We are delighted you are visiting our website and thank you for your interest in our company and our services, web pages and mobile applications (collectively: our “Services”). Data protection and data security are very important to us with regard to the use of our website. We would therefore like to take this opportunity to inform you about the personal data we collect during your visit to our website and what we use this data for.

We kindly ask you to routinely read this privacy policy as changes to legislation or our internal corporate processes can necessitate an adaptation of its content. You can call up, save and print out this privacy policy at any time by clicking the “Privacy Policy” link on our website. We may also attempt to notify you of updates to this privacy policy by providing notice through our Services.

§ 1 Introduction

ReachMail is an email service provider. Our customers are businesses and organizations that use the ReachMail tool to send email marketing messages. ReachMail only allows customers to upload email lists of their contacts who have given permission to the customer to send them email. ReachMail only sends messages to email addresses at the direction of our customers. ReachMail does not share, trade or sell email addresses and only maintains email addresses at the direction of our customers. If a customer terminates their account ReachMail will delete all addresses.

§ 2 Definitions

"Contact" is a person a Member may contact through our Services. In other words, a Contact is anyone on a Member's Distribution List or about whom a Member has given us information. For example, if you are a Member, a subscriber to your email marketing campaigns would be considered a Contact.

“Contact Data” means any Personal Data that ReachMail processes on behalf of Member as a Data Processor in the course of providing Services.

"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.

"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.

"Distribution List" is a list of Contacts a Member may upload or manage on our platform and all associated information related to those Contacts (for example, email addresses).

"EEA" means, for the purposes of this Privacy Policy, the European Economic Area and United Kingdom.

"Member" means any entity that is registered with us to use the Services

"Personal Information" means any information that identifies or can be used to identify a Member, a Contact, or a Visitor, directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or other demographic information.

"Privacy Shield" means the EU-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016.

"Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).

"Website(s)" means any website(s) we own and operate (such as reachmail.com) or any web pages, interactive features, applications, widgets, blogs, social networks, social network "tabs," or other online, mobile, or wireless offerings that post a link to this privacy policy.

"Visitor" means any person who visits any of our Websites.

§ 3 Controller and scope

As between ReachMail and Members and/or between ReachMail and Visitors, the controller in the meaning of the EU General Data Protection Regulation (hereinafter: GDPR), other national data protection laws of member states and additional data protection regulations is:

Reachmail Holdings, LLC.
Attn: Gregory Gulik
Privacy Manager
770 Legacy Place 2nd Floor
Dedham, MA 02026
+1-312-229-0070
E-Mail: support@reachmail.com.
Website: reachmail.com

As between ReachMail and Contacts, the Member providing the Contact’s information to ReachMail is the Data Controller of Contacts’ data, and ReachMail shall process Contacts’ data only as a Data Processor acting on behalf of Member.

This privacy policy applies to the website(s) of Reachmail Holdings, LLC. that is accessible via the domain and various subdomains and connected domains (hereinafter: “Our Website”).

§ 4 Principles of data processing

The term personal data refers to all information that relates to an identified or identifiable natural person. It includes, for instance, information such as your name, age, address, telephone number, date of birth, email address, IP address and user behavior. Information that does not allow us to establish a connection to you as a person (or would only allow such a connection with an unreasonable amount of effort), for instance anonymized information, is not classified as personal data. Processing personal data (for instance collecting, querying, using, storing and transferring personal data) always requires a legal basis or your consent. Processed personal data is deleted as soon as the purpose for which it was collected is fulfilled and statutory retention periods no longer apply.

Insofar as we process your personal data in order to provide specific services to you, the following serves to inform you of the concrete processes, the scope and the purpose of data processing, the legislation on which it is based and the duration of storage in each case.

§ 5 Privacy for Members and Visitors

This section applies to the Personal Information we collect and process from a Member or Visitor. Information regarding the data of Contacts of our Members is included in the Privacy for Contact section of this policy. In this section, "you" and "your" refer to Members and Visitors.

I. Individual processing activities

1. Website provision and use

a. Type and scope of data processing
When you call up and visit our website, we collect personal data that your browser automatically sends to our server. This information is stored temporarily in a so-called log file. When you use our website, we collect the following data needed for technical reasons to display the website and guarantee its security and stability:

• IP address of the requesting computer
• Date and time of access
• Name of the URL and the requested file
• The website from which access was made (referrer URL)
• Your browser
• Your computer’s operating system

b. Legal basis
Art. 6 Para. 1 (f) GDPR serves as the legal basis for data processing activities detailed in the preceding. Processing the specified data is an essential part of making the website accessible and therefore serves a legitimate interest of our company.

c. Duration of storage
The specified data will be deleted as soon as it is no longer needed to display the website. Collecting the data is essential to making the website available and storing the data in log files is essential to operating the website. The user therefore has no option to object to collection and storage. In some cases data may be stored for other purposes if required by law.

