Privacy Policy | Smilebox

SMILEBOX PRIVACY POLICY

[Last Modified: January 1, 2024]

This privacy policy (“Privacy Policy” or “Policy”) describes how Smilebox Inc., a wholly owned subsidiary of Perion Network Ltd. (“Smilebox”, “we”, “us”, or “our” respectively), collects, uses and discloses certain information, including Personal Data (as defined below) from users who access our informative website available at: https://www.smilebox.com (“Website“) or the services offered through the platform available at: https://plus.smilebox.com/, or the extension available at: https://www.smilebox.co/ (which shall all collectively with the Website shall be referred to as “Users”, “you” or “your”, and “Services” respectively), as well as the choices you can make about that information.

This Privacy Policy forms an integral part of our Terms of Service. Capitalized terms used herein but not defined herein, shall have the meaning ascribed to it under the Terms of Service.

Note you are not required by law to provide us with any Personal Data. Sharing Personal Data with us is entirely voluntary.

This Privacy Policy governs the use, processing and sharing of Personal Data that applies to all individuals world-wide, however, certain jurisdictions require that applicable disclosures will be provided in a certain way and format, and therefore additional notices will apply as follows:

Additional Information to California Residents: In the event you are a California resident– please also review our CCPA Privacy Notice to learn more about our privacy practices with respect to the California Consumer Privacy Act.

Additional Information to Colorado Residents: In the event you are a Colorado resident – please also review our CPA Notice to learn more about our privacy practices and your rights under the Colorado Privacy Act.

Additional Information to Connecticut Residents: In the event you are a Connecticut resident– please also review our CDPA Notice to learn more about your rights under the Connecticut Data Privacy Act.

Additional Information to Virginia Residents: In the event you are a Virginia resident– please also review our VCDPA Notice to learn more about our privacy practices and your rights under the Virginia Consumer Data Protection Act.

Additional Information to Nevada Residents: In the event you are a Nevada resident– please also review our Nevada Privacy Law Notice to learn more about our privacy practices and your rights under the Nevada Revised Statutes Chapter 603A.

Additional Information to Utah Residents: In the event you are a Utah resident – please also review our UCPA Notice to learn more about your rights under the Utah Consumer Privacy Act.

POLICY AMENDMENTS:

We reserve the right to amend this Policy from time to time, at our sole discretion. The most recent version of the Policy will always be posted on the website. The updated date of the Policy will be reflected in the “Last Modified” heading. We will provide notice to you if these changes are material, and, where required by applicable law, we will obtain your consent. Any amendments to the Privacy Policy will become effective immediately, unless we notify otherwise. We recommend you review this Policy periodically to ensure that you understand our most updated privacy practices.

CONTACT INFORMATION AND DATA CONTROLLLER INFORMATION:

Smilebox Inc., a subsidiary of Perion Network Ltd., incorporated under the laws of the State of Washington, U.S., is the Controller [as such term is defined under the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) or equivalent privacy legislation]. For any question, inquiry or concern related to this Privacy Policy or the processing of your Personal Data, you may contact Perion Group’s privacy team as follows:

Data Protection Officer:

By Email: [email protected]

By Mail: Smilebox, Inc. C/O Perion Network Ltd. 26 HaRokmim Street, Azrieli Center 1, Holon, 5885849 Israel

Data Protection Representative for data subjects in the EU, UK and Swiss:

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: https://prighter.com/q/11106546394, or contact directly through the following email address: [email protected].

DATA SETS WE COLLECT AND FOR WHAT PURPOSE:

We may collect two types of information from you, depending on your interaction with us.

The first type of information is non-identifiable and anonymous information (“Non-Personal Data”). We are not aware of the identity of the individual from who we have collected the Non-Personal Data. Non-Personal Data which is being gathered consists of technical information, and may contain, among other things, the type of operating system and type of browser, type of device, your action in the website or Services (such as session duration).

The second type of information is individually identifiable information, namely information that identifies an individual or may with reasonable effort identify an individual (“Personal Data” or “Personal Information” as applicable under law).

