U.S. Privacy Statement
A. U.S. Privacy Statement
This U.S. Privacy Statement is designed to provide data subjects in the U.S., other than our Personnel, with notice of our Personal Data practices over the prior 12 months (from the Effective Date), including through Aviagen online and offline services and anywhere this U.S. Privacy Statement is posted (the “Service(s)”), and to meet the notice requirements of the CCPA. This notice will be updated at least annually. Additionally, this U.S. Privacy Statement also applies to our current data practices such that it is also meant to provide California Consumers with “notice at collection” as required by the CCPA. For any new or substantially different processing activities that are not described in this U.S. Privacy Statement, we will notify you as may be legally required, such as at the point of collection. Capitalized terms used but not defined herein will have the meanings given to them in the CCPA.
1. Notice of Collection and of Privacy Practices
This Section A.1 does not apply to data that is collected in a human resources (“HR”) context. For example, if you are an employee, former employee, or applicant of an Aviagen company, or if we have collected data from or about you otherwise in a HR context (e.g., emergency contact or beneficiary info) (“Personnel”), and are a current California resident, you may request additional information about our HR privacy practices via email at support-hr@aviagen.com. However, Section 2 (California Privacy Rights) does apply to California Personnel.
Notably, this U.S. Privacy Statement does not apply to data that is not treated as PI under the CCPA or to the extent the data is subject to an exemption under applicable laws.
Processing Purposes
Generally, we collect, retain, use, and disclose your PI in order to provide you the Services and as otherwise related to the operation of our business, which include both Business Purposes and Commercial Purposes (defined below). This may include disclosing or otherwise making PI available to our vendors that perform services for us in their role as “Service Providers” as defined by the CCPA (“Service Providers”). We do not knowingly Sell or Share the PI of Consumers under 16. Our Services are intended for persons at least the age of majority and in a business-to-business context.
Business Purposes
Business purposes are the following listed purposes that are generally not tied to an opt-out right under the CCPA such that they do not implicate Sale or Sharing as defined under the CCPA (see the DO NOT SELL/SHARE Section below), (“Business Purposes”). The Business Purposes may apply to all the categories of PI in the table below.
The specifically defined CCPA business purposes:
| Processing Purpose(s) | Examples(s) of Processing Purpose |
|---|---|
| 1. Performing Services | Provide our Services/communicate about our Services: to provide you with info or services, to send you electronic newsletters and push notifications (if you have elected to receive such), to communicate with you about your use of the Services, to provide you with special offers or promotions. Enable additional features of our sites: to enable you to participate in a variety of our site’s features, including watching promotional videos. Process your orders: to process or fulfill an order or transaction. Contact You: to contact you about your use of our Services and, in our discretion, changes to our Services or our Service’s policies. Account management: to verify your info is active and valid, and manage your account. Customer Service: to respond to any questions, comments, or requests you have for us or for other customer service purposes. Payment and other purchase-related purposes: to facilitate a purchase made using our Services, including payment. |
| 2. Managing Interactions and Transactions | Auditing: auditing compliance with user interaction or transaction specifications and standards. |
| 3. Security | Security/fraud prevention: to protect the security of Aviagen, our Services, or its users and to prevent and address fraud. |
| 4. Debugging | Repairs: identify and repair errors that impair existing intended functionality of our Services. |
| 5. Advertising & Marketing (excluding Cross-Context Behavioral Advertising and Targeted Advertising) | Advertising, marketing, and promotions: to assist us in determining relevant advertising and the success of our advertising campaigns; to help us determine where to place our ads, including on other websites. |
| 6. Quality Assurance | Quality and Safety of Service: undertaking activities to verify or maintain the quality or safety of our Services, and to improve, upgrade, or enhance our Services. |
| 7. Research and Development | Research and analytics: to better understand how users access and use our Services, both on an aggregated and individualized basis, to improve our Services and respond to user preferences, and for other research and analytical purposes. |
Additional Business Purposes:
- Conducting our business and operations (e.g. general business operations, customer communications related to their account and/or services, account management, training, record keeping, reporting, etc.).
- Other business purposes explained at the time of collection (such as in the applicable privacy policy or notice) that are related to or compatible with the context in which we collected your PI, or that are required or permitted by applicable law, including as detailed in our ONLINE SERVICES PRIVACY STATEMENT.
