CREATOR PRIVACY & PERSONAL DATA PROTECTION POLICY

Your privacy is very important to us. This “Privacy & Personal Data Protection Policy” addresses the data we process about individual authors of content (“Creator”, “you” or “your”) on, through or related to the services we offer to our customers. We are Tagger Media LLC (“we”, “us” or “Tagger”). Our registered office address is at 429 Santa Monica Blvd., Suite 220, Santa Monica, CA 90401.

At Tagger we believe in the importance of protecting your information and ensuring you have appropriate control over it, we've summarized the key points from within our Privacy & Personal Data Policy ("Policy", "Privacy Policy") - but of course we suggest reading it in full.

Only those within our organization with the appropriate access level are able to view your information & we restrict access on our end. If Privacy Policy does not say otherwise, the vocabulary used in Privacy Policy should be understood as GDPR, CCPA or other common law regulations say.

If you'd like to unsubscribe, access, amend or delete any information, please contact privacy@taggermedia.com.

If at any time you are concerned or have questions about how we might be handling your data, please reach out to our Data Protection Officer at privacy@taggermedia.com.

If you do not accept and agree with our Privacy Policy, then you must not access or use the Tagger environment or services.

1. GENERAL

• We pull and index publicly available data from the Internet. We also contract directly with third party providers to gain access to their data. In each case, the data we have access to is published or made available by you and other Creators. This data is then organized and stored in our databases. We offer access to our databases, as well as analytics of the data within that databases, to third parties (our “Services”).
• For the purposes of this Policy, Tagger operates as a data controller, except for information that is obtained via third-party websites, online forums, or other platforms, in which case such platform will serve as data controller with respect to such information, and Tagger Media will serve as data processor. Any personal data we collect from you is processed in the United States, Canada, or the European Union, and under the terms of this Policy. Any personal data we collect from you is processed in the legitimate interest of our business and providing our services to you as the lawful means of such processing. We rely on the following legal bases for processing of your data: your consent; contracts we may have in place with you; and legitimate business interests. In instances where Tagger collects personal data directly from you or via any means other than via public Content Platform APIs (such as Facebook API, Instagram API, Twitter API, YouTube API), Tagger operates as a data controller. In instances where Tagger collects personal data via public Content Platform APIs, Tagger operates as a data processor. In instances where Tagger operates as a data controller, you may always withdraw your consent to our use of your personal data as described below. We will only retain your personal data for the time necessary to provide you the information and services to which you have consented, to comply with the law and in accordance with your rights below. In any other case in which you believe that the processing of personal data or sensitive data does not occur as described above, you should inform us immediately.
• Since all of the data that we access is publicly available at the time of access, the raw data we have about you could be found by anybody with access to the Internet. Some of this data may be personal information about you (for example your name or username in connection with your Twitter or Facebook profile) and other data may not be (for example if you publish an anonymous review on a website). You must be aware that we only work with personal data that you have previously agreed to when working with other partners. We only use the data that you voluntarily provided to publicly available networks.
• As you are the source of the raw data, you have control over that data within the platform you choose to publish it on (e.g. Twitter or Facebook), including through using the privacy settings made available to you by that platform. You represent and warrant that you are, and have at all times been, in compliance with the respective terms of use of all websites and platforms with which you interact or have interacted. In addition to whatever rights you have via your relationship with any publishing platform, you also have certain rights with respect to your personal information that we process, as set out in this Policy.
• This Policy applies to all of the information that we collect through our Services, irrespective of the type of Services or the device on which you access the Services. 5We will collect, store, use and disclose Personal Data (Personal Information) in accordance with all applicable laws relating to the protection of Personal Data, including the EU Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679, the EU ePrivacy Directive 2002/58/EC as amended by Directive 2009/136/EC, UK Data Protection Act 2018, The California Consumer Privacy Act ("CCPA") as amended or superseded from time to time, and any national implementing legislation ("Data Protection Laws").

2. PRIVACY PRINCIPLES

• We adhere to the principles relating to the processing of Privacy & Personal Data.

