any time in your PAX app’s settings. The only exception to this relates to the PAX app’s PAXFinder™ feature. To enable PAXFinder you are required to share the GPS location of your mobile/desktop device with PAX. PAX will then save the GPS location of your mobile/desktop device when the PAX app was last connected to your PAX device, so that GPS location can be provided to you when you use PAXFinder. PAX only saves the most recent GPS location (the prior GPS location is automatically deleted and replaced by the most recent GPS location) and PAX will only use this GPS location data shared by you to enable PAXFinder for the purpose of providing you with PAXFinder functionality. In addition, you can choose if and how you share your GPS location in your mobile/desktop device’s settings; you can choose to share (or not share) your GPS location, to only share your GPS location when the PAX app is open, or to share your GPS location all the time. Even if you have opted in the PAX app to share your Usage Data (and therefore share your Mobile Location Data) or enabled PAXFinder (and therefore share your GPS location for the sole purpose of receiving PAXFinder functionality) your mobile/desktop device’s GPS location settings will override your PAX app’s settings.
• "Profile Data" means the more detailed PAX profile information that you've set up and shared with us. Your profile data includes your account id, your password, your activity while logged in (including reviews, ratings, notes, submissions, comments, and feedback), social media posts, purchase activity and history, and stores where you've purchased items and used your PAX profile during the purchase. Profile Data is collected only if you elect to provide it to PAX in the course of creating and using a PAX account profile. You do not have to create or use a user account to have a great experience using a PAX device.
• "Feedback and Marketing Data" means information that we collect to suggest new products or services that you might find interesting. This includes any surveys or questionnaires we conduct (whether they're in an email, on our website, in the app, or at a physical location). Feedback and marketing data also means all other forms of personal data, your preferences when it comes to how, when, and why we communicate with you about our products and services, and any interactions you have with our marketing materials (for instance, whether you opened a survey or responded to an in-store questionnaire). Feedback and Marketing Data is collected whenever you provide the types of feedback described in the section or interact with our marketing materials. We talk a lot more about marketing in the section below called "Marketing our Products."
• “Third Party Data” means any personal data about you that we obtain – whether by purchasing it or simply receiving it – from anywhere outside of PAX. We don’t control how those third parties get their data about you, but we won’t take any personal data about you from a third party unless they can prove to us that they had your data lawfully and properly in the first place and are permitted to share it with us. Oftentimes, but not always, this data is publicly available information like an address, business title, or social media profile.
3.3 As explained below, we may combine different kinds of personal data in the performance of our services or sale of products to you. We’ll also sometimes combine the personal data you’ve given us with non-personal data. For example, we might combine data about the time and location of your purchase with weather data to get an idea of whether rainy days change how customers decide to buy products. If the combined data can identify you, we’ll treat it like personal information, even though some parts of the combined data (like the weather) can’t identify you.
3.4 Unless you’ve provided us with informed consent of your willingness to participate in a survey or study, we will not solicit any sensitive categories of personal data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, or information about criminal convictions or offenses.
4. Age Verification
4.1 The products that we sell on our website are highly regulated, and we age-restrict their sale. We are committed to preventing sales to minors and we take measures to mitigate this.
4.2 We utilize trusted verification services to verify the information that you provide and ensure that you qualify to access and purchase products from our website. This process has been developed with the customer’s privacy in mind with detailed information neither shared nor accessible.
4.3 In some cases, we might not be able to verify your age and/or identity through our third-party verification service. If you are unable to verify your age with the requested information, you will be requested to upload a copy of your government ID that enables the verification service to manually verify your date of birth. We only have access to the result that they provide – we do not receive a file with your ID to be stored on our servers or database.