For the avoidance of doubt, any Non-Personal Data connected or linked to Personal Data shall be deemed as Personal Data as long as such connection or linkage exists.

The table below details the types of Personal Data we process, the purpose, lawful basis, and our processing operations:

DATA SET	PURPOSE AND OPERATIONS	LAWFUL BASIS UNDER THE GDPR
Online Identifiers and Behavioral Data: When you access and interact with our Services, we collect certain online identifiers such as Cookie ID, advertising ID, IP address or similar unique online identifiers generated (“Online Identifiers”). Further, we will collect your behavioral information, which is collected indirectly by our external marketing tools, or analytic tools. This information includes the referring URL (that is, the webpage directing you to our Services, and other websites, products or apps visited in the session), your interests in our competitors, the web page you visited when you tapped/clicked on our ad, how you interact with our webpage, time, duration of use, pages you have viewed on our Services (“Behavioral Data”).	Online Identifiers and Behavioral Data are used to enable the operation and proper functionality of the Services, for security and fraud prevention purposes, debugging purposes and to resolve technical problems. For example, in order to automatically recognize you by the next time you enter your account or to confirm you are a real person. Additionally, Online Identifiers and the Behavioral Data are collected and processed for marketing and analytic purposes, for example, in order to understand how Users use our Services, measure effectiveness of some ads we place, track conversions, build targeted audience, and market our Services to people who have taken some action on the website. Note, certain Online Identifiers and Behavioral Data are indirectly collected and processed by third-parties tools we use which place cookies, pixels and similar tracking technologies.	Online Identifiers which are collected through cookies we implement, and are strictly necessary for the proper and basic operation of the Services will be processed in our legitimate interest. Online Identifiers and BehavioralData used for fraud prevention, improving the Services are subject to our legitimate interest. When we process your Online Identifiers and Behavioral Data for targeting, marketing and analytic purposes we will obtain your consent which we will obtain through our consent management platform available through Website. You may withdraw consent at any time by using the cookie preference settings as available in our Website footer, or as otherwise detailed under Section 11 herein “User Rights”.
Contact Information: If you voluntarily contact us for support or other inquiries, including requests to receive our newsletter, you may be required to provide us with certain information such as your name, email address, organization name, etc. In addition, you can choose to provide us with additional information as part of your correspondence with us (“Contact Information”).	Provide the required support: We collect your Contact Information to provide you with the support you requested or to respond to your inquiry.	We process your Contact Information in order to provide you the requested support, subject to our legitimate interest.
	Newsletter: We will use your email in order to send you our newsletter and other marketing materials.	We process such contact information subject to your consent. You may withdraw consent at any time through the “unsubscribe” link within the email or by contacting us directly.
	Improve the Services: The correspondence with you may be processed and stored by us in order to improve our customer service and in the event, we believe it is required to continue to store it, for example, in the event of any claims or in order to provide you with any further assistance (if applicable).	When we process your Contact Information on order to improve our Services, we do so based on our legitimate interest.
Account Information: When you create an account and sign up for our Services you will be requested to provide us with certain information such as your full name and email address, and create a password credentials (“Account Information“).	We will use your Account Information to create your account, authentication, provide account management (including billing and invoices), customer support and to provide the Services.	We process your Account Information for the performance of our contract with you or, depending on your interaction with us, in order to take steps prior to entering into such contract. If you wish to opt-out, and stop receiving our emails, simply click the “unsubscribe” button appears within the email we sent you.
	Direct marketing: We use your email address in order to provide you with marketing related communication such as service updates, new capabilities and features, surveys, etc. (“Direct Marketing”).	When we use your email address to send you Direct Marketing, we do so based on our legitimate interest.
