Effective as of March 10, 2020

VP Legacies is located at:

VP Legacies
333 West Hampden Ave Ste 1010 Englewood
80110 – Colorado , Arapahoe County
7205077328

VP Legacies, Inc. (and its subsidiaries and affiliates (“we” “our” or “us”) is an independent marketing technology company that offers intelligent, data-driven advertising and marketing services and solutions to help big and small companies accelerate their growth (“Services”).

We have prepared this Service Privacy Notice to describe the types of data we collect from you, and explain how, why, and when we collect this data in order to provide our Services to companies (“Customers” or “Advertisers”). This Service Privacy Notice also identifies what rights you have concerning the collection of this data, such as the right to opt-out of interest-based advertising (also commonly referred to as targeted or personalized advertising). If you have additional questions, you can contact us via email or phone.

---

What Data we Collect

We collect the following categories of data in the provision of our Services for the purposes explained below.

Data You or the Advertiser Provide To Us

• Email and CRM data from Advertisers: Some Customers provide their customer relationship data to us (e.g. name, email address, company address) or instruct us to collect clear email addresses on the Customer’s behalf using VP Legaciesl Technology (“Customer CRM Data”) for processing as part of our Services. By doing so, we can help our Customers serve, measure and analyze interest-based ads to the end user (we may also trigger these ads by licensing RollWorks B2B contact data to a customer). For example, using the example we already provided above, if you gave ACME Soccer Ball Co. your email address, ACME Soccer Ball Co. may use our Services to send you a promotional email for a soccer ball you looked at but did not purchase. Similarly, if you provided your email to a software website when you downloaded a white paper, through our Services the software company may (subject to your marketing preferences) send you a follow up email providing you with more information about the software company’s products or services. We use our Customer’s CRM Data only as a processor for the purpose of assisting that particular Customer with their own advertising efforts and, in some cases, reporting performance back to the Customer’s CRM system. We do not share clear email addresses belonging to one Advertiser with another Advertiser for their advertising purposes.
• Hashed email addresses: If an Advertiser permits us, we collect hashed versions of the email addresses that consumers have entered on that Advertiser’s site. Hashing is a technology process that pseudonymizes (i.e. digitally scrambles) email addresses. For instance, when [email protected] is run through a typical hashing function, it becomes the following string of digits: 0F0B7B1A1A7E8BDBBC6AA545F8CCD6F83671B32479271BFCB6CC8498912058D5. We take this step to de-identify data and protect email addresses, while being able to use the unique identifier created for the purpose of recognizing you and sending your interest-based ads across different devices (computers, tablets and mobile devices) and browsers (also called “cross-device matching”).
• Shopping Data. Some Advertisers provide us with data about their buyers’ shopping habits, including transactional data, product codes, and check-out activity in addition to the browsing data that we collect. This data may come from their Digital Properties or other transactional data they maintain. We generally use this data to help us better target, personalize, and measure the effectiveness of advertising campaigns. etc
• Data We Receive in Our Corporate Capacity. We also collect data from our own Customers and those who visit our website(s).

Data We Automatically Collect From Your Device

Unless you have opted-out or have otherwise refused to provide consent, the following is data that we collect from your device automatically:

• • Device Information: This is technical information about the device you use to access the Advertiser’s Digital Property such as your device’s IP address and operating system. Additionally, in the case of mobile devices, your device type, and mobile device’s unique advertising identifier (such as the Apple IDFA or Android Advertising ID) and any other unique identifier that may be assigned to the mobile device, such as an Android ID or UDID in older Apple phone models, or a non-cookie unique identifier used by Non-Cookie Technologies .
  • Browser Data: This is technical information about the browser you are using that is captured in order to serve you an ad that can be rendered on your device. An example of browser information is the technical information that identifies your browser as, for example, Chrome, Firefox, Safari etc.
  • Activity on Advertisers’ Digital Properties: This is data about your browsing activity on the Advertiser’s website or application. For example, which pages you visited and when, what items were clicked on a page, how much time was spent on a page, whether you downloaded a white paper on a B2B website, what site or ad brought you to the Advertiser’s website, what items you placed into your online shopping cart, and what products were purchased and the price of the products purchased.
  • Location Data: This is non-precise information related to your geography derived from your device’s IP address (e.g. laptop, desktop or mobile etc.). This does not reveal your precise geographic coordinates (i.e. your GPS latitude and longitude) – only country, state, city and zip/postal code level location data, and helps us to display ads that are relevant to your general location (for example, showing ads in French if you are located in France).
  • Ad Data: This is data about the online ads we have served (or attempted to serve) to you. For example, how many times an ad has been served to you, what page the ad appeared on, and whether you clicked on or otherwise interacted with the ad.

Data We Collect From Third Party Sources

• Campaign Performance Data: This data includes information about how well our Customers’ ads and campaigns have performed, whether on our platform or on other platforms.
• Attribute Data: We may collect additional information about you from other third party sources where they have the rights to share such information and we have the rights to use it, for example, demographic data or title and employer data. We use this data to better understand our Customers and to better market our Services to you.
• Data from Advertising Partners: This is data that allows us to match the VP Legacies cookie identifier with identifiers that may already be used by other companies in the digital advertising ecosystem that we work with (“Advertising Partners”), for example, ad exchanges or companies that sell advertising space on publishers’ websites (sometimes referred to as “supply side platforms”). Matching cookie identifiers help us deliver ads to you and recognize you across browsers and devices, and may include pseudonymous advertising identifiers (meaning identifiers that help identify your browser or device, but not you directly) which some third party advertising platforms choose to share with us. We may work with our Advertisers and Advertising Partners to synchronize their unique, pseudonymous identifiers to our own to enable us to more accurately recognize a particular unique browser or device and the advertising interests associated with it (commonly known as “ID Syncing”).

Data collected pursuant to VP Legacies Business only:

• Email Communications: Customers may provide us with access to their email communications from their prospects when they have engaged us to provide email marketing services, which we process as a processor only on behalf of our Customers and in accordance with their instructions. When access to such data involves access to Gmail Data such access will be subject to these additional restrictions:
  • We will only use access to read, write, modify or control Gmail message bodies (including attachments), metadata, headers, and settings to provide a web email client that allows users to compose, send, read, and process emails and will not transfer this Gmail Data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets;
  • We will not use this Gmail Data for serving advertisements; and
  • We will not allow humans to read this data unless agreed to by the Customer, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for the provision of VP Legacies Services.
• Contact data from third parties. We obtain and collect contact data from various third party sources, including from public sources and through licenses with data providers. We may also infer contact data based on email addresses and email naming conventions. This contact data is B2B information – in other words, it is typically a business email address, business street address, or sometimes, a business telephone number. Please note that as part of our VP Legacies Services, we do not collect business email addresses for any individuals who are residing in any European Territories.

