Privacy Policy

Last Updated: August 19, 2018

The Scope of this Privacy Policy

This Privacy Policy (or the “Policy”) describes the policies that govern how BlueLabs Analytics, Inc. and its covered entity, DKPW Inc. (“BlueLabs”) collects, uses, shares, and processes personal information.

Personal information that is collected from residents of certain countries is subject to additional or differing legal requirements. Information received from residents of British Columbia is governed not by the general terms of this Privacy Policy but by the “BC Privacy Policy” found below and incorporated herein. Information transferred from Member States of the European Union and European Economic Area and Switzerland is governed not by the general terms of this Privacy Policy but by the “Privacy Shield Policy” found below and incorporated herein

Our Privacy Policy applies to personal information about identified individuals. It does not cover information that is aggregated, anonymous, or does not otherwise identify individuals.

The personal information that BlueLabs processes comes from our clients, from various public or private sources, or is collected by us from individuals directly. We apply our data science methods to the data sets that we have obtained from various sources, in order to build analytic models to predict political, civic, and other behavior, and to provide strategic guidance, aggregate information, and predictive models to our clients. In addition to our Privacy Policy, personal information that we obtain from our clients or from public or private sources is subject to the privacy policies of the entity that shared the information with us or that released or licensed the information to us, as applicable.

Our clients’ information is the sole property of our clients, and the rights we have with respect to our clients’ information are the rights that they grant to us. We use and share personal information that our clients share with us in the manner requested or authorized by our clients and consistent with the restrictions placed on that information by our clients.

We use and share personal information that we obtain from public sources in a manner that is consistent with the restrictions placed on that information by the entity that released it. We use and share personal information that we license from private sources in a manner that is consistent with the restrictions placed on that information by the entity that licensed it to us.

How We Use Information

Data science involves the use of complex analysis across large data sets to identify correlations and insights in the data. While we may help our clients identify desired audiences, the messages they convey to these audiences are their responsibility; our clients don’t speak for us and we don’t speak for our clients.

When we use personal information for our own purposes, we do so to improve our data science practices and our business; to maintain the accuracy of our information; to monitor and protect our business; to perform security screenings; to investigate, prevent, or take action relating to illegal activities or violations of our policies; and for other research, development, and analytical purposes.

We may use Non-Modeling Data in the following additional ways:
• to respond to inquiries;
• to contact individuals or, for example, to send them our newsletters or provide them with information about the Site or our services;
• to market our services;
• to track usage of the Site;
• to improve the Site;
• to help us better understand how users access and use the Site, and other administrative purposes;
• to help us better understand how users access and use the Site, and other administrative purposes;
• to display relevant advertising; or
• to comply with legal obligations.

Whenever we use any third-party owned data, we rely on that third party to tell us how their own privacy policies limit our use of personal information, consistent with our contracts with that third party. These third parties are responsible for determining the privacy and protection of their information, and any inquiries about the use of personal information by a third party should be directed to it.

Information We Collect About Individuals

Directly from a person: Information that we collect directly from individuals and then process using our data science methods (“Modeling Data”) includes information that they provide when they respond to surveys conducted by us or by our vendors on our behalf.

When we use personal information for our own purposes, we do so to improve our data science practices and our business; to maintain the accuracy of our information; to monitor and protect our business; to perform security screenings; to investigate, prevent, or take action relating to illegal activities or violations of our policies; and for other research, development, and analytical purposes.

We also may collect the following information directly from a person that we do not process using our data science methods (“Non-Modeling Data”): We may collect and store a person’s name and email address if they submit inquiries or comments to us or sign up to receive our newsletter. We may also store information that they provide through additional communications initiated by them, including phone calls, letters, emails and other electronic messages, or in other circumstances described in this Privacy Policy.

From third parties: This may include information about a person that we receive from our clients, obtain from public sources, or license from private sources. Examples of information we receive from our clients include information collected through a mobile application or other methods about a person’s visits, purchases, returns, deliveries, coupons, loyalty clubs, and so on. Examples of public sources of information include census information, voter registration records, real property records, court records, assessor information, tax rolls, telephone directories, and web directories and information.

We may combine information collected directly from a person and from third-party sources.

Automatically when a person visits our site or uses our services: We also may collect information that a person’s computer or mobile device provides in connection with their use of the BlueLabs.com website or BlueLabs’ other websites and mobile applications that link to or reference this Privacy Policy (collectively, the “Site”), such as browser type, type of computer or mobile device, browser language, IP address, mobile carrier, phone number, unique device identifier, requested and referring URLs, the content individuals view on our site or services, and the date and time of their access. Visitors may be able to disallow our use of certain location data through their device or browser settings. See the section below titled “Cookies and Tracking” for more information.