	Suppression list: We will further use your email address, if applicable, under our suppression list, when you request to opt-out, all under our legitimate interest and to ensure we comply with such preference and choice.	We will keep you email address for purpose of maintaining a suppression list based on our legitimate interest.
Approximate Geolocation: When using the Services we will collect your approximate location based on your IP address. You may be able to control collection of this data through the settings of your device (“Geolocation Data”).	We process your Approximate Geolocation in order to understand where our Users are located for a number of reasons: it helps us to localize and personalize content, comply with local laws, undertake aggregated analytics, understand if our Services are being used for domestic, business or personal purposes, and improve advertising efficiency.	We collect your Approximate Geolocation based on our legitimate interest.
Usage Data: When you use the Services, information regarding such use is automatically generated and collected, which may include the click stream within the Services, the time spent on each page or feature, crash data and analytics such as how often you use the Service, which type of card do you typically use (e.g., birthdays, weddings, etc.) etc. (“Usage Data“).	We use your Usage Data to help us understand how you are using our Services, and how to better provide and improve our Services to you. This helps us to better understand our business, analyze our operations, maintain, improve, innovate, plan, design, and develop the Services. We also use your Usage Data for statistical analysis purposes, to test and improve our Services, decide how to improve the Service based on the results obtained from this processing.	We process your Usage Data subject to our legitimate interest.
Payment Information: You may use the Service for free of charge; however, certain premium features require payment. When you use our premium Services, we will obtain information regarding your purchase made through our Services, however not the payment information itself (“Payment Information“).	We use your Payment Information in order to process your payment and provide you with the premium Services you purchased.	We use you payment information in order to comply with our legal obligations. We use BlueSnap as our payment processor pursuant to BlueSnap Privacy Policy or CCPA notice, or through PayPal account, in which you will be subject to the PayPal privacy policy or CCPA notice (“Payment Information”).
Creative Content: We process the content and media you upload to the Services or create through the Services, such as designs, images, documents, videos, and metadata about your content (“Creative Content“). Creative Content may include Personal Data of a Smilebox’s User or other third parties which do not necessarily acknowledge this Privacy Policy and our privacy practices, therefore we highly recommend not to upload or use any personal data or using great care while providing such data to the Services. Further, note you may be able to share your Creative Content and disclose it publiclythrough several social media platforms (such as Facebook and Twitter). When youmake Creative Content public, your information becomes publicly available globally, searchable by other users and can be indexed by search engines.	We use the Creative Content for the purpose of providing the Service. If you or Smilebox remove your Creative Content, copies remain viewable in cached and archived pages, or if other parties (such as your Recipients) have copied or saved that information.	We process the Creative Content solely for fulfilling our contract with you, and it will be deleted once your account is deleted.
Recipients Data: When you share your design with third parties which are not Smilebox Users (“Recipient”), we will collect information regarding such Recipients such as phone number and email address (“Recipients Data”).	We will use the Recipients Data for the sole purpose of providing our Services to our users.	We will use the Recipients Data solely for fulfilling our contract with you.
Review and Feedback: If you submit a review or survey regarding your satisfaction of our Services (including through our third-party service providers), you may share information such as your full name and additional free text.	We use such information in order to improve our Services and allow others to make an informed decision prior to using our Services. You agree that we may collect, use and retain the contents of such review, including for the purposes of publicly displaying such information within the Services and our marketing assets.	We use this information based on our legitimate interest.

Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above may differ. Such processing operation usually includes a set of operations made by automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction. The transfer of Personal Data to third-party countries, as further detailed in the Data Transfer section below, is based on the same lawful basis as stipulated in the table above.

In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts, and any other misuse of the Services and to enforce the Terms, as well as to protect the security or integrity of our databases and the Services, and to take precautions against legal liability. Such processing is based on our legitimate interests.

HOW WE COLLECT YOUR INFORMATION:

Depending on the nature of your interaction with us, we may collect the above detailed information from you, as follows:

Information you provide us directly – for example, when you register and create an account or correspond with us, or when providing the Creative Content.
Information we receive from third parties – for example, where we receive the Recipient Data or when our users access the Services through a third-party connection or log-in, such as Facebook Connect or your Google account, by “following,” “liking,” adding our Services, etc., such third party may pass certain information about your use of their service to us. This information could include, but is not limited to, the user ID associated with your account (for example, your Facebook UID), an access token necessary to access that service, any information that you have permitted the third party to share with us, and any information you have made public in connection with that service. You should always review, and if necessary, adjust your privacy settings on third-party websites and services before linking or connecting them to the Services. If you communicate with us via social media, including Facebook and choose to share your user generated content with us, we may receive information such as videos you’ve created, your photo, your account name and your comments about Smilebox.
Information we receive automatically – we will collect your Online Identifiers and Behavioral Data including Usage data automatically. For more information on the analytics cookies we use and how to opt out of third-party collection of this information, please see our Section 5 below “Cookies and Similar Tracking Technologies”.

COOKIES AND SIMILAR TRACKING TECHNOLOGIES:

When you interact and use our Services, we, or our third party affiliates, place “cookies” and similar tracking technologies such as pixels or web beacons, that collect certain information about your use and interaction with the Services and use this information for the operation and functionality of the Services as well as for analytics and marketing purposes, all as detailed in the table above. All cookies used by Smilebox are persistent cookies, meaning, they will be stored on your device after the browser session has expired.

You can find more information about cookies at http://www.allaboutcookies.org/.

Please see our cookie declaration available here, which details the cookies we use on our Services, as well as our cookie settings tool available here, enabling you to change your settings and preferences ant any time.

Also note that, most browsers will allow you to erase cookies from your device’s hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. You may set your browser to block all cookies, including cookies associated with our Services, or to indicate when a cookie is being used by us, by adjusting the privacy and security settings of your web browser. Please refer to the support page of your browser to learn more about how you can adjust your privacy and security settings.

DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH:

We share your Personal Data with third parties, including with business partners or service providers that help us provide our Services. You can find here information about the categories of such third-party recipients.

CATEGORY OF RECIPIENT	DATA THAT WILL BE SHARED	PURPOSE OF SHARING
Service providers	All types of Personal Data	We employ other companies and individuals to perform functions on our behalf, such as sending communications, processing payments, analyzing data, providing marketing and sales assistance (including advertising and event management), identifying errors and crashes, conducting customer relationship management, and providing training. These third-party service providers have access to Personal Data needed to perform their functions, but they are prohibited from using your Personal Data for any purposes other than providing us with requested services.
Recipients	Creative Content	Upon you request we may share your Creative Content with your Recipients.
Any acquirer of our business	All types of Personal Data	We may share Personal Data, in the event of a corporate transaction (e.g., sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our affiliated companies or acquiring company will assume the rights and obligations as described in this Privacy Policy.
Affiliated companies	All types of Personal Data	We may share certain information with our affiliated companies within the Perion Group, which will provide us with certain required services and, for internal compliance and measurement, etc.
Governmental agencies or authorized third parties	Subject to law enforcement authority request.	We may share certain data when we believe it is appropriate to do so in order to comply with the law enforcement, governmental agencies or authorized third parties, or protect the rights, property, or security of the Company, our customers, partners, or others. We may disclose Personal Data to enforce our policies and agreements, as well as defend our rights, including the investigation of potential violations thereof, alleged illegal activity or any other activity that may expose us, you, or other users to legal liability, and solely to the extent required. In addition, we may disclose Personal Data to detect, prevent, or otherwise address fraud, security, or technical issues, solely to the extent required.

DATA RETENTION:

In general, we retain the Personal Data we collect for as long as it remains necessary for the purposes set forth above, all under the applicable regulation, or until you will express your preference to opt-out, where applicable.

The retention periods are determined according to the following criteria:

For as long as it remains necessary in order to achieve the purpose for which the Personal Data was initially processed.
Where we are required to retain Personal Data in accordance with legal, regulatory, tax, or accounting requirement.
Where we deem retention is necessary to obtain an accurate record of your dealings with us in the event of any complaints or challenges.
If we reasonably believe there is a prospect of litigation relating to your Personal Information.