- To provide your PI to:
- other parties at your direction or through your intentional action (which includes when you opt-in to non-essential cookies on our online Services);
- the government or private parties (i.e., litigants) to comply with law or legal process; and
- In connection with or during negotiations of a proposed or actual financing of our business, or merger, purchase, sale, joint venture, or any other type of acquisition or business combination of all or any portion of Aviagen assets, or transfer of all or a portion of Aviagen’s business to another company, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding.
- Compliance with legal obligations: to comply with legal obligations, as part of our general business operations, and for other business administration purposes and in response to legal obligations or process.
- Prevention of illegal activities, fraud, injury to others, or violation of our terms and policies: to investigate, prevent or take action if someone may be using info for illegal activities, fraud, or in ways that may threaten someone’s safety or violate of our terms or this U.S. Privacy Statement.
- Purposes disclosed at PI collection: We may provide additional disclosures at the time of PI collection, such as on a checkout page.
- Related or compatible purposes: for purposes that are related to and/or compatible with any of the foregoing purposes.
Commercial Purposes
Generally associated with an opt-out right under the CCPA, the following purposes may apply to your PI. For more details on the meaning of Sale and Sharing, and how to opt-out of them, please visit the DO NOT SELL/SHARE Section below.
- Where we disclose, or make available, your PI to THIRD-PARTY DIGITAL BUSINESSES (defined below) in a manner that does not qualify them as a Service Provider, and is not at your direction (e.g., opting in to non-essential cookies).
The next section provides more detail on the categories of PI processed, the categories of recipients to which we may disclose it and more detail on the processing purposes where the PI is sensitive.
Collection and Disclosure
The table below describes the categories of PI we collect as well as examples of types of PI and Sensitive PI that fit within such categories, in the left column. For transparency, we have added processing purpose details for Sensitive PI. The right column states the categories of recipients that receive those specific categories of PI and Sensitive PI as part of disclosures for Business Purposes, as well as disclosures for Commercial Purposes, which may be considered a Sale or Share under the CCPA.
| Category of PI | Categories of Recipients |
|---|---|
| Identifiers and contact information (such as name, work phone, mobile phone, home phone, physical address, mailing address, shipping address, email address, mobile identification number, IP address, and cookie ID). |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
| Personal Records (Some PI included in this category may overlap with other categories. Examples include name, signature, work phone, mobile phone, home phone, physical address, mailing address, shipping address, tax ID number, passport number (when assisting with visas), or payment transmittal information). |
Disclosures for Business Purposes: |
| Personal Characteristics or Traits (such as age (through date of birth) and nationality for purposes of assisting with visas and Know Your Customer screening). |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
| Transaction / Commercial Information (such as Aviagen’s products or services used, purchased, or considered and other purchasing or consuming histories or tendencies provided). |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
| Internet Usage Information (such as search, browsing history, and other interactions with the Service). |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
| Location Data (we may infer your rough location (such as city/state) as part of the services). |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
| Professional or Employment Information (such as your title, affiliated organization, and related information). |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
| Inferences from PI Collected (We may draw inferences from other information we collect about you to determine what products or services may interest you). |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
|
Sensitive PI |
|
| Government IDs (such as passport, and other government IDs). This is done for business records purposes and to comply with legal obligations. |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
| PI collected and analyzed concerning a Consumer’s health (for example, when you attend an event that we sponsor, you may provide us with dietary information so we can accommodate your needs during meals). This information is processed only for the specific purposes collected. |
Disclosures for Business Purposes: Sale/Sharing Recipients: |
Sources of PI
We collect PI directly from you or from your device, Third-Party Digital Businesses, Service Providers, vendors, other individuals (e.g., your friends, your colleagues, and others that use the Service and submit content concerning you or about you) and other third parties.
Data Retention
Because there are so many different types of PI in certain categories, and so many purposes and use cases for different data, we are unable to provide retention ranges based on categories of PI in a way that would be meaningful and transparent to you. Actual retention periods for all PI will depend upon how long we have a legitimate purpose for the retention consistent with the collection purposes and applicable law. For instance, we may maintain business records for so long as relevant to our business and may have a legal obligation to hold PI for so long as potentially relevant to prospective or actual litigation or government investigation. We apply the same criteria for determining if we have a legitimate purpose for retaining your PI that you ask us to delete. If you make a deletion request, we will conduct a review of your PI to confirm if legitimate ongoing retention purposes exist, will limit the retention to such purposes for so long as the purpose continues, and will respond to you with information on any retention purposes on which we rely for not deleting your PI. For more information on deletion requests see the RIGHT TO DELETE section.