How We Share Personal Information

Our services provide individual-level data insights to our clients, and so our services directly involve sharing personal information and insights gained from personal information with our clients. To the extent that we transfer personal information to a client that we obtained from sources other than that client, we ensure that the client enters into appropriate contractual covenants with us to provide the same level of protection of personal information that we provide, and to agree to the same limits on use and sharing of personal information that apply to our own use and sharing of personal information.

We may rely on third-party service providers to provide technologies or services for us in connection with our data science services or a person’s use of the Site, such as administration of services, communications and hosting services, advertising and media purchase services, network security, technical and customer support, tracking and reporting functions, quality assurance testing, and other functions. We may share information from or about a person with these third-party service providers so that they can perform their services. These third-party service providers may share information with us that they obtain from or about a person in connection with providing their services.

We may also share personal information in responding to requests from law enforcement officials, government bodies or judicial authorities, in addressing matters of personal or public safety, national security, litigation, investigations (including data security incident investigations), and other legal matters where the information is pertinent. In the event of a sale, transfer, or reorganization of BlueLabs, or of some of our assets or lines of business, or in the context of related business negotiations, we may also share personal information with the relevant parties. We also use personal information for historical, statistical, and business planning purposes.

We may also remove personally identifying information to create anonymous information that we may share with any third parties.

Data Security

We follow generally accepted industry standards to protect personal information when it is stored or processed by BlueLabs. We have implemented security safeguards to protect personal information regardless of the format in which it is held, against loss or theft, unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. We use safeguards that are appropriate to the sensitivity of the information.

BlueLabs uses security measures to ensure that personal information is being appropriately protected including, by way of example, the following: 1. Physical measures such as locked filing cabinets, drawers and offices, and restricted access to offices;
2. Organizational measures such as limiting access on a “need to know” basis and requiring service providers to provide comparable security measures; and
3. Technological measures such as the use of fine-grained access control, strong passwords, encryption, and internet firewalls. When disposing of or anonymizing personal information, BlueLabs will use appropriate security measures to ensure that personal information is not inappropriately used.
When disposing of or anonymizing personal information, BlueLabs will use appropriate security measures to ensure that personal information is not inappropriately used.

BlueLabs will, on a regular basis, review and update security policies and controls as technology changes to ensure ongoing personal information security.

No method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect personal information, we cannot guarantee its absolute security.

Data Retention

We retain personal information that we collect for as long we need the information in connection with our data science services or in order to facilitate use of the Site, and for a reasonable time thereafter. We retain personal information that we receive from third parties for the period required by their terms of use. In some cases, individuals can request that we remove their personal information collected, as described in the section below titled “Choice and Control”.

Choice and Control

BlueLabs is committed to providing individuals with access to their personal information. If a person believes that BlueLabs may be processing information about them and wish to have access to that information, we can provide them with that information or at least an explanation of why we cannot do so in the particular context, such as when only our client or vendor has the right to provide such access, or if responding to the request would be unreasonably expensive. As described above, much of the personal information that we analyze belongs to third parties, and BlueLabs does not have the right to provide anyone with access to that personal information, except as allowed by the third-party owner. Depending on the privacy policies of the third party that owns the personal information, a person may be able to review, modify, or request the removal of personal information by contacting that third party.

If a person sends us a request to review, modify, or remove their personal information, and that information is owned by a third party, we will let them know the appropriate third party to whom they should direct their inquiry.

If a person sends BlueLabs a written request to review their personal information, and that information is owned by BlueLabs, we will generally make available their information for their review, so long as they provide sufficient detail to allow us to identify the personal information being sought and provide sufficient information in order for us to verify their identity before providing them with their personal information. If a person sends us a request to remove their personal information, and that information is owned by us, we will remove their information from our database, after verifying their identity. In addition, in the case of personal information owned by Blue Labs and collected by us or our vendors via telephone surveys, we comply with applicable legal requirements regarding appropriate use of information collected from persons registered with the National Do Not Call Registry.

