I. NOTICE AT COLLECTION

This Notice at Collection describes how we collect, use, and disclose personal information we collect from or about you.

A. Collection of Personal Information

1. Personal Information You Provide to Us

We collect personal information you provide directly to us. For example, we collect personal information directly from Merchants who register to use our application on their ecommerce websites, Consumers who subscribe for our services, B2B Contacts when we conduct business dealings with them, and generally from individuals who respond to our inquiries, surveys, communications, offers, or marketing. The types of personal information that we may collect directly from you include:

• Contact information, such as name, email address, phone number, and physical address
• Individual characteristics, such as date of birth and social media information
• Commercial information, such as records of the products or services purchased, obtained, or considered by Consumers, Consumer feedback and other communications, or other purchasing or consuming histories or tendencies, including the information you may share in the contact form on our website about your business
• Video and/or audio information during business meetings

Redo does not see your sensitive financial information, such as financial account, debit card, or credit card information. However, when subscribing to our services, you may transmit such information to third parties, such as banks, processing gateways, and merchant processors, in order to process transactions and payments.

2. Personal Information We Collect Automatically

We automatically collect certain personal information about your interactions with us or our services, including the Redo application and website.

Device and Usage Information

We collect information about how you access our services, including data about the device and network you use, such as your hardware model, operating system version, mobile network, Internet Protocol (“IP”) address, unique device identifiers, device type, browser type, and app version. We also collect information about your activity on our services, such as access times, pages viewed, links clicked, and the page you visited before navigating to our services.

Information Collected by Cookies and Similar Tracking Technologies

We and others that control collection of personal information use tracking technologies, such as cookies and web beacons, to collect information about you. Cookies are small data files stored on your hard drive or in device memory that help us improve our services and your experience, see which areas and features of our services are popular, and count visits. Web beacons (also known as “pixel tags” or “clear GIFs”) are electronic images that we use on our services and in our emails to help deliver cookies, count visits, and understand usage and campaign effectiveness. For more information about cookies and how to disable them, see Your Choices About Cookies below.

Automated Decision Making

We do not envisage that any decisions will be taken about you using automated means (without any human involvement), including profiling, which produces legal or similarly significant effects. In the event that this position changes, we will notify you.

3. Personal Information We Collect From Other Sources

We obtain personal information from other sources. For example, we may collect information from advertising networks, data analytics providers, operating systems and platforms, mailing list providers, social networks, and other advertising partners. This information includes your contact information and usage data collected through cookies and other trackers described in the Advertising and Analytics section below.

4. Personal Information We Receive From Merchants

We will also receive personal information from Merchants regarding the consumers whom they offer their products and/or services to (“Merchant Consumers”).

Merchants are solely responsible for ensuring that any personal information they provide to us is in compliance with applicable privacy laws, including, but not limited to, ensuring that notice is provided to Merchant Consumers about the sharing of their personal information with us and, where applicable, obtaining appropriate consent.

For certain personal information we receive from Merchants, we will process that personal information in our capacity as a data processor. As such, we will only process such personal information on the documented instructions of the Merchant as a data controller. Please refer to the Purpose and Use of Personal Information section below, where we have identified the purposes for which we may undertake processing activities in our capacity as a data processor on behalf of a Merchant.

5. Personal Information We Derive

We may derive personal information or draw inferences about you based on the information we collect. For example, we may make inferences about your approximate location based on your IP address or infer that you are looking to purchase certain products based on your browsing behavior and past purchases.