 How We Use the Data We Collect

We generally use the data we collect to help our Customers better identify and engage with you. For example, to serve ads that aim to be more relevant to you or to identify companies interested in the products or services offered by a Customer. The data we collect also helps our Customers measure the effectiveness of their ad campaigns and, in the case of B2B Services, to gauge whether a Customer has identified interested prospective buyers. Additionally, we use this data to operate, improve and enhance our Services, in order to serve the most relevant ads to you and, in turn, improve performance of a Customer’s ad campaigns.

Specifically, we use this data for:

• Interest-Based Advertising: Selecting ads that are more likely to be relevant to you based on data such as your browsing activity, the time of day you visit specific Digital Properties and the time you spend on them, and non-precise geographic data inferred about your device/s. For example, we may show you ads for your favorite shopping site (or similar sites we think you may like) for goods or services only available in your city, region or country during your lunch or commute hours.
• Frequency capping: Making sure that you don’t see the same ad too many times. If we know you’ve already seen a particular Advertiser’s ads several times, we’ll try to show you a different ad next time.
• Sequencing: If you are being served a sequence of ads, making sure we show you the right ad next in the sequence.
• Cross-device matching: Identifying different devices that are likely to be associated with you so that ads can be targeted, capped and sequenced across those devices, and so that campaign effectiveness can be measured and analyzed. For example, cross-device matching helps us not show you ads for the shoes you were looking at on your phone but already purchased on your tablet. Instead we’ll try to show you ads for an upcoming triathlon where you can put those shoes to work. It also helps us match devices so we can honor your opt-out choices across all devices we know are connected to the opted-out cookie. You may opt-out of cross-device interest-based targeting by employing the respective opt-out techniques.  To learn more about how we use cross-device matching, click here.
• Identifying Companies Associated with an IP range for B2B marketing (RollWorks only): We match IP address ranges to companies who disclose their IP address ranges in order to provide aggregated reports to companies regarding their website traffic.
• Attribution: Monitoring when an ad is served by VP Legacies, or other third parties on behalf of an Advertiser, to enable marketing measurement. For example, being able to measure if a certain ad campaign (for example, soccer summer sale) actually sold more soccer balls for ACME Soccer Ball Co., and, if so, which party serving the ad led to more sales.
• Reporting: Providing Advertisers insights into how their ad campaigns served either by VP Legacies and/or by third parties are performing and gaining insights into their customers. Reporting may include ad metrics such as attribution (described above), impressions (ads served), clicks (ads you clicked on), and conversions. What qualifies as a “conversion” is defined by the Advertiser—it might include for example, a sale or a white paper download, or a correlation to an actual or inferred sale, site visit or store visit. This data allows an Advertiser to determine if an ad is not performing well (few attributed conversions), so that the Advertiser will be able to see that data and update the ad (perhaps with a better deal!).
• Licensing Data: Other than Customer CRM Data, we may license any of the data we receive, create or collect to our Customers or other third parties. For instance, when we receive an email address for a U.S. resident from a third party data provider or derive an email address, we may license that to our Customers.
• Conducting Our Corporate Operations. As to data we collect in our corporate capacity – our own B2B lists of Customers and prospective customers – we use that data to conduct our business operations and communications.
• Complying with Legal Process: To satisfy in good faith any applicable law, legal process, or proper governmental request, such as to respond to a subpoena (whether civil or criminal) or similar process.
• Investigating Wrongdoing and Protecting Ourselves or Third Parties: To enforce our Terms of Service or other policies or investigate any potential violation of our Terms of Service and policies, any potential violation of the law, or to protect ourselves, our Customers, or any third party from any potential harm (whether tangible or intangible).

Data Sharing

We may disclose information about you:

• With a Customer: We may share data about how you have interacted with that Customer’s Digital Properties, email campaigns or its Ads. If we have collected contact data from third parties as part of the data collected pursuant to the VP Legacies Services, we may share the business contact data collected from third party sources or inferred (for example, based on email naming conventions) if we think that your business or employer would be interested in that Customer’s products. In regards to VP Legacies Services, we do not collect contact data about residents of European Territories from third parties.
• With Our Service Providers: We contract with companies who provide services to us to support our business operations (e.g., for example, website and data hosting, fraud prevention, viewability reporting, data hygiene, marketing, and email delivery), as well as billing, collections, tech, customer and operational support.
• With our Advertising Partners: We also share data with our Advertising Partners, including hashed email addresses (or other pseudonymous identifiers associated with those hashes), device information, browser data, activity on Advertiser’s Digital Properties, location data, shopper data and Customer CRM Data. This enables them and us to better personalize ads to you.
• In Connection with Legal Proceedings: When we are under a legal obligation to do so, for example to comply with a binding order of a court, or where disclosure is necessary to exercise, establish or defend the legal rights of VP Legacies, our Customer or any other third party.
• In connection with a sale of our business: If a third party acquires some or all of our business or assets, we may disclose your information in connection with the sale (including during due diligence in preparation for the sale).

Aggregated and De-Identified Data

VP Legacies may aggregate and de-identify data it collects so that it can either no longer be directly associated with a natural person or cannot be associated with a natural person at all. It may then use such data for its business purposes including the provision interest-based advertising and reporting in the course of its Services.

We may also share aggregated and de-identified data with our subsidiaries and affiliates and third parties, including with our Advertising Partners.

Cookies and Related Technologies

VP Legacies Technology uses cookies, tracking pixels and related technologies to provide our Services to our Customers. Cookies are small data files that are served by our platform and stored on your device. You can refuse consent to, or opt-out of, VP Legacies cookies at any time.

• Specifically, the VP Legacies cookie we serve through our VP Legacies Technology for this purpose is named “__adroll”, “adroll_v4” and “__adroll_fpc” .

Generally, the type of cookies dropped will vary depending on the Advertising Partner. We provide a list of our Advertising Pixel Partners here.

Additionally, we use non-tracking cookies (not unique) to store user decisions in terms of your ad consent and opt-out choices:

• We may drop a __adroll cookie with value opt-out if you opt-out as described below.
• We may drop a __consent cookie that stores the consent choices you have made regarding data processing and advertising by VP Legacies.

A full list of VP Legacies cookies is set out below:

Tracking cookies	Non-tracking cookies
__adroll __adroll_v4 __adroll_fpc	__adroll_consent_paramas __adroll_post_consent_html __adroll_post_connsent_css

Non-Cookie Technology for Tracking Outside European Territories

n respect of website visitors with IP addresses not from a European Territory, VP Legacies and some of its Advertising Partners may use technologies other than cookie technology to recognize your computer, device or browser for the purposes of interest-based advertising, analyzing engagement with ads or content, measuring the effectiveness of a particular ad campaign or marketing effort, to monitor against fraud or misuse of our Services. This use of non-cookie technology may be used in addition to cookies, or separately, to collect and record data about your web browsing activities on browsers, search engines or other platforms that may not utilize VP Legacies Technology.

