Effective Date: 2022-09-28
- what personal information we collect;
- how we collect it;
- how we use it;
- how and when we share it;
- how to change and/or delete data;
- terms specific to certain types of users, such as European and California users and children under 13;
- how to contact us.
Residents of the European Economic Area (“EEA”), which includes the member states of the European Union (“EU”), should consult the sections of this policy relating to the “EEA Residents” and “International Data Transfers” for provisions that may apply to them.
California residents should consult the section titled “Your California Privacy Rights” for rights that apply to them.
INFORMATION WE COLLECT
- Personal Information. “Personal Information” is information that may be used to directly or indirectly identify an individual (which in some cases, may include certain device information). The Personal Information we collect may include your (a) name, postal address, email address, and phone number; (b) Internet Protocol (IP) address, device ID or other persistent identifiers tied to your computer or device; (c) information about your third party accounts (“Third Party Accounts”) you may choose to provide us for integration and analytics purposes; and (d) information about your customers for the purpose of direct to consumer fulfillment.
In general, Personal Information we collect includes, but is not limited to:
- Personal Information needed for you to be able to use the Services, including for establishing an account, logging in, paying for subscription to the Services, and linking your Third Party Accounts;
- Personal Information to contact and respond to you, including to provide you with results of our analytics services, reply to your inquiries, and keep in touch with you regarding features or matters of interest regarding the Services;
- Un-identifiable and aggregated Personal Information pertaining to your visits to and use of the Services and Site that help us maintain the appropriate features, functionality and user experience;
- Your customer information for the purpose of direct to consumer fulfillment.
- Usage Data. “Usage Data” is information passively or automatically collected by us through your use of the Services. Usage Data may be collected using cookies, web beacons, page tags or similar tools. All Usage Data is anonymous transactional data that is not associated with any users as individuals. Such Usage Data may include: your Internet Protocol (IP) address, mobile identifiers, browser type, and internet service provider (ISP); your operating system; which of our web pages you access and how frequently you access them; referral or exit pages; click stream data; and the dates and times that you visit the Services or Site.
HOW AND WHEN WE COLLECT INFORMATION
- Personal Information. We collect Personal Information at the time you provide it to us. We collect Personal Information through sign-up forms and as part of your registration for an account, product, service, or promotion. In addition, we collect Personal Information from communications with site visitors as well as from third-party outside sources, including data brokers and aggregators.
- “Do Not Track” Requests. Some Web browsers have a “Do Not Track” feature that signals to websites that you do not want to have your online activity tracked. Because each browser communicates “Do Not Track” signals differently, we do not respond to “Do Not Track” signals at this time.
- "Customer Data" is collected at the time sales orders occur for the purpose of order fulfillment and is deleted within 30 days after order shipments.
HOW WE USE INFORMATION
- We may use your Personal Information and Usage Data to take actions you request and for the basic purposes of the Services. We may use your Personal Information in connection with other products or services we may offer, with our internal reporting for this site (such as security assessments), or to contact you with promotions regarding other products or services offered by us, our affiliated entities or our third party partners.
- We may also send you messages related to certain features or your activity on this site. We may also send you news or updates about changes to our Services. By default, you will receive these messages via email.
- We may use publicly available Personal Information posted on social media profiles, including photos, to assist us and our marketing partners with marketing and advertising activities and with contact management.
- We may use Usage Data without restriction in our sole discretion for administrative and optimization purposes, such as to improve the Services and personalize ads (as described more particularly below under “Targeted Advertising”).
- We may combine and use the Personal Information and Usage Data we collect from all services and products offered by us and our Affiliated Entities over various websites to provide, protect, and improve them, and to develop and offer new services and products. We will treat you as a single user of these combined services and products.
- We collect Customer Personally Identifiable Information solely for the purpose of fulfillment and tax reporting.
- We will never use Customer Personally Identifiable Information for anything other than these purposes.
- We will not use Customer Personally Identifiable Information for marketing or data mining purposes.
- We will not sell or share Customer Personally Identifiable Information with third parties.
- We will retain Customer Personally Identifiable Information for 30 days after shipment, after which it will be purged. Customer Personally Identifiable Information will be stored in a database with secure access roles in place.