5. How We Collect Personal Data
We collect personal data in a variety of ways, depending on how you interact with us, including:
5.1 Direct interactions. You may give us your Basic, Purchase and Warranty, Product, Usage, Profile, or Feedback and Marketing Data, by interacting with us, as when you:
• purchase our products;
• create an account or profile;
• download, update or use our app;
• use a PAX device and then connect that device to our app;
• sign up to receive information, including marketing information, from us;
• make a claim based on your warranty or communicate with us about your device;
• contact customer support or request technical assistance;
• access PAX via social media accounts or PAX’s website(s);
• enter a promotion or survey;
• engage in a commercial transaction or relationship with us as a business entity, contractor, vendor, or other third party;
• give us feedback or reviews; or
• apply and/or interview for a job with us.
5.3 From third parties or publicly available sources. We may receive personal data about you from various third parties and public sources. That includes, among others, our third-party vendors for:
• completing sales;
• monitoring activity on our website, including user interaction and fraud prevention; and
• verifying your age.
6. Why (and How) We Use Personal Data
6.1 As mentioned above, there are several lawful justifications for PAX using your personal data in certain situations. Our promise to you is that we will only use personal data when we have a lawful justification for doing so. In some situations, the only lawful justification for using your personal data is when you provide us with your consent to use your personal data. If you ever give us your consent to use your personal data, don’t worry, you are not giving that consent forever. We will always give you the option to change your mind and withdraw your consent at any time.
6.2 The following list sets out how we use personal data, and the lawful basis for doing so:
• Verifying your age. We need to verify that you are of legal age to purchase our products, and so we collect Basic Data to do so. We need this information to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you (GDPR art. 6(1)(b)).
• Completing a transaction. We need Basic Data and Purchase and Warranty Data so you can buy one of our products, pay for it, and for us to ship it to you. We need Commercial Data to operate our business and transact with others. We need this information to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you (GDPR art. 6(1)(b)).
• Providing customer service. Depending upon what you contact us for and request, we will use any and all categories of personal data we have in order to provide you with customer service. For instance, if you call us to discuss a problem with your shipment, we’ll use Basic Data, Purchase and Warranty Data, and likely also Product to be able to respond to your query. We need this information to be able to fulfill our part of our contract with you (GDPR art. 6(1)(b)), and because we have a legitimate interest in being able to respond to your questions (GDPR art. 6(1)(f)).
• Product safety, failure diagnosis and correction. We want our products to operate in the best way possible for you. The more we know about the basic operation and workings of our products, the more quickly we can understand that there is a problem and fix that problem. More importantly if there was ever an issue that impacted the safety of PAX users, we would want to discover it and take corrective steps ASAP. We therefore use Product Data to monitor the healthy working of PAX devices and the PAX app so that we can analyze trends in failures and bugs to establish whether these are isolated events or product issues that need solving. We use Product Data for this purpose because we have a legitimate interest in ensuring consumer safety and resolving product issues (GDPR art. 6(1)(f)).
• Marketing to you and others. See section 7 below, “Marketing our Products.”
• Managing our website and apps. We’ll use Basic Data, Technical Data, Purchase and Warranty Data, and Profile Data to keep our website and app operating properly (fraud detection and prevention, site maintenance and updates, app maintenance and updates, IP logs). We use this data because we have a legitimate interest in administering/improving our site and apps, running IT services, ensuring network security, and preventing fraud (GDPR art. 6(1)(f)), and because we need to demonstrate our compliance with data security obligations both as a legal matter and if we are involved in a business reorganization (a merger or acquisition) (GDPR art. 6(1)©, GDPR art. 6(1)(f)).
• Creating insights and analysis. We’ll use Basic Data, Product Data, Usage Data, Profile Data, and Feedback and Marketing Data to analyze how customers use our products, how they use, review or rate other products and services related to ours (like pods, for instance), how we might be able to build better products and to understand general trends in the market. We may share or sell those analyses or data points to third parties, but we want to be clear: we’re not selling your name, address, personal usage, or anything that directly identifies you. Instead, we’re going to compile a picture that says something like “customers in Colorado age 40-50 like these pods,” or “people who identified themselves as professionals use pods two times more often on Mondays than any other day of the week.” It will never be “Customer A, who is a lawyer, used X pod on Y day for Z length of time.”