You may opt-out of tracking via non-cookie technologies by employing the respective opt-out techniques.

Your Choices and Opting-Out of Interest-Based Advertising and Analytics

We recognize how important your online privacy is to you, so we offer the following options for controlling the interest-based ads you receive and how we use your data.

Opting-out of this type of advertising will not prevent you from seeing ads, rather those ads will likely be less relevant. This is because they will not be tailored to your specific interests but will instead be based on the context of the Digital Property in which they are displayed (for example, if you are on a movie website, you may only see ads about movies) or the ads you see may be randomly generated.

Here’s how you can control how we use your data:

• Web browser: You can opt-out of receiving interest-based ads served by us or on our behalf by clicking on the blue icon that typically appears in the corner of the ads we serve and following the instructions provided or by clicking here. Please note that this “opt-out” function is browser-specific and relies on an “opt-out cookie”. This means if you delete your cookies or upgrade your browser after having opted out, you will need to opt-out again.
• Cross Device Opt- Out: In some cases, we may link multiple browsers or devices to you. If you opt-out on a browser or device and we have additional devices or browsers linked to you, we will extend your opt-out decision to any other linked browsers and devices. Since we only link users across browsers and devices in certain conditions, there may be cases where you are still being tracked in a different browser or device we have not linked, and where we are treating you as a different user.
• Mobile Device Opt-Out: To opt-out of receiving interest-based ads that are based on your behavior across different mobile applications, please follow instructions for iOS and Android devices:
  • iOS 7 or Higher: Go to your Settings > Select Privacy > Select Advertising > Enable the “Limit Ad Tracking” setting; and
  • For Android devices with OS 2.2 or higher and Google Play Services version 4.0 or higher: Open your Google Settings app > Select Ads > Enable “Opt out of interest-based advertising”.
• Industry Opt-Out Tools and Self-Regulation:
  • VP Legacies is a member of the Network Advertising Initiative (NAI) and adheres to the NAI Code of Conduct. You may use the NAI opt-out tool here, which will allow you to opt-out of seeing interest-based ads from us and from other NAI approved member companies. In addition, the NAI opt-out tool allows you to separately opt-out of “audience matched” advertising through the NAI’s “Audience Matched Advertising Opt-Out” tool. You can also use the email opt-out tool provided by our Advertising Partner, LiveRamp, to opt-out your email address from their database. Audience matching is a particular type of interest-based advertising where de-identified data (e.g. hashed emails) is tied to “offline” activity or information (this information generally is or can be associated with a consumer’s email address – whether that information is part of our customer’s own ‘consumer lists’ or in lists we license to the customer.) To do ‘audience matching’, we or another platform then ‘match’ that information (in de-identified form) to cookies, mobile ad IDs, or other online identifiers. Because this “audience matched” information is derived from an email address or information that can be tied to an email address, it is possible to opt-out with an email address. However, when you opt-out in this way, you will need to submit all of the email addresses that you use for the opt-out to work.
  • We also comply with the Self-Regulatory Principles for Online Behavioral Advertising as managed by the Digital Advertising Alliance (DAA). You may opt-out of receiving personalized ads from other companies that perform ad targeting services, including some that we may work with as Advertising Partners via the DAA website here.
  • We also comply with the Canadian Self-regulatory Principles for Online Behavioral Advertising as managed by the Digital Advertising Alliance of Canada (DAAC). You may opt-out of receiving personalized ads from other companies that perform ad targeting services, including some that we may work with as Advertising Partners via the DAAC website here.
• Reminder to Users Residing in a European Territory: If you are located in a European Territory you will also have additional data protection rights.

Data Retention

Customer CRM Data: We are processors of CRM data (e.g. customer lists containing emails) that the Customer instructs us to collect or otherwise provides to us in order for us to perform our Services. We retain this CRM Data until the Advertiser asks us to delete this data.

Mobile Identifiers and Cookie Identifiers: Cookies we set expire (and are then deleted) 13 months from the last time your device accessed a Digital Property using VP Legacies Technology. If you visit another Digital Property that uses our technology inside that 13-month expiry period, then the expiry period will be reset and measured from that date instead. The expiration period for mobile identifiers is controlled by the end-user on their own device.

Personal Data Associated with Mobile and Cookie Identifiers Related to Browsing History: We delete personal data associated with mobile and cookie identifiers after 12 months. For example, data such as an Advertiser’s website you visited or ads that you may have clicked.

Personal Data Associated with Advertising Bidding Requests: Data logged in order to process an advertising bid request we have received from an Advertising Partner (such as cookie identifier, IP address, the domain url requesting to display the ad, and browser information) are deleted after 14 days. Data we have logged regarding bids we have placed to display an advertisement (including cookie identifiers, mobile identifiers, the advertisable bid on, and the advertisable won or displayed to the end-user) are deleted after 30 days.

Personal Data Associated with the Display of an Advertisement: Data logged for the display of an advertisement (including cookie identifiers, the advertisement won or displayed to the end user and data indicating whether an end user clicked on the particular advertisable displayed) are deleted after 12 months.

Security

We apply technical, administrative and organizational security measures to protect the data we collect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against other unlawful forms of processing.

International Transfers

We may transfer the data we collect about you to countries (including the United States of America) other than the country where we originally collected it for the purposes of operating our Services. In general, the transferring countries will be the countries in which we, our Customers, our Advertising Partners, or our or their service providers operate.

Those countries may not have the same data protection laws as your country. However, when we transfer your data to other countries, we will protect that data as described in this Service Privacy Notice and take steps, where necessary, to ensure that international transfers comply with applicable laws.

For example, when we transfer your data from a European Territory (as defined below) to our parent company in the United States, we do so under the European Commission’s Standard Contractual Clauses. When we transfer your data outside of a European Territory to Advertising Partners (or vice versa), we do so under lawful data export mechanisms which may include Standard Contractual Clauses, EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and Binding Corporate Rules.

Information for European Territory Residents: Our Legal Basis and Your Rights

Our Legal Basis: If you interact with our Services from the European Territories, our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the specific context in which we collect it. For these purposes, “European Territories” means the European Economic Area and Switzerland, and shall continue to include the United Kingdom, even after the United Kingdom leaves the European Economic Area following Brexit.

Specifically:

• We will normally process personal data about you where the processing is in our legitimate interests (or the legitimate interests of our Customers) to do so and not overridden by your interests or fundamental rights and freedoms. We rely on legitimate interests, for example, when we process personal data as a data controller in order to administer our platforms and provide our Services, so that we can fulfil our contractual obligations to our Customers and support them to provide you with interest-based advertising.
• In some cases, we may collect, and process personal data based on your consent. For example, when you visit an Advertiser’s Digital Property, you will be asked to consent to VP Legacies dropping a cookie.

