CELERIUS GROUP, INC. PRIVACY SHIELD STATEMENT

Effective as of October 13, 2017

TABLE OF CONTENTS

Scope and Responsibility

Definitions

Types of Personal Data Collected

Purpose of Collection and Use

Security

Access

Onward Transfers of Personal Data

Third Party Disclosures

Changes to This Privacy Shield Statement

How to Contact the Celerius Group, Inc.

The Celerius Group, Inc. (“Celerius Group”) complies with the E.U.-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework set forth by the U.S. Department of Commerce with respect to the collection, use and retention of Personal Data transferred from the European Economic Area (“EEA”) and Switzerland to the United States as further described in the Scope section below. This Privacy Shield Statement outlines Celerius Group commitment to the Privacy Shield Principles (“Principles”) and practices for implementing the Principles. If there is any conflict between the terms in this statement and the Principles, the Principles shall govern. The Celerius Group’s Privacy Shield Certification can be found here. To learn more about the Privacy Shield Framework, please visit the U.S. Department of Commerce dedicated Privacy Shield website.

Scope and Responsibility

Celerius Group commits to comply with the Principles with respect to the Personal Data it receives from its Customers or their Users in the EEA and Switzerland in connection with the use of (i) Celerius Group’s applications (“Subscription Service”), (ii) related support service (“Support Service”), and (iii) expert service (including but not limited to professional services) (“Expert Service”) that Celerius Group provides to Customers. In this Statement, the Subscription Service, Support Service and Expert Service are collectively referred to as “Service.”

All employees of the Celerius Group that have access in the U.S. to Personal Data covered by this Statement are responsible for conducting themselves in accordance with this Statement and the Principles. Adherence by Celerius Group to this Statement may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations, but Personal Data covered by this Statement shall not be collected, used or disclosed in a manner contrary to this Statement without the prior written permission of the Celerius Group Chief Executive Officer (CEO).

Celerius Group employees responsible for engaging third parties to which Personal Data covered by this Statement will be transferred are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of the Principles, including any applicable contractual assurances required by Privacy Shield.

Definitions

For the purposes of this Statement:

“Cookies” means any file with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to a browser from a web site and transferred to a user’s device.

“Customer” means any entity that purchases the Service.

“Customer Data” means the electronic data uploaded into the “Subscription Service” or “Support Service” by or for a Customer or its Users.

“Log Data” means any information such as a computer’s Internet Protocol (IP) address, browser type, browser version, the pages of the Service that are visited, the time and date of a visit, the time spent on those pages and other statistics.

“Personal Data” means any information, including Sensitive Data, that is (i) about an identified or identifiable individual and (ii) received by Celerius Group in the U.S. from the EEA or Switzerland in connection with the Service.

“User” means an individual authorized by Customer to access and use the Service.

Types of Personal Data Collected

Celerius Group hosts and processes Customer Data and Log Data, including any Personal Data contained therein, at the discretion of and pursuant to the instructions of Celerius Group Customers and Users. Celerius Group also collects several types of information from Users and Customers, including:

  1. Information and correspondence of Customers and Users submitted to the Celerius Group in connection with the Service and other requests related to the Service.
  2. Information received from business partners in connection with Customers’ and Users’ use of the Service or in connection with services provided by business partners on their behalf, including configuration of the Service.
  3. Information received from third party services, such as Google Analytics that collect, monitor, and analyze information in order to increase functionality of the Service.
  4. Personal information that may include, but is not limited to email addresses, names and telephone numbers.
  5. Cookies are used to collect information in order to improve Celerius Group services. Browsers can be instructed to refuse all cookies or to indicate when a cookie is being sent. The Help feature on most browsers provide information on how to accept cookies, disable cookies or to notify when receiving a new cookie. If a browser does not affect cookies, it may prevent a user from being able to use some of the features of the Service. Accordingly, Celerius Group recommends enabling cookies.

Purposes of Collection and Use

Celerius Group may use Personal Data submitted by Customers and Users as necessary to provide the Service, including updating, enhancing, securing and maintaining the Service and to carry our Celerius Group’s contractual obligations to Customers. Celerius Group also obtains general information in connection with providing the Service and maintaining Celerius Group’s relationships with its Customers.