• Internally managing our company and engaging with third parties. We use Commercial Data in the course of operating our business, just as any company would do. We don’t use this data for any purposes other than those for which it was originally given (for instance, we don’t use Commercial Data to market our products to an independent contractor who performed a task for the Company). To the extent that a contract, agreement, or other document sets out uses for Commercial Data in a manner that is different to what is set out here, that document will control.
• Creating and managing your profile. When you create a profile on our website or in our app, you agree to share Basic Data, Product Data, Usage Data and Profile Data with us so that we can provide you with a tailored, custom experience (use metrics, recommendations, trends, etc). We need this information to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you (GDPR art. 6(1)(b)).
We also use this information to create our own internal user profile for you, which we use to market products to you, deliver content that we think is relevant to you, to advertise to you, to learn about you in particular and our customers more generally, and to create an analysis of our business, our customers, and our market. We have a legitimate interest in doing these things to grow our business and learn about our industry (GDPR art. 6(1)(f)), but we will only process this information in this way if you have agreed (consented) to us doing so, and you can withdraw your consent at any time (GDPR art. 6(1)(a)).
6.3 We will only keep your personal data for as long as necessary under the circumstances in which we collected it, including our obligation to hold onto it for legal, regulatory, or accounting purposes. If we are able to make data completely anonymous (that is, it can’t be used to identify you), we may keep that data indefinitely for statistical or analytic purposes.
7. Marketing our Products
A general note on marketing data: We advertise because we want people to buy, and like, our products, and because we want our business to succeed. That means we place ads, send emails, run promotions, send out questionnaires, take surveys, conduct interviews, and do everything else that a marketing department does to try to create a brand. We’re telling you this bluntly so that you have an easier time understanding what we mean when we talk about marketing: it’s our effort to help our business grow.
Part of that growth is understanding what our existing customers like, what they don’t like, and what they might like in the future. We want to know why our users bought a device, or a particular pod. We think that knowing what our customers like will help us improve our existing products and services and design and deliver new, better ones in the future.
The most important part in all of this: you have absolute control over how, and if, we market to you. The basis upon which we use this information is your consent (GDPR art. 6(1)(a)) and you can withdraw that consent at any time. Want to share details of your usage so that we can send you promotional information that matches your interests? Great. Don’t want us to know anything about your Usage Data at all and never email you? Sure—although we may have to email you if we have a legal obligation to do so or, for example, if you contact us. The point is that you can always decide how much information you share and how we contact you when it comes to marketing.
7.1 Promotional offers
We use your Basic, Product, Usage, Profile, Feedback and Marketing Data, and occasionally Third Party Data to create a marketing profile for you so that we can send you information about what devices, products, services, or other goods you may find interesting. We’ll only send you emails or texts if you’ve opted-in to receive marketing communications. We may ask you to opt-in to marketing communications via email, on our website, in the app, or in a physical location like a store or a festival.
7.2 Third-party marketing
We may use third-party vendors to help us identify who our customers are when they visit our site, help us reach out to customers that have opted in to receive marketing communications, or to find more information about customers that have opted in to receive marketing communications. We share data with them so that it's easier for us to track what our customers are doing on our website -- figuring out what they're browsing through, what images they click on, what their activity is like on the site if they've forgotten to log into their account, etc. This is about us getting a clearer idea of what our customers do online, but only on Pax sites. And we use this information only for internal marketing purposes: we won't sell any of the insights or data we get about our customers to anyone else without your consent. Some third-party vendors may also have access to this data, and we won't control what they do with it (though they still can only use it for lawful purposes). We may also use third-party vendors to help us reach out to individuals who may be interested in our products via direct mail.
7.3 Opting out
You can ask us or third parties to stop sending you marketing messages at any time by submitting a Privacy Request.
Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
7.5 Change of purpose
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
7.6 Data retention
We delete or anonymize your personal data as soon as it is no longer required for the purposes we have collected, unless we are legally required to continue processing of your personal data. The one primary exception here is that, if you ask us to delete your data and “forget” you, or ask us not to contact you, we’ll keep your email address on our master do-not-contact list as proof that we followed you request and so that we can avoid contacting you in the future.
For more information on the different categories of personal data and their retention periods, please contact us at email@example.com.
7.7 Automated Decisions
We don’t use an automated decision-making system (an algorithm or machine learning tool) to make decisions about you. We’ll use a system that makes recommendations for what we think you’ll like, but acting on those recommendations is always in your hands, not ours.
8. Disclosures of your personal data
8.1 Sometimes, we will share your personal data with:
• Outside third parties. As explained above, we use outside vendors and service providers to enable our company to function. The kinds of third parties we share your data with are:
◦ Service providers acting as processors based outside of the European Economic Area (EEA) who provide IT and system administration services including cookies/user experience/analytics.
◦ Professional advisers acting as processors including lawyers, bankers, auditors and insurers based outside the EEA who provide consultancy, banking, legal, insurance and accounting services.
◦ Logistics providers to process and deliver your order and to deal with any post-purchase and/or customer service issues.
◦ Customer support personnel who respond to questions and warranty claims.
◦ Marketing companies to help us reach out to customers who have opted-in to receive marketing communications or new customers via direct mail.
We’ll also share personal data if we buy, sell, transfer, or merge parts of our business with another company.
• Regulators. If we are subject to an audit, review, reporting requirements or other inquiry by a properly constituted regulatory agency (like the Food and Drug Administration, for instance), they may require us to share the data we have, including personal data.
• Subpoenas and legal demands. We have to comply with lawful subpoenas or investigative demands from courts and law enforcement agencies. We want to be really transparent on this point: if law enforcement (or anyone else with a valid subpoena) follows the correct legal process and demands information about you from PAX, it’s very likely that we have to share that information. That means we might have to share data about where you’ve used the device and, depending upon which device you use, the amount and type of product you’ve used. If that’s a concern for you, or if you just don’t like that, then you shouldn’t share Usage Data with us.
8.2 We share your personal data outside third parties only to enable us to fulfill our part of our contract with you (GDPR art. 6(1)(b)), because you have consented to it (GDPR art. 6(1)(a)), or because it’s necessary for a legal or regulatory requirement (GDPR art. 6(1)(c)). None of these third parties are allowed to use your personal data in any way that is different from the reasons we outline here.
9. International transfers
9.2 For those present in the EU, if we transfer your personal data outside of the EEA to a place that does not have a similar degree of protection for personal data (as described under GDPR), we will use other measures to protect your data such as Standard Contractual Clauses (SCC).
9.3 If you have questions about transferring data out of the EEA, please contact us and we’ll provide you with more information.
10. Data security
10.1 We work hard to keep your data (and ours) safe. We use a variety of tools – technological, administrative, and physical – to keep data secure. These safeguards are designed to ensure that whatever personal data we keep is protected against unlawful access or use. Despite our best efforts, however, no security measures are completely impenetrable.
10.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. Your legal rights
11.1 When you provide us with personal data, you have rights about how we use it, and why. In some circumstances, those rights are set out in specific legislation like the European Union’s GDPR, Canada’s PIPEDA, or California’s Consumer Privacy Act. In general, you have the right to:
• Request access to your personal data.
• Request correction of your personal data.
• Request erasure of your personal data.
• Object to processing of your personal data.
• Request restriction of processing your personal data.
• Request transfer of your personal data.
• Withdraw consent.
If you wish to exercise any of the rights set out above, please submit a request by clicking Privacy Request above.
11.2 No fee usually required
In some rare circumstances, you may have to pay a fee regarding a request, but in general you don’t have to pay anything to exercise these data rights.
