California Consumer Privacy Act Notice
Effective Date: 04/15/2024
The California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”) provides certain verified California residents with the right to receive disclosure of our information collection and disclosure practices, the specific information collected about them, to request that we correct information we hold, to make requests that we do not sell information or do not share personal information for cross-context or behavioral marketing purposes, to request that we limit processing of sensitive personal information to the purposes for which it was originally provided, or that we delete information subject to certain exceptions. For details on how to exercise these rights, please see below. We will not discriminate against you as a result of your exercise of any of these rights. For purposes of the CPRA personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.
Our California employees (current, former or applicants) can learn about our information collection and disclosure practices and how to exercise their CPRA rights by contacting the Human Resources.
I. Information Collected, Sources, and Business Purpose for Collection
The following table lists the categories of personal information defined in the CPRA, whether we have collected information in the category during the past 12 months, the sources of the information, and the business purposes for which we collect and use the information. The categories of information include information we collect from our website visitors, registered users, employees, vendors, suppliers and any other person that interacts with us either online or offline. Not all information is collected about all individuals. For instance, we may collect different information from applicants for employment or from vendors or from customers.
Category of Information | Collected? | Source | Business purposes for use |
A. Identifiers (name, alias, postal address, email address, phone number, fax number, account name, Social Security number, driver’s license number, passport number, unique personal identifier, IP address) | Yes | Individuals submitting information to us; information we automatically collect from site visitors; information we may receive from third-party marketing and data partners. | Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; ad customization; performing services for you; internal research and development; quality control. |
B. Protected Information (name with: Social security number, driver’s license or state ID number, financial account, medical, health, and health insurance information, user name and password) | Yes | Individuals submitting information; employment applications; employees. | Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; performing services for you; quality control. |
C. Protected anti-discrimination classification information (Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).) | Yes | Vendors, employees, or contractors submitting information. | Performing services for you; compliance with law. |
D. Commercial information (transaction history, products/services purchased, obtained or considered, product preference) | Yes | Individuals submitting information; information we automatically collect from site visitors; information we may receive from third-party marketing or data partners. | Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; ad customization; performing services to you; internal research and development; quality control. |
E. Electronic network activity (browsing or search history, website interactions, advertisement interactions) | Yes | Information automatically collected from site visitors. Information collected from employees, contractors or vendors who are provided access to our systems. | Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; ad customization; performing services for you; internal research and development; quality control. |
F. Audio, video or similar information (customer service calls, security monitoring) | Yes | Individuals submitting information; information we collect for security purposes. | Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; performing services for you; internal research and development; quality control. |
G. Biometrics | No | N/A | N/A |
H. Geolocation | Yes | Information we automatically collect from site visitors. | Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; ad customization; performing services for you; internal research and development; quality control. |
I. Professional, educational or employment related information | Yes | Information submitted by individuals; vendors, employees, or contractors submitting information; information received from third parties in connection with vendor or employment status or applications; information we observe in connection with vendor or employment oversight. | Auditing relating to transactions; security detection, protection and enforcement; employment and benefits administration; vendor oversight and management; performing services for you; internal research and development; compliance with law. |
J. Non-public educational information (Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records). | No | N/A | N/A |
K. Sensitive Personal Information (social security, driver’s license, state identification card, or passport number, account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, precise geolocation, consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership, genetic data, biometric information, health, sex life or sexual orientation.) | Yes | Information submitted by individuals; Vendors, employees, or contractors submitting information information received from third parties in connection with vendor or employment status or applications; information we observe in connection with vendor or employment oversight. | Identity verification; employment and benefits administration; vendor oversight; security detection, protection and enforcement; compliance with law. |
L. Inference from the above (preferences, characteristics, behavior, attitudes, abilities, etc.) | Yes | Internal analytics | Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; ad customization; performing services for you; internal research and development; quality control. |
*More specifically, the business purposes include:
1. Performing services for you:
- To administer or otherwise carry out our obligations in relation to any agreement to which we are a party;
- To assist you in completing a transaction or order;
- To allow tracking of shipments;
- To prepare and process invoices;
- To respond to queries or requests and to provide services and support;
- To provide aftersales customer relationship management;
- To create and manage our customer accounts;
- To notify you about changes to our services and products;
- To administer any promotion, contest, survey, or competition;
- To provide you information regarding our products and services,
- To offer our products and services to you in a personalized way, for example, we may provide suggestions based on your previous requests to enable you to identify suitable products and services more quickly.
2. Advertising customization:
- For marketing and promotions we believe you may find of interest and to provide you, or allow selected third parties to provide you, with information about products and services that may interest you.
