Ekata – Global Privacy Notice

For the purpose of this Privacy Notice, unless otherwise specified, “Personal Information” means any information relating to an identified or identifiable individual. In connection with the provision of the Services, we obtain Personal Information relating to you in the situations described below.

1. Personal Information Provided by You
   • General Communication Information. When you contact us (for example via email, phone or online web forms), we will collect Personal Information provided by you, such as your first and last name, telephone number, email address, physical address, employer name, as well as any other content that you provide (“General Communication Information”). If you do not provide certain General Communication Information, we may not be able to answer your requests or queries.
   • Account Information. We may collect usernames, passwords, and other details of account-level information from representatives of business Customers when they correspond with us by phone or email, or request support for the Services (“Account Information”). If they do not provide certain Account Information, such as usernames and passwords, they may not be able to use the Services or take advantage of certain features of the Services.
   • Billing Information. We may collect billing information from representatives of our business Customers when they purchase our Services, such as billing name and address, ACH, or credit card number.
2. Personal Information Provided by Customers
   • Customer Data. We collect information in the form of queries submitted to the Services by business Customers for identity verification and fraud prevention and detection purposes. Such queries may contain the name, e-mail address, physical address, phone number, and IP address of the business Customer’s consumers (“Customer Data”). When a Customer submits Customer Data to the Services, Ekata may analyze Customer Data in conjunction with Ekata Data (see below) and other Customers’ data, to create Metadata (see below) to provide results to the Customer’s query.
3. Personal Information Derived from Customer Data
   • Metadata. We derive information from our analysis of Customer Data, such as the number of times a data element has been queried in a period of time (velocity) or the last time a data element has been seen (recency) Metadata”) to identify behavioral patterns and insights for our fraud prevention and identity verification services (e.g., patterns confirming that a provided address is genuine).
4. Third parties
   • Third party data. To enable us to provide our Services, we obtain Personal Information from publicly available sources and from third party data providers, who may collect the information from publicly available sources or directly from individuals. This data collection includes the mapping of IP addresses to non-precise location data (e.g., city, state), and the collection of the following data elements: name, e-mail address, physical address, phone number, and IP address. Ekata includes such third-party data together with Metadata (collectively “Ekata Data”) in its own databases.
5. Personal Information Automatically Obtained from Your Interaction with the Services
   • Usage Information (such as cookies and similar technologies). When you interact with our ads, websites, apps or other digital assets, we or our service partners may collect certain information by automated means such as cookies, web beacons, and embedded scripts. This Usage Information may include standard information from a web browser (such as browser type and browser language), an IP address, device identifier numbers, and the actions a website visitor or Customer takes on Pro Insight (such as how a visitor/Customer interacts with the web pages and the links clicked).
     Cookies: Our Web pages and Pro Insight use “cookies” and similar technologies. A cookie is a file stored on your device that may be used to identify an individual as a unique user by storing certain personal preferences and user data. We use cookies and other technologies to identify your device, identify authorized users of Pro Insight, and track affiliate referrals.
     Web Beacons: We may also use web beacons, small graphic images, or other web programming code which may be included in our Web pages and e-mail messages. We may use Web beacons (or similar technologies) to count visitors to Pro Insight, and to monitor how users navigate Pro Insight, among other legitimate business purposes.
     Log files, IP addresses, URLs, embedded scripts, and similar data: We gather certain information automatically to administer the Services and analyze trends in the aggregate. This information may include IP addresses (or the proxy server a business Customer uses to access the Services), device and application identifiers, browser type, Internet service provider, the pages and files viewed, searches conducted, operating system and system configuration information, and date/time stamps associated with usage. Also, Ekata automatically receives the URL of the Web site from which a business Customer came (if a business Customer follows a link to the Pro Insight). This information is used to analyze overall trends, and to provide and improve the Services. For example, Ekata collects IP addresses from Customers when they log into the Services as part of security features to confirm identity or detect compromised accounts. Ekata may also use embedded scripts, which are programming code designed to collect information about an interaction with a Web site, such as the links clicked on. The code is temporarily downloaded onto a device from our Web server or a third-party service provider, is active only while you are connected to the Web site containing the embedded script, and is deactivated or deleted thereafter.