2. California Privacy Rights
As described in further detail below, subject to meeting the requirements for a Verifiable Consumer Request (defined below) where applicable, we provide Consumers – which are, for clarity, residents of California (including our Personnel)– the privacy rights described in this section. Since we are a business-to-business business consumer privacy laws in other states are not applicable to us. However, for residents of states other than California, we will consider requests but will apply our discretion in how we process such requests. Capitalized terms used but not defined herein will have the meanings given to them in the CCPA.
Making a Request and Scope of Requests
To make a request, other than a Do Not Sell/Share request, please submit your request to us by one of the methods below. For instructions on how to submit a Do Not Sell/Share request, please go to the DO NOT SELL/SHARE section below.
- Complete our downloadable webform and email it back to us at privacy@aviagen.com.
- Call us toll-free at +1-800-737-7677.
Some information we maintain about Consumers that is technically considered PI may nonetheless not be sufficiently associated with information that you provide when making your request. For example, if you provide your name and email address when making a request, we may be unable to associate that information with certain data collection on our Online Service such as clickstream data tied only to a pseudonymous browser ID. Where we are unable to associate such information with the information you provide, we are therefore unable to associate such information with you and cannot include such information in response to those requests. If we cannot comply with a request, we will explain the reasons in our response. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.
We will make commercially reasonable efforts to identify PI that we collect, process, store, disclose, and otherwise use and to respond to your privacy requests. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.
Verifying Your Request
When you make a request, as permitted by the CCPA, we will verify that you are the person you say you are, or, if you are seeking information on behalf of another person, that you are authorized to make the request on their behalf (see our “Authorizing an Agent” section immediately below). In addition, we will compare the information you have provided to determine if we maintain personal information about you in our systems. As an initial matter, we ask that you provide us with, at a minimum, name, email, and address. Depending on the nature of the request and whether we have the email address you have provided in our systems, we may request further information from you in order to verify that you are the Consumer making the request. We will review the information provided as part of your request and may ask you to provide additional information via e-mail or other means to complete the verification process. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer that is the subject of the request. The same verification process does not apply to opt-outs of Sale or Sharing, but we may apply authentication measures if we suspect fraud (such as verifying access to the email provided when making the request).
The verification standards we are required or permitted to apply for each type of request vary. We verify your categories requests and certain deletion and correction requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. For certain deletion and correction requests (such as those that relate to personal information that is more sensitive in nature) and for specific pieces requests, we apply a verification standard of reasonably high degree of certainty. This standard includes matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you, and may include obtaining a signed declaration from you, under penalty of perjury, that you are the individual whose PI is the subject of the request.
If we cannot verify you in respect of certain requests, such as if you do not provide the requested information, we will still take certain action as required by the CCPA. For example, for California Consumers:
- If we cannot verify your deletion request, we will refer you to the U.S. Privacy Statement for a general description of our data practices.
- If we cannot verify your specific pieces request, we will treat it as a categories request.
Authorizing an Agent
You may designate an authorized agent to submit a request on your behalf by submitting requests in the manners described above. If you are an authorized agent who would like to make a request, the CCPA requires that we ensure that a request made by an agent is a Verifiable Consumer Request, as applicable, and allows us to request further information to ensure that the Consumer has authorized the agent to make the request on their behalf. Generally, we will request that an agent provide proof that the Consumer gave the agent signed permission to submit the request, and, as permitted under the CCPA, we also may require the Consumer to either verify their own identity or directly confirm with us that they provided the agent permission to submit the request.
California Privacy Rights
Only California residents have the right to make the following request. Any other requests will be considered and processed in our sole business judgment.
Right to Know
Right to Know – Categories/Confirmation of Processing
You have the right to request that we provide you certain information to you about our collection, use and disclosure of your PI. You can request that we confirm whether we are processing your personal information, and disclose to you: (1) the categories of PI we collected about you; (2) the categories of sources for the PI; (3) our business or commercial purpose for collecting or selling that PI ; (4) a list of the categories of PI disclosed for a business purpose in the prior 12 months and, for each category of PI, the categories of recipients; and (5) a list of the categories of PI sold or shared about you in the prior 12 months and, for each, the categories of recipients.
Right to Know – Specific Pieces
You have the right to request a transportable copy of the specific pieces of PI we collected about you. We will process two (2) “right to know” requests free of charge annually and reserve the right to charge you a reasonable fee for excessive requests, as permitted under the CCPA.
