Introduction
When it comes to your Personal Data (“Personal Data”), Carol Gray LLC. and all subsidiaries (“Carol Gray LLC,” “we,” and “us”), as well as our employees, contractors and service providers, are committed to transparency and choice. Carol Gray LLC is committed to providing reliable and trustworthy information to our customers using a variety of means that are supported by a comprehensive privacy program. We aim to process Personal Data in accordance with applicable legislation, while taking into account and transparently balancing the interests of our customers.
This Privacy Statement (“Statement”) provides an overview of how Carol Gray LLC, via our website and services, handles privacy and of how we protect your Personal Data.
This Privacy Statement applies to the Carol Gray LLC website and services that link to or reference this Statement and describes how we handle Personal Data and the choices available to you regarding collection, process, access and how to update, correct and delete your Personal Data. Additional information on our Personal Data practices may be provided in offer descriptions, contractual terms, supplemental privacy statements or notices provided prior to or at the time of data collection. When applicable, certain Carol Gray LLC services may have additional, specific privacy notices that describe how we handle Personal Data for those services. If any other privacy notices conflict with this Privacy Statement, such specific notice will take precedence.
If you are in the European Economic Area, and unless stipulated otherwise contractually, the Controller of your Personal Data is Carol Gray LLC.
What This Statement Covers
This Statement describes the following general aspects of our collection and processing of Personal Data concerning you.
• What Personal Data we collect;
• How Personal Data is used and for what purposes;
• When and why Personal Data is transferred to third parties;
• How we maintain the accuracy, integrity and security of your Personal Data;
• How your Personal Data is retained and destroyed;
• What individual rights are available to you as they pertain to your Personal Data;
• Where applicable, how we may process the Personal Data of children under 13 years of age; and
• Whom you can contact if you have any questions regarding the use of your Personal Data.
Personal Data We Collect
When you visit and use our website, we may collect data or ask you to provide certain data, including Personal Data, about you as you use our website and interact with us, for the purpose of helping us manage our relationship with you. “Personal Data” is any data relating to an identified or identifiable individual and may include name, address, e-mail address, phone number or marketing preferences. If we link other data with your Personal Data, we will treat that linked data as Personal Data. We also collect Personal Data from trusted third-party sources and engage third parties to collect Personal Data to assist us. This data may include the following:
• Contact details, such as name, mailing address, e-mail address and phone number, in order to manage our business relationship;
• Administrative data, including all data submitted through the hiring process and employment relationship, in order to maintain our business and personnel records;
• Data you provide to us to receive technical assistance or during customer service interactions in order to fully perform under any contract
• Data about your computer or device, including browser type and settings, IP address and traffic data relating to your Internet connection.
• Biometric screening data, as it pertains to pandemic safeguards.
When you choose to provide us with Personal Data about third parties, we will only use this data for the specific reasons for which you elect to provide it. It is your responsibility to ensure that, when you disclose to Carol Gray LLC Personal Data of individuals other than yourself—such as your contacts, your users or other third parties—you abide by applicable privacy and data security laws, including informing users and third parties that you are providing their Personal Data to Carol Gray LLC, informing them of how it will be transferred, used or processed and securing appropriate legal permissions and safeguards required for such disclosures, transfers and processing. If you choose to provide Carol Gray LLC with a third party’s Personal Data (such as name, e-mail and phone number), you represent that you have the third party’s permission to do so. Examples include forwarding reference or sending job referrals. You also acknowledge that, when we interact with such third-party individuals whose Personal Data you share with us, it is our duty to inform them that we obtained their Personal Data from you. Where applicable, third parties may unsubscribe from any future communication following the link provided in the initial message or as indicated in the “Contact Us” section of this Statement. If you believe that one of your contacts has provided us with your Personal Data and you would like to request that it be removed from our database, please contact us at carol@carolgray.com.
How We Process Your Personal Data
We use your Personal Data for the purposes and on the grounds outlined below.
On the basis of fulfilling our contract with you or entering into a contract with you on your request, we use your Personal Data to:
• Verify your identity and entitlement to products or services when you contact us or access our services;
• Process your transactions;
• Update you on the status of your orders or engagements;
• Allow you to access services you purchase;
• Manage your subscriptions; and
• Provide you with technical and customer support.