We set out below the purposes for which we process Personal Information. We indicate the categories of Personal Information per processing purpose. We will only process your Personal Information when we have a valid legal ground for the processing in accordance with applicable law, depending on the country in which you are located. However, please note that even though the chart below may not list consent as a legal basis for each processing activity, in some countries consent is the only or most appropriate legal basis for the processing of Personal Information, and in those countries we rely on consent for all processing activities. In certain cases, this consent may be obtained on our behalf from our Customers.

Processing activity	Legal Basis for Processing (where required under applicable law)	Categories of Personal Information
Provide Services to our customers for fraud and incident prevention and servicing customer accounts, including activities such as facilitate payments for the Services, communicate with our customers, connect third party services for customers, personalize the services at customers’ requests, and audit interactions with customers.	We, and our Customers, have a legitimate interest in combatting fraud or fraudulent use of our Customers’ services. We may also rely on the “performance of a contract” legal ground when we process Personal Information to fulfill individuals’ requests e.g., to respond to individuals’ inquiries.	Account Information Customer Data Usage Information (such as cookies and similar technologies) Billing Information Ekata Data Metadata
Maintain the Services in good working order, and to manage cyber threats, risk exposure, and franchise quality with respect to the integrity and security of our Services and internal systems.	We have a legitimate interest in ensuring the safety, security and performance of our Services.	Account Information Customer Data Usage Information (such as cookies and similar technologies) Ekata Data Metadata
Operate, evaluate, and improve our business (including developing new products and services).	We have a legitimate interest in improving and developing our business, products, and services.	Account Information Customer Data Usage Information (such as cookies and similar technologies) Billing Information Ekata Data Metadata
Provide tailored business communication and marketing.	We have a legitimate interest in promoting our business. When we send electronic direct marketing communications, or when we tailor our advertising, we will obtain individuals’ prior consent if required in accordance with applicable laws.	General Communication Information Account Information We do not use Customer Data for marketing purposes.
As may be required by applicable laws and regulations, including for compliance with Know Your Customers, Anti-Money Laundering, anti-corruption and sanctions screening requirements, or as requested by any judicial process, law enforcement, or governmental agency having or claiming jurisdiction over Mastercard or Mastercard’s affiliates.	Compliance with legal obligations	General Communication Information Account Information Customer Data Usage Information (such as cookies and similar technologies) Billing Information Ekata Data Metadata
Protect against and prevent fraud and cyber threats, unauthorized transactions, claims and other liabilities, and manage risk exposure and franchise quality with respect to the integrity and security of our Services.	We, or a third party, have a legitimate interest in protecting against legal claims.	General Communication Information Account Information Customer Data Usage Information (such as cookies and similar technologies) Billing Information Ekata Data Metadata
Perform due diligence reviews, accounting, auditing,  billing, reconciliation and collection activities.	We have a legitimate interest in managing our Customer, vendor and partner relationships as necessary to operate our business.	Account Information Billing Information
Protect our Customer and others against fraud, cyber incidents and strengthen the cyber resilience of our Customer’s operations.	We, or our Customers, have a legitimate interest in combatting fraud or fraudulent use of our Customers’ services.	Account Information Customer Data Usage Information (such as cookies and similar technologies) Ekata Data Metadata

Ekata may provide your Personal Information to the following third parties for the purposes set out below:

1. Subsidiaries and Affiliates
   We may share the Personal Information we collect with our subsidiaries and affiliates that are part of the Mastercard group of companies, for the purposes described in this Privacy Notice.
2. Service Providers
   We may share Personal Information with our service providers who perform services on our behalf and in relation to the purposes described in this Privacy Notice. Examples of our service providers include analytics providers, data storage providers and payment processing providers. We require these service providers by contract to only process Personal Information in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements. We also require them to have safeguards designed to protect the security and confidentiality of the Personal Information they process on our behalf.
3. Third-Party Business Partners
   We may share Personal Information with third-party data providers in order to supplement our database. For example, we may send an email address to a data provider to see whether and when the data provider may have seen the email address before.
   