Here are some other ways a person can control BlueLabs’ use of their personal information:

• Opt Out of Promotional Email Communications. A person may opt out of promotional emails, including newsletters, that they receive directly from us by clicking on the unsubscribe link in the email. Please note that we are unable to remove individuals from third party e-mail lists. If a person previously added their contact information to the mailing list of one of our clients or partners, including vendors who conduct surveys on our behalf, and later withdraw their permission, they will have to contact that third party (or use an opt-out link provided in an email communication from that third party) to request removal from their mailing list.
• Opt Out of Interest-Based Advertising. We may use third-party service providers, such as Google’s AdSense and AdWords, to help us provide advertisements that are tailored a person based on interests that they have expressed on our site or elsewhere (“Interest-Based Ads”). Any advertisements served by these third-party service providers and their affiliated companies may be controlled using cookies. These cookies allow these providers to display ads based on a person’s visits to this site. Any tracking done by these providers through cookies and other mechanisms is subject to their own privacy policies. Some browser settings allow individuals to limit or remove the Interest-Based Ads delivered to them.

Please note that even if a person opts out of receiving marketing communications from us, we may still send them communications about their account or any products or services they have purchased from us, and we will still respond to their inquiries and requests for information.

Cookies and Tracking

We and our service providers use cookies and other mechanisms to track information about use of our site and services. We or our service providers may combine this information with other information we collect about a person.

• Cookies. We or our service providers may use cookies to track visitor activity on our site and services. A cookie is a text file that a website transfers to a device for record-keeping purposes. We or our service providers may use cookies to track user activities on our site and services, such as the web pages they view and time they spend on those pages. The help section on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our site and users of our services who disable cookies may not be able to browse certain areas of the site or services. Clear GIFs, Pixel Tags and Other Technologies. Clear GIFs are tiny graphics with a unique identifier, similar in functionality to cookies, which are embedded invisibly on web pages. We or our service providers may use clear GIFs (also known as web beacons, web bugs, pixel tags, or action tags, among other names), in connection with our site to perform functions like tracking the activities of visitors to our site, helping us manage content, and compiling statistics about usage of our site or services. We or our service providers may also use clear GIFs in emails to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.
• Embedded Scripts. We use embedded scripts, which is code designed to collect information about how visitors interact with a website, such as the website which linked them to our site.
• Third-Party Analytics. We use service providers, such as Google Analytics, to evaluate the use of our site and our services. We or our service providers use automated devices and applications to evaluate use of our site and services. We or our service providers use these tools to help us improve our site, services, performance, and user experiences. These entities may use cookies and other tracking technologies, such as web beacons or Flash locally shared objects, to perform their services.

Our Privacy Commitments to Employment Applicants

If a person submits an application for employment with BlueLabs, we collect information, including personal contact information, education and work history, as well as Social Security numbers in order to process and consider their application. We will not sell personal information from employment applications to unaffiliated third-parties for marketing purposes. The information on applications may be shared with background check services, our affiliates, and used for certain regulatory, compliance, security, and legal purposes. We may de-identify and anonymize personal information and use such anonymous information for internal purposes, such as to review our hiring practices and talent acquisition efforts.

Minors

We do not collect personal information from any person we know to be under the age of 13, and we will delete any personal information collected that we later know to be from a person under the age of 13. Our site and services are not targeted to children under 13 years of age. If you believe a child under the age of 13 has disclosed personal information to us, please contact us at info@bluelabs.com and specify the customer and information you believe to be from the child under 13.

Changes to This Privacy Policy

We may revise this Privacy Policy from time to time, and if so we will post the revised Privacy Policy on the Site. Be sure to check the effective date of the Privacy Policy.

Contacting Us About our Privacy Policy

Please let us know if you have any questions, concerns, disputes, or issues. We are always open to dialogue to resolve issues. If your concerns cannot be resolved, we can enter into appropriate third-party neutral dispute resolution. If you need to reach us about a privacy or data protection issue, please contact us at info@bluelabs.com.

Challenging Compliance: Questions and Complaints

At any time, individuals may seek information about BlueLabs’ privacy policies and practices by contacting BlueLabs’ Privacy Officer, Chris Wegrzyn, at info@bluelabs.com.

If you have a question or a complaint about BlueLabs’ privacy practices, you should direct that complaint, concern, or question in writing to the Privacy Officer designated under this Privacy Policy. BlueLabs has implemented an Inquiry/Complaint Handling Policy to receive and respond to your inquiry or concern or complaint about the policies and practices relating to the handling of your personal information.

