PRIVACY STATEMENT

Last updated: 20th September 2023


This privacy policy applies to Affinity Global Inc. and its subsidiaries (collectively, “Affinity,” or “we“, “us“, “our“) and covers it’s corporate website - www.affinity.com as well as the other websites that the Affinity Group operates and that link to this Policy.

This Privacy Policy describes how Affinity collects, uses, and discloses information, and what choices you have with respect to the information.

Please read this Privacy Notice carefully. By visiting our website or using any of our services, you indicate your acceptance of our use of your personal data as set out in this Privacy Notice.

Services

We are an ad tech company and create user engagement products for digital media. Our products/services platforms include VEVE, Siteplug, mCanvas, NucleusLinks, AdOpsOne, YieldSolutions and Opinary. Privacy Policy specific to each of our services is published separately on our respective websites.

It is our policy to respect your privacy regarding any information we may collect while using our services and websites, collectively called the Services.

Information We Collect

End user’s Data

We collect your data when you engage with us through our marketing platforms. We may collect information on your device and your interaction with the advertisement. This information enables us to provide a better user experience to you and improve our Products and Services, including recognizing your device when you use other sites and applications that have partnered with us. The information includes:

  • Device identifiers such as iOS devices’ Identifier for Advertising (IDFA) and iOS Identifier for vendors, Google Advertising ID (GAID), or Android ID for Android devices
  • Location information:
    • Geo-location of your device if you have given the app or site permission to collect your location information.
    • IP address (only for countries other than the United Kingdom and countries outside the European Union)
    • Location information we infer from your device’s IP address.
  • Other information such as Device type, Operating System, and Language settings

Other Data

Log Data : Our servers automatically collect information when you access or use our applications and services. This data is recorded in log files. Examples of such data include IP Address.

Information provided by you : We collect personal data when you use our website, product or services or provide the personal data directly to us. For the creation of user accounts, you provide your name, email address, password, telephone number, and correspondence address. You also provide billing details for invoicing purposes.

Publishers, Advertisers, Media companies, Advertising Agencies, Domain parking companies, and Domain Owners provide data that is necessary to create accounts.

Subscription Data : You provide personal data such as your name and email ID to us as part of signing up for communication from us through our websites. We may also collect personal data from you when you use interactive features of the Websites, promotions, requesting customer support, or otherwise communicating with us.

Contact Us Data :When you enquire about our products and services, we collect and store this data to communicate with you and respond to your enquiry.

Information from other sources : Apart from the data you provide us directly, we may collect information about you from publicly available sources and third-party sources.

Data received from B2B contact databases : We may receive your data, such as name, business email, and contact number, from GDPR-compliant B2B contact databases we have subscribed to.

Cookies

We collect data through cookies. Cookies are small text files placed on your computer by websites you visit. They are widely used to make websites work or work more efficiently, as well as to provide information about your actions to the owners of the website.

We collect data through cookies from our Website visitors:

Affinity uses cookies to identify and track website visitors, their usage of the website, and their website access preferences. Affinity website visitors can control cookies through the Cookies Settings tool provided on the website.

The categories of cookies used are:

  • Strictly necessary cookies - These cookies are needed to run our website, keep it secure, and comply with regulations that apply to us.
  • Performance/analytics cookies - We may use performance/analytics cookies on our website. These cookies collect information about how website visitors use our website and services, including which pages website visitors go to most often and if they receive error messages from certain pages. It is used to improve how our website functions and performs.

For more details about how we use these technologies, please see our Cookie Policy

Click here to view the Cookie List.

How We Use Your Data

How we use your personal data will depend on which Products or Services you use and how you use those Products or Services.

We use the End User’s Data to:

  • Display advertisements on your device, which may include interest-based advertising customized to your interests, preferences, and locations.
  • For bidding to serve advertisements and to determine which ads are most effective.
  • To redirect users who erroneously enter a typo domain of an Advertiser (in the address bar only) to the original brand website.
  • To suggest Advertisers / relevant brands to users based on a search input.
  • To analyze and provide our demand partners or advertisers reports on the effectiveness of advertisements and campaigns, including across different types of devices, based on our determination of devices related to the same person.
  • For pushing the notifications based on your consent to our publishers, such as browsers or devices.
  • For pushing the notifications based on the consent you gave us when we act as publishers.
  • To detect, deter, and prevent fraud and fraudulent traffic or to protect the security of our systems.
  • To provide detailed reports to our publishers about their traffic performance.
  • Internal business reporting.