• 2.1 Lawfulness, fairness and transparency

• We collect, process, and share Personal Data fairly and lawfully and for specified purposes. The law restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent processing, but ensure that we process Personal Data fairly and without adversely affecting the Data Subject.
• We provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere.
• We provide the Data Subject with all the information required by the law, including the identity of the Data Controller and Data Protection Officer, how and why we will use, process, disclose, protect and retain that Personal Data.
• We check that the Personal Data was collected by the third party in accordance with the law and on the basis that contemplates our proposed processing of that Personal Data.

• 2.2 Purpose limitation

• We collect Personal Data only for specified, explicit and legitimate purposes.
• We do not use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes, and they have consented where necessary.

• 2.3 Data minimization

• We collect Personal Data only for specified, explicit, and legitimate purposes. We do not further process in any manner incompatible with those purposes.
• We do not use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes, and they have Consented where necessary.

• 2.4 Accuracy

• We ensure that Personal Data is accurate and, where necessary, kept up to date. We correct or delete it without delay when inaccurate.

• 2.5 Storage limitation

• We store Personal Data only for specified, explicit, and legitimate purposes. They're not further processed in any manner incompatible with those purposes.
• We do not use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes, and they have Consented where necessary.

• 2.6 Integrity and confidentiality (security)

• We secure Personal Data by appropriate technical and organizational methods or measures against unauthorized or unlawful processing and accidental loss, alteration, destruction, or damage.

• 2.7 Accountability

• We implement appropriate technical and organizational methods or measures in an effective manner to ensure compliance with data protection principles, according to commonly accepted standards, laws, or internal regulations.
• We are able to demonstrate compliance with the data protection principles. We recognize new laws and regulations and adapt our activities to changes in the context or broad-range framework or business environment.
• We have adequate resources and controls in place to ensure and to document the law compliance including:
• • appoint a suitably qualified Data Protection Officer accountable for data privacy;
• • implement Privacy by Design, Privacy by Default and complete data protection risk assessment as part of Data Protection Impact Assessment (DPIA) where processing presents a high risk to rights and freedoms of Data Subjects;
• • integrating data protection into internal Information Security Management System and documents;
• • regularly train our personnel on the Privacy and Personal Data;
• • periodically test the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
• We keep and maintain accurate records reflecting our processing, including records of Data Subjects' Consent and procedures for obtaining Consent. These records include, at a minimum, contact details of the Data Controller and the Data Protection Officer, descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data's retention period and a description of the security measures in place.
• We ensure that all personnel have undergone adequate training to enable them to comply with data privacy laws. We regularly test our systems and processes to assess compliance with all of the regulations.
• We do not share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place. We share the Personal Data internally if the recipient has a job-related need to know the information.

3. CONFIRMATION COLLECTION

• 3.1 Services

• The information we collect varies depending on the source of the information and what you choose to make available. When it comes to data that we haven’t obtained directly from you, we rely on third-part public APIs (such as Instagram API, Facebook API, Twitter API, YouTube API) as our primary method of collection. In instances of personal data other than directly provided by you to us, we only collect data that you have made publicly available by disclosing it on third-party social platforms, websites, or elsewhere online. The data could be personal information, or it could be non- personal (e.g. nobody could be reasonably identified from the data). It could include the following:
• • your name, username, handle, IP address or other identifier;
• • the content of the information you have published via that name, username, handle, or other identifier, including comments, expressions, opinions, posts, etc.;
• • your profile picture;
• • your email or other contact information;
• • your job title or sector;
• • your interests;
• • your location;
• • your gender; and
• • any other information you publish on an Internet website we monitor and/or obtain data from, or on a third party platform that provides us with data.
• In addition to the information you make available about yourself, we may also use that information to infer other information about you. For example, based on your name, we may infer your gender. Equally, based on the content of one of your posts, we may infer some of your interests. You must be aware that different data can become personal data if combined with each other. So be careful when providing any personal data to yourself in posts, emails, notes, etc.
• We may also analyze the content of the information you publish and provide our analysis to our customers. For example, if you publish a Tweet stating that you like a certain brand’s ice cream, we may mark that Tweet as having a positive sentiment toward that brand.
• Tagger Media does not are processing special categories of personal data as defined by Article 9 of GDPR but if we are processing – does it not intentionally.