2. Registration / User account

a. Type and scope of data processing
Our website offers you an option to register as a user by submitting your personal data. We use your processed data to create a personalized user account for you that you can use to access specific content and services on Our Website. We process your email address so we can send you new login details should you happen to forget them. You can see in detail which personal data we process during registration from the following overview:

• First name
• Last name
• Phone number
• Company
• Email address

b. Legal basis
Processing the preceding personal data serves the fulfillment of a contract between you and ReachMail or the implementation of pre-contractual activities in accordance with Art. 6 Para. 1 (b) GDPR.

You can withdraw your consent to the use of your personal data at any time with future effect by sending an email to support@reachmail.com.

c. Duration of storage
Processed data will be deleted as soon as the registration is canceled or changed on our website. It may also be necessary to keep your personal data on record after the fulfillment of a contract to meet contractual or legal requirements. In some cases data may be stored for other purposes if required by law.

d. Cancelling registration
You can cancel your registration as a user at any time. You can also request changes to be made to your personal data on record. To do so, please contact support@reachmail.com. However, if the processed data is required for the purpose of contract performance or pre-contractual activities, it can only be deleted prematurely if contractual or legal obligations allow.

3. Contact form

a. Type and scope of data processing
You can get in touch with us via a contact form made available to you on our website. You will be informed of this privacy policy when you submit your inquiry via the contact form in order to obtain your consent. When you make use of the contact form, the following personal data will be collected and processed via the form:

• Your name
• Email address
• Message content

We require your email address in order to allocate your inquiry and send you a response. The contact form data is stored by a third party service provider: Zendesk.com.

b. Legal basis
The lawfulness of data collection is based on Art. 6 Para. 1 (f) GDPR as both you and we have an interest in contacting and communicating with one another and we as a company have a legitimate interest in processing the data detailed in the preceding in order to respond to your inquiry.

c. Duration of storage
We will delete the personal data collected from you via the contact form as soon as we have dealt with your inquiry and brought the subject matter to a close. In some cases data may be kept on record for other purposes if required by law.

4. Contact options on our website

Our website offers you various options to contact us by email:

• Support Contact: support@reachmail.com
• Contact with Sales: sales@reachmail.com
• Contact for forwarding emails from which Contacts wish to unsubscribe: rem@reachmail.com
• Contact to report abuse: abuse@reachmail.com or violation@reachmail.com

a. Type and scope of data processing
Every user of this website can send their inquiries to these email addresses. Email inquiries are processed by the appropriate department. The data we collect in this case is limited to the email address of the email account you used to contact us and any other personal data you disclose to us within the scope of your inquiry.

b. Legal basis
The lawfulness of data collection is based on Art. 6 Para. 1 (f) GDPR as both you and we have an interest in contacting and communicating with one another and we as a company have a legitimate interest in processing the data detailed in the preceding in order to respond to your inquiry.

c. Duration of storage
The duration of storage with regard to the preceding personal data depends on the nature of your inquiry. Your data will be routinely deleted insofar as the purpose of your communication no longer applies and data storage is no longer necessary (or once we have finished handling your inquiry).

5. Purchase form

a. Type and scope of data processing
The purchase form consists of data fields you can fill in through our website. This information is processed and stored by our third party payment processor, Stripe.com. ReachMail only stores the card type, expiration date, last four digits of the payment card, and the billing postal code. Users filling in the purchase form will enter the following personal data:

• First name
• Last name
• Billing address
• Phone number
• Email address
• Payment information

b. Legal basis
Processing the preceding personal data serves the fulfillment of a contract between you and ReachMail or the implementation of pre-contractual activities in accordance with Art. 6 Para. 1 (b) GDPR. You can withdraw your consent to the use of your personal data at any time with future effect by sending an email to support@reachmail.com.

c. Duration of storage
The personal data collected from the purchase form will be retained for as long as a Member maintains their membership.