Other Data

  • We use this data to provide our services, send our newsletters, and to communicate with you by responding to your requests, comments, and questions.

Lawful bases for processing

We process your personal data only when we have a lawful basis.

Presently, we use the following:

  1. Consent - We process your data if you have given your consent freely for the same. Where we rely on your consent to use your personal data, you have the right to withdraw that consent at any time. Please contact us using the details in the ‘Contact Information’ section of this notice.
  2. Performance of contract - We process your data when it’s necessary for the performance of the contract. For example, if the processing is necessary to fulfil our commitments under the applicable terms of service.
  3. Legal Obligation - We process your data if the use of your information is necessary for compliance with legal obligations.
  4. Legitimate Interest - We may also process your data on the grounds of legitimate interest for a particular processing activity. For example, to safeguard our services, to understand our user preferences etc.

Where you have consented to a particular processing, you have a right to withdraw the consent at any time.

Users under 16 years of age

The Sites and Services do not knowingly collect personal information from users under the age of 16

If you are under the age of 16, you are not permitted to use the Sites and Services or to disclose Personal Information. If we learn we have collected or received Personal Information from a child under 16, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us using the details set out in the "Contact Information" section below.

Data Retention Policy

End User’s Data:

We will retain data collected in the context of our Marketing Platform for a period of up to 3 years, unless otherwise required by law or applicable contract.

We may retain the information it obtains about you as per the instructions of its customers or partners who provide such information or as required to fulfil our contractual obligations

After the applicable retention period, we may only retain and use your data:

  • in an aggregated or anonymized format;
  • to comply with its legal obligations;
  • to resolve disputes and enforce agreements.

Please note that the use cases stated in this provision will apply as an exception to your data subject or consumer rights related requests.

Other Data

Affinity may retain ‘Other data’ pertaining to you for as long as necessary for the purposes described in this Privacy Policy.

Your Rights

Data Subjects have certain rights in respect of their personal data. The rights given with respect to your personal data include:

  • The Right of Access: You have the right to access personal data and supplementary information. You can ask us for a copy of your personal information
  • The Right to Rectification: You can ask us to change, update or fix your data in certain cases, particularly if it is inaccurate.
  • The Right to Erasure: You can ask us to erase or delete all or some of your personal information (e.g., if it is no longer necessary to provide Services to you) without undue delay.
  • The Right to Restriction of Processing: You can ask us to stop using all or some of your personal information (e.g., if we have no legal right to keep using it) or to limit our use of it (e.g., if you think your personal information is inaccurate or unlawfully held).
  • The Right to Data Portability: You have the right to data portability which provides the right to receive your personal data in a structured, commonly used and machine-readable format, and have the right to transmit the same to another controller.
  • The Right to Object: You have the right to object to the processing of personal data.
  • Automated individual decision-making, including profiling:You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you (data subject).
  • The right to withdraw consent: You have the right to withdraw your consent at any time with effect for the future. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
  • The right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority if you are dissatisfied with the way we handle or process your personal data.

Whenever you use our services, we aim to provide you with easy means to access, modify, delete, object to or restrict the use of your personal information.

We strive to give you ways to access, update/modify your data quickly, or delete it unless we have to keep that information for legal purposes. These rights can be exercised by contacting us using the details set out in the "Contact Information" section below.

End User’s rights

We provide same rights to the users of our services. We receive requests related to user’s rights from our publishers and advertisers.

Account Closure

We keep some personal data even after account closure.

Once you choose to close your account, we generally delete your personal information within 3 years of the closure of your account. Some information that is necessary for statutory obligations, such as records of payment processing invoicing data, will be retained as necessary.