• 3.1 Children

• We care about the safety and privacy of children online. The Services are restricted and limited for use by people 16 or over. We do not knowingly collect personal information from children under 16 years of age. If we become aware that we have inadvertently received personal information from a user under the age of 16, we will delete the information from our records according to the law (e.g., GDPR, CCPA, or Children's Online Privacy Protection Act of 1998 ("COPPA"). If any of the laws is more severe, we will comply with it. If you believe we might have any information from or about a person under the age of 16, please contact us at privacy@taggermedia.com.

4. USE OF INFORMATION

• 4.1 Why we use information

• The rules for the processing of Personal Data, protection of privacy and freedom for private persons are clear to us, known and communicated to all our employees. We use information for ethical and legitimate purposes, legal and responsible business conduct.

• 4.2 What purpose we use Privacy Information (regarding to CCPA) or Personal Data (regarding to GDPR)

• We collect the information set out in the previous section in order to provide the Services to our customers. Our aim is to provide technology that empowers our customers to act with more certainty in a way that is easy to access and use. Our customers use our Services to learn more about their brand, their customers, their competitors and other information available on the social web that is about or relevant to them.
• Primarily, we use personal data we obtain from you or via public APIs to facilitate communications between you and Advertisers that you may be collaborating with, to help advertisers extend influencer marketing program proposals to you, to facilitate influencer marketing campaign management, to notify you of any changes to the platform, to provide customer and technical platform support, and for all other communications.
• We also use the information in ways related to, but ancillary, to the Services we offer. For example, we may use the information to comply with our legal obligations or enforce our rights, including those of third parties. We may also use the information to improve our Services.
• Although it is the responsibility of our customers to use the information properly, we do put in place safeguards to protect your personal information. We require our customers to comply with applicable law, including data privacy laws. We also require our customers to comply with acceptable use guidelines concerning how they use the data.
• We share information with our agents, contractors, and affiliates (meaning legal entities controlled by, controlling, or under common control with us) and partner service providers as reasonably necessary to provide the Services.
• We communicate with you in writing, via email, or other means available on or through the Services. We may communicate transactional or service messages to you, such as welcoming you to our Services or informing you of scheduled downtime. We may also provide you with notices about your account, including expiration and renewal notices, as well as to notify you about:
• • changes to our Services or any products or services we offer or provide though it; or
• • changes to our Terms of Use and this Privacy. We may also use you information for any other purpose with your consent.
• You agree to the above processing. We will never supply your Personal Data to third parties unless under the conditions stated beneath this section of our Privacy Policy.
• We may also use your Personal Data to protect against and prevent fraud, claims, and other liabilities and to comply with or enforce applicable legal requirements, industry standards, and our policies and terms. We use Personal Data for these purposes when it is necessary to protect, exercise, or defend our legal rights, or when we are required to do so by applicable law.

5. INFORMATION STORING

• The Personal Data we obtain from you may be moved to and stored at a destination within the European Economic Area ("EEA") and according to point 14 of Privacy Policy could be processed outside EEA depending on the purpose of processing.
• Without limiting the foregoing, you agree that Personal Data we obtain from you may be processed by our service providers based in countries outside of the EEA for the purposes of providing you with the Service. Such countries may not have laws offering the same level of protection for Personal Data as those inside the EEA.
• We store the Personal Data you and your Users provide us with on our secure servers. In the event of us giving you or your Users (or you/they choosing) a password that grants you/them access to specific areas within our Website or Service, it remains your/their responsibility to maintain the confidentiality of this password. This includes the obligation to refrain from sharing your/their password with other parties. As the transmission of data via the Internet cannot be assumed completely secure, we cannot guarantee the security of any of your or your Users' data transmitted to our Website or Service; you are therefore responsible for any risk associated with such transmission. We will however at all times take all reasonable steps to ensure the transmission of your and your Users' data is executed as securely as possible, and upon receipt of your/their data, we will continue at all times to enforce strict security procedures and features in an attempt to prevent any unauthorized access.

