Not included in the definition of Personal Information is information that is publicly available, information that has been de-identified or aggregated, or information exempt from the purview of the CPRA, such as:
- Protected Health Information (“PHI”) governed and protected by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the California Confidentiality of Medical Information Act (“CMIA”) or clinical trial data; and
- Personal Information regulated by certain industry-specific privacy laws, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
Purposes for Collection, Use, and Disclosure of Personal Information
Generally, we may collect, use, or disclose Personal Information about you for one or more of the following purposes. We only use your Personal Information for the original purposes for which it was given and to further our legitimate interests, such as:
- To provide and deliver products and fulfill orders;
- To establish and manage business relations with you;
- To respond to inquiries, requests, and comments from you;
- To operate, improve, and personalize the products and services we offer, and to give each user a more consistent and personalized experience when interacting with us;
- To publish public product and customer reviews submitted by you;
- To send you newsletters and information about products, services and promotions of our business partners and affiliates;
- For customer service, for Site security, and to detect fraud or illegal activities;
- To prevent or investigate activity we believe may be potentially illegal, unlawful, or harmful;
- For archival and backup purposes in connection with the provision of the services;
- To better understand how you access and use the Site, for the purposes of trying to improve the Site, diagnose problems on the Site, administer our Site, and respond to user preferences;
- To enforce our other applicable policies; and
- For data aggregation purposes. We retain the right to collect and use any deidentified or anonymous information, incapable of identifying a particular user (even when combined with other information) collected from your use of our Site and to aggregate such data for internal analytics that improve our Site and service. At no time is Personal Information included in such data aggregations.
We may also use or disclose your Personal Information in accordance with your consent, when required by law to do so, or if it is necessary for a corporate transaction (such as a merger or acquisition). We will not collect additional categories of Personal Information or use the Personal Information for materially different, unrelated, or incompatible purposes without providing you additional notice.
Sharing of Personal Information
We may share the information we collect as described in this section of the Privacy Notice. We may share this information for the following reasons:
With Employees, Contractors, and Agents
We may share information we collect with our employees, contractors, and agents, including third-party service providers, that perform services and functions at our direction and on our behalf, but their use of such information shall be limited to the performance of their duties and shall be consistent with our purposes for using such information.
With Other Third Parties for a Business Purpose or as Permitted or Required by Law:
We may share information about you with other parties [e.g., Google Analytics] for our business purposes, to send you products or services that you may be interested in, or as permitted or required by law, including: (a) to comply with a law, legal process or regulations; (b) to respond to or cooperate with law enforcement authorities, other government officials or other third parties pursuant to a subpoena, a court order or other legal process; (c) to protect the vital interests of a person; (d) to protect our property, services and legal rights; (e) to companies we plan to merge with or be acquired by; and (f) to support our audit, compliance and governance functions.
California Rights and Choices
The CPRA provides California residents with certain rights regarding their Personal Information (subject to certain limitations at law). The following section describes your CPRA rights and explains how to exercise those rights.
Right to Access and Portability
Under the CPRA, California residents have the right to request that we disclose certain information about our collection and use of Personal Information over the last twelve (12) months. Once we receive and confirm your verifiable consumer request, in which we may have to gather further identifiable information in order to confirm your identity, we will disclose to you the following:
- The categories of Personal Information we collected about you;
- The categories of sources for the personal information we collected about you;
- Our business or commercial purpose for collecting or selling that Personal Information;
- The categories of third parties with whom we share that Personal Information;
- The specific pieces of Personal Information we collected about you (also called a data portability request); and
- If we disclose your Personal Information for a business purpose, identifying the Personal Information categories disclosed.
Upon receiving a verifiable access request, we will, once per calendar year per requesting individual, deliver the accompanying information to you in a portable, easily readable electronic format.
Right to Deletion
The CPRA allows California residents the right to request that we delete any Personal Information about you that we collect and retain, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, in which we may have to gather further identifiable information in order to confirm your identity, we will delete (and in turn direct our service providers to delete, if applicable) your Personal Information from our records, unless an exception applies.