11.3 What we may need from you
In order to make sure that you’re the person entitled to exercise the rights listed above, we’ll sometimes request information to verify your identity. We will not ask for more data than is necessary to confirm your identity.
11.4 Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
12. Third Party Services
13. Contact Us
By email: firstname.lastname@example.org
By mail: PAX Labs, 660 Alabama Street, Second Floor, San Francisco, CA 94110; Attn: Legal Department.
14. Further Reading
Privacy rights are very complicated. We want you to be able to make informed choices about how and why you share your data with us. Here are some links to important guidance and documents from governments and policy groups that talk about key issues. We’ve outlined key rights under the GDPR and CCPA below, but here are some other helpful links:
The European Commission provides a good explanation of what “personal data” is, and you can read the entire GDPR here.
Your EU Rights
If you're present in the European Union, the Information Commissioner’s Office in the UK provides a succinct explanation the rights you have when it comes to data.
The Federal Trade Commission is the main US federal agency that handles privacy issues. They have a series of posts about consumer privacy rights that you can read here.
Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) covers privacy rights as well, and the Office of the Privacy Commissioner offers its explanation of rights here.
15. Your California Privacy Rights
If you are a California customer, you have the right to receive, once per year, free of charge, 1) the identity of any third party company to which we have disclosed your personal information as defined by California’s “Shine the Light” law for that company’s own direct marketing purpose; and 2) a description of the categories of personal information disclosed. To request this information, submit a request by clicking Privacy Request above, or the mail address set forth in the section entitled “Contact Us” below. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are not required to respond to requests made by means other than through the provided email or mail address.
California consumers have a right to knowledge, access, and deletion of their personal information under the California Consumer Privacy Act. California consumers also have a right to opt out of the sale of their personal information by a business and a right not to be discriminated against for exercising their California privacy rights. Pax does not discriminate in response to privacy rights requests.
California consumers with a PAX account or who interact with PAX products can exercise their rights directly or through an authorized agent by signing in to their PAX account. If you are a California consumer without a PAX account and you or your authorized agent would like to exercise your privacy rights, to you can make a CCPA “Do Not Sell” request to us by submitting a request by clicking Privacy Request above.
If you do not have a PAX account, PAX will ask you for information that we consider necessary to verify your identity for security and to prevent fraud. This information may include name, contact information, and information related to your transaction or relationship with PAX, but the specific information requested may differ depending on the circumstances of your request for your security and to protect privacy rights. If we delete your personal information, we will both render certain personal information about you permanently unrecoverable and also deidentify certain personal information.
Do Not Track
California law requires us to let you know whether we respond to web browser Do Not Track (DNT) signals. DNT is a way for users to inform websites that they do not want their webpage visits tracked. Since the industry and legal standard for what DNT means or how to comply with it are not conclusive, we currently do not respond to DNT signals. Learn more about DNT here.
17. Change Log
• January 22, 2021: Removed EU-US Privacy Shield framework due to the Court of Justice of the European Union invalidating the Privacy Shield as an adequate transfer mechanism for data flowing from the EU to the US.
• December 2, 2022: Added Commercial and Employment Data, Modified Intake of Data, and Added CCPA Rights.
• February 24, 2023: Update to Sections 7.1 and 7.2 to provide for use of Third Party Data in marketing to customers that have opted in to receive marketing communications. Update to the method for making privacy requests.
Rights for EU Residents
If you are present in the EU, you have the right to:
Request access to your personal data (commonly known as a "data subject access request") (GDPR art.15). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you (GDPR art.16). This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data (GDPR art.17). This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. We’ll also maintain a record of your email address in a master list of deletion requests to demonstrate that we have complied with your request and will not contact you in the future.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms (GDPR art.21). You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data (GDPR art.18). This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party (GDPR art.20). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You have the right to object to the processing of your personal data under certain circumstances in particular if we process your personal data on the basis of legitimate interest (GDPR Art. 6 (1)(b)) or if we use your personal data for marketing purposes.