Your information shared with others

Recipients of your data

Affinity may share the data we collect or receive about you as described in this Policy as follows:

  • Publishers and Supply Partners- We may share your information with publishers (the app or site publishers) to help them understand how users interact with their apps and sites and advertisements on their apps and sites.
  • Demand Partners and Advertisers- We may share your information with demand partners, brands and advertisers who use our Marketing Platform, to allow them to understand the performance of their campaigns; and to help them better target their campaigns, products or offerings
  • Marketing Partners- We may share your information with data partners who help us with better understanding your preferences by providing data enrichment services and measurement companies who help us with attribution and tracking of advertisements distributed through us.
  • Content Providers- We may share personal information we collect about you with our content providers who provide content to be displayed on our websites.
  • Service Providers- We may share personal information we collect about you with our third-party service providers. The categories of service providers to whom we entrust personal information include: IT and related services such as cloud-based data centers, analytics service providers; service providers for fraud detection; CRM and email marketing services.
  • Disclosures to Protect Us or Other- We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
  • Disclosures in the Event of Merger, Sale, or Other Asset Transfers- If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.

Cross-Border Data Transfers

Your data will be stored and processed in multiple countries including outside of the European Union (EU) Region.

Since we are an international company, your data will be processed outside of the EU region. Your data will be processed within Third Party Data Centers in Europe, India and the USA used by Affinity. Some countries where we process data may not have as protective laws as your own country and there are risks associated with such transfer.

Affinity offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our publishers and advertisers that operate in the European Union, and other international transfers of data. These clauses are contractual commitments between parties transferring personal data (for example, between Affinity and its Clients, suppliers or data processors outside the EU), binding them to protect the privacy and security of the data.

Security Measures to Protect your Data:

Security Measures

We implement security controls to prevent breaches and unauthorised access to your data.

We maintain reasonable and appropriate security measures to protect your data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

Examples of security measures include physical access controls, restricted access to data, monitoring for threats and vulnerabilities etc.

Protection of personal information

Our Sites and Services uses commercial efforts to maintain safeguards for protecting your Personal Information. To refer to our jurisdiction-specific policy:

Affinity takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or destruction of potentially personally-identifying and personally-identifying information.

Contact Information

You can contact us about this privacy policy or use of our services.

If you have questions or complaints regarding this Policy, you may contact us through email at compliance@affinity.com. You may contact us at our mailing address below
20 N. Wacker Drive, 12th Floor,
Chicago, IL 60606

If you are a resident of the European Economic Area and we maintain your Personal Data within the scope of the General Data Protection Regulation (GDPR), you have additional rights. If you are not satisfied with the resolution, you can also lodge a complaint with the Supervisory Authority in the country of your residence.

Privacy policy change

Affinity may change this Privacy Policy from time to time, at our sole discretion.

Affinity encourages End Users and customers to frequently check this page for any changes to its Privacy Policy. We will notify you of material changes in advance by email or by notice when you log in to the Sites and Services or both. You confirm that your continued use of our services after any change in this Privacy Policy will constitute your acceptance of such changes and agree to be subject to the revised privacy policy.

ANNEXURE A: Jurisdiction-specific provision:

California Privacy Rights Act (CPRA)

This CPRA Privacy Policy describes Affinity practices regarding the collection, use, and disclosure of the personal information of California residents, describes the rights of California residents under the California Privacy Rights Act (“CPRA”), and explains how California residents may contact Affinity to exercise those rights. This CPRA Privacy Policy only applies to the personal information of California residents.

CPRA Categories of Personal Data

Categories of Personal data End User’s Data (Data processed through our Services) Other Data (Data processed through our Websites)
Identifiers

We do not collect any personal identifier data.

IP address is captured on web browsing logs.

Data collected for creation of user accounts and subscriptions of blogs & newsletters from our Websites:

Name, Business email and address, phone number

Information provided by you :We collect personal data when you use our website/services or provide the personal data directly to us. For the creation of user accounts, you provide your name, email address, password, telephone number, and correspondence address. You also provide billing details for invoicing purposes.

Publishers, Advertisers, Media companies, Advertising Agencies, Domain parking companies, and Domain Owners provide data that is necessary to create accounts.

For the creation of user accounts, you provide your name, email address, password, telephone number, and correspondence address. You also provide billing details for invoicing purposes.