We may deny a deletion request if retaining the information is necessary to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity;
- Debug products to identify and repair errors that impair existing intended functionality;
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
- Enable solely internal uses that are reasonably aligned with consumer expectations;
- Comply with a legal obligation and requests from law enforcement agencies; and
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Right to Opt-Out of the Sale or Sharing of Your Information
We do not sell Personal Information, as the term “sale” is defined in the CPRA, will not sell Personal Information in the future, and in the preceding twelve (12) months, have not sold any Personal Information. We do share your information with third parties who assist us in providing you with the services you signed up for. We also share information with third parties who assist us in operating our website and marketing our services. If you request, we will limit or cease sharing information we collect from you as directed. However, if you prevent the sharing of all information collected, we may not be able to provide you with the services you have requested.
Right to Limit Use and Disclosure of Sensitive Personal Information
Under the CPRA, with certain limitations, California residents have the right to limit the use of that resident’s sensitive personal information, as that term is defined in the CPRA, to that use which is necessary to perform the requested services or provide the goods requested. Under the CPRA, the following types of information are considered sensitive personal information:
- A consumer’s social security, driver’s license, state identification card, or passport number;
- A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- A consumer’s precise geolocation;
- A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
- The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication;
- A consumer’s genetic data;
- Biometric information for the purpose of uniquely identifying a consumer;
- Personal information collected and analyzed concerning a consumer’s health; or
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
To exercise the access and deletion rights under the CPRA as described above, please submit a verifiable consumer request by completing the online form or by email to [email protected].
Verifiable Consumer Requests
A verifiable consumer request may be submitted by a California resident or a person registered with the California Secretary of State that is authorized to act on your behalf. These requests for access, which can only be made twice during a twelve (12) month period, and deletion must:
- Detail sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative; and
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.
Timeframe for Responding to Requests and Format
We will respond to your request within thirty (45) days of receipt.
The period of response may be extended to sixty (60) or ninety (90) days if more time is required. In that event, we will inform you of the reason and extension period in writing.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.
The CPRA prohibits a business from discriminating against California residents for exercising the rights outlined above. We will not discriminate against you for submitting such requests by:
- Denying goods or services to you;
- Charging different prices or rates for goods or services, including through the use of discounts, benefits, or other penalties;
- Providing a different level or quality of goods or services; and
- Suggesting a different price or quality of goods or services will apply if rights are exercised.
No Financial Incentive
We do not offer any financial incentives or price or service differences in an attempt to influence a resident’s decision whether or not to exercise a right afforded to the consumer under the CPRA.
Our Site is not directed at children. We do not knowingly collect Personal Information from children under the age of 21. If you are a parent or guardian and believe your child has provided us with Personal Information without your consent, please contact us by using the information in the “Contacting Us” section, below, and we will take steps to remove such Personal Information from our systems.
A California resident may use an authorized agent to submit a right to access request or a request to delete. To use an authorized agent, the California resident must provide the agent with written authorization. In addition, the California resident may be required to verify their own identity with us. CTrust may deny a request from an agent that does not submit proof that they have been authorized by the California resident to act on their behalf. Such requirements, however, will not apply where a California resident has provided the authorized agent with power of attorney pursuant to Cal. Prob. Code Sections 4000 to 4465.
Updates to this Privacy Notice
We may update or change this Privacy Notice. The effective date at the top of this page states when this Privacy Notice was last revised. Any change to this Privacy Notice will become effective when we post the revised Privacy Notice on our Site. Your use of our Site means you accept our Privacy Notice.
If any change may materially and negatively affect the privacy of your Personal Information, we will use reasonable efforts to notify you in advance and give you a reasonable time to object to any changes.
We encourage you to periodically review this Privacy Notice to stay informed about how we collect, use, and share Personal Information.
Use the contact information below if you have questions, concerns or complaints about this Privacy Notice or our privacy practices or would like additional information about CTrust’s privacy practices.
Email Address: [email protected]