If you have questions about, or need further information concerning, the legal basis on which we collect and use your personal data, please contact us using the contact details provided under Contact Us.

European Residents’ Privacy Rights: In addition, if you are a resident of a European Territory, you have the following data subject access rights under EU data protection law:

• If you wish to access, correct, update or request deletion of your personal data, please complete the information on this webpage to obtain a verifiable request form.
• If you wish to object to us processing your personal data or would like to otherwise restrict the processing of your personal data, we will honor that request.
• Similarly, if we process your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal data conducted in reliance on lawful processing grounds other than consent. You can also refuse consent for VP Legacies or our Advertising Partners to drop cookies by clicking here or by refusing consent for VP Legacies when you see a “consent banner” displayed on an Advertiser site which lists VP Legacies as a vendor.
• You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Territories are available here.

Information For California Residents Only

This section supplements the information contained in this Service Privacy Notice and applies solely to visitors, users, and others who are residents of the State of California, as defined in Section 17014 of Title 18 of the California Code of Regulations. This section is effective as of January 1, 2020, to comply with the California Consumer Privacy Act of 2018 (“CCPA”).

Any terms defined in the CCPA have the same meaning when used in this section.

Information We Collect and the Purposes for Which this Information is Used

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). This collection of information is listed in What Data We Collect.

We set out below the CCPA categories of personal information we have collected from consumers within the last twelve (12) months in respect of our Services. Please note that personal information in certain categories may overlap with other categories.

	Category	Collected	Details	Source
A.	Identifiers	Yes	Device IP address, email address, cookie string data, pseudonymous data (e.g. hashed emails), operating system, and (in the case of mobile devices) your device type, and mobile device’s identifier (such as the Apple IDFA or Android Advertising ID) and any other unique identifier that may be assigned to any device by third parties and cross-referenced to recognize a device.	Directly and indirectly from consumers, third party data providers and Advertising Partners. In the case of business email addresses, RollWorks B2B Services may infer a business email address.
B.	Personal information listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	Yes	In respect of RollWorks B2B Services: Name, business address, business telephone number, education, employment and employment history. In respect of AdRoll D2C Services: The perceived general education level of consumers may be collected for D2C marketing, advertising and analytics to the extent relevant for providing marketing or advertising.	Directly from third party data providers.
C.	Protected classification characteristics under California or federal law	Yes	Limited to age ranges such as 35-44, 45-54, 55-64 and 65+ and male/female gender categories are sometimes collected for use of AdRoll’s D2C Services that do not carry a risk of unintended discrimination.	From third party data providers.
D.	Commercial information	Yes	Records of products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.	Directly from consumers and Advertiser.
E.	Biometric information	No	–	–
F.	Internet or other similar network activity	Yes	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. For example, which pages you visited and when, what items were clicked on a page, how much time was spent on a page, whether you downloaded a white paper on a B2B website, what items you placed into your online shopping cart, what products were purchased and the price of the products purchased.	Directly from cookie browsing history on Advertisers’ Digital Properties. Non-personal information about one of our ads e.g. the third party who served the ad, and the name of the ad) may be connected with browsing history or activity on our websites for the purposes of determining attribution information (e.g. whether particular ad led to a consumer visiting our website, and, if so, which particular ad campaign).
G.	Geolocation data	Yes	Non-precise geolocation derived from IP address.	Directly from consumers and Advertising Partners.
H.	Sensory data	No	–	–
I.	Professional or employment-related information	Yes	In respect of RollWorks B2B business only: Current or past job history, including details about the employer (industry, name, company location, company domain or URL), and employee (positions held, duration of employment, and office location of the company where the employee worked).	Third party data providers.
J.	Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R Part 99))	No	–	–
K.	Inferences drawn from other personal information	Yes	Creating profiles that reflect consumer preferences and interests.	Third party data providers.

For clarity, under CCPA personal information does not include:

• Publicly available information from government records;
• De-identified or aggregated consumer information; and
• Information excluded from the CCPA’s scope such as:
  • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
  • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Purposes for Which Personal Information is Collected

All data we collect is for the business purpose of providing services primarily for our marketing, advertising or analytical Services. However, as part of performing these Services, we also use data collected (as identified above) for the following additional business purposes:

• Auditing Interactions with Consumers: count ad impressions and verify the quality of ad impressions served to unique visitors identified by cookie id or other unique identifier;
• Debugging and Repair: the identification and repair of impairments to intended and existing functionalities in our Services and VP Legacies Technology, perform debugging and related activities to repair errors that impair the functionality of our Services;
• Security: detect security incidents and protect against malicious, deceptive, fraudulent or illegal activity, including, when necessary, to prosecute those responsible for such activities;
• Internal Research and Development: conduct internal research for technological development of our Services and demonstration of the performance of these Services; and
• Quality and Safety Maintenance and Verification: verify the quality or safety of our Services and improve, upgrade or enhance our Services and VP LegaciesTechnology we provide.

Sharing Personal Information

We may disclose your personal information to a third party for a business purpose (as set out above) or sell your personal information, subject to your right to opt-out of those sales.

Disclosure of Personal Information for a Business Purpose

VP Legacies Services do not amount to a sale of personal information. Instead, VP Legacies discloses personal data for business purposes, primarily to perform its advertising, marketing and analytical Services.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for our business purposes:

• Category A: Identifiers;
• Category B: California Customer Records personal information categories;
• Category C: Protected classification characteristics under California or federal law;
• Category D: Commercial information;
• Category F: Internet or other similar network activity;
• Category G: Non-precise geolocation derived from IP address;
• Category I: Professional or employment-related information; and
• Category K: Inferences drawn from other personal information.

We disclose your personal information for a business purpose to the categories of third parties set out in Data Sharing.

Sales of Personal Information

In the preceding (12) twelve months, pursuant to our Data Service, we have sold personal information in the form of business emails from Category A (Identifiers).

Other than our Contact Data Service, we do not consider that our Services constitute a ‘sale of personal information’ under the CCPA. Instead, in the course of providing our Services, we disclose personal information for business purposes.

However, we aim to provide consumers with control over the collection and use of their personal information. Consistent with this goal, we will honor requests from consumers to “opt-out” of the collection and disclosure of their personal information. Your Rights and Choices section below provides instructions on how to opt-out of our collection and disclosure of personal information.

Your Rights and Choices

The CCPA provides California residents with specific rights regarding their personal information. This section describes the rights of California residents under CCPA and provides information on how to exercise those rights.