HOW AND WHEN WE SHARE AND DISCLOSE INFORMATION
- General Disclosure Policy. We may share and disclose your Personal Information as described below. We may share and disclose Usage Data without restriction, such as in the ways described below.
- Affiliated Entities. “Affiliated Entities” are entities that we legally control (by voting rights) or that control us. We may provide your Personal Information and Usage Data to any affiliated entities we may have, including our subsidiaries.
- Service Providers. We may provide access to your Personal Information and Usage Data to trusted service providers that assist us with the operation and maintenance of the Service. For example, we may contract with third parties to facilitate purchases from the Services, process payments, host our servers, provide security, and provide production, fulfillment, optimization, analytics, reporting, and software maintenance and development services. Our service providers will be given access to your information only as is reasonably necessary to provide the services for which they are contracted.
- Successors. If we sell or otherwise transfer part or all of our business or assets to another organization, such as in the course of an acquisition, merger, bankruptcy or liquidation, we may transfer your Personal Information and Usage Data.
- Legal Process, Enforcement and Security Notice. We may disclose your Personal Information and Usage Data if we have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary (i) to satisfy any applicable law, regulation, legal process or enforceable governmental request (such as for example, to comply with a subpoena or court order), (ii) to detect, prevent, and address fraud or other illegal activity, and (iii) to investigate, respond to, or enforce violations of our rights or the security of this site.
- With Your Consent. We may share your Personal Information with other parties with your consent.
- Analytics Partners. We may participate with third party analytics partners to monitor and analyze Web traffic and to keep track of user behavior on this site.
- Transfer Outside Country of Residence. In general, any Personal Information we may collect may be stored and processed in our servers located in the United States or in any other country in which we, or our affiliates, subsidiaries, or agents maintain facilities. By using this site, you consent to any such transfer of Personal Information outside your country of residence to any such location.
HOW WE PROTECT YOUR INFORMATION
- All Personally Identifiable Information is encrypted at rest using OpenSSL and the AES-256-CBC cipher.
- Direct access to the database is not possible for anyone except from the 2 authorized IPs of database administrators within our organization.
- We use tools provided by our host, Google Cloud, to monitor, detect, and log any malicious activity on our servers. Google monitors (among many other things) access rates, response times, SSH connections, network activity, and abnormal activity. Our logs never contain PII. All server access is also restricted to the 2 authorized IPs of database administrators within our organization.
- All application changes are evaluated in a dedicated test environment before pushing to production
- All applications are scanned once every 180 days for vulnerabilities and every 365 days with a penetration test. We remediate any vulnerabilities found within 72 hours.
- We scan application code for vulnerabilities prior to each release
- The security system team is responsible for change management. Its members are only allowed access using SHA2 SSH keys.
- Access to our database through the network is disabled and standard ports are closed. The database is only accessible through a socket on the server itself.
- The reverse proxy only serves whitelisted directories that are only from sources controlled by sku.io
- API endpoints are password protected (SHA512 hashing, salted, and stretched for thousands of rounds).
- Login credentials are always transmitted securely over HTTPS
- Access rights are provided to employees based on their role within the company and are progressive, based on their responsibility
- sku.io does not prevent employees from accessing the organization's data from personal devices. Role-based restrictions and access rights still apply.
- Personally Identifiable Information is stored in an unencrypted database. Direct access to the database is not possible for the customer outside of UI interactions or API calls. Granular access rights control ensures that access is not shared to all users of the database.
- We back up databases containing PII in an encrypted database on GCP, encrypted with OpenSSL and the AES-256-CBC cipher. Direct access to the database is not possible for anyone except from the 2 authorized IPs of database administrators within our organization.
- We use automated probes on our servers to report their status in Munin, an open-source monitoring tool. This tool automatically triggers alarms when probes detect values outside of their pre-defined range. We monitor (among many other things) access rates, response times, SSH connections, and network activity.