   In addition, we may partner with a variety of businesses to market or sell our products or services. For instance, partners may co-sponsor our events or offerings. We may share General Communication Information that Customers provide when they sign up for events or other offerings with these Partners so they can send marketing communications and other information of interest. See below for how to withdraw your consent at any time.
4. Customers
   In response to Customers’ queries, we may provide Customers with Metadata and Personal Information regarding their customers.
5. As required by law
   We may disclose data about you: (i) if we are required to do so by law or legal process; (ii) in response to a request from a court, law enforcement authorities, or government officials; or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.
6. Sale of business
   We reserve the right to transfer Personal Information we have about you in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use Personal Information you have provided to us in a manner that is consistent with this Privacy Notice.

Subject to applicable law, you have the right to:

• Request access to and receive information about the Personal Information we maintain about you, to update and correct inaccuracies in your Personal Information, to restrict or to object to the processing of your Personal Information, to have the information anonymized or deleted, as appropriate, or to exercise your right to data portability to easily transfer information to another company. In addition, you may also have the right to lodge a complaint with a supervisory authority, including in your country of residence, place of work or where an incident took place.
• Withdraw any consent you previously provided to us regarding the processing of your Personal Information, at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of the processing before your consent withdrawal.
• You may opt out from receiving marketing communications by clicking on the unsubscribe link contained in such communications.

Those rights may be limited in some circumstances by local law requirements. United States residents may refer to Section 11 below for additional information.

If you are a resident of the European Union and would like to submit a request, please email us at privacysupport@ekata.com.

If you are a resident of a U.S. State which offers the type of individual rights outlined here, please submit your request by emailing us at privacysupport@ekata.com or calling our toll-free number at +1 (855) 927-1072. 

We maintain appropriate administrative, technical and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession. The types of measures we take vary depending on the type of data, and how it is collected and stored. We restrict access to Personal Information about you to those employees who need to know that information to provide products or services to you.

We also take measures to delete your Personal Information or keep it in a form that does not permit your identification when this information is no longer necessary for the purposes for which we process it or when you request their deletion, unless we are required by law to keep the information for a longer period. In principle, we keep Customer Data for 90 days for troubleshooting purposes, and we keep Metadata for 3 years to improve our fraud prevention and identity verification services.

Mastercard is a global business. We may transfer or disclose Personal Information to recipients in countries other than your country, including the United States, where we are headquartered. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this Privacy Notice.

We comply with applicable legal requirements when transferring Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. A copy of our BCRs is available here. We may also transfer Personal Information to countries for which the EU Commission has issued an adequacy decision or use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses. You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the EEA.

You may choose to use certain features for which we partner with other entities or click on links to other websites for your convenience and information. These features may operate independently from us. They may have their own privacy notices or policies, which we strongly suggest you review. To the extent any features or linked websites you visit are not owned or operated by us, we are not responsible for the sites’ content, any use of the sites, or the privacy practices of the sites.

This Privacy Notice may be updated periodically to reflect changes in our Personal Information practices. We will notify you of any significant changes to our Privacy Notice and indicate at the top of the notice when it was most recently updated. If we update this Privacy Notice, in certain circumstances, we may seek your consent.