Security

Celerius Group takes reasonable, commercially-available, acceptable security procedures and practices appropriate to the nature of the information stored, in order to protect Personal Data covered by this Statement from unauthorized access, destruction, use, modification, or disclosure.

Onward Transfers of Personal Data

In the event the Celerius Group transfers Personal Data covered by this Statement to a third party acting as a controller, Celerius Group will do so consistent with any notice provided to Customers and Users and any consent they have given, any only if the third party provides contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Customers and Users, (ii) provide at least the same level of protection as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Celerius Group has knowledge about a third party acting as a controller is processing Personal Data covered by this Statement in a way that is contrary to the Principles, Celerius Group will take reasonable steps to prevent or stop such processing.

With respect to agents of Celerius Group, the Celerius Group will transfer only the Personal Data covered by this Statement needed for an agent to deliver to Celerius Group the requested product or service. Furthermore, the Celerius Group will:

  1. Permit the agent to process such Personal data only for limited and specified purposes.
  2. Require the agent to provide at least the same level of privacy protection as is required by the Principles.
  3. Take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with the Celerius Group’s obligations under the Principles.
  4. Require the agent to notify Celerius Group if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Principles, Celerius Group will take reasonable and appropriate steps to stop and remediate unauthorized processing.

Celerius Group remains liable under the Principles if an agent processes Personal Data covered by this Statement in a manner inconsistent with the Principles, except where Celerius Group is not responsible for the event giving rise to the damage.

Third Party Disclosures

Celerius Group employs third party companies and individuals, and therefore may disclose Personal Data that Customers and Users provide to the service on Celerius Group’s behalf:

  1. To subsidiaries and affiliates.
  2. To perform Service-related services and/to assist in analyzing how the Service is used.
  3. In the event Celerius Group sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation), in which case Personal Data held by Celerius Group about its Customers will be among the assets transferred to the buyer or acquirer. In such cases, Celerius Group will provide notice before Personal Data is transferred and/or becomes subject to a different Privacy Policy.
  4. If required to do so by law or legal process.
  5. In response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements.

Access

Customers and Users whose Personal Data is covered by this Statement have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of other persons other than the Data Subject would be violated).

Requests for access, correction, amendment, or deletion should be sent using the contact information indicated below.

Recourse, Enforcement, and Liability

Celerius Group’s participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission, the Department of Transportation or any other U.S. authorized statutory body.

In compliance with the Privacy Shield Principles, Celerius Group commits to resolve complaints about your privacy and our collection or use of your Personal Data free of charge. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact Celerius Group using the contact information below.

Questions or Complaints

Please direct any questions or complaints about the use or disclosure of EU and/or U.S. Personal Data to Celerius Group (see below for contact information). Celerius Group will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of EU and/or U.S. Personal Data within 45 days of receiving your complaint. If there an unresolved privacy or data use concern that has not been addressed satisfactorily, please contact the EU Data Protection Authority (DPA) Panel for resolution within the EU-U.S. Privacy Shield Framework and the Swiss Federal Data Protection and Information Commissioner (FDPIC) within the Swiss-U.S. Privacy Shield Framework. There is no cost to file a complaint.

 

Binding Arbitration

Customers may have the option to select binding arbitration for the resolution of a complaint under certain circumstances, provided they have taken the following steps:

  1. Raised the complaint directly with Celerius Group and provided the opportunity to resolve the issue;
  2. Made use of an independent dispute resolution mechanism; and
  3. Raised the issue through the relevant data protection authority (DPA) and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost.

For more information on binding arbitration, see U.S. Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration).

Changes to this Privacy Shield Statement

This Statement may be amended from time to time consistent with the requirements of the Principles. Appropriate notice regarding such amendments will be given.

How to Contact Celerius Group

To ask questions or comment about this Statement and privacy practices, or to update, change or remove Personal Data, contact Celerius Group at http://www.funnelenvy.com/contact/.