You have the right to request that we delete any of your PI that we have collected directly from you and retained, subject to certain exceptions which we will explain if they apply. After we confirm that your deletion request is a Verifiable Consumer Request, subject to permitted retention exceptions, we will carry out one or more of the following: (i) permanently erase your PI on our existing systems with the exception of archived or back-up systems, (ii) deidentify your PI, or (iii) aggregate your PI with other information. Where legal exceptions will apply to your request for deletion, we will tell you which one(s) and will limit retention to the permitted purpose(s).
Right to Correct
You have the right to request that we correct inaccuracies that you find in your personal information maintained by us. Your request to correct is subject to our verification (discussed above) and the response standards in the CCPA.
The CCPA offers opt-out rights for Sharing (also known as disclosures as part of “cross-context behavioral advertising”) as well as the right to opt-out of Sales of your PI. The CCPA has a broad concept of Sale, which at a minimum includes providing or otherwise making PI available PI to a third party regardless of monetary consideration outside of certain contexts like where we are using Service Providers or you are directing or causing the disclosures (e.g., shipping agents).
Third-Party digital businesses, including social media platforms, video player providers, analytics companies, and other tech companies that offer digital services (“Third-Party Digital Businesses”) may associate cookies, web beacons (also known as pixel tags) and other similar technology (“Tracking Technologies”) on our online Services that collect PI when you use or access the online Services, or otherwise collect and process PI that we make available about you, including digital activity information. Giving access to PI on our online Services, or otherwise, to Third-Party Digital Businesses without your opt-in direction could be deemed a Sale and/or Sharing. Therefore, we will treat such PI collected by Third-Party Digital Businesses (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) as a Sale, and subject to the opt-out requests described above. For information regarding other categories of third parties to which we may sell/share your PI, see the table in the NOTICE OF COLLECTION AND PRIVACY PRACTICES section above.
When you opt-out pursuant to the instructions below, it will have the effect of opting you out of Sale and Sharing, such that our opt-out process is intended to combine both these opt-out rights. Instructions for opting out are below.
We may collect directly from you or otherwise about you, certain PI such as your email address through other means like event registration, contact us webpage, purchase orders, etc. (which we refer to through this notice as “non-cookie PI”. We do not Sell or Share your non-cookie PI.
Opt-out for cookie PI: If you would like to submit a request to opt-out of the sale/sharing your personal information collected through Tracking Technologies (“cookie PI”), you can exercise your request by visiting our cookies Consent Management Tool, accessible via the icon located at the bottom of our webpages and following the instructions. You must exercise your preferences from each browser you use and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective, and you will need to set them again.
Opt-Out Preference Signals (also known as Global Privacy Control or “GPC”)
For California residents, the CCPA requires businesses to process GPC signals, which is a type of opt-out preference signals (“OOPS”), and we treat all visitors to our online Services as California Residents with respect to cookies on our online Services. GPC signals are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of Sale and/or Sharing, such that the GPC signal effectively automatically communicates such requests. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. To our knowledge, we have configured the settings of our consent management platform to receive and process GPC signals on our websites for California IP addresses, as explained by our cookies Consent Management Tool, accessible via the icon located at the bottom of our webpages. We will apply GPC signals as a Do Not Sell/Share requests as to cookie PI, and if you have previously accepted non-essential cookies we will treat the signal as a request to change that direction to reject non-essential cookies that may be a Sale or Share (i.e., certain functional cookies). Notably, when you are visiting our website on a particular device and browser, we will apply the GPC signal and corresponding Do Not Sell/Share as to cookie-PI only to that specific device and browser. You must re-enable GPC if you visit our website on a different device and/or browser.
We do not: (1) charge a fee for use of our websites if you have enabled GPC; (2) change your experience with our websites if you use GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC (except that we may from time-to-time display on our website or consent management platform that you have enabled GPC).
Automated Decision Making and Profiling and Sensitive Personal Information
As of the Effective Date, the definitions of automated decision-making and profiling, and associated opt-out and access requirements, have not been added to the updated regulations of the CCPA. When such regulations are promulgated, we will update this section. We only process sensitive personal information in manners for which you do not have a right to limit the processing (e.g., to provide you requested services, for business record keeping and compliance purposes, etc.).
Right to Non-discrimination
You have the right not to receive discriminatory treatment, in a manner prohibited by the CCPA, for the exercise of your privacy rights.
Ours and Others' Rights
Notwithstanding anything to the contrary, we may collect, use, and disclose your PI as required or permitted by applicable law and this may override your rights under the CCPA. In addition, we need not honor any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law.