6. DATA ACCURACY AND DATA RETENTION

• Most of the personal information we have about you comes from third-party platforms, websites and other online forums where you have disclosed that information publicly. If this information is inaccurate, we encourage you to correct it on the original platform in which you published that information. In case of inaccuracy of data that we have obtained directly from you, please email us at privacy@taggermedia.com with your request. In addition, in certain cases we infer information about you based upon the information that you provide or make available, or may place your personal information into specific profiles or groups. It is our aim to undertake all steps reasonably possible to ensure that any of this additional analysis is accurate and kept up to date.
• We will retain any personal information about you for as long as it is reasonably necessary for us to provide the Services. However, if you request that we delete your personal information, or if you delete your personal information from the platform in which it was originally published, we will also delete your personal information from our Services as soon as reasonably possible.

7. INFORMATION SHARING AND DISCLOSURE

• In addition to sharing your personal information with our customers, as set out above, we may share your personal information with any member of our company group, which means subsidiaries, our ultimate holding company and its subsidiaries.
• We may share your personal information with selected third parties, including our business partners, suppliers and sub-contractors for the performance of any contract we enter into with them. We may also share your personal information with analytics and search engine providers that assist us in the improvement and optimization of our site.
• We may disclose your personal information to third parties under the following circumstances:
• • Responding to duly authorized information requests from law enforcement or other governmental authorities.
• • Complying with any law, regulations, subpoena, or court order.
• • Investigating and helping prevent security threats, fraud, or other malicious activity.
• • Enforcing or protecting the rights and properties of Tagger or its subsidiaries.
• • Protecting the rights or personal safety of Tagger, Tagger's employees, and others.
• • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company's assets or equity securities, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding.
• • To fulfill the purpose for which you provide it.
• • For any other purpose disclosed by us when you provide the information.
• • With your consent.
• If we do not process your Personal Data in accordance with our legitimate interest or based on a contractual obligation we have with you, we may share or disclose your Personal Data if you provide us with your affirmative consent.

8. PRIVACY PRACTICES OF THIRD PARTIES

• We share the Personal Data we hold with third parties, such as our service providers if:
• • they have a need to know the information for the purposes of providing the contracted services;
• • sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;
• • the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
• • the transfer complies with any applicable cross border transfer restrictions;
• • the transfer complies with any law regulations or restrictions, especially for the authorized bodies or regulators.
• • a fully executed written contract that contains the law approved third party clauses has been obtained.

9. YOUR RIGHTS

• 9.1 The right to be informed

• You have a right to know about how we're processing your Personal Data. Anything You should know is contained in the Privacy Policy. You may also email us at privacy@taggermedia.com to request additional information about how we're processing your Personal Data.

• 9.2 The right of access

• You may email us at privacy@taggermedia.com to request a copy of the Personal Data we currently contain.

• 9.3 The right to rectification

• You can correct what Personal Data We currently contain by emailing us at privacy@taggermedia.com to request that we correct or rectify any Personal Data that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause information to be incorrect. Where applicable, we will ensure such changes are shared with trusted third parties.

• 9.4 The right to erasure

• If you should wish to cease use of our services and have your Personal Data deleted, then you may submit a request by emailing us at privacy@taggermedia.com. Upon receipt of such a request for erasure, we will confirm receipt and will confirm once your Personal Data has been deleted. Where applicable, we will ensure such changes are shared with trusted third parties.

• 9.5 The right to restrict processing

• When applicable, you may restrict the processing of your Personal Data by submitting a request via email to privacy@taggermedia.com. In your email, please explain how you wish us to restrict the processing of your Personal Data. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy, to include withdrawing your consent to the processing of your Personal Data. Where applicable, we will ensure such changes are shared with trusted third parties.