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence, place of work or place of the alleged infringement if you consider that our processing of your personal data infringes the applicable data protection laws. Please contact us at email@example.com and we will provide you with detailed information as regards the contact details of the appropriate supervisory authority.
Information we collect
Information you provide to us
We collect the personal information you provide to us when you purchase our products or visit our website. The categories of information we may collect include:
- Personal Identifiers, including name, email address, postal address, telephone number, social security number, driver's license number, State ID card number, passport number, tax ID number, and military ID number
- Commercial and Financial Information, including purchases and credit card or debit card number
To the extent we process deidentified personal information, we will make no attempt to reidentify such data.
Information collected automatically
We automatically collect internet or other electronic information about you when you visit our website, such as IP address, browsing history and interactions with our website. This data may be collected using browser cookies and other unique personal identifiers.
How long we keep your data
We do not retain data for any longer than is necessary for the purposes described in this Policy.
How we share and disclose information
Information Disclosed for Business or Commercial Purposes in the Last 12 Months, and Categories of Parties Disclosed To
We may disclose the following personal information about you when you purchase our products or visit our website:
|Personal Information Disclosed||Recipient (by Category)|
|Personal Identifiers||Business Operations Tool, Commerce Software Tools, Governance, Risk & Compliance Software, IT Infrastructure Services, and Sales & Marketing Tools|
|Online Identifiers||Commerce Software Tools, Data Analytics Providers, IT Infrastructure Services, and Sales & Marketing Tools|
|Internet Activity||Commerce Software Tools, Data Analytics Providers, Governance, Risk & Compliance Software, and Sales & Marketing Tools|
|Commercial and Financial Information||Business Operations Tool and Commerce Software Tools|
California Privacy Notice (CCPA)
This section provides additional information for California residents under the California Consumer Privacy Act (CCPA). The terms used in this section have the same meaning as in the CCPA. This section does not apply to information that is not considered "personal information," such as anonymous, deidentified, or aggregated information, nor does it apply to publicly available information as defined in the CCPA.
Collection and Disclosure of Personal Information
The personal information we collect is described above in Information we collect. The personal information we disclose for business or commercial purposes is described above in How we share and disclose information. The length of time for which we retain personal information is described above in How long we keep your data.
Business and Commercial Purposes for Collection
We collect personal information for the following business purposes:
- Advertising and Marketing
- Provide Products or Services
- Short-Term Transient Use
We also "sell" (as defined in the CCPA) personal information for commercial purposes, including to advertise and market our products.
Information “Sharing” and “Selling”
We use third party data analytics providers and this may be considered a “sale” of information under the CCPA.
You may opt-out of these data practices here.
We do not knowingly sell or share (for cross-context behavioral advertising) the personal information of consumers under 16 years of age.
Your CCPA rights are described below. You can make a Request to Know or a Request to Delete under the CCPA by submitting a Privacy Request at the top of this page, or by clicking here, or by emailing us at moc.xap@ycavirp.
Right to Know
You have the right to request to know the following about the personal information we have collected about you in the past 12 months:
- the categories and specific pieces of personal information we have collected about you
- the categories of sources from which we collect personal information about you
- the business and commercial purposes for which we collect personal information
- the categories of third parties with whom we share the information
- the categories of personal information about you that we disclosed for a business purpose, and the categories of third parties to whom we disclosed that information for a business purpose
The information we would provide to you in response to a Request to Know Categories is contained in this Privacy Notice. To access the specific personal information we have about you, submit a Request to Know via the link above. If you make a Request to Know more than twice in a 12-month period, we may require you to pay a small fee for this service.
Right to Delete
You have the right to request that we delete any personal information about you that you have provided to us. We will permanently delete from our records any personal information that is not necessary for our business operations and direct our service providers to do the same.