Right to Know and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

• The categories of personal information we collected about you;
• The categories of sources for the personal information we collected about you;
• Our business or commercial purpose for collecting or selling that personal information;
• The categories of third parties with whom we share that personal information;
• The specific pieces of personal information we collected about you (otherwise known as a data portability request); and
• Two separate lists where we have sold or disclosed your personal information for a business purpose:
  • Sales: identifying the personal information categories that each category of recipient purchased; and
  • Disclosures for a business purpose: identifying the personal information categories that each category of recipient obtained

Right to Delete

You have the right to request that we delete any of your personal information that we collect from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

• Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relations with you or otherwise perform our contract with you;
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or prosecute those responsible for such activities;
• Exercise free speech, ensure the right of another consumer to exercise their free speech rights or exercise another right provided by law;
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
• Comply with a legal obligation; and
• Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Right to Know, Data Portability and Right to Deletion

To exercise the access, data portability, and deletion rights described above, please submit verifiable consumer request to us by either:

• Visiting this webpage.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable request for access of data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot: (i) verify your identity or authority to make the request; and (ii) confirm the personal information relates to you.

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We will deliver our written response to you electronically unless you indicate delivery to be by mail.

Any disclosures we provide to you will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot complete a request, if applicable. Please note that personal information deleted during this period as set out in Data Retention will not be provided.

The format of our responses to you concerning personal information collected, disclosed or sold will be provided in a readily useable format that should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Sales Opt-Out Rights

To exercise the right to opt-out of our sale of your Contact Data or to opt out of interest-based advertising, you (or your authorized representative) may submit a request to us by visiting the Do Not Sell My Personal Information webpage.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

• Deny you goods or services;
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
• Provide you a different level or quality of goods or services; or
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by CCPA that can result in different prices, rates or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.

Changes to this Service Privacy Notice

We may update or modify this Service Privacy Notice at our discretion and at any time. When we make changes to this Service Privacy Notice, we will post the updated notice online and update the notice’s effective date. Please review this Service Privacy Notice periodically.

If we are required by applicable data protection laws to obtain your consent to any material changes before they come into effect, then we will do so in accordance with law.

Changes to this Service Privacy Notice

We may update or modify this Service Privacy Notice at our discretion and at any time. When we make changes to this Service Privacy Notice, we will post the updated notice online and update the notice’s effective date. Please review this Service Privacy Notice periodically.

If we are required by applicable data protection laws to obtain your consent to any material changes before they come into effect, then we will do so in accordance with law.

What Data We Collect

We may collect the following categories of information on our websites and use them for the purposes explained below.

Data You Provide To Us

• Contact Information: You may provide us with your name, address, phone number and email when you set up an account with us and you may provide your name, title, company, email, address and/or phone number when you sign up for an event with us online or download content from our site.
• Account Information: If you open an account, we will collect your username and password and other information necessary to open and access your account.
• Customer Service Information: Information you may provide to our customer service including your email address for purposes of responding to your inquiries and survey responses.
• Financial Information: Credit card number or other payment account information. This information is collected directly by our payments processor and not stored at VP Legacies
• Hashed email addresses: We collect hashed versions of the email addresses that consumers have entered on that Advertiser’s site. Hashing is a technology process that pseudonymizes (i.e. digitally scrambles) email addresses. For instance, when joe@vpleagices is run through a typical hashing function, it becomes the following string of digits: 0F0B7B1A1A7E8BDBBC6AA545F8CCD6F83671B32479271BFCB6CC8498912058D5. We take this step to de-identify data and protect email addresses, while being able to use the unique identifier created for the purpose of recognizing you and sending your interest-based ads across different devices (computers, tablets and mobile devices) and browsers (also called “cross-device matching”).

Data We Automatically Collect From Your Device

• Device Information: This is technical information about the device you use to access our websites such as your device’s IP address and operating system. Additionally, in the case of mobile devices, your device type, and mobile device’s unique advertising identifier (such as the Apple IDFA or Android Advertising ID) and any other unique identifier that may be assigned to the mobile device, such as an Android ID or UDID in older Apple phone models, or a non-cookie unique identifier used by Non-Cookie Technologies.
• Browser Data: This is technical information about the browser you are using that is captured in order to serve you an ad that can be rendered on your device. An example of browser information is the technical information that identifies your browser as, for example, Chrome, Firefox, Safari etc.
• Activity on our Digital Properties: This is data about your browsing activity on our websites, or when you interact with our other tools or dashboards.. For example, which pages you visited and when, what items were clicked on a page, how much time was spent on a page, whether you downloaded a white paper.
• Location Data: This is non-precise information related to your geography derived from your device’s IP address (e.g. laptop, desktop or mobile etc.). This does not reveal your precise geographic coordinates (i.e. your GPS latitude and longitude) – only country, state, city and zip/postal code level location data, and helps us to display ads that are relevant to your general location (for example, showing ads in French if you are located in France).
• Ad Data: This is data about the online ads we have served (or attempted to serve) to you. It includes things like how many times an ad has been served to you, what page the ad appeared on, and whether you clicked on or otherwise interacted with the ad.

Data We Collect from Third Party Sources

• Data from Advertising Partners: This is data that allows us to match the VP Legacies cookie identifier with identifiers that may already be used by other companies in the digital advertising ecosystem that we work with (“Advertising Partners”), for example, ad exchanges or companies that sell advertising space on publishers’ websites (sometimes referred to as “supply side platforms”). Matching cookie identifiers help us deliver ads to you and recognize you across browsers and devices, and may include pseudonymous advertising identifiers (meaning identifiers that help identify your browser or device, but not you directly) which some third party advertising platforms choose to share with us. We may work with our Advertising Partners to synchronize their unique, pseudonymous identifiers to our own to enable us to more accurately recognize a particular unique browser or device and the advertising interests associated with it (commonly known as “ID Syncing”).
• Contact Data from Third Parties. We obtain and collect contact data from various third party sources, including from public sources and through licenses with data providers. This contact data is B2B information – in other words, it is typically a business email address, business street address, or sometimes, a business telephone number.
• Attribute Data: We may collect additional information about you from other third party sources where they have the rights to share such information and we have the rights to use it, for example, demographic data or title and employer data. We use this data to better understand our Customers and to better market our Services to you.