B. Purpose and Use of Personal Information

We may use the categories of personal information identified in the Collection of Personal Information section above for the following purposes in our capacity as a data processor on behalf of a Merchant:

• To facilitate Merchants’ registration for the Redo application on their e-commerce websites
• To provide order tracking, streamlined returns or exchanges, shipping, instant refund, enhanced shopping experiences, and warranty services
• To process transactions and send you related information, including confirmations, receipts, invoices, customer experience surveys, and recall notices
• To send you technical notices, security alerts, and support and administrative messages
• To respond to your comments and questions and provide customer service
• To communicate with you about products, services, and events offered by the Merchant and provide news and information that we think will interest you
• To carry out any other purpose described to you at the time the information was collected

In addition, we may use the categories of personal information identified in the Collection of Personal Information section above for the following purposes in our capacity as a data controller:

• To conduct business dealings with our partners, service providers, contractors, or processors
• To personalize and improve your experience on our services
• To monitor and analyze trends, usage, and activities in connection with our services
• To generate customer behavioural profiles for consumers based on anonymous and historic shopping data in order to create tailored shopping recommendations
• To personalize the advertisements you see when you use our services based on information provided by our advertising partners
• To detect, investigate, and prevent security incidents and other malicious, deceptive, fraudulent, or illegal activity and protect the rights and property of Redo and others
• To debug to identify and repair errors in our services
• To comply with our legal and financial obligations
• To carry out any other purpose described to you at the time the information was collected

In the EEA and UK, the GDPR requires us to identify a “lawful” or “legal” basis for the processing (our use) of your personal information. The lawful bases we have identified is set out in more detail in the Summary of Prior 12 Month Personal Information Processing Activities section below.

C. Disclosure of Personal Information

We may disclose your personal information in the following circumstances or as otherwise described in this Privacy Policy. To learn more about the categories of personal information we may disclose and the categories of recipients, please see the Summary of Prior 12 Month Personal Information Processing Activities section below, which describes our prior 12 month and going-forward personal information disclosure practices.

• Vendors. We may disclose or make available your personal information to service providers, contractors, processors, and other parties who provide services to Redo, Merchants, and Consumers, including CRM software, fraud prevention, customer communication, bug tracking, and other related services.
• Transaction Processing. We may provide you access to banks, processing gateways, and merchant processors for you to provide personal information required to process transactions.
• Warranty Providers. We may disclose your personal information to third parties who provide warranty services.
• Shipping Providers and Carriers. We may disclose your personal information to third parties who provide shipping services.
• Advertising and Analytics. We may make your personal information available to advertising and analytics partners, as described in the Advertising and Analytics section below.
• Legal Disclosures. We may disclose personal information if required by law or legal process, including requests by courts or public authorities. We may also share personal information if we believe your actions violate our policies, or if necessary to protect the rights, property, and safety of Redo, our users, or the public.
• Advisors and Lawyers. We may disclose personal information to our lawyers and advisors where necessary to protect or manage our business interests.
• Change of Ownership. We may disclose personal information during negotiations or execution of any merger, sale of assets, financing, or acquisition.
• With Your Consent. We may disclose personal information with your consent or at your direction.
• Non-Personal Information. We may disclose aggregated or de-identified information that cannot reasonably be used to identify you and commit not to re-identify such information unless required by law.

D. Retention of Personal Information

We store personal information for as long as necessary to carry out the purposes for which we originally collected it and for other legitimate business purposes, including legal and compliance obligations. Specifically, we will keep the personal information of Merchants, Consumers, and B2B Contacts as long as we have a continuing relationship with them to provide or receive services and for up to 6 years thereafter, unless we need to retain the personal information for an additional length of time under the law.

If you’d like, I can convert the entire privacy policy into Webflow-ready rich text format in one combined document.

II. ADVERTISING AND ANALYTICS

We may allow others to provide analytics services and serve advertisements on our behalf across the web and in mobile apps. These entities may use cookies, web beacons, device identifiers, and other technologies to collect information about your use of our services and other websites and applications, including your IP address, web browser, mobile network information, pages viewed, time spent on pages or in mobile apps, links clicked, and conversion information.

This information may be used by us and others to, among other things, analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our services and other websites, and better understand your online activity.

For more information about interest-based ads, or to opt out of having your web browsing information used for behavioral advertising purposes, please visit

www.aboutads.info/choices.