If you provide a written complaint, concern or question to BlueLabs, BlueLabs will advise you of the complaint procedure. BlueLabs will also conduct a review into your concern or complaint. If BlueLabs concludes that a complaint is justified, BlueLabs will take appropriate measures which may include amending its policies and practices. BlueLabs will inform you of the outcome of its review regarding your question or complaint.

If you are not satisfied with the resolution proposed by BlueLabs, you will be advised as to the appropriate procedure to elevate your concern.

British Columbia Privacy Rights

Personal information that BlueLabs receives from residents of British Columbia, Canada, is subject to the provisions of British Columbia’s Personal Information Protection Act (“PIPA”), and may be subject to comparable provincial or federal privacy law in Canada. This section of our Privacy Policy (this “BC Privacy Policy”) describes additional privacy policies that govern how BlueLabs collects, uses, and discloses the personal information that is collected from residents of British Columbia.

As used in this BC Privacy Policy, “personal Information” means information about an identifiable individual, but does not include the name, position, name or title, business telephone number, business address, business e-mail or business fax number of the individual. It also does not include the work product information of the individual.

This BC Privacy Policy outlines the principles and practices BlueLabs will follow in order to protect personal information for residents of British Columbia. BlueLabs will ensure the accuracy, confidentiality and security of personal information, and will follow the legal requirements to allow individuals to request access to and correction of their personal information.

If you are not satisfied with the resolution proposed by BlueLabs, you will be advised as to the appropriate procedure to elevate your concern.

I. SCOPE
This BC Privacy Policy does not impose any limits on the collection, use or disclosure of personal information that:
• is covered by one of the exceptions in Sections 12, 15 and 18 of PIPA to collection, use and disclosure of personal information without consent;
• was collected prior to January 1, 2004, where the personal information is used and disclosed in order to fulfill the same reasonable purposes for which it was collected;

This BC Privacy Policy does not apply to personal information if the Freedom of Information and Protection of Privacy Act applies or the federal Access to Information and Privacy Act applies to the personal information.

II. DEFINITIONS
As used in this BC Privacy Policy, the following terms have the following meanings:

“Collection” means the act of gathering, acquiring, or obtaining personal information from any source, including third parties, by any means.

“Consent” means voluntary agreement to the collection, use, or disclosure of personal information for reasonable purposes, which are made known to the individual. Consent can be express or implied. Express consent can be oral or given in writing, but is always unequivocal. Implied consent is consent that can be reasonably inferred from the action or inaction of an individual.

“Disclosure” means making personal information available outside BlueLabs.

“Use” means the treatment, handling, management, and retention of personal information within BlueLabs.

“Personal information” means information about an identifiable individual, excluding the individual’s contact information or their work product information.

“Contact information” means information to enable an individual, at a place of business, to be contacted and includes the name, position, name, or title, business telephone number, business address, business e-mail, or business fax number of the individual.

“Work product information” means information prepared or collected by an individual or group of individuals as part of the individual’s or group’s responsibilities or activities related to the individual’s or group’s employment or business, but does not include personal information about an individual who did not prepare or collect the personal information.

III. ACCOUNTABILITY
BlueLabs is accountable for the protection of the personal information under its control and has designated as its Privacy Officer, Chris Wegrzyn.

IV. COLLECTING PERSONAL INFORMATION
Unless the purposes for collecting the personal information are obvious, and a person voluntarily provides their personal information for that obvious purpose, we will communicate the purposes for which personal information is being collected, either orally or in writing, before or at the time of collection. BlueLabs’ work empowers organizations to make the most of their outreach resources through individual-level, data-driven targeting and optimization.
During the course of carrying out this work with political entities, BlueLabs may collect personal information. We will only collect this information by fair and lawful means and where it is necessary to, fulfill the following purposes:

• We will collect personal information by telephone survey for the purposes of building analytic models to predict political and civic behavior.

V. CONSENT
BlueLabs will obtain consent to collect, use, or disclose personal information except where as noted in this BC Privacy Policy, we are authorized or required to do so without consent.

Consent can be provided orally, in writing, or electronically, or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious to a reasonable person and a person voluntarily provides their personal information for that purpose.

Consent may also be implied where a person is given notice and a reasonable opportunity to opt out of their personal information being used or disclosed and they do not opt out.

Subject to the personal information being necessary to provide the service or product or where the withdrawal of consent would frustrate the performance of a legal obligation, a person can withhold or withdraw their consent from BlueLabs to use their personal information for particular purposes. If a person chooses to withdraw their consent to the collection, use, and disclosure of their personal information, BlueLabs will advise them of the consequences of the withdrawal.