On the basis of your consent, we use your Personal Data to:
• Subscribe you to a newsletter or to technical alerts;
• Send you marketing communications and information on new services;
• Communicate with you about, and manage your participation in, contests, offers or promotions;
• Solicit your opinion or feedback and provide opportunities for you to test software; and
• Provide you with interest-based ads on sites other than our own.
On the basis of legal obligations, we are obligated to, for instance, keep records for tax purposes or answer compelling orders for and provide information to public authorities.
On the basis of our legitimate interest in the effective delivery of our services and communications to you, as well as to our other customers and partners, we use your Personal Data to:
• Communicate commercial promotions and provide quotes for products and services;
• Evaluate and improve the performance and quality of our services and website;
• Provide you with a customized experience when you visit our website;
• Allow interoperability within our applications;
• Secure our systems and applications;
• Allow for the provisioning of services;
• Enforce our legal rights; and
• Share your data with partners for sales conversions and lead generation.
We will only process any special categories of Personal Data (“Sensitive Personal Data”) relating to you for the specific purposes outlined above or in relevant Product Notices because either:
• You have given us your explicit consent to process that data;
• The processing is necessary to carry out our obligations under employment, social security or social protection law;
• The processing is necessary for the establishment, exercise or defense of legal claims; or
• You have made the data public.
On the basis of our legitimate interest, we and our third-party partners may combine the data we collect from you over time from our website and services with data obtained from other sources. We combine your data with other sources to improve user experience on our websites and with the services we provide. In some instances, Gray LLC and the third parties we engage may automatically collect data through cookies, web logs and other similar applications. This data is used to better understand and improve the usability, performance and effectiveness of our website and services to help tailor content or offers for you. Please reference the “Tracking Technologies, Cookies & Do-Not-Track” section below for more information.
On the basis of legitimate interest, we process Personal Data for network and information security purposes. Pursuant to Recital (49) of the EU General Data Protection Regulation (“GDPR”), organizations have a recognized legitimate interest in collecting and processing Personal Data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security. According to said Recital (49), network and information security means the ability of a network or of an information system to resist events, attacks or unlawful or malicious actions that could compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data or that could compromise the security of the related services offered by, or accessible via, those networks and systems.
It is in our legitimate interests, as well as in those of our customers, as laid down in Article 6(1)(f) of the GDPR, to collect and process Personal Data to the extent strictly necessary and proportionate for the purpose of securing our networks and information systems. This security includes the development of threat intelligence resources aimed at maintaining and improving on an ongoing basis the ability of networks and systems to resist unlawful or malicious actions and other harmful events (“cyber-threats”). The Personal Data we process for said purposes includes, without limitation, network traffic data related to cyber-threats, such as the following:
• Sender e-mail addresses (e.g., of sources of SPAM);
• Recipient e-mail addresses (e.g., of victims of targeted e-mail cyber-attacks);
• Reply-to e-mail addresses (e.g., as configured by cybercriminals sending malicious e-mail);
• Filenames and execution paths (e.g., of malicious or otherwise harmful executable files attached to e-mails);
• URLs and associated page titles (e.g., of web pages broadcasting or hosting malicious or otherwise harmful contents); and/or
• IP addresses (e.g., of web servers and connected devices involved in the generation, distribution, conveyance, hosting, caching or other storage of cyber-threats such as malicious or otherwise harmful contents).
Depending on the context in which such data is collected, it may contain Personal Data concerning you or any other data subjects. However, in such cases, we will process the data concerned only to the extent strictly necessary and proportionate to the purposes of detecting, blocking, reporting (by removing any personally identifiable elements) and mitigating the cyber- threats of concern to you and to all organizations relying on our services to secure their networks and systems. When processing Personal Data in this context, we will not seek to identify a data subject unless doing so is strictly indispensable to the remediation of the cyber-threats concerned or required by law.
If you believe that your Personal Data was unduly collected or is unduly processed by Carol Gray LLC for such purposes, please refer to the “Your Rights” and “Contact Us” sections below. Please be aware that, if it is determined that Personal Data concerning you is processed by Carol Gray LLC because is it necessary for the detection, blocking or mitigation of convicted cyber-threats, in line with GDPR Article 21(1), objection, rectification or erasure requests may be rejected. It is in our compelling legitimate interests to protect our organization and our customers from cyber-threats; therefore, our interest may override your objection, rectification or erasure requests until you demonstrate the measure necessary to dissociate your Personal Data from any identified cyber-threat.
