Adeption Privacy Shield Policy

This Policy is effective as of November 12, 2018.

Last updated: December 21, 2018.

Adeption complies with the EU-U.S. Privacy Shield Framework (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States in reliance on Privacy Shield. Adeption has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit  https://www.privacyshield.gov.

1. PRIVACY SHIELD OVERVIEW

The U.S. Department of Commerce and the European Commission as well as the Swiss Federal Council have agreed on a set of data protection principles and associated supplemental principles to enable U.S. companies to satisfy European Union (“EU”) and Swiss law requiring that Personal Data transferred from the EU and/or Switzerland to the U.S. be adequately protected (the “EU-U.S. Privacy Shield” and the “Swiss-U.S. Privacy Shield” respectively, together the “Privacy Shield”). The European Economic Area (the “EEA”), which as of the date of this Policy includes all member states of the EU and Iceland, Liechtenstein and Norway, and Switzerland have recognized the Privacy Shield as providing adequate protection of Personal Data.

Consistent with its commitment to protect personal privacy, Adeption has decided to voluntarily adhere to the principles set forth in the Privacy Shield (the “Privacy Shield Principles”). As such, Adeption has certified its compliance with the Privacy Shield Principles with the U.S. Department of Commerce.

For more information about the Privacy Shield Principles, please go to https://www.privacyshield.gov.

Should there be any conflict between the Privacy Shield Principles and this Policy, this Policy shall be interpreted to be consistent with the Privacy Shield Principles.

2. SCOPE

This Policy applies to all Personal Data received by Adeption in the United States from the EEA and/ or from Switzerland, either directly from individuals, from its affiliates or from other third party organizations, and in any format whatsoever, including electronic, paper or oral transmission.

3. DEFINITIONS

For purpose of this Policy, the following definitions shall apply:

Personal Data” and “Personal Information” means data about an identified or identifiable individual that are within the scope of the Directive 95/46/EC or the Swiss Federal Act on Data Protection, received by an organization in the United States from the European Union and/ or Switzerland, and recorded in any form. Personal Data includes all Sensitive Personal Data (as defined below).

Sensitive Personal Data” or “Sensitive Personal Information” means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual or, where received from a third party, data that is identified and treated as sensitive by the third party. Where Swiss individuals are concerned, “Sensitive Personal Data” or “Sensitive Personal Information” also includes ideological views or activities, and information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.

Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Adeption,” “we,” “our” or “us” means the legal entities Adeption is provided by: in the United States of America – KtoAct limited (US registered company); Rest of World – JumpShift Development Limited (New Zealand registered company).

4. PRIVACY PRINCIPLES FOR PROCESSING OF PERSONAL DATA RECEIVED FROM THE EEA AND/ OR SWITZERLAND

The privacy principles set forth in this Policy have been developed based on the Privacy Shield Principles.

4.1 NOTICE

Where Adeption collects Personal Data directly from individuals in the EEA and/ or Switzerland or receives it from its European or Swiss affiliates, it or its European or Swiss affiliates will inform those individuals about the purposes for which they collect and use Personal Data about them; the transfer of Personal Data to Adeption in the U.S., the types or identity of third parties to which Adeption discloses that information and the purposes for which it does so; and the choices and means Adeption offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Adeption, or as soon as practicable thereafter, and in any event before Adeption uses the information for a purpose other than that for which it was originally collected.

Adeption may from time to time process certain Personal Data about customers, business partners, suppliers, vendors, service providers, employees and candidates for employment, including information recorded and stored on various types of media, including electronic media.

Adeption will process these types of data in conformity with the Privacy Shield Principles and will continue to apply the Principles to personal data received under the application of the Privacy Shield as long as it holds this data.

Adeption may use the information We collect through individual’s use of the Services to:

Adeption may also share Personal Data with its third-party service providers for the sole purpose of, and only to the extent needed to, support Adeption’s or our customers’ business needs. We may also disclose Personal Data to other third parties when required to do so under law or by legal process. Third Party Agents are required to keep confidential Personal Data received from Adeption and may not use it for any purpose other than originally intended.

4.2 CHOICE

Adeption will offer individuals in the EEA or Switzerland the opportunity to choose (by either opt-out or opt-in) if their Personal Data is (a) to be disclosed to a third party, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.