VI. USING AND DISCLOSING PERSONAL INFORMATION
BlueLabs will only use or disclose personal information where it is necessary to fulfill the purposes for which it was collected, or for a purpose reasonably related to those purposes.

BlueLabs may disclose personal information where required or authorized by law, without consent.

To the extent that we enter into contracts or other arrangements with third parties, which involve the transfer of personal information, we will ensure that the third party enters into appropriate covenants with us to provide the same level of protection over personal information that BlueLabs provides.

In some cases, BlueLabs may seek consent for the use and disclosure of personal information after it has been collected, but before it is used or disclosed, for example, where BlueLabs wants to use personal information for a purpose not previously identified to that person.

BlueLabs does not, as a condition of supplying products or services, require individuals to consent to collection, use, or disclosure of personal information beyond what is necessary to provide the product or service.

BlueLabs does not attempt to obtain consent for collecting, using, or disclosing personal information by providing false or misleading information regarding the purposes for the collection, use, or disclosure of personal information or by using deceptive or misleading practices. BlueLabs will not sell, rent, or lease personal information to third parties unless we have obtained a person’s explicit consent to do so.

VII. RETAINING PERSONAL INFORMATION
If BlueLabs uses personal information to make a decision that directly affects a person, BlueLabs will retain that personal information for at least one year, so that they have a reasonable opportunity to request access to it.

Subject to the above, BlueLabs will retain personal information only as long as necessary to fulfill the identified purposes, or to fulfill a legal or business purpose.

VIII. ENSURING ACCURACY OF PERSONAL INFORMATION
BlueLabs will make reasonable efforts to ensure that personal information is accurate and complete if it will likely use it to make a decision that directly affects that person, or if BlueLabs is likely to disclose it to another organization.

BlueLabs will not routinely update personal information. To the extent that a person believes that the personal information they provided to BlueLabs may no longer be accurate or complete, they may advise BlueLabs to update its records. A request to update personal information must be made in writing, by phone or email, and provide sufficient detail to identify the personal information and the correction being sought. Requests to update or correct personal information should be forwarded to BlueLabs at info@bluelabs.com.

If a person successfully demonstrates to BlueLabs that their personal information is inaccurate or incomplete, BlueLabs will correct the personal information as required.

IX. SECURING PERSONAL INFORMATION
See the “Data Security” section above in our overall Privacy Policy for data security policies that apply also to personal information collected from residents of British Columbia.

From time to time, personal information may be disclosed outside of Canada, where it may be subject to the lawful access requirements of the jurisdiction.

X. PROVIDING ACCESS TO PERSONAL INFORMATION
Individuals have a right to access the personal information that is held by BlueLabs. This right is subject to exceptions which are set out in PIPA.

In order to obtain access to personal information, a person must make a written request that provides sufficient detail to allow BlueLabs to identify the personal information being sought.

Individuals may be required to provide sufficient personal information to identify themselves in order to enable BlueLabs to verify their identity before providing their personal information. They may also be asked more specific questions about the type and amount of personal information that they are seeking.

BlueLabs will make the information available within 30 working days. If BlueLabs is seeking an extension in order to respond to a request, BlueLabs will provide written notice of the extension.

In responding to a person’s access request, BlueLabs will provide them their personal information that is under its control, information about the ways in which the personal information has been and is being used by BlueLabs, and the names of the individuals and organizations to whom the personal information has been disclosed by BlueLabs.

If BlueLabs refuses in whole or in part to provide a person access to their personal information, we will notify them in writing. The notification will include providing them the reasons for the refusal, in particular, the exceptions in PIPA upon which we are relying, and will advise them of any recourse which is available to them as a result of BlueLabs’ refusal.

PRIVACY SHIELD POLICY

This Privacy Shield Policy applies to the processing of personal information transferred from European Union Member States as well as Switzerland and European Economic Area Member States Iceland, Lichtenstein, and Norway (hereafter collectively referred to as "Member States"). It applies to processing BlueLabs performs pursuant to a contract with a controller (also referred to herein as "client") in accordance with the EU Data Protection Directive ("Directive") and its replacement the EU General Data Protection Regulation ("GDPR"). This section of our Privacy Policy (this Privacy Shield Policy) describes the privacy policies that govern how BlueLabs collects, uses and discloses the personal information that is transferred from Member States.

BlueLabs complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework Principles as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from Member States to the United States. BlueLabs has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

BlueLabs may revise this Privacy Shield Policy from time to time, and if so we will post the revised Privacy Shield Policy on the Site with an effective date.