Subscription Data : You provide personal data such as your name and email ID to us as part of signing up for communication from us through our websites. We may also collect personal data from you when you use interactive features of the Websites, promotions, requesting customer support, or otherwise communicating with us.

Contact Us Data :When you enquire about our products and services, we collect and store this data to communicate with you and respond to your enquiry.

Information from other sources :Apart from data you provide us directly, we may collect information about you from publicly available sources and third-party sources.

Data received from B2B contact databases: We may receive your data, such as name, business email, and contact number from GDPR-compliant B2B contact databases we have subscribed to.

Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). N/A Name, signature, tax identification number (i.e. National Insurance Number), Government ID number etc. for individual who are signing up as our partners and customers.
Financial Information N/A Bank details, payment information etc. for our partners and customers.
Commercial Information Not collected Not collected
Protected Classification characteristics under California or federal law. N/A. We do not collect information such as Gender, Age, national origin, marital status etc. N/A. We do not collect information such as Gender, Age, national origin, marital status etc.
Biometric information N/A - N/A - We do not collect Biometric information. N/A - N/A - We do not collect Biometric information.
Internet or other similar network activity. Log data, session information, Cookie Id. Log data, session information, Cookie Id.
Geolocation data

Such as your location information generated based on your IP address etc.

  • IP address (only for non-EU)
  • Location information such as country code we infer from your device’s IP address
  • We do not collect the precise location of the Website visitors
Sensory data. N/A - We do not collect any Sensory data. N/A - We do not collect any Sensory data.
Professional or employment-related information. N/A Employment status, previous employment details, salary details etc only for job applicants.
Inferences drawn from other personal information. N/A
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Only from job applicants - educational details, history, degree.

No Sale of Personal Data:

Affinity has not sold Personal Data in the preceding twelve (12) months.

Right To Opt-Out Of The Sale Of Personal Data:

Affinity does not sell your personal data.

If in case, Affinity ever changes its policy and choose to sell Personal Data, you would have the right to opt-out of the sale of your Personal Data by clicking on the Cookie Settings.

Sensitive data:

We do not generally seek to collect sensitive data through this site or otherwise. In the limited cases where we do seek to collect such data, we will do this in accordance with California Privacy Rights Act("CPRA") requirements. If in case, Affinity ever chooses to use Sensitive Personal Data, you would have the right to limit the use of your sensitive personal Data.

The term "sensitive data" refers to the various categories of personal data identified by CPRA as requiring special treatment, including in some circumstances the need to obtain explicit consent from you. These categories include racial or ethnic origin, political opinions, religious, philosophical, or other similar beliefs, membership of a trade union, physical or mental health, biometric or genetic data, sexual life or orientation, or criminal convictions and offences (including information about suspected criminal activities).

Disclosures of Personal Data for a Business Purpose:

In the preceding twelve (12) months, Affinity has not disclosed Personal Data for business purposes.

Your Rights:

The CPRA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CPRA rights and explains how to exercise those rights.

  • Access to Specific Information

    You have the right to request that Affinity disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

    • The categories of personal information we collected about you.
    • The categories of sources for the personal information we collected about you.
    • Our business or commercial purpose for collecting or selling that personal information.
    • The categories of third parties with whom we share that personal information.
    • The specific pieces of personal information we collected about you (also called a data portability request).
    • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
      • Sales, identifying the personal information categories that each category of recipient purchased; and
      • Disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
  • Deletion Request Rights

    You have the right to request Affinity delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

    We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

    • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
    • Exercise free speech, ensure the right of another consumer to exercise their free speech rights or exercise another right provided for by law.
    • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement if you previously provided informed consent.
    • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
    • Comply with a legal obligation.
    • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
  • Right to Correct Inaccurate Personal Information

    You have a right to request for correction of Inaccurate personal information. We shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer.

  • Right to Know What Personal Information is Sold or Shared and to Whom

    You have a right to request us information about what personal information is sold or shared by us and with whom. Once request received, we shall disclose the following:

    • The category or categories of consumers’ personal information it has sold or shared, or if we have not sold or shared consumers’ personal information, it shall disclose that fact.
    • The category or categories of consumers’ personal information it has disclosed for a business purpose, or if we have not disclosed consumers’ personal information for a business purpose, it shall disclose that fact.
  • Right to Opt Out of Sale or Sharing of Personal Information

    You have a right to opt out of sale or sharing of personal information if we sell or share such personal information. We shall prohibit from selling or sharing the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides consent, for the sale or sharing of the consumer’s personal information.