II. Tracking and analysis tools

We use tracking and analysis tools to ensure our website is continuously optimized and its design is suitable for its purpose. Tracking measures also enable us to collect statistical data with regard to user behavior on our website and to use the insights gained to further improve our online offering for you. These interests justify the use of tracking and analysis tools described below in accordance with Art. 6 Para. 1 p. 1 (f) GDPR.

We use third party tracking and analysis tools such as Google Analytics, Facebook Analytics, and SessionStack. For more information on how these third parties use and store your personal information, please refer to each third party’s terms of use and privacy policy.

§ 6 Privacy for Contacts

This section applies to the information we process about our Members’ Contacts as a data controller pursuant to our legitimate business interests. Our Services are intended for use by our Members. As a result, for much of the Personal Information we collect and process about Contacts through the Services, we act as a processor on behalf of our Members. ReachMail is not responsible for the privacy or security practices of our Members, which may differ from those set forth in this privacy policy. Please check with individual Members about the policies they have in place. For purposes of this section, "you" and "your" refer to Contacts.

I. Individual processing activities

1. Information we receive about Contacts from our Members

a. Type and scope of data processing
We may receive the following data from our Members about their Contacts:

• Email address

b. Legal basis
Art. 6 Para. 1 (f) GDPR serves as the legal basis for data processing activities detailed in the preceding. Processing the specified data is necessary to provide our services to our members and therefore serves a legitimate interest of our company.

c. Duration of storage
Your email address will be stored until the Member that provided us with your email address requests that it is deleted. In some cases, data may be kept on record for other purposes if required by law.

d. Do Not Contact List
Contacts may request that we place their email address on a “do not contact” list by emailing our customer service department at support@reachmail.com or calling our customer service department at 1-888-947-3224. If you request to be placed on the “do not contact” list, we will retain your email address for the purpose of ensuring that you are not included on any future emails sent through our service.

II. Tracking Technologies

In connection with the performance of the Services, ReachMail employs the use of cookies, pixels, unique identifiers, web beacons and similar tracking technologies. We will only track which emails sent through the Service are opened by Contacts, and which links are clicked in emails sent through the Service to Contacts.

III. Exercising Data Protection Rights

As described above, for much of the Personal Information we collect and process about Contacts through the Services, we act as a processor on behalf of our Members. In such cases, if you are a Contact and want to exercise any data protection rights that may be available to you under applicable law or have questions or concerns about how your Personal Information is handled by ReachMail as a processor on behalf of our individual Members, you should contact the relevant Member that is using the ReachMail Services, and refer to their separate privacy policies.

If you no longer want to be contacted by one of our Members through our Services, please unsubscribe directly from that Member’s newsletter or contact the Member directly to update or delete your data. If you contact us directly, we may remove or update your information within a reasonable time and after providing notice to the Member of your request.

If you have had trouble removing yourself from a list sent via ReachMail using the opt-out link provided in the email, please FORWARD the message directly to rem@reachmail.com and we will promptly remove you. The email must be forwarded, otherwise we will not know from which mailing list it originated. If you no longer have this email, please provide as much detail as possible, so we can identify the source of the mailing.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.

§ 7 General Information

For purposes of this section, "you" and "your" refer to Members, Contacts, and Visitors unless otherwise indicated.

I. Disclosing data

We will only disclose your data to third parties if:

• You have explicitly granted your consent in accordance with Art. 6 Para. 1 p. 1 (a) GDPR
• To do so is lawful and necessary to fulfill our contractual obligations towards you in accordance with Art. 6 Para. 1 p. 1 (b) GDPR
• We are obligated to do so by law in accordance with Art. 6 Para. 1 p. 1 (c) GDPR
• Disclosure is necessary to protect our legitimate interest or to assert, exercise or defend legal claims in accordance with Art. 6 Para. 1 p. 1 (f) GDPR and there is no reason to assume that you have an overriding interest in non-disclosure worthy of protection.