• 9.6 The right to data portability

• Upon request and when possible, we can provide you with copies of your Personal Data. You may submit a request via email to privacy@taggermedia.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy, to include withdrawing your consent. Where applicable, we will ensure such changes are shared with any trusted third parties.

• 9.7 The right to object

• When applicable, you have the right to object to the processing of your Personal Data by submitting a request via email to privacy@taggermedia.com. When such objections are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy, to include withdrawing your consent to the processing of your Personal Data. Where applicable, we will ensure such changes are shared with trusted third parties.

• 9.8 The right to consent

• At any time, you may withdraw your consent to our processing of your Personal Data through our Websites by notifying us via email at privacy@taggermedia.com. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your Personal Data. Where applicable, we will ensure such changes are shared with trusted third parties.

• 9.9 Rights in relation to automated decision making and profiling

• Profiling is any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Profiling and automated decision-making can pose significant risks for individuals' rights and freedoms, which require appropriate safeguards. Profiling and automated individual decision-making are also covered by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data. Tagger does not currently use profiling mechanisms. Tagger is not responsible for profiling data into a legal manner and consent to Privacy Policy. We do not use your Personal Data to automated decision making and profiling in accordance with GDPR Article 22 (automated individual decision-making, including profiling, with legal or similarly significant effects).

• 9.10 Exercising my right

• You can exercise any of your rights by contacting via email to privacy@taggermedia.com.
• We may need to request specific information from you to reasonably confirm your identity and verify you are the Person Data belong to. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request and to exercise your rights.

• 9.11 Fees

• You will not have to pay a fee to access your Personal Data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

10. ACCOUNTABILITY AND GOVERNANCE

• 10.1 Contracts

• Whenever we use a processor, there must be a written contract in place. If a processor uses another organization (i.e., a sub-processor) to assist in its processing of Personal Data for a controller, it needs to have a written contract in place with that sub-processor.
• What we set up in the contract:
• • the subject matter of the processing;
• • the duration of the processing;
• • the nature and purpose of the processing;
• • the type of Personal Data involved;
• • the categories of the data subject;
• • the controller's obligations and rights;
• • the privacy & security requirements;
• • the right to audit (if applicable).

• 10.2 Documentation

• Our documentation of processing activities:
• • we document all the applicable information under Article 30(1) of the GDPR;
• • we record all the applicable information under Article 30(2) of the GDPR.
• If we process special category we document:
• • the condition for processing we rely on GDPR;
• • the lawful basis for our processing;
• • whether we retain and erase the Personal Data in accordance with our internal documentation.
• When preparing to document our processing activities we:
• • do information audits to find out what Personal Data our organization holds;
• • distribute questionnaires and talk to staff across the organization to get a complete picture of our processing activities;
• • review our policies, procedures, contracts, and agreements to address areas such as retention, security, and data sharing.
• As part of our record of processing activities we document, or link to documentation, on:
• • information required for privacy notices;
• • records of consent;
• • controller-processor contracts;
• • the location of Personal Data;
• • Information Security & Privacy Policies and Procedures;
• • Information & Privacy Risk Assessment;
• • Data Protection Impact Assessment;
• • privacy & information security audit reports;
• • records of Personal Data breaches.
• We document our processing activities in a granular way with important links between the different pieces of information.
• We conduct regular reviews of the Personal Data we process and update our documentation accordingly.
• We document our processing activities in writing and electronic form so we can add, remove, and amend information easily.
• We share the results of processing your data, but we do not provide the above documents.

• 10.3 Data protection and privacy “by design” and “by default”

• We consider data protection issues as part of the design and implementation of systems, services, products, and business practices.
• We make data protection an essential component of the core functionality of our processing systems and services.
• We anticipate risks and privacy-invasive events before they occur and take steps to prevent harm to individuals.
• We only process the Personal Data that we need for our purposes(s) and that we only use the data for those purposes.
• We ensure that Personal Data is automatically protected in any our IT system, Service, product, and/or business practice so that individuals should not have to take any specific action to protect their privacy.
• We provide contact information of those responsible for data protection both within our organization and to individuals.
• We offer strong privacy defaults and controls.
• We only use data processors that provide sufficient guarantees of their technical and organizational measures for data protection by design.
• When we use other systems, services, or products in our processing activities, we make sure that we only use those whose designers and manufacturers take data protection issues into account.
• We have dedicated human resources to ensure proper processes of personal data protection and privacy.
• We provide the necessary financial resources for this purpose.
• We provide for people dealing with personal data protection, privacy and security the necessary financial resources to improve and update their knowledge.