Other circumstances in which we will retain your Personal Data for longer periods of time include: (i) where we are required to do so in accordance with legal, regulatory, tax or accounting requirements, or (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges, or (iii) if we reasonably believe there is a prospect of litigation relating to your Personal Data. Please note that except as required by applicable law, we will not be obligated to retain your data for any particular period, and we may delete it for any reason and at any time, without providing you with prior notice if our intention to do so.

SECURITY MEASURES:

We work hard to protect the Personal Data we process from unauthorized access, alteration, disclosure, or destruction. We have implemented physical, technical, and administrative security measures for the Services that comply with applicable laws and industry, such as encryption using SSL, we minimize the amount of data that we store on our servers, restricting access to Personal Data to Smilebox employees, contractors, and agents, etc. Note that we cannot be held responsible for unauthorized or unintended access beyond our control, and we make no warranty, express, implied, or otherwise, that we will always be able to prevent such access.

Please contact us at: [email protected] if you feel that your privacy was not dealt with properly, in a way that was in breach of our Privacy Policy, or if you become aware of a third party’s attempt to gain unauthorized access to any of your Personal Data. We will make a reasonable effort to notify you and the appropriate authorities (if required by applicable law) in the event that we discover a security incident related to your Personal Data.

INTERNATIONAL DATA TRANSFER:

Our data servers in which we host and store the information are located in the US and the EU. Perion Group is based in Israel, and therefore your Personal Data may be accessed from territories which are not your country of residence. In the event that we need to transfer your Personal Data out of your jurisdiction, we will take appropriate measures to ensure that your Personal Data receives an adequate level of protection as required under applicable law. Furthermore, when Personal Data that is collected within the European Economic Area (“EEA“), the UK or Swiss are transferred outside of the EEA, the UK or Swiss (respectively) to a country that has not received an adequacy decision from the European Commission or an equivalent competent authorities, we will take necessary steps in order to ensure that sufficient safeguards are provided during the transferring of such Personal Data, in accordance with the provision of the standard contractual clauses approved by the European Union or the UK standard contractual clauses (UK SCCs) as approved by the UK Information Commissioner Office (ICO), as applicable.

ELIGIBILITY AND CHILDREN PRIVACY:

The Services are not intended for use by children under the age of 16 and we do not knowingly process children’s information. We will discard any information that we receive from a user that is considered a “child” immediately upon our discovery that such a User shared information with us. Please contact us at: [email protected] if you have reason to believe that a child has shared any information with us.

USER RIGHTS:

We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your information. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed.

In the table below you can review your rights, how you can exercise them, and appeal a decision we take in this regard, any specification per geo-location or territory are available below the table:

RIGHT TO BE INFORMED	You have the right to confirm whether we collect Personal Data or Personal Information about you, if you wish to know if we collect Personal Data about you, please review this Privacy Policy.
RIGHT TO KNOW; ACCESS RIGHTS	You further have the right to know which Personal Data we specifically hold about you, and receive a copy of such or access it, if you wish to receive a copy of the Personal Data, please submit a DSR as available here.
RIGHT TO CORRECTION/ RECTIFICATION	You have the right to correct inaccuracies in your Personal Information, or Personal Data, taking into account the nature of the processing and the purposes. Please submit a DSR as available here.
RIGHT TO BE FORGOTTEN; RIGHT TO DELETION	In certain circumstances, you have the right to delete the Personal Data or Personal Information we hold about you. Please submit a DSR as available here.
RIGHT TO PORTABILITY	You have the right to obtain the Personal Data or Personal Information in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance. We will select the format in which we provide your copy. If you wish to exercise this right please submit our DSR as available here.
RIGHT TO WITHDRAW CONSENT OR RESTRICT THE PROCESSING UNDER THE EU, AND SPECIFICALLY IN THE US THE RIGHT TO OPT OUT FROM: (I) SELLING PERSONAL DATA; (II) RIGHT TO OPT OUT FROM TARGETED ADVERTISING; AND (III) RIGHT TO OPT OUT FROM PROFILING AND AUTOMATED DECISION MAKING	Direct Marketing: You have the right to opt-out from Direct Marketing, if applicable, by unsubscribing through the email received. Marketing and Analytics: If and to the extent applicable, you have the right to opt out of the sale of your Personal Data, or Personal Information, for the purposes of targeted advertising, sale to a third party for monetary gain, or for profiling in furtherance of decisions that produce legal or similarly significant effects concerning you or any other consumer. We do “sell” and “share” your Personal Information for analytic and marketing purposes by using cookies and other tracking technologies. You have the right to opt-out from such “selling” or “sharing” by: Clicking the “do not sell or share my personal information” button or through the cookie setting page all available through our website’s footer. Installing privacy controls in your browser’s setting to automatically signal the opt-out preference to all websites you visit (like the “Global Privacy Control. We honor the Global Privacy Control, where applicable, subject to your jurisdiction, as a valid request to opt-out of the sharing of information linked to your browser.
RIGHT TO APPEAL OR COMPLAINT	If we decline to take action on your request, we shall so inform you without undue delay as required under applicable laws. The notification will include a justification for declining to take action and instructions on how you may appeal, if applicable. Under the EU you have the right to lodge a complaint with the supervisor authority or the Information Commissioner in the UK.
NON-DISCRIMINATION	Such discrimination may include denying a good or service, providing a different level or quality of service, or charging different prices. We do not discriminate our users.

