SOCKETLABS EMAIL SERVICE PRIVACY POLICY EFFECTIVE: April 25, 2019 INTRODUCTION AND SCOPE Your online privacy and trust are very important to us at SocketLabs Acquisition, LLC (“SocketLabs”, “we”, “us” and “our”). We are providing this SocketLabs On-Demand Email Service Privacy Policy (this “Policy”) to inform you of our practices regarding the way we collect, use, or otherwise process your personal data through our hosted SocketLabs On-Demand email service (“Email Service”). This Policy specifically and exclusively applies to data subjects whose personal data we may process: a) if you are a sender or a recipient on an email processed by the Email Service; b) if your personal data is included within email processed by the Email Service (in other words, if a sender of an email includes your personal data in a message); or c) if your personal data is included in an email recipient list managed by the Email Service. We process such personal data on behalf of the customers of our Email Service and according to their instructions. This Policy does not apply to personal data which we may collect by other means, such as through our websites, control panel (with the exception of email recipient list information) or otherwise. These means of collection are addressed in the SocketLabs General Privacy Policy. We are providing this Policy to, among other things, help users make an informed decision about whether to use or continue using the Email Service. By using the Email Service, you consent to the personal data processing practices described in this Policy. CONTROLLERSHIP / BASIS OF PROCESSING In the context of this Policy, SocketLabs acts as an agent, also known as data processor, for the personal data we process for our customers (based on their documented instructions or those of the relevant data controllers) when providing the Email Service. CATEGORIES OF PERSONAL DATA SocketLabs allows its customers full control over the categories of information included in the emails they send and the data they provide to us. Therefore, we cannot reasonably foresee and list all the types of data we may be asked to process, and we are unaware of the exact categories of personal data being processed. SocketLabs requires, at a minimum, a sender email address and a recipient email address. SocketLabs may also collect certain information automatically about your interactions with the Email Service, including without limitation: IP address, device information, geographic location, information about which email messages you opened, and which links you clicked in email messages processed by the Email Service. SocketLabs does not solicit sensitive personal data such as information about a person’s health, religious beliefs, ethnic origin, identification numbers, or other sensitive data and you should not provide such sensitive data to SocketLabs or include it in email messages being processed by the Email Service. HOW WE RECEIVE PERSONAL DATA • We receive your personal data when any party provides us with it, for example by including your personal data in an email being processed by the Email Service, entering your personal data into the Email Service in order to send you an email (e.g., through an API, web signup form or through the Email Service control panel), or including your personal data in an email recipient list managed by the Email Service. • We may collect information automatically about your interactions with the Email Service, for example, when you interact with web signup forms or email messages processed through the Email Service. PURPOSES OF PROCESSING We process personal data for the purposes of providing the Email Service as a data processor on behalf of our customers and according to our Terms of Service, which also include: • optimizing and monitoring the Email Service; • monitoring, analyzing, and improving the operation and security of the Email Service; • monitoring, investigating, and preventing unauthorized access or unacceptable use of the Email Service such as violations of our terms and policies or unlawful behavior; • compiling aggregated statistics about the use of the Email Service; and • responding to your inquiries, and/or other requests or questions. DATA RETENTION PERIODS We will retain your personal data as necessary to provide the Email Service and satisfy our obligations under our Terms of Service, unless a longer retention period is required by law, for legal, tax or regulatory reasons, or other lawful purposes. SHARING PERSONAL DATA WITH THIRD PARTIES We may use third parties to perform certain services on our behalf. We may share your personal data with these third parties solely to enable them to perform the services for us. Such third parties may include, without limitation, those providing services such as cloud computing, hosting, database, security, email, document management, analytics, customer chat, customer relationship management, storage, and anti-spam. We require that these third-party vendors maintain at least the same level of confidentiality and data protection that we maintain for your personal data. We do not provide your personal data to parties unconnected with our Email Service. OTHER DISCLOSURE OF YOUR PERSONAL DATA We may disclose your personal data: • to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders; • if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change; • to protect or defend our property, interests or rights or that of third parties; • to research and investigate any suspected wrongdoing in connection with our Terms of Service or other policies; or • to our subsidiaries or affiliates only if necessary for business and operational purposes. If we must disclose your personal data in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your personal data will maintain the privacy or security of your personal data. Notwithstanding anything to the contrary in this Policy, we may