We consider information to be necessary for our business operations if it is used to:
- Complete an obligation to you that you have requested
- Detect and resolve issues related to security or functionality
- Comply with legal obligations
- Enable solely internal uses
Right to Non-Discrimination
If you exercise your CCPA consumer rights:
- We will not deny goods or services to you
- We will not charge you different prices or rates for goods or services, including through the use of discounts or other benefits or penalties
- We will not provide a different level or quality of goods or services to you
Right to Opt-Out
You have the right to opt-out of any selling and sharing of your personal information.
You may exercise your right to opt-out here.
Opt-Out Preference Signals. Your browser settings may allow you to automatically transmit the Global Privacy Control (GPC) signal to online services you visit. When we detect such signal, we place a U.S. Privacy String setting in your browser so that any third party who respects that signal will not track your activity on our website. GPC is supported by certain internet browsers or as a browser extension. You can find out how to enable GPC here.
Right to Correct
You have the right to correct inaccuracies in your personal data, taking into account the nature of the data and our purposes for processing it.
Before we can respond to a Request to Know or Request to Delete, we will need to verify that you are the consumer who is the subject of the CCPA request. Verification is important for preventing fraudulent requests and identity theft. Requests to Opt-Out do not require verification.
Typically, identity verification will require you to confirm certain information about yourself based on information we have already collected. For example, we will ask you to verify that you have access to the email address we have on file for you. If we cannot verify your identity based on our records, we cannot fulfill your CCPA request.
For a request that seeks specific personal information, we ask that you sign a declaration stating that you are the consumer whose personal information is the subject of the request, as required by the CCPA.
In some cases, we may have no reasonable method by which we can verify a consumer's identity. For example:
- If a consumer submits a request but we have not collected any personal information about that consumer, we cannot verify the request.
- If the only data we have collected about a consumer is gathered through website cookies (i.e. the consumer visited our website but had no other interaction with us), we are unable to reasonably associate a requester with any data collected; therefore, we cannot verify the request.
A California resident's authorized agent may submit a Request to Know or a Request to Delete under the CCPA by emailing us at moc.xap@ycavirp. Requests submitted by an authorized agent will still require verification of the person who is the subject of the request in accordance with the process described above. We will also ask for proof that the person who is the subject of the request authorized an agent to submit a privacy request on their behalf. An authorized agent that has power of attorney pursuant to California Probate Code section 4121 to 4130 must submit proof of statutory power of attorney, but consumer verification is not required.
If you have trouble accessing this notice, please contact us at moc.xap@ycavirp.
If you have any privacy-related questions, please send them to moc.xap@ycavirp.
Notice of Financial Incentive
Gratitude Discount via Id.Me offer for 20% off an order. Offered to Teacher, Medical, Nurse, First Responder, Military. A customer provide validation information for their group identity. All done by ID.me. Create an account with ID.me and provide validation information to get discount code. The registration happens on ID.me and once validate they can received discounts from many vendors. Removing that verification is processed on ID.me. We calculate the value of the offer and financial incentive by using the expense related to the offer.
Virginia Privacy Notice (VCDPA)
This section provides additional information for Virginia residents under the Virginia Consumer Data Protection Act (VCDPA). The terms used in this section have the same meaning as in the VCDPA. This section does not apply to information that is not considered "personal data," such as deidentified or publicly available information as defined in the VCDPA.
Collection and Disclosure of Personal Information
The personal data we collect is described above in Information we collect. The personal data we disclose to third parties and the categories of third parties to whom we disclose personal data is described above in How we share and disclose information. The length of time for which we retain personal information is described above in How long we keep your data.
Purposes for Processing
We process personal information for the following purposes:
- Advertising and Marketing
- Provide Products or Services
- Short-Term Transient Use
Data “Selling” and Targeted Advertising
We do not sell personal data or process personal data for targeted advertising.
The VCDPA gives consumers the right to opt out of automated profiling that produces legal or similarly significant effects, such as approval for a loan, employment, or insurance.