I. DEFINITIONS
As used in this Privacy Shield Policy, the following terms have the following meanings:
• "Personal data or personal information" means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
• "Data subject" means an identified or identifiable natural person.
• "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
• "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

II. NOTICE
In accordance with the Privacy Shield Principles, data subjects must be provided notice of specified information in connection with the processing of their personal information. Depending upon BlueLabs' contracts with clients/controllers, some portions of the requisite notice may be provided directly by the clients/controllers. To the extent that such notice is not provided by the clients/controllers, BlueLabs shall provide such notice before or at the time of data collection. This may include for example, notice with respect to:
• The type of personal information collected.
• The purpose for the collection and use of the information.
• The type or identity of third parties to which personal information is disclosed.
• The rights of the individual with respect to their information including the right to access, correction, deletion, restriction of processing, data portability, and objection.

Additional requisite elements of the notice that must be provided to data subjects are set forth in this Privacy Shield Policy which shall be provided to data subjects before or at the time of data collection.

Blue Labs will only use personal information as required or permitted by applicable law. BlueLabs may use and disclose personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. This may include disclosures of personal information in response to lawful requests by public authorities, including disclosures for national security or law enforcement requirements.

III. PROCESSING CONTRACTS
All contracts with clients/controllers involving the processing of personal information transferred from Member States shall set forth BlueLabs' obligations as a processor including that BlueLabs shall:
• Only process personal data upon instruction from the controller unless otherwise required to do so by applicable law.
• Ensure that individuals processing the data have committed or are required to treat the data confidentially.
• Implement appropriate technical and organizational security measures.
• Obtain authorization from the controller to engage subcontractors and require subcontractors to agree to the same data protections agreed to by BlueLabs with the understanding that BlueLabs remains responsible for the actions of its subcontractors in performing BlueLabs obligations to the controller.
• Assist the controller insofar as possible in fulfilling the controller's obligations to respond to requests by data subjects exercising their rights including the data subjects' rights to access, correction, deletion, restriction of processing, data portability, and objection; except to the extent such rights may be limited by law including laws designed to safeguard national security, defense, public security, criminal proceedings, and judicial proceedings.
• Assist the controller insofar as possible in fulfilling the controller's obligations to provide notice in the case of a personal data breach.
• At the choice of the controller, delete or return all personal data to the controller after the end of the provision of services and delete all copies unless otherwise required by law.
• Make information available to the controller necessary to demonstrate the controller's compliance with applicable law.
• Allow audits and inspections by the controller to demonstrate compliance except as otherwise required by applicable law.

IV. CHOICE AND CONSENT
Data subjects may be asked to consent to use of their personal data unless such consent is not required.

BlueLabs offers data subjects the opportunity to choose whether their personal information is to be disclosed to a third party or used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the data subject, unless the use or disclosure is otherwise permitted or required by applicable law. BlueLabs will not use or disclose personal information for any use or purpose not authorized by contract with a client/controller or not described in the notice provided by the client/controller or notice provided by BlueLabs without the data subject's express consent, unless otherwise permitted or required by applicable law.

This consent shall be freely given, specific, informed and an unambiguous indication of the data subject's wishes. The consent shall take the form of a statement or clear affirmative action, signifying agreement to the processing of personal data. The consent may take the form of ticking a box electronically or another statement or conduct which clearly indicates acceptance (Opt-In). Silence, pre-ticked boxes and inactivity does not constitute consent and will not be used by BlueLabs.

Once this consent has been given, data subjects may withdraw this consent to disclose personal information to a third party or use personal information for a purpose other than the purpose for which it was originally collected or subsequently authorized (Opt-Out). To withdraw consent, data subjects must submit a request to the BlueLabs Privacy Officer/Data Protection Officer at info@bluelabs.com. The withdrawal of consent will be processed without undue delay after receipt of the request. The withdrawal does not impact the lawfulness of any processing that occurred prior to the withdrawal.

Minors may not consent to use and disclosure of their personal data unless authorized by applicable law to consent to such use and disclosure on their own behalf. Adults may consent on behalf of children if they are the legal parent, guardian or personal representative in accordance with applicable laws. Individuals who consent to the use and disclosure of personal data represent that they have the legal authority to do so. We will delete any personal information collected based upon consent that we later know to be from a person not authorized to consent to the use and disclosure.