If you are located in the EEA, UK, or Switzerland, Mastercard Europe SA  is the entity responsible for the processing of your Personal Information. You can e-mail us at: privacysupport@ekata.com; or write to us at:

Europe Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium

If you are located in the United States, Ekata, Inc. and Mastercard International Inc. would be the entities responsible for the processing of your Personal Information. You can email us at privacysupport@ekata.com; or write to us at:

Ekata Inc.
1201 2nd Ave, Suite 3600,
Seattle, WA 98101,
United States

If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. Is the entity responsible for the processing of your Personal Information. You can email us at privacysupport@ekata.com; or write to us at:

Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
São Paulo/SP
Brasil
CEP 04794-000

If you are located in Asia (excluding India), the Middle East, or Africa, Mastercard Asia/Pacific Pte. Ltd. Is the entity responsible for the Processing of your Personal Information. You can email us at privacysupport@ekata.com; or write to us at:

Asia Pacific, Middle East and Africa Data Protection Officer
Mastercard Asia/Pacific Pte Ltd
3 Fraser Street, DUO Tower, Level 17
Singapore 189352

Additional disclosures for U.S. residents, other than California Residents

If you are a U.S. resident from whom we collect Personal Data as a controller, you may have certain rights under an applicable U.S. state privacy law. You may rely on the disclosures in this Privacy Notice regarding how we collect, use, and disclose your personal information as well as the choices you can make related to your personal information.

Your Rights and Choices

In addition to the rights identified in Section 4 (“Your Rights and Choices”) above, you may have the right to opt out of the processing of the personal information for purposes of (i) targeted advertising, (ii) the sale of personal information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you  and the right to appeal a decision we make with respect to your privacy rights. 

You (or, where permitted by law, your authorized agent) can exercise your rights by submitting a request as described in Section G (“Authorizing an Agent”) of the Additional Disclosures for California Residents below.

Please refer to Section G of the Additional Disclosures for California Residents above for more information on exercises these rights.

Additional Disclosures for California residents  

If you are a California resident from whom we collect Personal Information as a business under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”), you may rely on this Privacy Notice and the additional information below. 

If you are a job applicant who is a California resident, please refer to our Applicant Privacy Notice here for further information.  

For the purpose of this section for California residents, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or as otherwise defined by the CCPA. Personal Information does not include information that is publicly available, deidentified, or aggregated (as those terms are defined in the CCPA) or otherwise excluded from the scope of the CCPA.

a. Categories of Personal Information about you that we Collect and Disclose. The following is a list of categories of Personal Information (as defined by the CCPA) we have collected and disclosed for a business purpose. 

• Identifiers. Examples: Personal and/or business contact information (e.g., name, postal address, telephone number, job title), online identifier, device identifier(s), internet protocol address, email address, account name, authentication information, and similar identifiers. We may collect this information about other people if you give us their information. We may also associate information that you submit to us, such as articles, comments, or content on our social media pages, with your identifiers. 

• Categories of Personal Information in Cal. Civ. Code Section 1798.80(e). Examples: Name, address, telephone number, email address, and IP address.  

• Characteristics of Protected Classifications under California or Federal Law. Examples: Gender and age range.

• Commercial Information. Examples: Information we create or retain that are fundamental to our business, e.g. records of personal property; transaction information, such as date and time of transaction, or a transaction ID provided by a customer, the merchant’s name and location product and service information, such as product version, registration and payment information, and program-specific information, when you request products or services directly from us, or participate in marketing programs; preferences that we infer about you based on products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

• Biometric Information. Examples: Behavioral characteristics, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity, such as keystroke timing, device accelerometer, scroll position, and mouse location. 

• Internet or Other Electronic Network Activity Information. Examples: Cookie and web beacon data, IP address, browser type, operating system, mobile device identifier, referring URLs, pages viewed and actions you take on our online properties and apps, and behavioral-based data or biometric information, such as keystroke timing, device accelerometer, scroll position, and mouse location. 

• Geolocation Data. Example: Your city, state or country or your IP address.  

• Sensory Information. Examples: Photographs, audio recordings (including call recordings for customer service purposes), and video recordings. 

• Professional or Employment-Related Information. Examples: Professional information such as job title, department, and name of organization. Additionally, information you provide as part of your job application or in the course of your employment with Ekata and/or Mastercard, e.g., contact information and employment history. Please see Applicant Privacy Notice for further information. 

• Inferences Drawn from Personal Information. Examples: Personal characteristics, life habits, consumption habits, and interests.  