How We Use the Data We Collect

We use this data to operate our business and provide Services to you as well as to serve ads that aim to be more relevant to you. Specifically, we use this data for:

• Providing our Services and Customer Support: For example, to monitor usage of features, manage campaigns, and log data for audit purposes. We may contact you when you ask us for support or when it appears to us that you might need support, and to maintain records of our communications with you for future reference.
• Invoice you and collect fees for services we have provided.
• Troubleshoot Problems: To monitor and fix our website performance, for example if the site is slow, not loading properly, or to investigate aberrations in performance of our Services.
• Prevent Potential Fraud and Enforce our Terms of Service. To prevent fraud on our sites or through the use of our Services; to enforce our Terms of Service or other policies or investigate any potential violation of those Terms and policies, any potential violation of the law; or to protect ourselves, our customers, or any third party from any potential harm (whether tangible or intangible).
• Customize, Measure and Improve our Websites and Services: To provide customized content and to measure which content is most helpful (or unhelpful) to our Customers, which helps improve our website and our services. For example, if we notice higher visits to certain Help Center articles or receive higher customer support tickets for specific issues, we can improve our support materials or identify areas where we can make our product better for our customers.
• Contact You About Your Account or our Services, Including to Market our Services to You or Provide Updates: We may use your contact information to contact you about your account, for example, in relation to the performance of your campaigns, to follow up on billing issues, or to tell you about new Services we are offering. We may send you product updates, performance information, surveys, or communicate with you in other ways about our services. When we can legally do so, we may augment the information you give us in order to contact you by phone or even snail mail. You can opt-out of receiving emails by unsubscribing through the link at the bottom of our emails or by updating your email preferences here.
• Interest-Based Advertising: Selecting ads that are more likely to be relevant to you based on data such as your browsing activity, the time of day you visit our Digital Properties and the time you spend on them, and non-precise geographic data inferred about your device/s. For example, we may show you ads for our Services only available in your city, region or country during your lunch or commute hours.
• Frequency Capping: Making sure that you don’t see the same ad too many times.
• Sequencing: If you are being served a sequence of ads, making sure we show you the right ad next in the sequence.
• Cross-Device Matching: Identifying different devices that are likely to be associated with you so that ads can be targeted, capped and sequenced across those devices, and so that campaign effectiveness can be measured and analyzed. For example, cross-device matching helps us not show you ads for the shoes you were looking at on your phone but already purchased on your tablet. Instead we’ll try to show you ads for an upcoming triathlon where you can put those shoes to work. It also helps us match devices so we can honor your opt-out choices across all devices we know are connected to the opted-out cookie. You may opt-out of cross-device interest-based targeting by employing the respective opt-out techniques. To learn more about how we use cross-device matching, click here.
• Attribution: Monitoring when, where, and at what price we served certain ads so that we can measure our influence on the marketing result of our campaigns and overall marketing strategy. For example, being able to measure if a certain ad campaign (the ads shown and to whom they were shown) actually led to a potential customer becoming a paying Customer.
• Reporting: Analyzing how our ads are performing and gaining insights into our Customers and prospective customers. Reporting may include ad metrics such as attribution (described above), impressions (ads served), clicks (ads you clicked on), and conversions (for example, if you create an account with us or download a white paper from our site). This helps us identify ads that are useful to our Customers and demonstrate VP Legacies value, and relatedly, helps us identify an ad that is not performing well (prospective customers aren’t clicking on it), we will be able to see that data and update our ad or ad campaign strategy.
• Conducting Our Corporate Operations. As to data we collect in our corporate capacity – our own B2B lists of Customers and prospective customers – we use that data to conduct our business operations and communications.
• Complying with Legal Process: To satisfy in good faith any applicable law, legal process, or proper governmental request, such as to respond to a subpoena (whether civil or criminal) or similar process.
• Investigating Wrongdoing and Protecting Ourselves or Third Parties: To enforce our Terms of Service or other policies or investigate any potential violation of our Terms of Service and policies, any potential violation of the law, or to protect ourselves, our customers, or any third party from any potential harm (whether tangible or intangible).

Data Sharing

We may disclose data about you:

• With our Service Providers: We contract with companies who help with parts of our business operations (e.g., for example, website and data hosting, fraud prevention, viewability reporting, data hygiene, marketing, and email delivery), as well as billing, collections, tech, customer and operational support.
• With our Advertising Partners: We also share data with our Advertising Partners, including hashed email addresses (or other pseudonymous identifiers associated with those hashes), device information, browser data, activity on our Digital Properties, location data and our CRM Data. This enables them and us to better personalize ads to you.
• In connection with legal proceedings: When we are under a legal obligation to do so, for example to comply with a binding order of a court, or where disclosure is necessary to exercise, establish or defend the legal rights of VP Leagices, our Customers or any other third party.
• In connection with a sale of our business: If a third party acquires some or all of our business or assets, we may disclose your information in connection with the sale (including during due diligence in preparation for the sale).
  

Aggregated and De-Identified Data

VP Legacies may aggregate and de-identify data it collects so that it can either no longer be directly associated with a natural person or cannot be associated with a natural person at all. It may then use such data for its business purposes including the provision interest-based advertising and reporting in the course of its Services.

We may also share aggregated and de-identified data with our subsidiaries and affiliates and third parties, including with our Advertising Partners. For example, we may conduct industry wide surveys to publish benchmark reports, or to include statistics when collaborating with researchers or other companies on industry white papers.

Cookies and Related Technologies

Our websites use cookies, tracking pixels and related technologies to operate and personalize our sites. For example, to provide personalized content on our site, enable customer service chat functionality, for analytics purposes, and to target ads to you about our products and services on other websites.

We also use cookies, tracking pixels and related technologies to provide our services for our Customers. Cookies are small data files that are served by our platform and stored on your device. You can refuse consent to, or opt-out of, VP Legacies cookies at any time below.

Tracking cookies enable us to identify your device when you move between different Digital Properties, so that we can serve targeted advertising to you.

• Specifically, the VP Legacies cookie we serve through the VP Legacies platform for this purpose is named “__adroll” and “__adroll_fpc”.

We provide a list of our Advertising Pixel Partners here.

Additionally, we use non-tracking cookies (not unique) to store user decisions in terms of your ad consent and opt-out choices:

• We may drop an __adroll cookie with value opt-out if you opt-out as described below.
• We may drop a __consent cookie that stores the consent choices you have made regarding data processing and advertising by VP Legacies.

A full list ofVP Legaciescookies is set out below:

Tracking cookies	Non-tracking cookies
__adroll __adroll_v4 __adroll_fpc

Non-Cookie Technology for Tracking Outside European Territories

In respect of website visitors with IP addresses not from a European Territory, VP Legacies and some of our Advertising Partners may use technologies other than cookie technology to recognize your computer, device or browser for the purpose of interest-based advertising, analyzing engagement with ads or content, measuring the effectiveness of a particular ad campaign or marketing effort, to monitor against fraud or misuse of our Services. This use of non-cookie technology may be used in addition to cookies, or separately, to collect and record data about your web browsing activities on browsers, search engines or other platforms that may not utilize VP Legacies Technology. You may opt-out of tracking via non-cookie technologies by employing the respective opt-out techniques.

Your Choices and Opting-Out of Interest-Based Advertising and Analytics

We recognize how important your online privacy is to you, so we offer the following options for controlling the interest-based ads you receive and how we use your data.

Opting-out of this type of advertising will not prevent you from seeing ads, rather, those ads will likely be less relevant. This is because they will not be tailored to your specific interests but will instead be based on the context of the Digital Property in which they are displayed or the ads you see may be randomly generated.