We may share and disclose your Personal Information to the following types of third parties for the purposes described in this privacy policy:

• Our service providers: Sometimes, we share your information with our third-party service providers, who help us provide and support our Services and other business-related functions. For example, we share information with providers of payment processing services and fraud detection services. Some other examples include analyzing data, hosting data, engaging technical support for our Services, and delivering content. These third-party service providers enter into a contract that requires them to use your Personal Information only for the provision of services to us and in a manner that is consistent with this privacy policy.
• Advertising partners: We may partner with third-party advertising networks and exchanges to display advertising on our Websites or to manage and serve our advertising on other sites and may share Personal Information of Members and Visitors with them for this purpose. We do not sell or market to any of our Members’ Contacts. We and our third-party partners may use cookies and other tracking technologies, such as pixels and web beacons, to gather information about your activities on our Websites and other sites in order to provide you with targeted advertising based on your browsing activities and interests.
• Any competent law enforcement body, regulatory body, government agency, court or other third party where we believe disclosure is necessary (a) as a matter of applicable law or regulation, (b) to exercise, establish, or defend our legal rights, or (c) to protect your vital interests or those of any other person.
• A potential buyer (and its agents and advisors) in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition. In that event, any acquirer will be subject to our obligations under this privacy policy, including your rights to access and choice. We will notify you of the change either by sending you an email or posting a notice on our Website.
• Contact information may be shared with a third party that provides data cleaning services to remove problematic email addresses from Members’ Distribution Lists. Contact information will only be shared with this third party at the request of a Member.
• Any other person with your consent.

II Use of cookies

a. Type and scope of data processing
Our website uses cookies. Cookies are small files that are sent to and stored by your browser when you visit our web pages. Certain technical cookies are essential as some of our website’s functions will not work without them. Other cookies enable us to carry out a range of analyses. Cookies can, for instance, recognize your browser and send certain information to us when you return to our website. Cookies enable us to make our website more effective and user-friendly for you as they can help us to understand how you use our website and your preferred settings (for instance country and language settings). If third parties use cookies to process information, this information will be collected directly from your browser. Cookies do not cause any damage to your end device. They cannot execute programs and do not contain viruses.

Our website uses different kinds of cookies whose type and function are explained in the following.

Transient cookies	Our website uses transient cookies, which are automatically deleted when you close your browser. This type of cookies enables capturing your session-ID. It enables us to assign different requests from your browser in one session and it is possible for us to recognize your device on later visits.
Persistent cookies	Our website uses persistent cookies. Persistent cookies are cookies that are stored in your browser for a longer time period and send information to us. The storage duration depends on the type of cookie. You can delete persistent cookies yourself using your browser settings.
Function 1:	Required cookies These cookies are required for technical reasons as they enable you to visit our website and use the functions we provide. These cookies also contribute towards making the use of our website secure and in compliance with regulations.
Function 2:	Performance-related cookies These cookies enable us to analyze the use of our website and to improve its performance and functionality. They are used to collect information on how visitors use our website, which pages are most frequently visited and whether error messages appear on certain pages.
Function 3:	Cookies for marketing and social media Advertising cookies (third-party providers) make it possible to show you various offers that correspond to your interests. These cookies collect data on user web activity over extended periods of time. The cookies may recognize you on various of your end devices.

b. Legal basis
The legal basis for processing personal data using cookies is Art. 6 Para. 1 (f) GDPR on account of the purposes described above. Processing the specified data is an essential part of making the website accessible and therefore serves a legitimate interest of our company. If you have granted your consent to the use of cookies in response to a notice (“cookie banner”) on the website, then lawfulness is also based on Art. 6 Para. 1 p. 1 (a) GDPR.

c. Duration of storage
As soon as the data transmitted to us via the cookies is no longer necessary to achieve the purposes described above, this information will be deleted. Further storage can take place on a case-by-case basis if required by law.

d. Configuration of browser settings
Most browsers are set to accept cookies by default. You can, however, configure your browser so that it only accepts certain cookies or none at all. Please note, however, that you may not be able to use all the functions of our website if its cookies are deactivated in your browser settings. You can also use your browser settings to delete cookies already stored in your browser. In addition, you can set your browser to inform you whenever a cookie is about to be stored. As browsers differ in regards to their functionality, please refer to your browser’s help menu for information on adjusting configuration options.

III. Use of Personal Information

We may use the Personal Information we collect through the Services or other sources for a range of reasons, including:

• To enforce compliance with our Terms of Use and applicable law, and to protect the rights and safety of our Members and third parties, as well as our own. This may include developing tools and algorithms that help us prevent violations.
• To bill and collect money owed to us by you. This includes sending you emails, invoices, receipts, notices of delinquency, and alerting you if we need a different credit card number. We use third parties for secure credit card transaction processing, and those third parties collect billing information to process your orders and credit card payments.
• To send you system alert messages.
• To communicate with you about your account and provide customer support.
• To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
• To provide information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements.
• To prosecute and defend a court, arbitration, or similar legal proceeding.
• To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
• To provide customer support and obtain feedback about our Services, but only for and from the Member whose Personal Information and User Data are being used.
• To support and improve the service we offer including adding features and providing benchmarking and other comparison information based on aggregating and analyzing data.
• To transfer your information in the event of the sale of all, or substantially all, of the assets of our business to a third-party or in the event of a merger, consolidation or acquisition. However, in such event, any acquirer will be subject to our obligations under this Privacy Policy.
• Other purposes. To carry out other legitimate business purposes, as well as other lawful purposes about which we will notify you.

