We collect, use and are responsible for certain personal information about you. When we do so we are subject to various laws in the United States and the General Data Protection Regulation which applies across the European Union (including in the United Kingdom), and we are responsible as a “data processor” of that personal information for the purposes of those laws, unless you are a GrowSurf User, in which case you are our direct customer, and we have responsibility as a "Controller" of your data.
Our users are "controllers" for the purposes of those laws if you are a GrowSurf participant, referred to our site and/or applications by them, and may have separate legal responsibilities to you with respect to your data. Our subprocessors are "data processors" for the purpose of use of your data, and GrowSurf is the "controller" of such data, except to the extent that GrowSurf users otherwise specify data use and retention.
In Short: We are not responsible for the safety of any information that you share with third-party providers who advertise, but are not affiliated with, our websites.
It would be helpful to start by explaining some key terms used in this policy:
We, us, our:
GrowSurf, Inc., located at 2035 Sunset Lake Road, Ste B2, Newark, DE 19702
1900 E. Golf Rd.
Schaumburg, IL 60173
Our data protection officer:
Kevin Yun, GrowSurf
Any information relating to an identified or identifiable individual
We may collect and use the following personal information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:
This personal information is required to provide products and/or services to you. If you do not provide personal information we ask for, it may delay or prevent us from providing products and/or services to you.
The laws of the state of Illinois provide for protection of biometric information. The Biometric Information Privacy Act (BIPA) was passed by the Illinois General Assembly on October 3, 2008, and is codified as 740 ILCS 14/1 ff. and Public Act 095-99. The BIPA guards against the unlawful collection and storing of biometric information. When Illinois passed the law in 2008, it became the first state to regulate the collection of biometric information. Washington and Texas have since passed similar laws. The Illinois law regulates collection, retention, and use of the following types of information: "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. GrowSurf does not collect, process, or store any of these types of information, and does not provide data processing services for those types of information if collected by its users.
We collect most of this personal information directly from you—in person, by telephone, text or email and/or via our website and apps. However, we may also collect information:
In Short: Yes, we may use Google Maps for the purpose of providing better service.
By using our or our customer's Maps API Implementation, you agree to be bound by Google’s Terms of Service. By using our implementation of the Google Maps APIs, you agree to allow us to gain access to information about you including personally identifiable information (such as usernames) and non-personally identifiable information (such as location).
The Maps APIs that we use store and access cookies and other information on your devices. If you are a user currently in the European Union, note that we require our customers to get your permission to use your data and to allow us to process same and to notify you in case of data breach in accordance with the data privacy regulations of the EU and of its member countries, as applicable.
In Short: If you choose to register or log in to our or our customer's websites using a social media account, we may have access to certain information about you.
Our or our customer's Sites offer you the ability to register and log in using your third-party social media account details (like your Facebook or Twitter logins). Where you choose to do this, we and our customers will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, e-mail address, friends list, profile picture as well as other information you choose to make public. If you log in using Facebook, we may also request access to other permissions related to your account, such as friends, check-ins, and likes, and you may choose to grant or deny us access to each individual permission.
Under data protection law, we can only use your personal information if we have a proper reason for doing so, e.g.:
To comply with our legal and regulatory obligations;
For the performance of our contract with you or to take steps at your request before entering into a contract;
For our legitimate interests or those of a third party; or
Where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The table below explains what we use (process) your personal information for and our reasons for doing so:
What we use your personal information for (Our reasons)
We may use your personal information to send you updates (by email, text message, telephone or post) about our products and/or services, including exclusive offers, promotions or new products and/or services.
We have a legitimate interest in processing your personal information for promotional purposes (see above “How and why we use your personal information”). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.
We will always treat your personal information with the utmost respect.
We will keep your personal information while you have an account with us or while we are providing products and/or services to you. Thereafter, we will keep your personal information for as long as is necessary:
To respond to any questions, complaints or claims made by you or on your behalf;
To show that we treated you fairly; or
To keep records required by law.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
In Short: We aim to protect your personal information through a system of organizational and technical security measures.