compile, use, distribute, disclose, publish, license, and sell information collected through your use of the Email Service, so long as all personally identifiable information is removed. By way of example, and without limitation, we may publish a report on the adoption of the Email Service in different geographic regions, or a report that shows which browser versions are most popular among our users. This anonymous data will be owned exclusively by SocketLabs. COMMITMENT TO SECURITY OF DATA SocketLabs uses commercially reasonable technical and organizational security measures to preserve the confidentiality, integrity, and security of your personal data. We cannot, however, ensure or warrant the security of any information you transmit to SocketLabs and you do so at your own risk. Once we receive your personal data, SocketLabs makes commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such personal data may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, managerial or other safeguards. ACCESS & REVIEW If you are a data subject about whom we store personal data, you may have the right to request access to, and the opportunity to update, correct, or delete such personal data. If we have received your personal data in reliance on the Privacy Shield, you may also have the right to opt out of having your personal data shared with third parties and to revoke your consent to our sharing your personal data with third parties. You may also have the right to opt out if your personal data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized. To submit such requests, please contact the party that has provided your personal data to us. We have limited rights to access the personal data our customers submit to us. Therefore, if you contact us with such a request, please provide the name of our customer who submitted your personal data to us. We will forward your request to that customer and provide any needed assistance as they respond to your request. If you have provided your personal data to us directly or if you want to raise any other questions related to the way we process your personal data, please contact us using the information in the Contact Information section of this Policy. A NOTE ABOUT MINORS Our Services are not directed at, or intended for use by, children under the age of 13. We do not knowingly process the personal data of anyone under 18. Children should always get permission from a parent or guardian before sending personal data over the Internet. If you believe your child may have provided us with their personal data, you can contact us using the information in the Contact Information section of this Policy and we will delete that personal data. THIRD PARTY SITES & SERVICES Some third-party sites or services may be accessible from the Email Service, including, but not limited to, third-party sites and services accessible via links in an email message we send. We encourage you to review the privacy statements of these third-party sites and services so that you can understand how those sites and services collect, use, and share your personal data. SocketLabs is not responsible for the policies or practices of third parties or third-party sites and services. INTERNATIONAL TRANSFERS We may store and process your personal data in any country or area where we have facilities or where we engage third party service providers. Your personal data may be transferred to countries other than the country where you reside, including, but not limited to, the United States. Such countries may have different data protection laws and our use and storage of your personal data will be in accordance with this Policy. When we receive personal data from the EEA or Switzerland, we will comply with the Privacy Shield framework as outlined in this Policy. MODIFICATIONS AND UPDATES TO THIS POLICY SocketLabs may modify this Policy at any time by posting a revised version and updating the “Effective” date above. The revised Policy will become effective immediately upon posting to this page, or to a page linked to from the SocketLabs website. It is your responsibility to revisit this page or periodically review the Policy to stay aware of any changes. Your continued use of the Email Service after the Policy has been revised constitutes your agreement to the revisions. EU-U.S. AND SWISS-U.S. PRIVACY SHIELD FRAMEWORKS With respect to transfers of personal data within the scope of this policy from the European Economic Area (“EEA”) and Switzerland to the United States, SocketLabs complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (the “Privacy Shield”), as adopted and set forth by the U.S. Department of Commerce regarding the processing of personal data. SocketLabs commits to adhere to and has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. SocketLabs remains liable for the protection of personal data that we transfer to our third-party service providers within the scope of the Privacy Shield, but only to the extent that we are responsible for the event giving rise to the damage. For the purposes of enforcing compliance with the Privacy Shield, SocketLabs is subject to the investigatory and enforcement powers of the United States Federal Trade Commission. To learn more about the Privacy Shield, and to view SocketLabs’ certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/list, respectively. DISPUTE RESOLUTION Where a privacy complaint or dispute cannot be resolved through SocketLabs’ internal processes, SocketLabs has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ BINDING ARBITRATION If your dispute or complaint can’t be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield. CONTACT INFORMATION Please contact SocketLabs with any questions or comments about this Policy. SocketLabs Acquisition, LLC Privacy Officer 700 Turner Industrial Way, Suite 100 Aston, PA 19014 USA [email protected] Please allow up to 30 days for us to reply. Privacy Seal