IV. Hyperlinks

Our website contains so-called hyperlinks to websites operated by other providers. Activating a hyperlink will transfer you directly to the website of the corresponding provider. You can recognize the transfer by the change of URL, for example. We cannot accept any liability for the confidential use of your data on these websites as we have no influence on the compliance of these companies with data protection regulations. Please refer directly to the website concerned to obtain information on how your personal data is handled.

V. Right of access

The GDPR stipulates that you as a data subject whose data is processed have the following rights:

• Pursuant to Art. 15 GDPR, you can request information with regard to your personal data processed by us. In particular, you can request information in relation to the purposes of the processing; the categories of personal data concerned; the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations; the envisaged period for which the personal data will be stored; the existence of the right to request from us the rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing; the existence of the right to lodge a complaint; the source of your personal data to the extent that it was not collected by us; and the existence of automated decision-making, including profiling and any meaningful information about the particulars thereof.
• Pursuant to Art. 16 GDPR, you can demand the immediate correction of incorrect or incomplete personal data stored by us.
• Pursuant to Art. 17 GDPR, you have a right to request the erasure of your personal data stored by us insofar as processing is not required for the purpose of exercising the right of freedom of expression and information; for compliance with a legal obligation; for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; or for the establishment, exercise or defense of legal claims.
• Pursuant to Art. 18 GDPR, you have a right to restrict our use of your personal data if you contest the accuracy of the data; the processing is unlawful; we no longer need the personal data, but it is required by you for the establishment, exercise or defense of legal claims. Your right pursuant to Art. 18 GDPR remains unaffected if you have lodged an objection to data processing in accordance with Art. 21 GDPR.
• Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format; you also have the right to have your data transmitted to another controller.
• Pursuant to Art. 7 Para. 3 GDPR, you have the right to withdraw previously granted consent at any time. Consequently, we will not be permitted to continue processing your data on the basis of your consent in the future.
• Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. You can contact the supervisory authority of the Member State of your habitual residence, place of work or place of the alleged infringement.
• If you are a data controller and any of your Contacts wishes to exercise any of these rights, they should contact you directly, or contact us as described in the "Privacy for Contacts" section above.
• We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection law. We may ask you to verify your identity in order to help us respond efficiently to your request. If you are a data controller and we receive a request from one of your Contacts, we will either direct the Contact to reach out to you, or, if appropriate, we may respond directly to their request.

VI. Right to object

In relation to the processing of your personal data on the basis of legitimate interests in accordance with Art. 6 Para. 1 p. 1 (f) GDPR, you have the right pursuant to Art. 21 GDPR to object to your data being processed on grounds relating to your particular situation or if your objection concerns direct marketing. With regard to direct marketing, you have a general right to object without providing a specific reason and we are required to take appropriate action.

VII. International Data Transfers

1. Data center locations. ReachMail may transfer and process your data anywhere in the world where ReachMail, its affiliates or its sub-processors maintain data processing operations. ReachMail shall at all times provide an adequate level of protection for the data processed, in accordance with the requirements of data protection laws.

2. Privacy Shield. ReachMail complies To the extent that ReachMail processes any data protected by EU Data Protection Law under the Agreement and/or that originates from the EEA, in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the parties acknowledge that ReachMail shall be deemed to provide adequate protection (within the meaning of EU Data Protection Law) for any such data by virtue of having self-certified its compliance with Privacy Shield. ReachMail agrees to protect such Personal Data in accordance with the requirements of the Privacy Shield Principles. If ReachMail is unable to comply with this requirement, ReachMail shall inform Member.

   ReachMail has withdrawn from the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States; however, we will continue to apply the Privacy Shield Principles to the personal information that we received while participating in the Privacy Shield. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/.

   With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, ReachMail is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.

   Pursuant to the Privacy Shield Frameworks, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to support@reachmail.com. If requested to remove data, we will respond within a reasonable timeframe.

   We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to support@reachmail.com.