V. ONWARD TRANSFERS TO SUBCONTRACTORS
Should BlueLabs contract with another processor ("subcontractor") to provide any of the services BlueLabs provides to clients/controllers, BlueLabs will enter into a contract with that subcontractor that provides that the subcontractor may have access to personal information only for purposes of performing these tasks on our behalf. BlueLabs will obtain assurances from the subcontractor that the subcontractor will safeguard personal information consistently with this Privacy Shield Policy. Appropriate assurances will be obtained under contract obligating the subcontractor to provide at least the same level of protection as is required by the relevant Privacy Shield Framework Principles, and other applicable law including GDPR. BlueLabs remains liable for the acts and omission of its subcontractors.

VI. SECURITY
BlueLabs follows generally accepted industry standards to protect personal information when it is stored or processed by BlueLabs. BlueLabs has implemented security safeguards to protect personal information regardless of the format in which it is held, against loss or theft, unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. BlueLabs uses safeguards that are appropriate to the sensitivity of the information.

BlueLabs uses security measures to ensure that personal information is being appropriately protected including, by way of example, the following:
1. Physical measures such as locked filing cabinets, drawers and offices, and restricted access to offices;
2. Organizational measures such as limiting access on a “need to know” basis and requiring service providers to provide comparable security measures; and
3. Technological measures such as the use of fine-grained access control, strong passwords, encryption, and internet firewalls.

When disposing of or anonymizing personal information, BlueLabs will use appropriate security measures to ensure that personal information is not inappropriately used.

BlueLabs will, on a regular basis, review and update security policies and controls as technology changes to ensure ongoing personal information security.

No method of electronic storage is 100% secure. Therefore, while BlueLabs strive to use commercially acceptable means to protect personal information, BlueLabs cannot guarantee its absolute security.

VII. DATA INTEGRITY AND PURPOSE LIMITATION
Personal information that is collected and processed by BlueLabs is limited to the information relevant for the purpose of the processing for which it was originally collected or subsequently authorized by the data subject, unless the use or disclosure is otherwise permitted or required by applicable law or unless the data subject has expressly consented to processing for other purposes. BlueLabs takes reasonable steps to ensure that personal information is reliable for its intended use, accurate, complete, and current and shall do so for as long as BlueLabs retains the information.

VIII. INDIVIDUAL RIGHTS
The Privacy Shield Framework Principles and the GDPR give data subjects' certain rights with respect to their personal information. These rights include the right to access, correct, delete, restrict, and move personal information subject to certain requirements, restrictions, and exceptions. Data subjects may also object to the processing of personal data under certain circumstances. Data subjects also have certain rights with respect to automated decision- making including profiling. As set forth in this Privacy Shield Policy, BlueLabs will provide data subjects their rights as required by law and subject to the requirements, restrictions and exceptions set forth in the Privacy Shield Framework and GDPR.

In order to request access, correction, deletion, restriction, or movement; or in order to object to processing or automated decision making, please email the BlueLabs Privacy Officer/Data Protection Officer at info@bluelabs.com. BlueLabs may need to verify your identity prior to granting any such request.

A. Access
Upon request, BlueLabs will, as required by applicable law or if required by its contracts with clients/controllers, grant individuals reasonable access to personal information that it holds about them. BlueLabs will assist controllers in fulfilling requests by individuals for access to their information that is being processed by BlueLabs. A copy of personal data undergoing processing must be provided to data subjects by controllers without charge. Controllers may charge a reasonable fee for additional copies. An individual's right to access may be limited if it would adversely affect the rights and freedoms of others.

B. Correction
Upon request, BlueLabs will, as required by applicable law or if required by its contracts with clients/controllers, permit individuals to correct or amend information without undue delay that is demonstrated to be inaccurate or incomplete. As a processor, BlueLabs will assist controllers in fulfilling requests by individuals for correction or amendment. Taking into account the purposes of the processing, data subjects have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

C. Deletion
Upon request, BlueLabs will delete information without undue delay as required by applicable law or if required by its contracts with clients/controllers. As a processor, BlueLabs will assist controllers in fulfilling requests by individuals for deletion. The right to have personal information deleted is subject to certain conditions, including but not limited to: the data is no longer necessary for the purposes for which it was collected or processed; the data subject withdraws consent when the processing is based on consent and there are no other legal grounds for processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; and the data have been unlawfully processed. Under certain circumstances under the law, data cannot be deleted, including but not limited to when processing is necessary for: public health, scientific research or statistical purposes, and defense of legal claims.