JURISDICTION-SPECIFIC NOTICES:

ADDITIONAL INFORMATION FOR COLORADO RESIDENTS

This section applies to Colorado residents acting only as an individual or household context (and not in a commercial or employment context, as a job applicant or as a beneficiary of someone acting in an employment context). Pursuant to the Colorado Privacy Act (“CPA”) please see below the disclosure of the categories of Personal Data that are collected or processed, the purposes, how consumers can exercise their rights, and appeal such decision, categories of third-parties the controller shares or sells the personal data, or sells the personal data for advertising and how to opt-out.

Under the CPA, Smilebox is required to provide a privacy notice that identifies the categories of Personal Data that are collected or processed, the purposes, how consumers can exercise their rights, and appeal such decision, categories of third-parties the controller shares or sells the personal data, or sells the personal data for advertising and how to opt-out.

In Section 3 to the Privacy Policy, we describe our collection and processing of Personal Data, the categories of Personal Data that are collected or processed, and the purposes for which Personal Data is processed, stored or used. We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without obtaining your consent. Additionally, Section 6 to this Privacy Policy details and discloses the categories of third-parties we share for business purposes. Section 11 to this Privacy Policy details and discloses your rights and Personal Data shared or sold for targeted advertising.

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete your Personal Data. If the request is submitted by someone other than you, proof of authorization (such as power of attorney or probate documents) will be required.

Note your rights are not absolute, and we may, depending on the applicable right you wish to exercise, deny your exercise request, in full or in part, in certain limited events, as described under the DSR.

We will respond to your request within 45 days after receipt of a verifiable Consumer Request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at [email protected] and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint as follows: Colorado AG at https://coag.gov/file-complaint/

If you have an account with us, we may deliver our written response to that account or via email at our sole discretion. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. You do not need to create an account for submitting a request.

Any disclosures we provide will only cover the 12-months period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

ADDITIONAL INFORMATION FOR CONNECTICUT RESIDENTS

Under the Connecticut Data Privacy Act, Public Act. No. 22-14 (“CDPA”) if you are a resident of Connecticut, acting in an individual or household context (and not in a commercial or employment context or as a representative of business, non-profit or governmental entity), your rights with respect to your personal data are described below.

Under the CDPA, Smilebox is required to provide you with a clear and accessible privacy notice that includes: the categories of Personal Data processed, purpose of processing, instructions for exercising consumer rights and appealing decisions, categories of Personal Data shared with third parties, categories of third parties with whom data is shared, and any sale of data or targeted advertising.

We shall respond to your request within 45 days of receipt. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of requests and we inform you of such extension within the initial 45 days response period, together with the reason for the extension.