  • Right to Limit Use and Disclosure of Sensitive Personal Information

    You have a right to request us to limit Use and Disclosure of Sensitive Personal Information. Upon such request we shall prohibit, from using or disclosing the consumer’s sensitive personal information for any other purpose after its receipt of the consumer’s direction unless the consumer subsequently provides consent for the use or disclosure of the consumer’s sensitive personal information for additional purposes.

  • Right of No Retaliation Following Opt Out or Exercise of Other Rights – Non-Discrimination

    We will not discriminate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not:

    • Deny you goods or services.
    • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
    • Provide you a different level or quality of goods or services.
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

    Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

    You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

    • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
    • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

    We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

  • Response Timing and Format

    We endeavour to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

    Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

    We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

CONTACT FOR MORE INFORMATION

If you have any questions or concerns about Affinity’s privacy policy and practices, please contact us by email at compliance@affinity.com, or by mail at:
20 N. Wacker Drive, 12th Floor,
Chicago, IL 60606

Privacy policy change

We will review and update this CPRA Privacy Policy periodically and will note the date of its most recent revision at the top of this CPRA Privacy Policy. If we make material changes to this Policy, we will post the revised Policy on our website and may take additional measures to inform you about such changes prior to such changes taking effect, if required by applicable data protection laws. We encourage you to review this Policy frequently to be informed of how Affinity is protecting your information.

ANNEXURE B: EU-U.S. Data Privacy Framework for Data Transferred to the United States from the EU

Participation in EU-US Data Privacy Framework (EU-US DPF) and UK extension to the EU-U.S. DPF:

Affinity has created this privacy notice based on the EU-U.S. Data Privacy Framework to help you understand how we are subject to and comply with the EU-U.S. Data Privacy Framework (EU -U.S.DPF) and UK extension to the EU-U.S. DPF.

The U.S. Department of Commerce has established this framework regarding the collection, use, and retention of personal information transferred from the European Union (“EU”) and the UK to the United States.

Affinity Global Inc, a Delaware Corporation headquartered in Chicago, Illinois, has certified that it adheres to the EU-U.S. DPF Principles and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce with respect to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the policies in this privacy policy and the data subject rights under the EU- U.S. DPF Principles, the EU -U.S. DPF Principles and UK extension to the EU-U.S. DPF shall govern.

To learn more about the EU US DPF program and to view our certification page, please visit Home (dataprivacyframework.gov) for more details.

Scope

We are an ad tech company and create user engagement products for digital media.

Legal entities under which these brands are covered are listed below:

  • Affinity Global Inc.
  • Affinity Global Advertising Pvt. Ltd.
  • mCanvas Advertising Pvt. Ltd.
  • Co-Operatie Hostway Europe Holdings Company UA.
  • Affinity Global GmbH (formerly Opinary GmbH).

Type of Personal Data in Scope of EU-U.S. Data Privacy Framework and UK Extension to the EU-U.S. DPF:

We cover non-HR data in the framework. Based on the nature of the businesses listed above, Affinity will process any of the data elements listed in the sections End User’s Data and Other Data.

Purpose of Data in Scope of EU-U.S. Data Privacy Framework and UK Extension to the EU-US DPF:

Refer to the sections How We Use Your Data and Lawful bases for processing for the purpose of processing and its lawful basis.

Notice

We may be required to disclose Personal Data in response to lawful requests by public authorities, including requests to meet national security or law enforcement requirements. Prior to the transfer of Personal Data from the EU and the UK to the United States, we require a contractual confirmation from the Controller from whom we acquired the information that the Personal Data has been provided to us in accordance with GDPR, EU U.S. DPF and UK extension to the EU-U.S. DPF, or the applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with proper notice regarding how their Personal Data will be used.