3. Auditing relating to transactions, internal research and development:
- To provide for internal business administration and operations, including troubleshooting, Site customization, enhancement or development, testing, research, administration and operation of our Sites and data analytics;
- To create products or services that may meet your needs;
- To measure performance of marketing initiatives, ads, and websites “powered by” another company on our behalf.
4. Security detection, protection and enforcement; functionality debugging, error repair:
- As part of our efforts to keep our Sites safe and secure;
- To ensure the security of your account and our business, preventing or detecting fraud, malicious activity or abuses of our Sites, for example, by requesting verification information in order to reset your account password (if applicable);
- To ensure the physical security of our premises through the monitoring of surveillance images;
- To resolve disputes, to protect the rights, safety and interests ourselves, our users or others, and to comply with our legal obligations.
5. Quality control:
- To monitor quality control and ensure compliance with our legal obligations, codes and ordinances, policies and procedures,
- To develop and improve our products and services, for example, by reviewing visits to the Sites and various subpages, demand for specific products and services and user comments.
II. Processing Sensitive Personal Information
We collect, process and disclose Sensitive Personal Information for the purposes disclosed at the time we collect this information and for the purposes permitted by the CCPA. We only process Sensitive Personal Information for permitted purposes. The following are permitted purposes under the CCPA:
- To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
- To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information.
- To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions.
- To ensure the physical safety of natural persons.
- For short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
- To perform services on behalf of our business.
- To verify or maintain the quality or safety of products or services that we own or control, and to improve, upgrade, or enhance such products or services.
- To collect or process sensitive personal information where such collection or processing is not for the purpose of inferring characteristics about a consumer.
III. Disclosing Personal Information
From time to time we disclose your information as described below. This includes disclosing information to our service providers such as professional advisers, lawyers, bankers, staffing partners, auditors and accountants, and, when required by law, to regulators or law enforcement.
A. Disclosure of Personal Information for a Business Purpose.
We may disclose your personal information to service providers and others for a business purpose. The business purposes are listed above. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, we may have disclosed the following categories of personal information to service providers (such as payment processors, mail houses, marketing partners, shipping partners, employee benefits partners; professional advisors); affiliated companies; government regulators; law enforcement; or strategically aligned businesses:
Identifiers, Protected personal information, Protected anti-discrimination, classification information, Commercial Information, Electronic network activity information, Audio, video or similar information, Geolocation, Professional or employment-related information, Sensitive personal information, Inferences.
B. Disclosing Personal Information in Sale Arrangements
We do not sell personal information for monetary consideration but we may transfer your information to a third party that provides us with services such as helping us with advertising, data analysis and analytics, and security, which may fall under the definition of for “other valuable consideration” and which may therefore be considered a “sale” under the CCPA. We do not sell the personal information of individuals we actually know are less than sixteen (16) years of age. Please see below for opting out of having your information sold. In the preceding twelve (12) months we may have disclosed the following categories of information for a business purpose which falls within the definition of a ‘sale.’
Identifiers, Commercial Information, Electronic network activity information, Geolocation, Professional or employment-related information, Inferences.
C. Sharing Personal Information for Cross-Context Behavioral Marketing
Sharing your personal information means making it available to a third party so that they can use it to display targeted or cross-context behavioral advertisement to you. Cross-context behavioral or targeted advertising means that we display an advertisement to you that is selected based on personal information about you that we obtained or inferred over time from your activities across other companies’ websites, applications or online services that we use to predict your preferences or interests. Targeted advertising does not include using your interactions with us or information that you provide to us to select advertisements to show you. In the preceding twelve (12) months, We have shared the following categories of personal information of non-minors for behavioral or cross context or targeted advertising.
Identifiers, Commercial Information, Electronic network activity information, Professional or employment-related information, Inferences.
IV. CCPA Rights.
The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights.
A. Information Access and Portability Rights
As a California resident you have the right to request that we disclose certain information upon request about our information collection and disclosure practices. You also have the right to request a copy of the specific pieces of personal information we collected about you. You may make Information Access Requests up to twice during a 12 month period. Once we receive and confirm your verifiable request, we will disclose to you:
- The categories of personal information we collected about you, the sources of the information, our business or commercial purpose for collecting the information and whether the information was disclosed for a business purpose, shared or sold.
- The categories of information we disclosed for a business purpose and the categories of information we sold or shared during the prior 12 months along with the categories of recipients of such information.
- The specific pieces of personal information we collected about you during the prior 12 months, or, at your option, since January 1, 2022. Please note that this disclosure will not include data generated to help ensure security and integrity or as prescribed by regulation. We will endeavor to provide the information in a format that is readily useable, including by mailing you a paper copy or providing an electronic copy to your registered account, if you have registered an account with us.