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our Sites is at your own risk. You should only access the services within a secure environment.
In Short: We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly solicit data from or market to children under 18 years of age. By using the Sites, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Sites or Apps. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from children under age 18, please contact us at firstname.lastname@example.org.
You may at any time review or change the information in your account with us or our customer or terminate your account by:
Logging into your account settings and updating your account
Contacting us or our customer using the contact information provided below. If you are a GrowSurf participant, please direct any requests for access or deletion of your Personal Data to our Customers with whom you have a direct relationship.
Cookies and similar technologies:
Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Sites.
Opting out of email marketing:
You can unsubscribe from our marketing email list at any time by clicking on the unsubscribe link in the emails that we send or by contacting us using the details provided below. You will then be removed from the marketing email list. However, we will still need to send you service-related emails that are necessary for the administration and use of your account. You can also opt out by:
Noting your preferences at the time you register your account with the Sites.
Logging into your account settings and updating your preferences.
Contacting us using the contact information provided below.
In Short: We may transfer, store, and process your information in countries other than your own.
Our servers are located in the states of California, Oregon, and Illinois, United States of America, unless our customer agreements specify otherwise. If you are accessing our Sites from outside those states, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information, in the United States of America and other countries where our customers and their site hosting and data processing services are located.
Our customers are responsible for the processing of personal information they receive on their Sites or through their Apps, under the EU-US Privacy Shield Framework, and subsequently transfer to a third party acting as an agent and data processor on our customer's behalf.
With respect to personal information received or transferred pursuant to the US-EU Privacy Shield Framework, GrowSurf, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (FTC). In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We routinely share personal information with third parties, including:
Our affiliates and vendors, including legal, accounting, and other general service providers
Service providers we use to help deliver our products and/or services to you, such as payment service providers, other subprocessors, and, if needed for customers who use our services for participants for services involving physical products, warehouses and delivery companies;
Other third parties we use to help us run our business, such as marketing agencies or website hosts;
Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers;
Credit reporting agencies;
Our insurers and brokers;
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g. in relation to ISO or Investors in People accreditation and the audit of our accounts.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
As a general matter, we share a minimum of information needed on GrowSurf users or participants. We may, however, use such data for commercial purposes, particularly for communications for and analysis of data for our users. When participant data is shared with paying users, this is a "sale" of data.
Within this general policy of minimal disclosure, we have made some disclosures and commercial uses of data, possibly including the following specific items.
In the preceding 12 months, we may have transferred or sold to one or more third parties the following categories of personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:
Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers);
Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
Information may be held at our offices and those of our third party agencies, service providers, representatives and agents as described above.
In Short: In some regions, such as the European Economic Area, or individual states like California (for privacy matters) or Illinois (for biometric information), you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.
Types of Information Which May Be Protected:
Characteristics of protected classifications under California or federal law:
In the preceding 12 months, we may have disclosed for a business purpose to one or more third parties the following categories of personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:
In some world regions (like the European Economic Area), you have certain rights under applicable data protection laws. In the EU, these national and EU wide regulations are referred to as the GDPR. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.
If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.
If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
YOUR RIGHTS UNDER THE GDPR
For further information on each of those rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individual rights under the General Data Protection Regulation.
In Short: Yes, if you are a resident of California, you are granted specific rights regarding access to your personal information.
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
If you are under 18 years of age, reside in California, and have a registered account with the Sites or Apps, you have the right to request removal of unwanted data that you publicly post on the Sites or Apps. To request removal of such data, please contact us using the contact information provided below, and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Sites or Apps, but please be aware that the data may not be completely or comprehensively removed from our or our customer's systems.
Disclosure of Personal Information We Collect About You
You have the right to know:
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
In Short: Yes, we will update this policy as necessary to stay compliant with relevant laws.
If you have questions or comments about this policy, or want to make requests to us in connection with your privacy rights, email us at email@example.com or send requests or other contacts by mail or other physical delivery service to:
1900 E. Golf Rd.
Schaumburg, IL 60173
Last updated: March 27, 2020