Here’s how you can control how we use your data:

• Web browser: You can opt-out of receiving interest-based ads served by us or on our behalf by clicking on the blue icon that typically appears in the corner of the ads we serve and following the instructions provided or by clicking here. Please note that this “opt-out” function is browser-specific and relies on an “opt-out cookie”. This means if you delete your cookies or upgrade your browser after having opted out, you will need to opt-out again.
• Cross Device Opt-Out: In some cases we may link multiple browsers or devices to you. If you opt-out on a browser or device and we have more linked to you, we will extend your opt-out decision to the other linked browsers and devices. Since we only link users across browsers and devices in some conditions, there could be cases where you are still being tracked in a different browser or device we have not linked, and where we are treating you as a different user.
• Mobile Device Opt-Out: To opt-out of receiving targeted ads that are based on your behavior across different mobile applications follow the below instructions, for iOS and Android devices:
  • iOS 7 or Higher: Go to your Settings > Select Privacy > Select Advertising > Enable the “Limit Ad Tracking” setting; and
  • For Android devices with OS 2.2 or higher and Google Play Services version 4.0 or higher: Open your Google Settings app > Select Ads > Enable “Opt out of interest-based advertising”.
• Industry Opt-Out Tools and Self-Regulation:
  • VP Legaciesl\ is a member of the Network Advertising Initiative (NAI) and adheres to the NAI Code of Conduct. You may use the NAI opt-out tool here, which will allow you to opt-out of seeing personalized ads from us and from other NAI approved member companies. In addition, the NAI opt-out tool allows you to separately opt-out of “audience matched” advertising through the NAI’s “Audience Matched Advertising Opt-Out” tool. Audience matching is a particular type of interest-based advertising where de-identified data (e.g. hashed emails) is tied to “offline” activity or information (generally, information that is or can be associated with a consumer’s email address) and matches that de-identified data to cookies, mobile ad IDs, or other online identifiers. Because this “audience matched” information is derived from an email address or information that can be tied to an email address, it is possible to opt-out with an email address. However, when you opt-out in this way, you will need to submit all of the email addresses that you use for the opt-out to work.
  • We also comply with the Self-Regulatory Principles for Online Behavioral Advertising as managed by the Digital Advertising Alliance (DAA). You may opt-out of receiving personalized ads from other companies that perform ad targeting services, including some that we may work with as Advertising Partners via the DAA website here.
  • We also comply with the Canadian Self-regulatory Principles for Online Behavioral Advertising as managed by the Digital Advertising Alliance of Canada (DAAC). You may opt-out of receiving personalized ads from other companies that perform ad targeting services, including some that we may work with as Advertising Partners via the DAAC website here.
  • Finally, we also adhere to the European Interactive Advertising Digital Alliance (EDAA) guidelines for online advertising and you may opt-out via their ”Your Online Choices” website here.
• Reminder to Users Residing in a European Territory: If you are located in a European Territory you will also have additional data protection rights.

Data retention

We retain data for as long as necessary to perform our Services and for the purposes described in this Website Privacy Notice. For example, we may retain:

• billing information as necessary to meet audit requirements;
• login information to confirm when Terms of Service were accepted; and
• information as long as necessary to meet legal requirements, resolve disputes or enforce agreements.

We retain cookie data such as device and browser information, ad data, and data collected on our Digital Properties as follows:

• Mobile Identifiers and Cookie Identifiers: Cookie identifiers we collect expire (and are then deleted) 13 months from the last time your device accessed a Digital Property using our technology. If you visit another Digital Property that uses VP Legacies Technology inside that 13-month expiry period, then the expiry period will be reset and measured from that date instead. The expiration period for mobile identifiers is controlled by the end-user on their own device.
• Personal Data Associated with Mobile and Cookie Identifiers Related to Browsing History: We delete personal data associated with mobile and cookie identifiers after 12 months. For example, data such as an Advertiser’s website you visited or ads that you may have clicked.
• Personal Data Associated with Advertising Bidding Requests: Data logged in order to process an advertising bid request we have received from an Advertising Partner (such as cookie identifier, IP address, the domain url requesting to display the ad, and browser information) are deleted after 14 days. Data we have logged regarding bids we have placed to display an advertisement (including cookie identifiers, mobile identifiers, the advertisable bid on, and the advertisable won or displayed to the end-user) are deleted after 30 days.
• Personal Data Associated with the Display of an Advertisable: Data logged for the display of an advertisable (including cookie identifiers, the advertisable won or displayed to the end user and data indicating whether an end user clicked on the particular advertisable displayed) are deleted after 12 months.

Security

We apply technical, administrative and organizational security measures to protect the data we collect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against other unlawful forms of processing.

International Transfers

We may transfer the information we collect about you to countries (including the United States of America) other than the country where we originally collected it for the purposes of storage and processing of data and operating our services. In general, these countries will be the countries in which we or our service providers operate.

Those countries may not have the same data protection laws as your country. However, when we transfer your information to other countries, we will protect that information as described in this Website Privacy Notice and take steps, where necessary, to ensure that international transfers comply with applicable laws.

For example, when we transfer your information from a European Territory (as defined below) to our parent company in the United States, we do so under the European Commission’s Standard Contractual Clauses. When we transfer your data outside of a European Territory to Advertising Partners (or vice versa), we do so under lawful data export mechanisms which may include Standard Contractual Clauses, EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and Binding Corporate Rules.

Information for European Territory Residents: Our Legal Basis and Your Rights

Our Legal Basis: We provide the representations and information in this section in compliance with European privacy laws, in particular the European General Data Protection Regulation (GDPR). If you are a visitor from the European Territories, our legal basis for collecting and using the personal data described above will depend on the personal information concerned and the specific context in which we collect it. “European Territories” mean the European Economic Area and Switzerland. For the purpose of this Website Privacy Notice, the term “European Territories” shall continue to include the United Kingdom, even after the United Kingdom leaves the European Economic Area following Brexit.

Specifically:

• We will normally collect personal data from you where the processing is in our legitimate interests. For example, to administer our platforms and provide our Services and fulfil our contractual obligations as a service provider.
• In some cases we may collect, and process personal data based on consent. For example, when you visit one of our Digital Properties, you will be asked to consent to VP Legacies dropping a cookie.

If you have questions or need further information concerning the legal basis on which we collect and use your personal data, please Contact Us.

European Residents Privacy Rights: If you are a resident of a European Territory, you have the following enhanced rights under EU data protection law:

• If you wish to access, correct, update or request deletion of your personal information, please complete the information on this webpage to obtain a verifiable request.
• If you wish to object to us processing your personal data or would like to otherwise restrict the processing of your personal data, we will honor that request.
• Similarly, if we process your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal data conducted in reliance on lawful processing grounds other than consent. You can also refuse consent for VP Legacies or our Advertising Partners to drop cookies by clicking here or by refusing consent VP Legacies when you see a “consent banner” displayed on our websites which lists VP Legacies as a vendor.
• You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Territories are available here.