   In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

   ReachMail’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, ReachMail remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless ReachMail proves that it is not responsible for the event giving rise to the damage.

   In compliance with the Privacy Shield Principles, ReachMail commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact us by email at support@reachmail.com.

   If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

3. Alternative Transfer Mechanism. The parties agree that the data export solution identified in Section VII.b shall not apply if and to the extent that ReachMail adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized under EU Data Protection Laws) outside of the EEA (“Alternative Transfer Mechanism”), in which event, the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism extends to the territories to which Personal Data is transferred).

VIII. Data safety and security measures

We undertake to protect your privacy and to treat your personal data confidentially. We have implemented extensive technological and organizational measures to prevent the manipulation, loss or misuse of your personal data stored on our servers. These measures are routinely reviewed and adapted to reflect technological developments. They include the use of acknowledged encryption methods (SSL or TLS).

Please note, however, that the structure of the internet makes it possible for persons and institutions outside of our sphere of control to disregard data protection regulations and the security measures detailed in the preceding. In particular, data that is transmitted without prior encryption – for instance by email – can be read by third parties. We have no technological influence in this regard. It is the user’s responsibility to protect the data provided by them from misuse by way of encryption or other suitable means.

Confidentiality of processing. ReachMail shall ensure that any person who is authorized by ReachMail to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

Security Incident Response. Upon becoming aware of a Security Incident, ReachMail shall notify you without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you.

IX. Cooperation

The Services provide Member with a number of controls that Member may use to retrieve, correct, delete or restrict Contact Data, which Member may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Member is unable to independently access the relevant Contact Data within the Services, ReachMail shall (at Member’s expense) provide reasonable cooperation to assist Member to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to ReachMail, ReachMail shall not respond to such communication directly without Member’s prior authorization, unless legally compelled to do so. If ReachMail is required to respond to such a request, ReachMail shall promptly notify Member and provide it with a copy of the request unless legally prohibited from doing so.

If a law enforcement agency sends ReachMail a demand for Contact Data (for example, through a subpoena or court order), ReachMail shall attempt to redirect the law enforcement agency to request that data directly from Member. As part of this effort, ReachMail may provide Member’s basic contact information to the law enforcement agency. If compelled to disclose data to a law enforcement agency, then ReachMail shall give Member reasonable notice of the demand to allow Member to seek a protective order or other appropriate remedy unless ReachMail is legally prohibited from doing so.

To the extent ReachMail is required under EU Data Protection Law, ReachMail shall (at Member’s expense) provide reasonably requested information regarding the Services to enable the Member to carry out data protection impact assessments or consultations with data protection authorities as required by law.

IX. Customer EU Data Processing Addendum

The Customer EU Data Processing Addendum can be found at /privacy-policy-gdpr/.

X. California Consumer Privacy Act (CCPA) Addendum

The California Consumer Privacy Act (“CCPA”) provides consumers within the state of California with specific rights regarding their Personal Information. You have the right to request that such business disclose certain information to you about our collection and use of your Personal Information. In addition, you have the right to ask the business to delete Personal Information collected from you, subject to certain exceptions. If a business sells Personal Information, you have a right to opt-out of that sale. Finally, a business cannot discriminate against you for exercising a CCPA right.

When offering services to its Members, ReachMail acts as a “service provider” under the CCPA and our receipt and collection of any consumer Personal Information is completed on behalf of our Members in order for us to provide the Service. Please direct any requests for access or deletion of your Personal Information under the CCPA to the Member with whom you have a direct relationship.

Consistent with California law, if you choose to exercise your applicable CCPA rights, we won’t charge you different prices or provide you a different quality of services. If we ever offer a financial incentive or product enhancement that is contingent upon you providing your Personal Information, we will not do so unless the benefits to you are reasonably related to the value of the Personal Information that you provide to us.

ReachMail collects only the information necessary to provide the services. We share information with other service providers only as much as is necessary to provide such services. Neither ReachMail, nor our service providers, sell or otherwise disseminate information collected from and about our customers to other parties.

Category	Collect	Disclose	Sell
Categories of Protected Classifications	Yes	Yes	No
Characteristics of Protected Classifications	No	No	No
Commercial Info	Yes	No	No
Biometric Info	No	No	No
Electronic Network Activity	Yes	Yes	No
Geolocation Info	Yes	Yes	No
Sensory Information	No	No	No
Non-Public Education Information	No	No	No
Inferences Drawn from Personal Information	No	No	No