Marketing and Networking
Carol Gray LLC has a legitimate interest in promoting our commercial offerings and in optimizing the delivery of communications to that effect to our customers and audiences who are most likely to find them relevant. We will therefore collect and process data to that end as explained below. However, where we are legally required to obtain your consent to provide you with certain marketing materials, we will only provide you with such marketing materials when we have obtained the necessary consent from you. If you do not want to continue receiving any marketing materials from us, you can click on the unsubscribe function in the communication or e-mail.
Messages
In addition to the purposes described above, we may, in compliance with applicable legal requirements, use your Personal Data to provide you with advertisements, promotions and information about products and services tailored to you and your needs. Examples of such data include demographic data or trend data provided by third parties, where permitted. Contact details, including phone numbers, mail and e-mail addresses, may be used to contact you. If you do not want us to use your Personal Data in this way, you can simply choose not to consent to such use of your data on the webpages and/or forms through which such Personal Data is collected. You can also exercise this right at any time by contacting us as explained below.
Interest-Based Ads
We may provide your data, including the data about your interests in our services, to Third Parties for the purposes of serving you more relevant ads. Where we provide you with interest-based ads on a site other than our own, we do not track your other activities on that site. If you click on our ads, we will know only the domain you came from. For more information, please see the Tracking Technologies, Cookies & Do-Not-Track section below.
Data From Third Parties
Third parties may provide us with Personal Data that they have collected from you or from further online and offline sources about you, such as marketing data from our partners and third parties that is combined with information we already have about you, to provide you with more relevant communications and better-tailored offers. We make reasonable efforts to verify that the third parties we engage for such purposes are reputable and law-abiding, and we will not solicit them to disclose to us Personal Data we do not have a lawful purpose to collect and process. However, we are not liable for any processing of your Personal Data by such third parties prior to, during or after their providing it to us. We may combine such Personal Data with the Personal Data we already have about you to provide you with a better experience, evaluate your interest in our services or improve the quality of our offerings.
Carol Gray LLC Community (Website, Blog and Networking Sites)
We operate the Carol Gray LLC website and related information services to better assist you in using our services, discussing technical issues and sharing your experiences. You should be aware that any data you provide in these public forums will not be kept confidential, as it may be read, collected and used by others who access them. To request removal of your Personal Data from any forum, contact us here. In certain circumstances, we may not be able to remove your Personal Data, in which case we will let you know why. Your use of these other services may be subject to additional terms and conditions.
Tracking Technologies, Cookies & Do-Not-Track
Cookies
A cookie is a commonly used automated data collection tool. Cookies are small text files that are placed on your computer or device by websites that you visit or by HTML-formatted e-mails that you open in order to make websites work, or work more efficiently.
We and our partners may use cookies, web beacons, pixel tags, scripts or other similar technologies on our website or e-mails to:
• Ensure the proper functioning of our website and the proper delivery of legitimate electronic communications;
• Tailor information presented to you based on your browsing preferences, such as language and geographical region;
• Collect statistics regarding your website usage;
• Provide us with business and marketing information; and
• In some cases, enable a third party to deliver future advertising for our services to you when you visit certain websites owned by third parties.
We use different kinds of cookies, outlined below.
Essential cookies are necessary to provide you with services and features available through our website.
Analytics or customization cookies collect data that is used either in aggregate form to help us understand how the website is being used or how effective our marketing campaigns are or to help us customize the website for you.
Advertising cookies and tracking scripts are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly delivered and, in some cases, featuring ads based on your interests. If your website includes a cookie management tool, you will find a hover button at the bottom of your screen.
If you do not wish to receive cookies, you may be able to refuse them by not agreeing to the use of them upon entering the website. If you do so, we may be unable to offer you some of our functionalities, services or support. If you have previously visited our websites, you may also have to delete any existing cookies from your browser.
We gather certain data automatically and store it in log files. This data may include Internet Protocol (IP) addresses, browser type, Internet Service Provider (ISP), referring/exit pages, operating system, date/time stamp and/or clickstream data. We may combine this log data with other data we collect about you. We do this to improve the services we offer you and to improve marketing, analytics or site functionality.
