Ⅳ. Where Data is Stored
Your data will be stored in secure cloud-based data servers in encrypted form or temporarily in our secure call centers around the world. Personal data, once transferred to another jurisdiction, may therefore be available to government authorities under lawful orders and laws applicable there. To the extent EU data protection laws apply to the transfer of your personal data outside of the European Economic Area, you consent to us transferring your personal data outside the European Economic Area. We will ensure that there is a valid transfer mechanism in place in relation to such transfer. For the purposes of this paragraph, a valid transfer mechanism shall include any mechanism approved by the European Commission as ensuring adequate protection for personal data that is transferred outside the European Economic Area. We will use reasonable security measures to protect your personal information against unauthorized access. Excelsior has implemented security measures that contain administrative, technical and physical controls that are designed to safeguard your personal information. For example, we use industry-standard encryption technology to secure sensitive personal information when it is being collected and transmitted over the Internet, as well as firewalls, site monitoring and intrusion detection software.
We may also use your contact details to provide you with information about our products and services which may be of interest to you. If you do not want us to use your information in this way, we will give you the opportunity to opt-out of receiving any such marketing communications at the point where you provide us with your contact details and in each subsequent marketing communication that we send to you. Please note that if you opt out from receiving marketing communications, we may still contact you about service-related issues, such as where we make any changes to this policy.
Ⅵ. Data Services and Email Deployment
We provide customer lists and other information to select third party companies who provide specialized services, such as email message deployment, email verification, email marketing, merge-purge (identifying and removing duplicate addresses) of lists, postal mailing, subscription fulfilment, customer service and telemarketing, research, statistical analysis, and other data processing. These companies work on our behalf and do not ever own, or take over ownership of, the lists or other data sent to them. We strive to protect personal information disclosed to these companies by contractual agreements requiring that they adhere to confidentiality and security procedures and protections that are, at a minimum, equivalent to those employed by Excelsior itself. In order to comply with the Federal CAN-SPAM Act of 2003, we also may provide lists of customers who have opted-out of email promotion for Excelsior Research products to other companies, so they can be suppressed from mailings those companies send on Excelsior Research’s behalf. In addition, if you unsubscribe from a mailing we send to our own list on behalf of a third party, your removal instruction may also be supplied to the third party and added to their own suppression file.
In order to comply with CASL, the Canadian Anti-Spam Law of 2014, Excelsior Research never uses email, text, or social media Commercial Electronic Messages with contacts in Canada. We will make telephone contacts in Canada and, if specifically authorized by the Canadian contact, complete the transaction with email-based delivery.
Ⅶ. Excelsior Research Publications, Events, Other Sites and Other Services
If you are an Excelsior Research customer, you can also expect to receive relevant email and postal offers for other Excelsior Research publications, events, Sites and services.
Excelsior Research has implemented reasonable technical and organizational security measures to help protect against unauthorized access to or unauthorized alteration, disclosure, or destruction of personal information. Unfortunately, no data transmission over the Internet can be guaranteed to be entirely secure, and Excelsior Research assumes no liability for any damage suffered by you caused by the interception, alteration, or misuse of information during transmission.
Excelsior Research is for professionals and usage by children is not permitted without the express permission of your parent or guardian. The safety of children is very important to us. If we know one of our users is under the age of 16, we will only use their personal information to respond directly to notify their parents or guardian, or seek parental consent.
Ⅺ. Your Rights and Access to Information
EU, UK, and Swiss Residents
If you are a European Union, UK or Swiss resident, applicable data protection laws (which may include the EU’s General Data Protection Regulation or “GDPR”) may provide you with certain rights with regard to our processing of your personal information.
To the extent established under applicable law, if you are a Canadian, European Union, UK or Swiss resident you may have the right:
- to access, review, and update your personal information;
- to restrict our processing of your personal information;
- to request that we provide you a copy of, or access to, your personal information in structured, commonly used and machine-readable format (or that we transfer your personal information to another controller, when technically feasible);
- to withdraw your consent when our processing of your personal information is based on your consent (and not another legitimate basis);
- to request that we delete all of your personal information (subject to certain limitations); and
- to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. Before you do this, we request that you contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.
Note that we will only be able to directly process the above requests in situations where we are the “data controller” under the GDPR, which refers to the entity that controls the relevant personal information and its processing. This includes some situations where you provided the relevant information directly to us. However, in many cases we are instead the “data processor” or “sub-processor” under the GDPR, and are processing personal information on behalf of our customer or our client’s customer, who provided the information to us or on whose behalf we are collecting your personal information, and our customer or client’s customer acts as the “data controller” under the GDPR. In those situations where we are acting as the data processor or sub-processor, we will refer your request to the applicable data controller instead.
California Privacy Rights
California law (including the California Consumer Privacy Act or “CCPA”) entitles California residents to certain additional protections regarding personal information. For purposes of this section alone, “personal information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. Please be aware, however, that under the CCPA personal information does not include:
- Publicly available information from government records;
- Deidentified, aggregated or anonymized information that is maintained in a form that is not capable of being associated with or linked to a California resident;
- Information excluded from the CCPA’s scope, such as:
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or
- Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994; or
- Information relating to job applicants, employees, contractors and other personnel of Excelsior Research or its affiliates.
If you are a California resident, you have the right to request:
- information regarding your personal information we have collected in the past 12 months (including the categories of personal information we have collected, the categories of sources of such information, and the business or commercial purposes for collecting or, if applicable, selling such information);
- notice of whether we have disclosed or sold your personal information to third parties in the past 12 months (and if so, what categories of information we have disclosed or sold, and what categories of third parties we have disclosed or sold it to);
- a copy of your personal information collected by us in the past 12 months; and
- that your personal information be deleted.
We will not discriminate against you if you choose to exercise any of these rights. To make any of the above requests, please contact us as set forth at the end of this Article. We will need to verify your identity before processing your request. In order to verify your identity, we will generally require the matching of sufficient information you provide us to the information we maintain about you in our systems. Although we try to limit the personal information collected in connection with a request to exercise the right to know and/or the right to deletion, certain requests may require us to obtain additional personal information from you. In certain circumstances, we may decline a request to exercise the right to know and/or right to deletion, particularly where we are unable to verify your identity. In certain instances, we may be permitted by law to decline some or all of your requests.
Note that we will only be able to directly process the above requests in situations where we are the “business” under the CCPA, which refers to the entity that determines the purpose and means of information processing. This includes some situations where you provided the relevant information directly to us. However, in many cases we are instead a “service provider” under the CCPA, and are processing personal information on behalf of our customer or our client’s customer, who provided the information to us or on whose behalf we are collecting your personal information, and our customer or our client’s customer acts as the “business” under the CCPA. In those situations where we are acting as a service provider, we will refer your request to the applicable business instead.
We will handle any request to exercise your rights in accordance with applicable law. If you wish to exercise any of the rights described above, please email us at firstname.lastname@example.org with the subject line “Privacy Rights Request”.