Opterus Privacy Policy
10/23
A. Purpose
Opterus Inc. (“Opterus”) is committed to maintaining the confidentiality and security of Personal Information belonging to any entity (“Retailer”) for which Opterus performs services or with respect to which Opterus otherwise has access to Personal Information collected by, or belonging to, the Retailer. This Privacy Policy explains how and why Opterus processes Personal Information, that is, how and why we collect, use, disclose or store that Personal Information, and how we protect personal privacy within our centralized Head Office-to-Store communications solution (the “OpsCenter”). In this Privacy Policy, “Personal Information” means non-public, personal data and other information about identifiable individuals on any media format which is made available to, acquired from, owned by, stored on behalf of, or otherwise the responsibility and/or property of, the Retailer, other than a person's business title or business contact information when used or disclosed for the purpose of business communications.
B. Scope
Opterus will handle, treat, and otherwise protect Personal Information in accordance with this policy (“Privacy Policy”) and any contractual agreement between such Retailer and Opterus. If there is a direct conflict between any term of this Privacy Policy and the terms of a written contract between Retailer and Opterus, the terms of the written contract will prevail to the extent of the conflict.
C. Privacy Laws
It is Opterus' policy to comply with the privacy legislation within each jurisdiction in which we operate. Sometimes the privacy legislation and / or an individual's right to privacy are different from one jurisdiction to another. In this Privacy Policy, "Privacy Laws" means any applicable legislation now in force or that may in the future come into force governing the protection of personal information in any country, province, territory or state in which Opterus or the Retailer operates.
D. What Personal Information does Opterus Collect?
Personal Information may be collected by the Retailer in respect of individuals with whom it interacts, and Opterus may receive and hold Personal Information if the Retailer uploads such Personal Information to the OpsCenter. Opterus does not collect or receive Personal Information from identifiable individuals directly.
E. Automated Decision Making and Profiling
We do not use Personal Information for the purposes of automated decision making.
F. Cookies
Cookies are small text files sent by us to your computer or mobile device and are unique to an account. Opterus uses session-based cookies, which are deleted when you close your browser, and are used to recognize your computer or mobile device when using our applications. This cookie falls into the Authentication category and helps us show you the right information and personalize your experience. We do not use any other types of cookies or tracking technologies to track the actions of our users, or for advertising purposes.
Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to do not track signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
G. Responsibilities of Retailer and Opterus re: Use and Disclosure of Personal Information
It is the Retailer’s responsibility, with respect to identifiable individuals, to comply with Privacy Laws in connection with its use of the OpsCenter, including in its collection, use, storage, transmission, disposal or other handling of Personal Information. To the extent that the Retailer transmits or makes available Personal Information to Opterus, uploads it to the OpsCenter, and/or uses it in connection with the OpsCenter, the Retailer represents to Opterus that it has the right to use the Personal Information. The Retailer retains all right, title and interest in and to the Personal Information and will be fully liable for and will indemnify Opterus for damages or loss suffered by Opterus as a result of a breach of Privacy Laws by the Retailer or its employees, agents, consultants and other representatives ("Personnel").
Opterus or our Personnel may incidentally access the Retailer’s Personal Information in the course of providing technical support and assistance to the Retailer with respect to the OpsCenter. Opterus may share the Retailer’s Personal Information with our Personnel and other parties who require such information to assist us with managing our relationship with the Retailer (including: third parties that provide services to us or on our behalf, third parties that assist Opterus in the provision of services to the Retailer, and third parties whose services we use to conduct our business) and who agree not to use or disclose the Personal Information other than to provide such services or as required by law. For example, Rackspace provides certain hosting services for the OpsCentre, and as a result, Personal Information may be processed and stored at Rackspace’s Dallas, Texas data center and/or any global Rackspace facility in a production or test environment.