We use local storage, such as HTML5, to store content data and preferences. Third parties with whom we partner to provide certain features on our website or to display advertising based upon your web browsing activity also use HTML5 to collect and store data. Various browsers may offer their own management tools for removing HTML5 content.
Do-Not-Track
There are different ways you can prevent tracking of your online activity. One of these methods is setting a preference in your browser that alerts websites you visit that you do not want them to collect certain data about you. This is referred to as a Do-Not-Track (“DNT”) signal. Please note that our website may not recognize or act in response to DNT signals from web browsers. At this time, there is currently no universally accepted standard for what a company should do when a DNT signal is detected. In the event a final standard is established, we will assess how to appropriately respond to these signals. For more detailed information about cookies, Do-Not- Track and other tracking technologies, please visit allaboutcookies.org and allaboutdnt.com.
Third-Party Data Collection
Cookies may also be placed by third parties to deliver tailored information and content which may be of interest to you, such as promotions or offerings, when you visit third-party websites after you have left our website. We do not permit these third parties to collect Personal Data about you (e.g., e-mail address) beyond such cookies on our site.
Social Media Features and Widgets
Our website includes social media features, such as Twitter, Facebook and LinkedIn, that run on our site. These features are usually recognizable by their third-party brand or logo and may collect your IP address, remember which page you are visiting on our website and set a cookie to enable the feature to work properly. Social media features and widgets are either hosted by third parties or hosted directly on our site. Your interactions with these features are governed by the privacy policy of the company providing them.
Automated Individual Decision-Making and Profiling
Where Carol Gray LLC processes network traffic data for the purposes of network and information security based on our or our customer’s legitimate interest (as outlined in the corresponding section of this Statement), automated decisions concerning particular data elements may occasionally be made. These decisions could involve, in particular, assigning relative cybersecurity reputation scores to IP addresses and URLs based on objective cyber-threat indicators measured by our cyber-threat detection engines. Such indicators may be, for instance, the determination that malicious or otherwise harmful contents are hosted at a given URL or are emanating from a given IP address. Such automatically assigned reputation scores may be leveraged by you, by Carol Gray LLC, by our partners and by other customers to detect, block and mitigate the identified cyber-threats. These scores could therefore result in our services blocking network traffic coming from or going to such URLs and IP addresses. No such processing is intended to produce any other effect than protecting you, Carol Gray LLC our partners and our customers from cyber-threats. Should you nevertheless consider that such automated processing is unduly affecting you in a significant way, please contact directly the relevant data controller whose use of our services is thus impacting you. In the case that the data controller is Carol Gray LLC, please refer to the “Your Privacy Rights” and “Contact Us” sections of this Statement to raise your concerns and to seek our help in finding a satisfactory solution.
How We Disclose Your Personal Data
We do not sell, lease, rent or give away your Personal Data. We only disclose your Personal Data as described below: within Carol Gray LLC, with our partners, with service providers that process data on our behalf and with public authorities, as required by applicable law. Processing is only undertaken for the purpose described in this Statement. If we disclose your Personal Data, we require its recipients to comply with adequate privacy and confidentiality requirements and with security standards.
Partners
We may provide your Personal Data to our partners for the purpose of allowing them to conduct Carol Gray LLC business. Our partners go through our third party risk management and assessment process and only after that are they authorized to promote and sell our services. Our partners may use your Personal Data to communicate with you and others about Carol Gray LLC services. If you do not wish to receive promotional e-mails from our partners, you can unsubscribe directly using the unsubscribe link or tool provided in the partner’s e-mail or other communication to you.
Service Providers Processing Data on Our Behalf
We may use contractors and service providers to process your Personal Data on our behalf for the purposes described in this Statement. We contractually require service providers to keep data secure and confidential, and we do not allow our data processors to disclose your Personal Data to others without our authorization or to use it for their own purposes. However, if you have an independent relationship with these service providers, their privacy statements will apply to such relationships.