Choice

Pursuant to the EU U.S. DPF Framework and UK extension to the EU-U.S. DPF, EU and UK individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you access to the personal information we hold about you. You may also correct or amend\ the personal information we hold about you. Furthermore, you may delete data that has been handled in violation of the DPF Principles. An individual who seeks access or who seeks to correct, amend inaccurate date or delete mishandled information transferred to the United States under EU U.S. DPF and UK extension to EU-U.U. DPF should direct their query to compliance@affinity.com. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents or before we use it for a purpose other than which it was originally collected or subsequently authorized.

To request to limit the use and disclosure of your personal information, please submit a written request to compliance@affinity.com.

Accountability for onward transfer

Affinity is responsible for processing personal data it receives under the EU U.S. Data Privacy Framework and UK extension to EU-U.S. DPF and subsequently transferring it to third parties as described in sections Your information shared with others.

Since we share Personal Data with third parties as referenced above, we comply with the notice and choice principles as described above for all data disclosed or transferred to a third party. We take reasonable and appropriate steps designed to ensure that the third party effectively processes the Personal Data transferred in a manner consistent with our obligations under the Principles.

When we use data processors to perform processing tasks on our behalf and at our direction and instruction, we require our data processors either:

  • Subscribe to the EU US DPF Program and UK extension to EU-U.S. DPF (in the case of US-based processors), comply with the General Data Protection Regulations or
  • Enter into a written agreement with us requiring the data processor(s) to process the data only for limited and specified purposes and to provide the same level of protection as Affinity.

In cases of onward transfer to third parties, we remain liable for the acts of the third party that are in violation of the EU U.S DPF. Principles and UK extension to EU-U.S. DPF unless we can prove we were not a party giving rise to the damages.

We may be required to release EU and/or UK personal data in response to lawful requests by public authorities including to meet national security and law enforcement requirements.

Data Security

We have an information security policy in place designed to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Refer to Security Measures to Protect your Data for more details.

Data Integrity & Purpose Limitation

Any personal information received from our customers in which personal data of EU and UK citizens may be contained is treated as “Confidential,” and adequate technical and administrative controls are implemented across all the Affinity entities.

The personal information is used only for the purpose for which it has been collected and is shared within the organization on a need-to-know basis.

The technical and administrative controls ensure the preservation of the confidentiality, integrity, and availability of information per the contractual obligations to which Affinity has committed itself.

Data Access

An individual may request access to the Personal Data processed pursuant to the EU U.S. DPF and UK extension to EU-U.S. DPF we process as part of our Services. Individuals have the right to learn whether data about him or her is found in our information products and to correct, amend or delete that information when it is inaccurate. This right applies only to Personal Data about the individual making the request and is subject to other limitations as defined by law.

Individuals can request access by sending a request to compliance@affinity.com. We agree to process all reasonable requests for access within a reasonable time period but reserve the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual’s privacy or when the request is manifestly unfounded or excessive.

Recourse, Enforcement, and Liability

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Affinity commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact us at: compliance@affinity.com

Affinity has further committed to refer unresolved privacy complaints under the EU US DPF and the UK Extension to the EU-U.S. DPF to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs If you do not receive timely acknowledgment of your complaint, or if your complaint is not addressed satisfactorily, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

Under certain conditions, an individual may invoke binding arbitration to resolve residual claims. We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission In addition, we agree to cooperate with local EU Data Protection Authorities and the UK Information Commissioner’s Office (ICO) to resolve a dispute concerning an alleged breach of the EU US DPF Principles and the UK Extension to the EU-U.S. DPF.

If your EU-US DPF and the UK Extension to the EU-U.S. DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See EU US DPF Annex 1 at ANNEX I (introduction) (dataprivacyframework.gov).

Contact Information

If you have any questions or concerns about Affinity’s privacy policy and practices, please contact us by email at compliance@affinity.com, or by mail at:
20 N. Wacker Drive, 12th Floor,
Chicago, IL 60606

Privacy policy change

We will review and update this Privacy Policy periodically and note the date of its most recent revision at the top of this Privacy Policy. If we make material changes to this Policy, we will post the revised Policy on our website and may take additional measures to inform you about such changes prior to such changes taking effect, if required by applicable data protection laws. We encourage you to review this Policy frequently to know how Affinity protects your information.