• 10.4 Data protection risk & impact assessment

• Our information security & privacy risk assessment and Data Protection Impact Assessments (DPIA) process is based on international standards and best practices and contains:
• • structured and documented process;
• • identification of all relevant information & privacy risks and risks to individuals' rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;
• • proposed mitigation reduces the identified risk;
• • recorded the advice and recommendations of our Data Protection Officer (where relevant) or external consultants (where relevant);
• • reviewing process of the information & privacy risk results and the DPIA regularly or when we change the nature, scope, context or purposes of the processing;
• • the DPIA if we plan to:
• ◦ use systematic and extensive profiling or automated decision-making to make significant decisions about people;
• ◦ process special-category data or criminal-offense data on a large scale;
• ◦ systematically monitor a publicly accessible place on a large scale;
• ◦ use innovative technology in combination with any of the criteria in the European guidelines;
• ◦ use profiling, automated decision-making or special category data to help make decisions on someone's access to a service, opportunity or benefit;
• ◦ carry out profiling on a large scale;
• ◦ process biometric or genetic data in combination with any of the criteria in the European guidelines;
• ◦ combine, compare or match data from multiple sources;
• ◦ process Personal Data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines;
• ◦ process Personal Data in a way that involves tracking individuals' online or offline location or behavior, in combination with any of the criteria in the European guidelines;
• ◦ process children's Personal Data for profiling or automated decision-making or marketing purposes, or offer online services directly to them;
• ◦ process Personal Data that could result in a risk of physical harm in the event of a security breach;
• • the need to consider whether to do a DPIA if we plan to carry out any other:
• ◦ evaluation or scoring;
• ◦ automated decision-making with significant effects;
• ◦ systematic monitoring;
• ◦ processing of sensitive data or data of a highly personal nature;
• ◦ processing on a large scale;
• ◦ processing of data concerning vulnerable data subjects;
• ◦ innovative technological or organizational solutions;
• ◦ processing that involves preventing data subjects from exercising a right or using a service or contract;
• • review and revisit risk assessment and the DPIA process when necessary regarding the results of the risk analysis.

• 10.5 Data protection officers

• We have appointed a Data Protection Officer (DPO) based on their professional qualities and expert knowledge of data protection law and practices.
• Our DPO reports directly to our highest level of management and is given the required independence to perform their tasks.
• We involve our DPO, in a timely manner, in all issues relating to the protection of Personal Data.
• We ensure that any other tasks or duties we assign our DPO do not result in a conflict of interest with their role as a DPO.
• Our DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits.We take account of our DPO's advice and the information they provide on our data protection obligations.
• When carrying out a DPIA, we seek the advice of our DPO, who also monitors the process.
• When performing their tasks, our DPO has due regard to the risk associated with processing operations and takes into account the nature, scope, context, and purposes of the processing.
• Our DPO is easily accessible as a single point of contact for our employees, individuals, partners, contractors, third parties and the regulator.

11. SECURITY

• We develop, implement and maintain Information Security Management System and safeguards appropriate to our size, scope, and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Anonymization where applicable). We regularly evaluate and test the effectiveness of those safeguards to ensure the security of our processing of Personal Data. We exercise particular care in protecting Sensitive Personal Data (if present) from loss and unauthorized access, use, or disclosure.
• We maintain data security by protecting the confidentiality, integrity, and availability of the Personal Data, defined as follows:
• • Confidentiality means that only people who have a need to know and are authorized to use the Personal Data can access it.
• • Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.
• • Availability means that authorized users are able to access the Personal Data when they need it for authorized purposes.
• We comply with and not attempt to circumvent the administrative, physical, and technical safeguards we implement and maintain in accordance with the law and relevant standards to protect Personal Data.