For Sensitive Personal Data, Adeption will give individuals the opportunity to affirmatively and explicitly consent (opt-in) to permit Adeption to (a) disclose their Sensitive Personal Data to a third or (b) use Sensitive Personal Data for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.

Adeption will provide individuals with reasonable, clear and conspicuous and readily available mechanisms to exercise these choices.

4.3 ACCOUNTABILTY FOR ONWARD TRANSFER

Adeption will transfer Personal Data to third-party service providers only for limited and specific purposes. Adeption will obtain contractual assurances from its third-party service providers that they will safeguard Personal Data in a manner consistent with this Policy and that they will provide at least the same level of protection as is required by the relevant Privacy Shield Principles. Adeption recognizes its responsibility and potential liability for onward transfers to third-party service providers. Where Adeption has knowledge that an third-party service provider is using or disclosing Personal Data in a manner contrary to this Policy and/or the level of protection as required by the Privacy Shield Principles, Adeption will take reasonable steps to prevent, remediate or stop such use or disclosure.

If Adeption transfers Personal Information to third parties acting as a Controller, Adeption will apply the Notice and Choice principles and will obtain contractual assurance from these parties that they will provide the same level of protection as is required under the principles, unless a derogation for specific situations under European data protection law applies.

4.4 ACCESS

Upon request and in accordance with the Privacy Shield Principles, Adeption will grant individuals reasonable access to their Personal Data that is held by Adeption. In addition, Adeption will take reasonable steps to permit individuals to correct, amend, or delete their Personal Data that is demonstrated to be inaccurate, incomplete or processed in violation of the Privacy Shield Principles. In accordance with the Privacy Shield Principles, Adeption may limit or deny access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, where the legitimate rights of persons other than the individual would be violated or if necessary to safeguard important countervailing public interests (e.g., national security) or in other limited circumstances (e.g., disclosure would breach a legal or other professional privilege).

4.5 SECURITY

Adeption will take reasonable precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

4.6 DATA INTEGRITY AND PURPOSE LIMITATION

Adeption will use Personal Data only in ways that are compatible with the purposes for which it was originally collected or as subsequently authorized by the individual. Adeption will also take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. Adeption will adhere to the Privacy Shield Principles for as long it retains Personal Information received under its Privacy Shield certification.

4.7 RECOURSE, ENFORCEMENT AND LIABILITY

In compliance with the US-EU and Swiss-US Privacy Shield Principles, Adeption commits to resolve complaints about individual’s privacy and our collection or use of your personal information. EU and Swiss individuals with questions or concerns about the use of their Personal Data should contact us at: privacy@adeption.io

If individual’s question or concern cannot be satisfied through this process Adeption has further committed to refer unresolved privacy complaints under US-EU Privacy Shield and Swiss-US Privacy Shield to an independent dispute resolution mechanism operated by the International Centre for Dispute Resolution, the international division of the American Arbitration Association (ICDR-AAASM).

If individual does not receive timely acknowledgement of their complaint, or if their complaint is not satisfactorily addressed by Adeption, EU and Swiss individuals may bring a complaint before the ICDR-AAA EU and Swiss Privacy Shield program can befound at: http://go.adr.org/privacyshield.html. Finally, as a last resort and in limited situations, EU and Swiss individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

In the event that Adeption or such authorities determines that Adeption failed to comply with this Policy, Adeption will take appropriate steps to address any adverse effects arising directly from such failure and to promote future compliance.

5. LIMITATIONS

Adeption’s adherence to the Privacy Shield Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, e.g. in the course of lawful requests by public authorities (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable

6. CONTACT INFORMATION

Questions or comments regarding this Policy or our practices concerning Personal Data should be submitted to Adeption by mail or e-mail as follows:

Legal: KtoAct Limited.

981 Mission Street

San Francisco, CA, 94103

United States of America

e-mail: privacy@adeption.io

If you are a citizen of an EEA member state, you may also address any unresolved complaints to the panel of the EU Data Protection Authorities at the following address: http://ec.europa.eu/justice/data-protection/article-29/structure/dataprotectionauthorities/index_en.htm.

If you are a citizen of Switzerland, you may address any unresolved complaints to the Swiss Federal Data Protection and Information Commissioner at the following address: https://www.edoeb.admin.ch/org/00126/index.html?lang=en.

7. CHANGES TO THIS POLICY

This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles. Appropriate public notice will be given concerning such amendments.