Your device may also include a feature that allows you to opt out of having certain information collected through mobile apps used for behavioral advertising purposes.

We may also work with third parties to serve ads to you as part of customized campaigns on third-party platforms. As part of these ad campaigns, we or the third-party platforms may convert information about you into a unique value that can be matched with a user account on these platforms to allow us to learn about your interests and serve you advertising that is customized to your interests. Note that the third-party platforms may offer you choices about whether you see these types of customized ads.

III. TRANSFERS OF INFORMATION TO THE UNITED STATES AND OTHER COUNTRIES

Redo is headquartered in the United States, and we have operations and/or service providers in the United States and other countries. Therefore, we and our service providers may transfer your personal information to, or store or access it in, jurisdictions that may not provide levels of data protection that are equivalent to those of other countries (such as in the EEA or UK). We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it. For more information on the safeguards used, see the Data Privacy Framework Notice below.

IV. YOUR CHOICES ABOUT COOKIES

Most web browsers are set to accept cookies by default. If you prefer, you can usually adjust your browser settings to remove or reject browser cookies. Please note that removing or rejecting cookies could affect the availability and functionality of our services.

If you wish to reject the use of certain cookies, you can also use the “Preferences” banner at the bottom of our website to reject the use of cookies.

V. CHILDREN

This website is not intended for or directed at children under the age of 18. In addition, we do not knowingly collect personal information from children under the age of 18. We also do not knowingly sell, share, use for targeted advertising, or disclose the personal information of children under the age of 18.

VI. SUMMARY OF PRIOR 12 MONTH PERSONAL INFORMATION PROCESSING ACTIVITIES

In the preceding 12 months, we have collected the categories of personal information set forth below. For details about the precise data points we collect and the categories of sources of such collection, please see the Collection of Personal Information section above. We collect personal information for the business and commercial purposes described in the Purpose and Use of Personal Information section above.

In the preceding 12 months, we have disclosed the following categories of personal information for business purposes to the following categories of recipients, which we also describe in greater detail in the Disclosure of Personal Information section above.

VII. Selling or Sharing of Personal Information

Below, we describe the categories of personal information we may sell or share for targeted advertising currently and in the preceding 12 months. We also describe the third parties who received or may receive the personal information and the business or commercial purpose for the sale or sharing. We do not knowingly sell or share the personal information of children under the age of 18, and have not done so in the prior 12 months.

VIII. Opt-Out Preference Signals and “Do Not Track” Requests

A. We Honor Opt-Out Preference Signals

We honor opt-out preference signals. An opt-out preference signal is a signal that is sent by a platform, technology, or mechanism on your behalf that communicates your choice to opt out of the sharing for targeted advertisements or sale of your personal information. You can learn more about implementing opt-out preference signals by exploring technologies and services that offer this tool. We treat opt-out preference signals as valid requests to opt out of the sale or sharing of your personal information under privacy laws.

Please note that you can also opt out of the sale or sharing of your personal information for targeted advertising through our other methods described in the Instructions on How to Exercise Your Privacy Rights section below.

B. “Do Not Track” Requests

Some browsers have incorporated “Do Not Track” features. Most of these features, when turned on, send a signal or preference to the websites you visit indicating that you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the do not track signal, we currently do not respond to browser do not track signals. However, as noted above, we do honor opt-out preference signals.

IX. Sensitive Personal Information

Under some privacy laws, certain types of personal information are considered “sensitive” or “special” personal information or data and require additional data privacy rights and obligations. Redo does not process “special” personal information under the GDPR. However, the financial information described in this Privacy Policy may be considered “sensitive” under US privacy laws.

Specifically, Redo does not see any information that constitutes “sensitive” personal information or data, but you may provide to banks, processing gateways, and merchant processors your sensitive financial account, debit card, or credit card information when using our services. Redo facilitates your provision of this information to these parties in order to provide our services.