• Sensitive Personal Information. Examples: Biometric information, as described in more detail above in E, for fraud and security prevention. (We note, however, that we do not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit our collection and processing of this data under the CCPA). 

b. Sources of Collection of Personal Information. We have collected Personal Information from the following categories of sources:  

We collect, use, and disclose your Personal Information in accordance with the specific business and commercial purposes below:

• You/Your Devices: You or your devices directly. 
• Affiliates. 
• Analytics Providers. 
• Users: Other users of our services. 
• ISPs: Internet service providers. 
• Government: Government entities. 
• Advertising Networks.  
• Social Networks. 
• OS/Platform Provider: Operating systems and platforms.  
• Partners: Business partners. 
• Public: Publicly accessible sources.   

c. Use of your Personal Information. We collect, use, and disclose your Personal Information in accordance with the specific business and commercial purposes below: 

• Providing Services: Providing our services. 

• Communicating: Communicating with you, providing you with updates and other information relating to our services and products, providing information that you request, responding to comments and questions, and otherwise providing customer support. 

• Connecting Third Party Services: Facilitating the connection of third-party services or applications. 

• Business Marketing: Marketing purposes, such as developing and providing promotional and advertising materials that may be useful, relevant, valuable or otherwise of interest to you. You may opt-out of these at any time.  We do not use Customer Data for marketing purposes.

• Personalization: Personalizing your experience on our services, such as presenting tailored content. 

• Sending Messages: Sending you personalized text messages as requested on our Talent Community. Please see Talent Community Privacy Notice for further information. 

• Facilitating Payments: Facilitating transactions and payments. 

• Job Applications: Processing your job application.   

• Safety Issues: Responding to trust and safety issues that may arise. 

• Compliance: For compliance purposes, including enforcing our Terms of Use or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency. 

• Auditing Interactions: Auditing related to your interaction with our services and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with other standards. 

• Fraud and Incident Prevention: Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. 

• Debugging: Debugging to identify and repair errors that impair existing intended functionality. 

• Transient Use: Short-term, transient use. 

• Contracting Vendors: Contracting with vendors and service providers to perform services on our behalf or on their behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services on behalf of Mastercard’s clients. 

• Research: Undertaking internal research for technological development and demonstration. 

• Improving Our Services: Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services. 

• Enabling Transactions: Otherwise enabling or effecting, directly or indirectly, a commercial transaction. 

• Notified Purpose: For other purposes for which we provide specific notice at the time the information is collected. 

d. Disclosure of your Personal Information to Third Parties 

With respect to the categories of Personal Information identified above in Section 1, we disclose your Personal Information to the following categories of third parties:  

• Advertising Providers: Advertising technology companies, such as advertising networks. We disclose your Personal Information to Advertising Providers only with your consent. Personal Information we disclose: Identifiers; Internet or Other Electronic Network Activity; Geolocation Data.   We do not disclose Customer Data for advertising purposes.
• Analytics Providers. Companies that help us analyze and improve our online properties. We disclose your Personal Information to Analytics Providers only at your direction and only with your consent. Personal Information we disclose: Identifiers; Internet or Other Electronic Network Activity; Geolocation Data.  
• OS/Platform Providers: Operating systems and platforms. Personal Information we share: Identifiers; Internet or Other Electronic Network Activity Information; Geolocation Data. 
• Resellers: Consumer data brokers. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Geolocation Data; Inferences Drawn from Personal Information. 
• Affiliates. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information. 
• Vendors: Vendors and service providers. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.  
• Integrated Third Parties: Third parties integrated into our services. Personal Information we disclose: Identifiers; Internet or Other Electronic Network Activity; Geolocation Data.  
• Third Parties as Legally Required: Third parties as required by law and similar disclosures. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information. 
• Third Parties in Merger/Acquisition: Third parties in connection with a merger, sale, or asset transfer. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.  
• Third Parties with Consent or Direction: Other third parties for whom we have obtained your direction or permission to disclose your Personal Information.  Personal Information we may disclose: Identifiers; Commercial Information 

We do not use or disclose sensitive personal information for purposes ​which would require us to offer consumers the right to limit under ​the CCPA. 

e. Collection and Sale of your Personal Information to Other Parties  

We sell your Personal Information. However, we only sell your Personal Information for fraud prevention and identity verification purposes, as detailed further below.  