- In the event of a breach of Personally Identifiable Information, we will:
  - Record the date and time the breach was discovered
  - Notify any relevant third parties
  - Activate both internal and outside response teams for the type of breach
  - Conduct initial interviews of those with critical knowledge of the potential breach
  - Get forensics personnel on site to make a secure copy of the affected systems so that they can be fixed without compromising assessment of the manner of the breach
  - Discuss the action items to execute
- We have strict requirements for passwords, and developers must establish minimum password requirements for personnel and systems with access to Information. Passwords must be a minimum of twelve (12) characters, contain upper and lower case letters, contain numbers, contain special characters, and expire quarterly. No part of a user’s name can be contained within the password. We use Multi-Factor Authentication. API keys provided by Amazon are encrypted, and access to them is given only to two key expert developers within our team.
- We only use a stub database for testing, not Personally Identifiable Information
- Personally Identifiable Information is encrypted when debugging and not logged
- Developers must use different passwords for different accounts and systems. Developers must use multi-factor authentication (MFA) via Google Authenticator for login to systems. Developers must not hardcode sensitive credentials in their code, including encryption keys, secret access keys, or passwords. Sensitive credentials must not be exposed in code repositories. Developers must maintain separate test and production environments.
- We test applications periodically to assess our products' security and locate any security vulnerabilities that might be hidden in source code before releasing it. We use SonarQube (an automated tracking and detection tool for vulnerabilities) to automatically detect all open source components in our organization's systems.
- We configure standard automation and integration into the tools developers are already using. We have real-time application security awareness training within the developer integrated development environments. We use a CI/CD tool for deployment. We use the Splunk tool to quickly detect and respond to internal and external hacks, to simplify threat management while minimizing risks and safeguarding systems. We quickly remediate, in the shortest time possible, with the best-fix location.
TARGETED ADVERTISING
- We engage certain third-party service providers to serve advertisements on our behalf across the Internet and to provide analytics services. We may also participate in third-party affiliate advertising and allow third-party affiliate links to be encoded on some of our pages. This means that we may earn a commission when you click on or make purchases via third-party affiliate links.
- Our advertisers or the ad networks that serve advertisements may utilize cookies or other similar tracking technologies (including within the ads) to collect anonymous information from you such as your device identifiers, advertising IDs, and IP address, web browser, actions you take relating to the ads, any links you click on, and conversion information. This information may be used by us, our service providers and their clients in aggregated, anonymous form to, among other things, analyze and track aggregated data, determine the popularity of certain content or products, measure the effectiveness of ad campaigns, determine the proper amount of repeat views of a given ad, and deliver advertising and content targeted to your interests on our Services and outside of our Services on other websites (also known as “interest-based advertising”). These service providers are prohibited from collecting any Personal Data from you and we do not share any of your Personal Data with them.
- You have a choice about participating in interest-based advertising. If you wish to opt out of such participation, you have a few options:
  - On your mobile device, you can visit https://youradchoices.com/appchoices to learn about and download the Digital Advertising Alliance’s opt-out app, which allows you to opt your mobile device out of interest-based advertising from participating companies.
  - Your device settings may allow you to limit the use of information from your device in interest-based advertising through your browser’s settings (such as under the “Security & Privacy” settings of the Safari app on an iOS device) or an “Opt Out of Interest-Based Ads” setting (on an Android device).
  - You can learn more about advertising networks and interest-based advertising, and your ability to opt out, by visiting the Digital Advertising Alliance at www.aboutads.info/choices or the Network Advertising Initiative at www.networkadvertising.org/choices.
- In providing you with transparency and choice regarding interest-based advertising, we are acting in accordance with our commitment to the Digital Advertising Alliance’s Self-Regulatory Principles. To learn more about these Principles, please visit http://www.aboutads.info/consumers.
CHANGING AND DELETING PERSONAL INFORMATION
- Under certain laws, including as described below with respect to the GDPR and CCPA, you may have the right to: obtain confirmation that we hold Personal Information about you, request access to and receive information about the Personal Information we maintain about you, receive copies of the Personal Information we maintain about you, update and correct inaccuracies in your Personal Information, object to the continued processing of your Personal Information, and have the Personal Information blocked, anonymized or deleted, as appropriate. The right to access Personal Information may be limited in some circumstances by local law, including as described above under California law. If you qualify, in order to exercise these rights, please contact us as described under “Contact Us”.
- You may opt out of promotional communications by sending us an email at the email address below under “Contact Us”.
- We may ask you to provide additional information for identity verification purposes, or to verify that you are in possession of an applicable email account.