Public Authorities
In certain instances, it may be necessary for Carol Gray LLC to disclose your Personal Data to public authorities or as otherwise required by applicable law. No Personal Data will be disclosed to any public authority except in response to:
• A subpoena, warrant or other process issued by a court or other public authority of competent jurisdiction;
• A legal process having the same consequences as a court-issued request for data, in that if Carol Gray LLC were to refuse to provide such data, it would be in breach of local law, and it or its officers, executives or employees would be subject to liability for failing to honor such legal process;
• A situation where such disclosure is necessary for Carol Gray LLC to enforce its legal rights pursuant to applicable law;
• A request for data with the purpose of identifying and/or preventing credit card fraud; or
• A situation where such disclosure of Personal Data is necessary to prevent or lessen a serious and imminent threat of bodily or other significant harm to the data subject or to other individuals potentially concerned.
Cross-Border Transfers of Personal Data Among Carol Gray LLC Entities and to Third-Party Vendors
Carol Gray LLC is a global company, and, as such, we process data in many countries. To conduct our business, and in accordance with this Statement, your Personal Data may be transferred to Carol Gray LLC. in the United States and to subsidiaries and third-party vendors of Carol Gray LLC. located worldwide. All transfers will occur in compliance with data transfer requirements of applicable laws and regulations. Where Personal Data originating from the European Economic Area is transferred to Carol Gray LLC entities or to third-party vendors engaged by Carol Gray LLC to process such Personal Data on our behalf who are located in countries that are not recognized by the European Commission as offering an adequate level of Personal Data protection, such transfers are covered by alternate appropriate safeguards, specifically standard data protection clauses adopted by the European Commission. If applicable to you, you may obtain copies of such safeguards by contacting carol@carolgray.com.
In the process of continuing to develop our business, we may also occasionally acquire subsidiaries or other business entities. As a result of such transactions, and in order to maintain a continued relationship with you, we may transfer your Personal Data to a related affiliate.
If we are involved in a reorganization, merger, acquisition or sale of our assets, your Personal Data may be transferred as part of that transaction. We will notify you of any such deal and outline your choices in that event.
How We Protect Your Personal Data
Safeguards
We take reasonable and appropriate administrative, technical, organizational and physical security and risk management measures in accordance with applicable laws to ensure that your Personal Data is adequately protected against accidental or unlawful destruction, damage, loss or alteration, unauthorized or unlawful access, disclosure or misuse and all other unlawful forms of processing of your Personal Data in our possession.
Securing Personal Data is an important aspect of protecting privacy. Our security organization applies policies, standards and supporting security controls at the level appropriate to the risk level and services provided. In addition, appropriate security controls are communicated to application owners and technology teams across the business to support a secure operating environment.
We pay specific attention to the protection of Personal Data and the risks associated with processing this data by taking necessary security measures.
These measures include the following:
Physical safeguards – We lock doors and file cabinets, control access to our facilities, implement a clean desk policy and apply secure destruction to media containing your Personal Data.
Technology safeguards – We use network and information security technologies, such as Symantec anti-virus and endpoint protection software, encryption, intrusion detection and data loss prevention, and we monitor our systems and data centers to ensure that they comply with our security policies.
Organizational safeguards – We conduct regular company-wide, as well as role-specific and targeted, training and awareness programs on security and privacy to make sure that our employees and contractors understand the importance of protecting your Personal Data and that they learn and maintain the necessary knowledge and skills effectively to protect it in practice. Our organizational privacy policy and standards also guide our handling of your Personal Data.
Personal Data Breaches
Carol Gray LLC takes every reasonable measure to prevent Personal Data breaches. When these do occur, we have a process in place to take swift action within our responsibilities. These actions will be consistent with the role we have in relation to the products, services or processes affected by the breach. In all cases, we will work together with affected parties to minimize effects, to make all notifications and disclosures that are required by applicable law or that are otherwise warranted and to take action to prevent future breaches. We systematically outline responsibilities in case of Personal Data breaches in our contracts, both with our customers and with our vendors.
Storage of Your Personal Data
The data we collect from you may be stored, with risk-appropriate technical and organizational security measures applied to it, on in-house and third-party servers in the United States, in the United Kingdom and anywhere Carol Gray LLC or our vendors operate.