D. Restriction
Upon request, BlueLabs will restrict the processing of information as required by applicable law or if required by its contracts with clients/controllers. As a processor, BlueLabs will assist controllers in fulfilling requests by individual for restrictions. Restrictions may be requested, for example, when: the accuracy of the personal data is contested; the processing is unlawful and the data subject prefers restriction to deletion; the data is no longer needed for processing but is still needed for defense of legal claims; or there is a question whether the processing overrides the interests of the data subject.

E. Data Portability
Under certain circumstances, data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the initial controller. If technically feasible, data subjects may have the data transmitted directly from one controller to another. The right to portability must not adversely affect the rights and freedom of others. As a processor, BlueLabs will assist controllers in movement of the data for these purposes as applicable.

F. Objection
Data subjects have the right to object to the processing of personal data under certain circumstances including the right to object at any time to the processing of personal data for direct marketing purposes. Once a data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.

Data subjects also have certain rights with respect to automated decision-making including profiling. A data subject has the right, under certain circumstances, not to be subject to profiling which produces legal effects for the data subject. This right does not apply if the profiling is necessary to perform a contract between the data subject and controller, is authorized by law, or is based on the data subject's explicit consent.

Upon request, BlueLabs will restrict the processing of information in accordance with the data subject's exercise of the right to object as required by applicable law or if required by its contracts with clients/controllers. As a processor, BlueLabs will assist controllers in fulfilling such requests by individuals.

IX. RECOURSE, ENFORCEMENT AND LIABILITY
In compliance with Privacy Shield Principles, BlueLabs commits to resolve complaints about the collection or use of personal information. Individuals with inquiries or complaints regarding this Privacy Shield Policy or regarding the use or disclosure of personal information should first contact BlueLabs Privacy Officer/Data Protection Officer at:
Chris Wegrzyn, Privacy Officer/Data Protection Officer
BlueLabs Analytics, Inc.
info@bluelabs.com

BlueLabs will investigate and attempt to resolve complaints regarding use and disclosure of personal information by reference to the principles contained in this Privacy Shield Policy.

BlueLabs has further committed to cooperate with the panels established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from Member States.

BlueLabs has further committed to refer unresolved privacy complaints under the Privacy Shield to the DPAs or FDPIC as applicable. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by BlueLabs, please contact the DPA or FDPIC for more information and to file a complaint.

The EU DPA panel may be contacted at ec-dppanel-secr@ec.europa.eu and the EU DPA may be contacted directly via the information provided at http://ec.europa.eu/justice/data- protection/bodies/authorities/third-countries/index_en.htm. Fax: (32-2)296 80 10. Telephone (32-2)295 17 86. Mail: Data protection panel secretariat, Rue de Luxembourg 46 (01/126), B- 1000 Brussels, BELGIUM.

The Swiss FDPIC may be contacted directly via the information provided at https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html. By mail at Office of the Federal Data Protection and Information Commissioner FDPIC, Feldeggweg 1 CH 3003 Berne. Telephone +41 (0)58 462 43 95 (Monday-Friday 10-12am). Telefax: +41 (0)58 465 99 96.

The dispute resolution process shall be conducted in English.

The United States Federal Trade Commission (FTC) is the statutory body that has jurisdiction to hear any claims against BlueLabs regarding possible unfair or deceptive practices and violations of U.S. laws or regulations governing entities certified under Privacy Shield. In connection with its certification under Privacy Shield, BlueLabs is subject to the investigatory and enforcement powers of the FTC.

Arbitration may be invoked for complaints that remain unresolved after: (1) submitting a complaint to BlueLabs does not resolve the complaint; (2) submitting a complaint to an independent dispute resolution mechanism established by the EU DPA or Swiss DPA does not resolve the complaint; and (3) allowing the U.S. Department of Commerce an opportunity to resolve the issue. If these prerequisites for arbitration have been met, you can submit the matter to binding arbitration of the Privacy Shield Panel. The remedies from this arbitration are limited to individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual. No damages, costs, fees, or other remedies are available from this arbitration. Each party bears its own attorney's fees for arbitration.

X. LIMITATIONS & AMENDMENTS
Adherence by BlueLabs to the Privacy Shield Principles may, as permitted, be limited (a) to the extent required to respond to a legal obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
This Policy may be amended from time to time, in a manner consistent with the requirements of the Privacy Shield Principles and GDPR. BlueLabs will post any revised policy on the Site. We encourage visiting the BlueLabs website periodically to check for updates.