With respect to Personal Information that we sell, we have collected information from Resellers (consumer data brokers).  

We do not “share” Personal Information with third parties for “cross-context behavioral advertising” (“CCBA”).  

 The following is a list of categories of Personal Information (as defined by the CCPA) we have sold. 

• Identifiers. Examples: Personal and business contact information (e.g., name, postal address, telephone number), internet protocol address, and email address. We may collect this information about other people if you give us their information. 

• Categories of Personal Information in Cal. Civ. Code Section 1798.80(e). Examples: Name, postal address(es), telephone number, email address, and IP address. 

• Characteristics of Protected Classifications under California or Federal Law. Examples: Age range, e.g., 35-39 years of age. 

• Geolocation Data. Example: Your city, state or country, or your IP address.  

• Associated People. Example: Household members, i.e., people with the same current address. 

• Contact Information Metadata. Examples: Mobile phone carrier name, mobile phone carrier line type, mobile phone number subscriber name, and email address registered owner name. 

• Device Information. Examples: Browser, ISP carrier, and platform. 

With respect to the categories of Personal Information identified above, we have sold Personal Information to our Customers,who use our identity verification and fraud prevention products. We share the following categories of Personal Information to our Customers for this purpose:  Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Internet or Other Electronic Network Activity Information; and Geolocation Data.   

We do not have actual knowledge that we sell Personal Information of consumers under 16 years of age or that we share Personal Information of consumers under 16 years of age for CCBA. 

f. Retention 

We take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations. 

g. Your Privacy Rights  

If you are a California resident, you may exercise the following rights.  

• Right to Know and Access. You may submit a verifiable request for information regarding the: (1) categories of Personal Information collected, sold, shared with third parties for CCPA, or disclosed by us; (2) purposes for which categories of Personal Information are collected, sold, or shared with third parties for CCBA by us; (3) categories of sources from which we collect Personal Information; (4) categories of third parties with whom we disclosed Personal Information; and (5) specific pieces of Personal Information we have collected about you.  

• Right to Delete. Subject to certain exceptions, you may submit a verifiable request that we delete Personal Information about you that we have collected from you.  We maintain a record of such request as required by the CCPA.

• Right to Correct. You have the right to correct inaccurate Personal Information that we maintain about you. 

• Verification. Requests for access to or deletion of Personal Information are subject to our ability to reasonably verify your identity in light of the information requested and pursuant to relevant CCPA requirements, limitations, and regulations. To verify your access or deletion request, please provide us with your email address, name, phone number, and address.

• Right to Opt Out. In some circumstances, you may opt out of the sale of Personal Information.  

• Right to Equal Service and Price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations. We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise your rights, except where the different price or level of quality of good or service is reasonably related to the value of the data that we receive from you. 

Submit Requests.  To exercise your rights under the CCPA email us at privacysupport@ekata.com or call our toll-free number: +1 (855) 927-1072.  

Authorizing an Agent. If you are acting as an authorized agent to make a request to know, delete, correct, or opt out on behalf of a California resident, email us at privacysupport@ekata.com or call our toll-free number: +1 (855) 927-1072. Please note that we will require you to attach a written authorization signed by the resident whose Personal Information will be subject to the request.  

h. CCPA Metrics

The following metrics are based on requests received from “consumers” as the term is defined by the CCPA.

Request	Requests Received	Requests Complied with in Whole or in Part	Requests Denied	Median Days to Respond	Mean Days to Respond
Requests to Delete	26469	23081	3388	36	35.9
Requests to Access	9	2	7	36	33.3
Requests to Know	0	0	0	0	0
Requests to Opt out of Sale	93	76	17	10	12.6
Requests to Limit Use of Data	0	0	0	0	0