We do not profile consumers in furtherance of decisions that produce legal or similarly significant effects.
Your VCDPA rights are described below. You can make a Privacy Request by clicking the link at the top of this page, or by clicking here.
Right to Access
You have the right to confirm whether we are processing personal data about you and to access such data. Where processing is carried out by automated means, you have a right to receive a copy of your personal data in a portable and readily usable format that allows you to transmit your data to another controller.
If you make a Request to Know more than twice in a 12-month period, we may require you to pay a small fee for this service.
Right to Delete
You have the right to request that we delete any personal data provided by or obtained about you. We will permanently delete any such personal data from our records and direct our processors to do the same. However, we may retain your personal data if it is necessary for certain purposes, including the following:
- To comply with legal obligations
- To comply with an official investigation or cooperate with law-enforcement agencies
- To establish or defend legal claims
- To complete an obligation to you that you have requested
- To respond to security incidents, fraud, harassment, and other similar activity
- To identify and repair technical errors
- To conduct internal research to develop, improve, and repair our products and services
- For internal operations that are reasonably aligned with your expectations
Any personal data retained for these purposes will not be processed for other purposes.
Right to Non-Discrimination
If you exercise your VCDPA consumer rights:
- We will not deny goods or services to you
- We will not charge you different prices or rates for goods or services
- We will not provide a different level or quality of goods or services to you
However, we may offer a different price, rate, level, quality, or selection of products or services if your personal data is required in order to provide those products or services and you have exercised your right to opt out, or the offer is related to a voluntary loyalty or rewards program.
Right to Opt-Out
You have the right to opt-out of any selling of your personal data, processing of your personal data for purposes of targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects for you.
You may exercise your right to opt-out here.
Right to Correct
You have the right to correct inaccuracies in your personal data, taking into account the nature of the data and our purposes for processing it.
Right to Appeal
If we decline to take action in response to any of your privacy requests, you have the right to appeal that decision within a reasonable amount of time.
If you believe your rights have been violated and you are not able to resolve the issue directly with us, you may file a complaint with the Virginia Attorney General’s Office.
EEA/UK Privacy Notice (GDPR)
This section provides additional information for people in the European Economic Area (EEA) or United Kingdom (UK). The terms used in this section have the same meaning as in the General Data Protection Regulation and the UK Data Protection Act (GDPR). The term “personal information” as used in this notice has the same meaning as “personal data” in the GDPR.
Collection and Disclosure of Personal Data
The personal data we collect is described above in Information we collect. The personal data we disclose for business or commercial purposes is described above in How we share and disclose information. The length of time for which we retain personal data is described above in How long we keep your data.
Lawful Bases and Legitimate Interests
We process personal data on the following lawful bases:
- Complying with legal obligations
- Fulfilling contracts
- Legitimate interests
International Data Transfers
Pax Labs, Inc. is not established within the EEA/UK and our website servers are located in the United States, which has not been the subject of an adequacy decision by European data protection authorities. By interacting with this website, you are transmitting your personal data to the United States.
Individuals in the EEA/UK have the following rights regarding their personal data. You can exercise your rights using the request form at the top of this page, or by clicking here. Once you submit a request, we will verify your identity and process your request in most cases within 30 days.
Right to access. You have the right to request a copy of the personal data we hold about you.
Right of portability. You have the right to ask us to transfer your data to another party.
Right to rectification. You have the right to request that we rectify any incorrect information we have about you.
Right of erasure. You have the right to request that we erase (delete) any personal information we hold about you.
Right to lodge a complaint with a supervisory authority. You have a right to lodge a complaint with a supervisory authority. For more information, you can visit the Information Commissioner’s Office website at https://ico.org.uk/, or see a list of EU Data Protection Authorities at https://www.gdprregister.eu/gdpr/dpa-gdpr/.
Controller contact information
Pax Labs, Inc.