12. Incident response and breach reporting

• We have put in place procedures to deal with any suspected security incident and Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
• If you know or suspect that a security incident or Personal Data Breach has occurred immediately, contact via email to privacy@taggermedia.com. You should preserve all evidence relating to the potential security incident and Personal Data Breach.
• Internal procedures ensure constant contact, communication and cooperation with entities whose may be related to the effects of violations. We are ready to work with every stakeholder to minimize potential losses or inconvenience.

13. International Transfers of Personal Information

• Information we collect from you could be processed outside EEA, depending on the purpose of processing. Whenever Personal Data is transferred outside the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We will only transfer Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission. You could check how the EU determines if a non-EU country has an appropriate level of data protection by clicking the link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en .
• Where we use certain service providers, we may use specific contracts approved by the European Commission, which give Personal Data the same protection it has in Europe. You could check standard contractual clauses for data transfers between EU and non-EU countries by clicking the link: https://ec.europa.eu/info/law/law-19topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en .
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to Personal Data shared between Europe and the US. You could check the commercial sector: EU-US Privacy Shield by clicking the link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en.
• To the extent permitted by applicable data protection laws, Personal Data may be transferred between various locations of Tagger insofar as reasonably necessary for the purposes set out in this Privacy Policy and within the scope of legitimate interest of Tagger.
• If Personal Data is transferred outside the EU for doing business by Tagger in other law jurisdictions, then EU law and law of the relevant jurisdiction apply jointly. If they are divergent, that stringent are used.

14. Links to Other Sites

• We may, at times, provide links on our Website to third party websites, including without limitation those owned or managed by our partner networks, affiliates, or advertisers. These websites have separate privacy policies, and we, therefore, cannot accept any responsibility for the content. As such, choosing to follow these links is a choice you make at your own risk, and we advise that you check these websites' individual privacy policies before submitting any Personal Data.

15. California Residents – The Privacy Rights (CCPA Privacy Notice)

• This California Privacy Notice is part of the Privacy Policy. It is used when it is appropriate for Tagger business. This section only applies to California residents. The rights discussed in this section do not extend to individuals who are not California residents. The California Consumer Privacy Act of 2018 (CCPA) requires that businesses disclose certain additional information about how it collects, uses, discloses, and sells the personal information of a California resident.

• 15.1 Right to Know/Right to Access General Collection and Use of Personal Information.

• If you are a California resident, you have the right to request that we disclose what information we have collected, used, disclosed, or sold over the past 12 months. Once we receive and confirm your verifiable request, we will disclose to you, based on your specific request:
• • The categories of personal information we collected about you over the past 12 months.
• • The specific pieces of personal information we have collected about you over the past 12 months.
• • The categories of sources from which the personal information is collected over the past 12 months.
• • The business or commercial purpose for collecting or selling that personal information over the past 12 months.
• • The categories of third parties with whom we shared your personal information over the past 12 months.
• If we disclosed your personal information for a business purpose, the personal information categories that each category of recipients obtained. If we sell your personal information for a business purpose, the personal information categories that each category of recipients purchased.

• 15.2 Right to Request Deletion

• If you are California resident, you have the right to request that we delete any of your personal information that we have collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete your personal information from our records, and direct our service providers to do the same, unless an exception applies.

• 15.3 Right to Opt-Out of Sale of Personal Information.

• If you are California resident and have 16 years old or more, you have the right to direct businesses that sell personal information to not sell your personal information.

• 15.4 Right to Opt-In to Sales of Personal Information for Minors Under 16.

• We do not intentionally process personal information children under 16 years old.
• Under the CCPA, if you are California resident between 13 and 15 years old, you must affirmatively authorize the sale of your personal information or personal information. If the child is under the age of 13 years old, a parent or guardian must affirmatively authorize the sale of information. If you opt-in to personal information, sales may opt-out of future sales at any time.

• 15.5 Right to Non-Discrimination.

• We will not discriminate against you for exercising any of your CCPA rights.