Links to Other Websites
Our website may contain links to other websites that are owned or operated by other companies. If you choose to visit any linked websites, we encourage you to review their privacy statements carefully, as they may differ from ours. We are not responsible for the content or privacy practices of websites that are owned by companies that are not within the Carol Gray LLC group of companies. Our website may also link to co-branded websites that are maintained by Carol Gray LLC and one or more of our business partners who are collecting your Personal Data pursuant to their own privacy practices. We encourage you to read the privacy statements on any co-branded site to which you link for information about the privacy practices of that site.
Children’s Privacy
Our website is not directed to, nor do we knowingly collect data from, children under 13 years of age, except where explicitly described otherwise in the privacy notices of products and services designed specifically to assist you by providing child online protection features. In such cases, we will only collect and process Personal Data related to any child under 13 years of age which you choose to disclose to us or otherwise instruct us to collect and process.
Managing Your Personal Data
How Long We Retain or Store Your Personal Data
We will hold your Personal Data on our systems for the longest of the following periods:
• As long as necessary to maintain our ongoing business relationship, or as needed to provide you with the products, services or information which you are entitled to or can otherwise reasonably expect to receive from us;
• For as long as necessary for the purpose for which we collected it or for which you supplied it to us in accordance with any product- or service-relevant activity or process;
• Any retention period that is necessary to comply with our legal obligations, to resolve disputes or to enforce our agreements; or
• The end of the period in which litigation or investigations might arise in respect to our business relations or other interactions with you.
For the sake of clarity, where Carol Gray LLC is a data controller processing your Personal Data for our own purposes, your Personal Data will be deleted or de-identified when it is no longer needed for its originally stated processing purposes or for any additional compatible purpose for which Carol Gray LLC may lawfully further process such data.
Moreover, where Carol Gray LLC is a data processor processing your Personal Data for the purpose and on the instructions of another data controller or data processor, we will comply with the time limits agreed with that other Controller or Processor unless we are compelled by applicable laws and regulations to delete such data sooner or to retain it further.
Your Privacy Rights
Subject to applicable laws, as an individual data subject, you may have the right:
• To ask us to provide you with information regarding your Personal Data we process concerning you;
• To rectify, update or complement inaccurate or incomplete Personal Data concerning you;
• To delete or request the erasure of Personal Data concerning you;
• In certain circumstances, to request that we restrict the way in which we process Personal Data concerning you;
• To withdraw any consent you may have given for us to process Personal Data concerning you;
• To object to our processing of Personal Data concerning you on the basis of our legitimate interests or those of third parties;
• To obtain of us the portability of Personal Data concerning you which we process using automated means on the basis of your consent or of a contract you have entered into with us; and
• In the European Economic Area, to lodge a privacy complaint with a supervisory authority if you are unhappy with the way we have handled your Personal Data or any privacy query or request that you have raised with us.
Where your exercise of any of the rights above is dependent on Carol Gray LLC’s action, we will abide by our legal obligation to take reasonable measures to ascertain your identity and the legitimacy of your request, and we may ask you to disclose to us any information necessary for that purpose. We will respond to legitimate requests within 1 (one) calendar month or 31 (thirty-one) calendar days (whichever is longer). In certain limited circumstances, we may need to extend our response period as permitted by applicable law. Pursuant to any such requests, we may retain certain data necessary to prevent fraud or future abuse or as otherwise required or permitted by law, including complying with legal obligations to which we are subject, as well as establishing, exercising and defending our legal claims.
If you reside in a Designated Country, you also have a right to lodge a complaint with your local data protection authority or with the Information Commissioner’s Office (ICO), our lead supervisory authority.
If you are a California resident under the age of 18, you may be permitted to request the removal of certain content that you have posted on our website. To make such a request, please contact us at carol@carolgray.com.
Non-discrimination
We will not discriminate against you for exercising your rights and choices under this policy or any applicable law.
Contact Us
To exercise any of your rights, or if you have any other questions or complaints about our use of your Personal Data and its privacy, write or e-mail our Privacy Team at the most convenient location below:
Carol Gray LLC
1414 NW 53rd Dr.
Portland, OR 97210
USA
email: carol@carolgray.com
Changes to This Statement
We reserve the right to revise or modify this Statement. In addition, we may update this Privacy Statement to reflect changes to our data practices. If we make any material changes, we will notify you by e-mail (sent to the e-mail address provided by you) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.