If we decline to take action on your request, we shall so inform you without undue delay, within 45 days of receipt of your request. The notification will include a justification for declining to take action and instructions on how you may appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Connecticut Attorney General at link: https://www.dir.ct.gov/ag/complaint/ or (860) 808-5318.

We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request, we will not be able to grant your request.

ADDITIONAL INFORMATION FOR VIRGINIA RESIDENTS

Under the Virginia Consumer Data Protection Act, as amended (“VCDPA”) if you are a resident of Virginia acting in an individual or household context (and not in an employment or commercial context), you have the following rights with respect to your Personal Data.

“Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable natural person, and does not include publicly available information that is lawfully made available from government records, that a consumer has otherwise made available to the public; de-identified or aggregated consumer information; Information excluded from the VCDPA scope, such as: HIPAA, GBPA, non-profit entities, higher education, employment data and FCRA, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.

“Sensitive Data” under the VCDPA means data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal data collected from a known child; and precise geolocation data.

The VCDPA requires Smilebox to disclose the categories of Personal Data processed, purpose of processing, how you can exercise your rights, including how a you may appeal our decision with regard to the consumer request, the categories of Personal Data shared with third parties and with whom, and if Smilebox sells Personal Data to third parties or processes Personal Data for targeted advertising.

We will respond to your request within 45 days after receipt of a verifiable Consumer Request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at [email protected] and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Virginia Attorney General at https://www.oag.state.va.us/consumercomplaintform.

ADDITIONAL INFORMATION FOR NEVADA RESIDENTS

The Nevada Revised Statutes Chapter 603A (“Nevada Privacy Law”) grants Nevada Consumers (i.e., a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator) certain rights with respect to their Covered information.

“Covered Information” means any one or more of the following items of personally identifiable information about a Consumer collected by an operator through an Internet website or online service: first and last name, home or other physical address, electronic mail address, telephone number, social security number, an identifier that allows a specific person to be contacted either physically or online, and any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.

Under the Nevada Privacy Law, Smilebox is required to provide you with a clear and accessible privacy notice that includes: categories of Covered Information processed, categories of third parties with whom data is shared, description of the process for exercising Consumer’s rights, if such process exists, description of the process by which Smilebox revise such privacy notice, and the effective date of the notice.

The effective date of this notice is as outlined in the header of this Privacy Policy. In Section 1 to this Privacy Policy we describe the process for this privacy policy amendments, Section 3 to the Privacy Policy describes the categories of Covered Information processed, Section 6 to this Privacy Policy details and discloses the categories of third-parties with whom we share Covered Information. Section 11 to this Privacy Policy details and discloses your rights, if and to the extent applicable, and means for exercising them.

Note, Smilebox does not “sell” your Covered Information as defined under the Nevada Privacy law. Further, though the Nevada Privacy Law does not grant Consumer with additional rights, Smilebox allows Nevada Consumers to submit a verified request regarding your Covered Information collected by Smilebox through the DSR available here, which will be reviewed by Smilebox with due care.

ADDITIONAL INFORMTION FOR UTAH RESIDENTS

Under the Utah Consumer Privacy Act (“UCPA”) if you are a resident of Utah, acting in an individual or household context (and not in a commercial or employment context) your rights with respect to your Personal Data are described below.

“Personal Data” means data which is linked or reasonably linkable to an identifiable individual, and does not include de-identified data and publicly available data or data that is processed not within the scope of UCPA.

“Sensitive Data” under the UCPA means Personal Data that reveals an individual’s racial or ethnic Origin; religious beliefs; sexual orientation; citizenship or immigration status; information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or specific geolocation data.

The UCPA requires Smilebox to disclose the categories of Personal Data processed, purpose of processing, how you can exercise your rights, including your opt-out rights from the sale of Personal Data or processing for targeted advertising, the categories of Personal Data shared with third parties and with whom, and if Smilebox sells Personal Data to third parties or processes Personal Data for targeted advertising. Note, under the UCPA, Smilebox does not “sell” your Personal Data.

We will respond to your request within 45 days after receipt of your request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, we will provide with the reasoning for our refusal.