• 15.6 Financial incentives

• We do not offer financial incentives permitted by the CCPA.
• Under the CCPA, if you are California resident, we could offer you certain financial incentives permitted by the CCPA, or different prices, rates, levels, or quality of goods or services that are reasonably related to your personal information's value to the business.

• 15.7 Exercising Your Right to Know.

• If you are a California resident, you can exercise the right to know/right to access information. You or your authorized agent may submit a verifiable request via email privacy@taggermedia.com.
• You may only make a verifiable request to know or request for access twice within a 12-month period. The verifiable request must include information that allows us to reasonably verify you are the person about whom we collect personal information or an authorized representative and describe your request in enough detail that we can properly understand, evaluate, and respond to it.
• If we are able to verify your request, we will make our best effort to respond within forty-five (45) days of our receipt of your request. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. We will not disclose information to you if we cannot verify your identity.
• You will not have to pay a fee to access your Personal Data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

• 15.8 Exercising Your Right to Request Deletion.

• If you are a California resident, you can exercise the right to request deletion. You or your authorized agent may submit a verifiable request via email privacy@taggermedia.com.
• If we are able to verify your request, we will make our best effort to respond within forty-five (45) days of our receipt of your request. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. In our response, we will specify the manner in which we have deleted your personal information. We will not delete information if we cannot verify your identity.

• 15.9 Do Not Sell My Personal Information - Exercising Your Right to Opt-Out of Sale of Personal Information.

• We do not sell your personal information.
• For California residents to exercise the right to opt-out if we engage in selling your personal information, you or your authorized agent may submit a request via email privacy@taggermedia.com.
• We will act upon your request to opt-out within 30 (thirty) days of receiving the request. We will instruct the third parties to whom the information has been sold in the 30 (thirty) days prior to your request not to further sell the information, and we will notify you when this instruction has been completed.
• We will not act upon a request from authorized agents if the agent does not submit proof that the agent has been authorized by you to act on your behalf. We will not act upon a request if we believe it is fraudulent.

• 15.10 How We Verify California Residents' Requests to Know/Requests for Access and Requests for Deletion

• We will not respond to requests to know/requests for access or requests for deletion unless we can verify your identity to a reasonable degree of certainty. To verify your identity, when feasible, we will use information about you that we already have; however, we may need to request additional information, which we will use only for the purposes of verification. We may also use a third-party identity verification service. The information we need to verify your request will depend on the nature and scope of your request. Upon receipt of your request, we will notify you if we need additional information from you to verify your request.

• 15.11 Sale of Personal Information

• We do not sell your personal information.

16. Periodic review, changes to this Policy or procedures related to the Policy

• We conduct periodic, not less than every 12 months Policy and Information Security System Management and documentation reviews. Review is mandatory after changes the nature, scope, context, or purposes of the processing Personal Data. In all of aspect, this Policy, the reviewer must demonstrate independence, knowledge, and experiences according to Personal Data protection.
• We are updating the Policy every 12 months and anytime if there are any material changes to the nature, scope, context, or purposes of the processing.
• If at any time we make a change to this Policy, we will update this page to reflect such change. If we make material changes to how we treat your Personal Data, we will notify you by email. Through a notice on this page, however, we recommend you review this page periodically to ensure you remain happy with the latest version.
• The date the Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you.

17. Contact Us

• We welcome any questions or comments in relation to this Privacy Policy, and advise you to send any such communication privacy@taggermedia.com.

17. Brexit

• We are monitoring the current developments with regards to UK Brexit and regulations that may arise.
• Right now, the UK is still subject to the EU's GDPR. The UK has its own version of the GDPR, the Data Protection Act 2018. There are no plans to repeal this law post-Brexit, but some changes are possible (link to actual: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779335/Keeling_Schedule_for_GDPR.pdf and https://www.legislation.gov.uk/uksi/2019/419/contents/made ).
• You could check Brexit and data privacy impact in The Information Commissioner's Office clicking the link: https://ico.org.uk/for-organisations/data-protection-and-brexit/