This information may also be used to prevent, detect, and investigate security incidents, resist malicious, deceptive, fraudulent, or illegal actions and prosecute those responsible, and ensure physical safety of natural persons. Because this “sensitive” personal information is used for limited and permitted purposes, we do not offer a limit use and disclosure of sensitive personal information right. However, where required by law, we will obtain your consent before such sensitive personal information is collected. You may withdraw your consent by contacting us at privacy@getredo.com.

X. Your Privacy Rights

A. Rights Available to US Residents

Data privacy laws afford consumers residing in the United States certain rights with respect to their personal information, subject to certain exceptions. If you reside in the United States, this section applies to you. Subject to certain limitations, you have the following rights in the United States:

• Right to Delete. You have the right to request us to delete the personal information we have collected about you.
• Right to Correct. You have the right to request us to correct inaccurate personal information we maintain about you.
• Right to Confirm Processing, Know, and Access. You have the right to confirm whether we are processing your personal information and to know and access the personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you. You have the right to receive this information in a format, to the extent technically feasible, that is portable, usable, and allows you to transmit the personal information to a person without impediment or hindrance.
• List of Specific Third Parties. You have the right, at our option and based on the circumstances, to receive a list of the specific third parties to which we have disclosed or sold either: (1) your personal information or (2) any personal information.
• Right to Opt-Out of Profiling. You have the right to opt out of the processing of your personal information for profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. Please note that we do not engage in profiling activities to make decisions that result in the provision or denial of financial or lending services, housing, insurance, education, criminal justice, employment opportunities, healthcare services, or access to basic necessities. As such, you do not need to take any further action.
• Rights Related to Sharing for Targeted Advertising or Sale. You have the right to opt out of the sharing of your personal information for targeted advertising or the sale of your personal information.
• Rights Related to Sensitive Personal Information or Data. Data privacy laws may provide additional protection for sensitive personal information or data. Please see the Sensitive Personal Information section above for more information.
• Right to No Discrimination. You have the right not to be discriminated against for exercising any of your privacy rights. This includes us not:
  • denying you goods or services
  • charging you different prices or rates
  • providing you a different level or quality of goods or services
  • suggesting different pricing or service levels
  • retaliating against you for exercising your privacy rights
• Right to Appeal. If we decline to take action in response to your exercise of a privacy right, we will inform you of the reason for denying your request and provide you instructions on how to appeal the decision.

B. Rights Available to UK and EEA Residents

In certain circumstances, under the GDPR you will have the right to:

• Right to request access. This right always applies. However, there are some exemptions which mean you may not always receive all of your personal information that we process.
• Right to request rectification. If your personal information is inaccurate or incomplete. This right always applies.
• Right to request deletion. This only applies in certain circumstances, such as if there is no legitimate reason for its continued processing.
• Right to restrict the processing. In certain circumstances (for example, if you want us to establish its accuracy or the reason for processing your personal information).
• Right to object to the processing. This applies where we rely on a legitimate interest as a legal basis for processing your personal information, unless we have compelling other legitimate grounds for the processing.
• Right to request a transfer. This applies to personal information that you have given to us, and you want to share it with another party. This right only applies where we rely on your consent to process your personal information as the legal basis.
• Right to withdraw your consent. In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. Withdrawal of consent does not affect the lawfulness of processing performed before consent was withdrawn.

If you want to access, rectify, or request deletion of your personal information, object to the processing of your personal information, request that we transfer a copy of your personal information to another party, or withdraw your consent to processing (if applicable), please contact us using the information below.

If you are dissatisfied with the handling of your personal information, you have a right to lodge a complaint with the data protection supervisory authority where you live. In the UK, this would be the Information Commissioner’s Office. In the EU, this would be the Irish Data Protection Commission.

C. Instructions on How to Exercise Your Privacy Rights

You may exercise your privacy rights by emailing us at privacy@getredo.com. You may also opt out of the sale of your personal information or the sharing of your personal information for targeted advertising by clicking the Do Not Sell or Share My Personal Information link located in the footer of this website.