In addition, Personal Information may be disclosed or transferred to another party during the course of, or completion of, a change in ownership or the grant of a security interest in, all or part of Opterus through, for example, an asset or share sale, or some other form of business combination, merger or joint venture, provided that such party is bound by appropriate agreements or obligations and required to process Personal Information in a manner consistent with Opterus’ obligations regarding the processing of Personal Information as set out in this Privacy Policy. Retailers will be notified before any such business transaction occurs and be given the opportunity to terminate their account should they so choose to.
Personal Information may also be disclosed as permitted or required by applicable law or regulatory requirements; to comply with valid legal processes such as search warrants,
subpoenas or court orders; when we believe in good faith that disclosing this information is necessary or advisable, including, for example, to protect the rights and property of Opterus, during emergency situations or where necessary to protect the safety of a person or group of persons; where the Personal Information is publicly available; or with the Retailer’s consent.
H. How is Your Personal Information Protected?
Opterus endeavors to maintain physical, technical and procedural safeguards that are appropriate to the sensitivity of the Personal Information in question. These safeguards are designed to protect your Personal Information against loss and unauthorized access, copying, use, modification or disclosure. These safeguards are described in greater detail in the Opterus Security and in the OpsCenter FAQs documents.
The security of your Personal Information is important to us. Please advise Opterus immediately of any suspicious activity you become aware of, including any incident involving the loss of or unauthorized access to or disclosure of Personal Information that is in our custody or control in the OpsCenter.
I. International Data Transfer
Personal Information may be transferred to, stored at, and processed by Opterus outside the country in which data subjects reside, including but not limited to the United States, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world. Any transfer of personal data shall take place only in accordance with and as permitted by data protection legislation and we will take all steps reasonably necessary to ensure that such personal data is treated securely and in accordance with this policy.
J. Retention
We will only retain Personal Information as long as the Retailer continues to use our services.
K. Accountability and GDPR Compliance
EU data subjects permanently residing in the European Union may have supplementary statutory rights with respect to their Personal Information as outlined in the General Data Protection Regulation EU/2016/679. This includes the right to access their Personal Information, have it deleted, have it corrected, or object to or restrict processing. If a Retailer receives such an EU data subject request, please contact us as indicated in Section N: Inquiries or Concerns. In the context of a request for erasure, Opterus will destroy, scramble or pseudonymize the data subject’s information to make it anonymous, in consultation with the Retailer.
Opterus is a Canadian organization and Canada was the first country outside of Europe deemed adequate by the EU Commission in 2001 under the EU Data Protection Directive 95/46/EC (the GDPR’s predecessor). An adequacy finding allows the flow of data from the EU to Canada as a trusted country in data protection. Rackspace incorporates Standard Contractual Clauses C(2021) 3972 into its Master Service Agreement applicable to Opterus as required for the processing of EU resident personal data in the United States. To learn more about Standard Contractual Clauses, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
If you need to contact us in relation to any processing of personal data which is subject to the
provisions of the GDPR, please do so by email at [email protected].
L. Revisions to this Privacy Policy
From time to time, we may make changes to this Privacy Policy to reflect changes in our legal or regulatory obligations or in the manner in which we deal with your Personal Information. We will post any revised version of this Privacy Policy on our website and we encourage you to refer back to it on a regular basis. This Privacy Policy was last updated on October 1, 2021.
M. Interpretation of this Privacy Policy
Any interpretation associated with this Privacy Policy will be made by our Chief Technology Officer. This Privacy Policy includes examples but is not intended to be restricted in its application to such examples, therefore where the word 'including' is used, it shall mean 'including without limitation'.
N. Inquiries or Concerns
If you have any questions about this Privacy Policy or concerns about how we manage your Personal Information, please contact Ian Long by telephone, in writing or by e-mail, 416-840-8495 x666 or [email protected]. We will endeavor to answer your questions and advise you of any steps taken to address the issues raised by you. If you are dissatisfied with our response, you may be entitled to make a written submission to the privacy regulators in your jurisdiction.