Information For California Residents Only

This section supplements the information contained in this Website Privacy Notice and applies solely to visitors, users, and others who are residents of the State of California, as defined in Section 17014 of Title 18 of the California Code of Regulations. This section is effective as of January 1, 2020, to comply with the California Consumer Privacy Act of 2018 (“CCPA”).

Any terms defined in the CCPA have the same meaning when used in this section.

For the purposes of this section “Services” shall mean performing advertising and marketing services for VP Legacies purposes as well as maintaining or servicing VP Legacies Customer accounts, providing Customer service, processing or fulfilling orders and transactions, verifying customer information and processing payments.

Information We Collect and the Purposes for Which this Information is Used

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”).

We set out below the CCPA categories of personal information we have collected from consumers within the last twelve (12) months who are VP Legacies Customers and/or visitors of the VP Legacies Digital Properties. Personal information in certain categories may overlap with other categories.

	Category	Collected	Details	Source
A.	Identifiers	Yes	Device IP address, email address, cookie string data, pseudonymous data (e.g. hashed emails), operating system, and (in the case of mobile devices) your device type, and mobile device’s identifier (such as the Apple IDFA or Android Advertising ID) and any other unique identifier that may be assigned to any device by third parties and cross-referenced to recognize a device.	Directly and indirectly from consumers, third party data providers and Advertising Partners. In the case of business email addresses, RollWorks B2B Services may infer a business email address.
B.	Personal information listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	Yes	Name, business address, business telephone number, education, employment, employment history, credit card number or other payment account information.	Directly from consumers and third party data providers.
C.	Protected classification characteristics under California or federal law	No	–	–
D.	Commercial information	Yes	Records of products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.	Directly from consumers.
E.	Biometric information	No	–	–
F.	Internet or other similar network activity	Yes	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. For example, which pages you visited and when, what items were clicked on a page, how much time was spent on a page, whether you downloaded a white paper on our own website, what products were purchased and the price of the products purchased.	Directly from cookie browsing history on our Digital Properties. Non-personal information about one of our ads e.g. the third party who served the ad, and the name of the ad) may be connected with browsing history or activity on our websites for the purposes of determining attribution information (e.g. whether particular ad led to a consumer visiting our website, and, if so, which particular ad campaign).
G.	Geolocation data	Yes	Non-precise geolocation derived from IP address.	Directly from consumers and Advertising Partners.
H.	Sensory data	No	–	–
I.	Professional or employment-related information	Yes	Current or past job history, including details about the employer (industry, name, company location, company domain or URL), and employee (positions held, duration of employment, and office location of the company where the employee worked).	Third party data providers.
J.	Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R Part 99))	No	–	–
K.	Inferences drawn from other personal information	Yes	Creating profiles that reflect consumer preferences and interests.	Third party data providers.

For clarity, under CCPA personal information does not include:

• Publicly available information from government records;
• De-identified or aggregated consumer information; and
• Information excluded from the CCPA’s scope such as:
  • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
  • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Purposes for Which Personal Information is Collected

The data we collect pursuant to this Website Privacy Notice is for the business purpose of performing advertising and marketing services for our own purposes as well as maintaining or servicing our Customer accounts, providing Customer service, processing or fulfilling orders and transactions, verifying customer information and processing payments (“Services”). However, as part of performing these Services, we also use data collected (as identified above) for the following additional business purposes:

• • Auditing Interactions with Consumers: count ad impressions and verify the quality of ad impressions served to unique visitors identified by cookie id or other unique identifier;
  • Debugging and Repair: the identification and repair of impairments to intended and existing functionalities in our Services and VP Legacies Technology, perform debugging and related activities to repair errors that impair the functionality of our Services;
  • Security: detect security incidents and protect against malicious, deceptive, fraudulent or illegal activity, including, when necessary, to prosecute those responsible for such activities;
  • Internal Research and Development: conduct internal research for technological development of our Services and demonstration of the performance of these Services; and
  • Quality and Safety Maintenance and Verification: Verify the quality or safety of our Services and improve, upgrade or enhance our Services and VP Legacies Technology.

Sharing Personal Information

We may disclose your personal information to a third party for a business purpose (as set out above) or sell your personal information, subject to your right to opt-out of those sales .

The Data Sharing section sets out the personal information that we share with third parties.

Disclosures of Personal Information for a Business Purpose

VP Legacies performance of its Services do not amount to a sale of personal information. Instead, VP Legacies discloses personal data for business purposes.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for our business purposes:

• Category A: Identifiers;
• Category B: California Customer Records personal information categories;
• Category C: Protected classification characteristics under California or federal law;
• Category D: Commercial information;
• Category F: Internet or other similar network activity;
• Category G: Non-precise geolocation derived from IP address;
• Category I: Professional or employment-related information; and
• Category K: Inferences drawn from other personal information.

We disclose your personal information for a business purpose to the categories of third parties set out in Data Sharing.

Sales of Personal Information

We do not consider that the performance of our Services constitutes a ‘sale of personal information’ under the CCPA. Instead, in the course of performing our Services, we disclose personal information for business purposes.

However, we aim to provide consumers with control over the collection and use of their personal information. Consistent with this goal, we will honor requests from consumers to “opt-out” of the collection and disclosure of their personal information.

Your Rights and Choices

The CCPA provides California residents with specific rights regarding their personal information. This section describes the rights of California residents under CCPA and provides information on how to exercise those rights.

Right to Know and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

• The categories of personal information we collected about you;
• The categories of sources for the personal information we collected about you;
• Our business or commercial purpose for collecting or selling that personal information;
• The categories of third parties with whom we share that personal information;
• The specific pieces of personal information we collected about you (otherwise known as a data portability request); and
• Two separate lists where we have sold or disclosed your personal information for a business purpose:
  • Sales: identifying the personal information categories that each category of recipient purchased; and
  • Disclosures for a business purpose: identifying the personal information categories that each category of recipient obtained

Right to Delete

You have the right to request that we delete any of your personal information that we collect from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our services providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

• Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relations with you or otherwise perform our contract with you;
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
• Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided by law;
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
• Comply with a legal obligation; and
• Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Right to Know, Data Portability and Deletion Rights

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable request for access of data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot: (i) verify your identity or authority to make the request; and (ii) confirm the personal information relates to you.

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Personal Information Sales Opt-Out Rights

To exercise the right to opt-out of interest-based advertising, you (or your authorized representative) may submit a request to us by visiting the Do Not Sell My Personal Information webpage.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

• Deny you goods or services;
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
• Provide you a different level or quality of goods or services; or
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by CCPA that can result in different prices, rates or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Changes to this Privacy Notice

We may update or modify this Website Privacy Notice at our discretion and at any time. When we make changes to this Website Privacy Notice, we will post the updated notice online and update the notice’s effective date. Please review this Website Privacy Notice periodically.

If we are required by applicable data protection laws to obtain your consent to any material changes before they come into effect, then we will do so in accordance with law.