B. Information Deletion Rights
California residents have the right to request that we delete any of your personal information that we collected from them and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. You may make deletion requests at any time. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities and to help to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for those purposes.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s ability to complete such research, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us and compatible with the context in which you provided the information.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
C. Information Correction Rights
California residents have the right to request that we correct information that we hold which is inaccurate. We will require that you provide information about yourself so that we can verify your identity before we can make any change in the information we hold about you and we will use commercially reasonable efforts to make the requested corrections. In some cases, for instance if you have an account with us, you can update your information by logging into your account. You can make information correction requests at any time.
D. Opt-Out Rights
- Do Not Sell My Personal Information. We do not sell personal information for monetary consideration but we may transfer your information to a third party that provides us with services such as helping us with advertising, data analysis and analytics, and security, which may fall under the definition of for “other valuable consideration” and which may therefore be considered a “sale” under the CCPA. If you are 16 years of age or older, you have the right, at any time, to direct us to not sell your personal information. We do not sell the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is at least 13 but not yet 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sales may opt-out of future sales at any time.
- Do Not Share My Personal Information. You have the right to opt out of having your personal information shared with others for cross-context or behavioral advertising purposes. This does not include using your interactions with us or information that you provide to us to select advertisements to show you.
- Limit Processing of Sensitive Personal Information. You have the right to tell us not to process or disclose Sensitive Personal Information for any purpose other than the purposes permitted by the CCPA or the purposes disclosed at or before the time we originally collected it. We only process Sensitive Personal Information for the purposes permitted by the CCPA or for which we originally collected it.
V. Exercising Your CCPA Rights
A. Making CCPA Requests.
- Access, Correction and Deletion. To exercise the access, correction, and deletion rights California residents may contact us by telephone at the following toll free number: 1 (866) 439-6210, or by sending an email to privacy@grmdocument.com. We will ask you for information that allows us to reasonably verify your identity (that you are the person about whom we collected personal information) and will use that information only for that purpose. We may request that you submit a signed statement under penalty of perjury that you are the individual you claim to be. Any disclosures we provide will only cover the 12-month period preceding receipt of your request, but you may request that expand the 12-month period to cover information collected since January 1, 2022, and we will honor that expanded request unless doing so would involve a disproportionate effort. You may make these requests up to twice in a 12 month period. We will acknowledge receipt of your request within 10 business days and will endeavor to respond within forty-five days of receipt of your request, but if we require more time (up to an additional forty-five days) we will notify you of our need for additional time. We cannot respond to your request or provide you with personal information if we cannot verify your identity and confirm that the personal information relates to you.
- Opt-Out Rights. To opt out of the sale of your personal information or the sharing of your personal information or to ask us to limit processing of your Sensitive Personal Information, you may submit a request to us by clicking the following appropriate link: “Do Not Sell or Share My Personal Information” or “Limit Sensitive Information Processing”. You may also call us toll free at 1 (866) 439-6210.
You may also opt out by activating a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicates or signals your choice to opt-out of the sale and sharing of personal information. When we receive such a signal we will stop setting third party, analytics, or advertising partner cookies on your browser. This will prevent the sale or sharing of information relating to that specific device through cookies to our advertising or analytics partners. This option does not stop all sales or sharing of your information because we cannot match your device’s identification or internet protocol address with your personally identifiable information like your name, phone number, email address or ZIP Code. If you delete cookies on your browser, any prior do not sell or do not share signal is also deleted and you should make sure that your user-enabled setting is always activated.
We will comply with your request promptly, and at least within 15 business days. Once we receive your request we will wait at least 12 months before asking you to reauthorize personal information sales or sharing.
B. Using an Authorized Agent. You may submit a request through someone holding a formal Power of Attorney. Otherwise, you may submit a request using an authorized agent only if (1) the person is registered with the Secretary of State to do business in California, (2) you provide the authorized agent with signed written permission to make a request, (3) you verify directly with us that you have authorize the person to make the request on your behalf, (4) you verify your own identity directly with us and (5) your agent provides us with proof that they are so authorized. We will require the agent to submit proof to us that they have been authorized to make requests on your behalf.
VI. Non-Discrimination
We will not discriminate against you as a result of your exercise of any of these rights.
VII. Retention of Personal Information
We will store personal information in a form which permits us to identify consumers, for as long as necessary for the purpose for which the personal information is processed. We may retain and use such personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements and rights, or if it is not technically reasonably feasible to remove it. We retain information consumers provide in connection with requests made under the CCPA for a period of two years.
VIII. Changes to This Notice
We reserve the right to amend this Notice at our discretion at any time. When we make changes to this Notice, we will post the updated notice on our website and update the Notice’s effective date.