In some instances, we will need to verify your identity before honoring your privacy rights request. We will verify your identity by asking you to provide personal information related to your recent interactions with us. We will honor privacy rights requests within 45 calendar days of receipt unless an extension is permitted by law. Opt-out requests for sale or sharing will be honored within 15 business days. Identity verification is not required for opt-out requests, but we may need additional information to locate your records.

D. Appealing a Denial of a Privacy Right Request

You may appeal a denial of your privacy rights request by emailing us at privacy@getredo.com. Within 45 days of receiving an appeal, we will notify you in writing of any action taken, including an explanation of our decision. If we deny your appeal, you may submit a complaint to your state’s Attorney General.

E. Authorized Agents

If permitted or required by applicable law, you may exercise your privacy rights through an authorized agent (including a guardian or conservator). If we receive a request from an authorized agent, we may ask for proof that you granted the agent authority to act on your behalf. Authorized agents may contact us at privacy@getredo.com.

F. Shine the Light Disclosure for California Residents

California law permits residents to request details about how their information is shared with third parties for direct marketing purposes. If you are a California resident and would like to make such a request, please contact us at privacy@getredo.com.

XI. Data Privacy Framework Notice

As a supplement to the information provided throughout this Privacy Policy, we provide the following information in accordance with our obligations as a participating organization under the EU–U.S. Data Privacy Framework and the UK Extension to the EU–U.S. DPF.

Redo complies with the EU–U.S. Data Privacy Framework (“EU–U.S. DPF”) and the UK Extension to the EU–U.S. DPF as set forth by the U.S. Department of Commerce. Redo has certified to the U.S. Department of Commerce that it adheres to the EU–U.S. DPF Principles regarding the processing of personal data received from the European Union and the United Kingdom (and Gibraltar). If there is any conflict between this Privacy Policy and the EU–U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program or to view our certification, visit the Data Privacy Framework website

.

• This Privacy Policy describes our privacy practices regarding personal data received from the EU and UK under the DPF, including what data we collect, how we use it, who we disclose it to, and why.
• You have the right to access, correct, amend, or delete your personal data, and to opt out of disclosures to third parties or use of your personal data for purposes materially different from those originally disclosed or authorized. You may contact us at privacy@getredo.com to exercise these rights.
• We may transfer personal data to third parties acting as controllers or agents. When we do, we comply with the DPF’s Accountability for Onward Transfer principle. We remain responsible for personal data transferred to agents if they process it inconsistently with the DPF.
• The U.S. Federal Trade Commission has jurisdiction over Redo’s compliance with the DPF. We may be required to disclose personal data in response to lawful requests from public authorities, including for national security or law enforcement purposes.
• This Privacy Policy may be amended as required by the DPF, and updates will include revised effective dates.
• We commit to resolving complaints related to our DPF compliance. EU and UK individuals may contact us at privacy@getredo.com.
• We commit to refer unresolved complaints to TrustArc, an independent dispute-resolution provider. You may submit a complaint at: https://feedback-form.trustarc.com/watchdog/request
• For residual complaints not resolved through other means, binding arbitration may be available, as outlined in Annex I of the DPF program: https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction

XII. Google Workplace API Disclosure

For purposes of the Google Workplace API, our application does not retain user data obtained through the Workplace API to develop, improve, or train generalized artificial intelligence or machine-learning models. Redo does not sell Google user data to third parties.

XIII. Contact Us

If you have any questions about this Privacy Policy, you may contact us at:

Email:

privacy@getredo.com

Our representative in the UK:

GDPRLocal Ltd.

1st Floor Front Suite

27–29 North Street

Brighton, England BN1 1EB

Email: contact@gdprlocal.com

Telephone: 441 772 217 800

Our representative in the EU:

Instant EU GDPR Representative Limited

Office 2, 12A Lower Main Street

Lucan, Co. Dublin K78 X5P8, Ireland

Email: contact@gdprlocal.com

Telephone: 353 15 549 700