- Please understand, however, that we reserve the right to retain an archive of such Personal Information for a commercially reasonable time to ensure that its deletion does not affect the integrity of our data; and we further reserve the right to retain an anonymous version of such Information.
- Customer data is deleted within 30 days after order shipments.
TERMS FOR SPECIFIC TYPES OF USERS
- EEA Residents
- Since May 25, 2018, all processing of Personal Information of EEA Residents is performed by us in accordance with the General Data Protection Regulation (2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of Personal Information and on the free movement of such data (“GDPR”).
- Under the GDPR, we are the controller and a processor of the Personal Information of EEA Residents. Our purpose for collecting and processing Personal Information from EEA Residents is to obtain contact information, to substantiate such information and to provide the Services. The legal basis for collecting Personal Information is your consent. You may withdraw consent for obtaining such communications by following the “Unsubscribe” instructions on any communication or by contacting us at firstname.lastname@example.org.
- If you are a resident of the EEA and believe that we have Personal Information about you, and you wish to access or correct the Personal Information that we have about you or have any questions relating to the processing of your Personal Information, please contact us at email@example.com with the subject line “GDPR Data.”
- International Data Transfers. If you are resident outside the United States, including in the EEA, we transfer Personal Information provided by you for processing in the United States. Under the GDPR, we are considered a “controller” and a “co-processor” of the Personal Information of EEA Residents. By providing Personal Information to us for the purpose of setting up an account, obtaining Services, or adding yourself to our contact lists, you consent to the transfer of your Personal Information to the United States. The transfer of your Personal Information to the United States is necessary for the performance of a contract between you and us for obtaining Services.
- California Consumers
- This section pertains to the rights of individuals or households in California (“California consumers”).
- Under certain circumstances, California Civil Code Section 1798.83 states that, upon receipt of a request by a California consumer, a business may be required to provide detailed information regarding how that business has shared that customer’s Personal Information with third parties for direct marketing purposes. However, the foregoing does not apply to businesses like ours that do not disclose Personal Information to third parties for direct marketing purposes.
- The CCPA (California Civil Code Section 1798.100 et seq.) provides California consumers with additional rights regarding Personal Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household. The categories of Personal Information we collect are generally described above but differ for individual consumers depending on the services used by such consumers.
- Under the CCPA, qualifying California consumers may have the following rights:
- Right to Know and Right to Delete.
- A California consumer has the right to request that we disclose what Personal Information we collect, use, disclose and sell. A California consumer also has the right to submit requests to delete Personal Information.
- When we receive a valid request to know or delete from a California consumer, we will confirm receipt of the request within 10 days and provide information about how we will process the request, including our verification process. We will respond to such requests within 45 days.
- Right for Disclosure of Information.
- A California consumer may also submit requests that we disclose specific types or categories of Personal Information that we collect.
- Under certain circumstances, we will not provide such information, including where the disclosure creates a substantial, articulable and unreasonable risk to the security of that Personal Information, customers’ account with us, or the security of our systems or networks. We also will not disclose California consumers’ social security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, or account passwords and security questions and answers.
- Submitting Requests. If you are a California consumer and would like to make any requests under the CCPA, please see the “Changing and Deleting Personal Information” section.
- Verifying Requests. If we receive any request we will use a two-step process for online requests where the California consumer must first, clearly submit the request and then second, separately confirm the request. We will use other appropriate measures to verify requests received by mail or telephone.
- To verify a request, a California consumer must provide a business with sufficient information to identify the consumer, such as name, e-mail address, home or work address, or other such information that is on record with us so that we can match such information to the Personal Information that we maintain. Do not provide social security numbers, driver’s license numbers, account numbers, credit or debit card numbers, medical information or health information with requests. If requests are unclear or submitted through means other than those outlined above, we will provide the California consumer with specific directions on how to submit the request or remedy any deficiencies. If we cannot verify the identity of the requestor, we may deny the request.
- Children under 13
- We are committed to preserving online privacy for all of our website visitors, including children. Consistent with the Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect any personal information from children under the age of 13, and we delete any such information we become aware of. If you are a parent or guardian and you believe your child has provided us with Personal Information, please contact us as provided below under “Contact Us,” and be sure to include in your message the same login information that your child submitted.