Privacy Policy

Last Updated: March 20, 2024

This Privacy Policy describes how JointCommerce (“JointCommerce,” “we,” “our,” or “us”) collects, uses, shares, and sells personal information when you access or use app.jointcommerce.com (the “Site”) and our related products and services (collectively, the “Services”).

By using the Site or Services, you agree to the practices described in this Privacy Policy.

1. Information We Collect

A. Personal Information You Provide

We may collect the following categories of personal information that you provide directly:

Identifiers:

· Name

· Email address

· Mailing address

· Phone number

· Account credentials

· Online identifiers (username, account ID)

Financial Information

· Payment information (processed through secure third-party processors)

· Billing address

Commercial Information:

· Purchase history

· Transaction records

· Any information that you submit through forms, surveys, or registration processes.

Professional or Employment-Related Information:

· Business name

· Job Title

· Company information (if applicable)

We collect this information when you create an account, make purchases, contact customer support, or otherwise interact with our Services.

B. Automatically Collected Information

When you visit the Site, we automatically collect data such as:

- Device identifiers
- IP address and geolocation (approximate)
- Browser type
- Operating system
- Pages viewed and usage behavior
- Cookie and tracking technologies

C. Cookies and Tracking Technologies

We use cookies, pixels, tags, and similar technologies to:

- Improve the Site
- Personalize content
- Measure performance
- Provide targeted advertising

You may adjust your browser settings to refuse cookies. Some features may not function properly if you disable them.

D. Sensitive Personal Information

Under California law, "sensitive personal information" receives additional protections. We may collect the following categories of sensitive personal information:

· Account login credentials (username and password)

· Precise geolocation data (only if you enable location services)

Your Right to Limit Use: You have the right to limit our use and disclosure of sensitive personal information to only what is necessary to provide the Services you request. To exercise this right, contact us at privacy@jointcommerce.com.

We do not use or disclose sensitive personal information for purposes other than those specified in CCPA regulations §7027(m) without providing you the right to limit such use.

2. How We Use Your Information

We may use the information we collect for the following purposes:

1. Service Delivery: To provide and maintain the Services
2. Transaction Processing: To process transactions and payments
3. Personalization: To personalize your experience
4. Analytics: To analyze usage, measure performance, and improve our offerings
5. Marketing: To send promotional content, updates, and targeted advertising (you may opt out at any time)
6. Communications: To send transactional emails, updates, and respond to inquiries
7. Legal Compliance: To comply with legal obligations and enforce our terms

8. Security: To detect, prevent, and address security issues, fraud, and technical problems
9. Research and Development: To develop new products, features, and services

CATEGORIES OF PERSONAL INFORMATION AND USES

CATEGORY 1: IDENTIFIERS

Examples: Name, email address, mailing address, phone number, account credentials,

username, account ID, online identifiers

Business/Commercial Purposes:

• Provide and maintain the Services

• Process transactions and fulfill orders

• Communicate with you about your account and services

• Account management and authentication

• Customer support and service

• Fraud prevention and security monitoring

• Detect and prevent technical issues

Categories of Third Parties to Whom Disclosed:

• Service providers (hosting, email, customer support platforms)

• Payment processors

• Email service providers

• Analytics companies

• Advertising networks and marketing partners

• Security and fraud prevention services

CATEGORY 2: FINANCIAL INFORMATION

Examples: Payment card information, bank account details, billing address

Business/Commercial Purposes:

• Process payments and complete transactions

• Fraud detection and prevention

• Billing, invoicing, and collections

• Refund processing

• Payment dispute resolution

Categories of Third Parties to Whom Disclosed:

• Payment processors (e.g., Stripe, PayPal)

• Fraud prevention services

• Banking and financial institutions

• Service providers performing payment-related functions

CATEGORY 3: COMMERCIAL INFORMATION

Examples: Purchase history, transaction records, products/services purchased or

considered, consumption history and tendencies

Business/Commercial Purposes:

• Order fulfillment and shipping

• Personalize your experience and recommendations

• Understand customer preferences and behavior

• Analytics and performance measurement

• Marketing communications and campaigns

• Targeted advertising

• Product development and improvement

• Customer service and support

Categories of Third Parties to Whom Disclosed:

• Service providers (order fulfillment, shipping, customer service)

• Analytics companies

• Advertising networks and demand-side platforms

• Marketing partners and email service providers

• Social media platforms

• Data analytics providers

CATEGORY 4: INTERNET OR NETWORK ACTIVITY

Examples: IP address, device identifiers, browser type and version, operating system,

browsing history on our Site, pages viewed, links clicked, time spent on pages,

referral URLs, cookie identifiers, pixel tags

Business/Commercial Purposes:

• Site improvement and optimization

• Personalize content and user experience

• Analytics and performance measurement

• Understand how users interact with our Services

• Targeted and behavioral advertising

• A/B testing and feature development

• Security monitoring and threat detection

• Detect and prevent fraud, spam, and abuse

• Technical issue detection and debugging

Categories of Third Parties to Whom Disclosed:

• Analytics providers (e.g., Google Analytics)

• Advertising networks and exchanges

• Social media platforms

• Hosting providers and content delivery networks

• Security services and DDoS protection providers

• Marketing technology platforms

• Tag management services

CATEGORY 5: GEOLOCATION DATA

Examples: Approximate location derived from IP address, precise geolocation

(only if you enable location services)

Business/Commercial Purposes:

• Customize content and offers based on location

• Fraud prevention and security

• Analytics and usage measurement

• Comply with geographic restrictions

• Provide location-based services you request

• Improve service delivery

Categories of Third Parties to Whom Disclosed:

• Analytics providers

• Advertising networks

• Fraud prevention services

• Service providers supporting location-based features

CATEGORY 6: INFERENCES

Examples: Profiles reflecting preferences, characteristics, psychological trends,

predispositions, behavior, attitudes, intelligence, abilities, aptitudes

Business/Commercial Purposes:

• Personalization and customization of content

• Marketing and advertising (including targeted ads)

• Product and service recommendations

• Audience segmentation

• Improve Services and develop new features

• Understand customer needs and preferences

• Predictive analytics

Categories of Third Parties to Whom Disclosed:

• Advertising networks and demand-side platforms

• Analytics companies

• Marketing platforms

• Social media companies

• Data analytics providers

CATEGORY 7: SENSITIVE PERSONAL INFORMATION

Examples: Account login credentials (username and password), precise geolocation

(if enabled)

Business/Commercial Purposes:

• Account access and authentication

• Provide requested location-based services (if precise geolocation enabled)

• Security and fraud prevention

• Fulfill services you specifically request

• Purposes that do not infer characteristics about you

Categories of Third Parties to Whom Disclose:

• Authentication and identity verification services

• Security services (limited to credential security, not credential content)

• Hosting providers (credentials stored securely/encrypted)

• Service providers necessary to deliver requested services

Note: We limit use and disclosure of sensitive personal information to purposes

permitted under CCPA regulations §7027(m), and you have the right to further limit use and disclosure (see Section 5.F).

3. How We Share and Sell Personal Information

A. Disclosure to Service Providers and Contractors

We disclose the following categories of personal information to service providers and contractors who perform services on our behalf :

Categories Disclosed to Service Providers:

• Identifiers (name, email, address, phone, account credentials, online identifiers)

• Financial information

• Commercial information

• Internet/network activity

• Geolocation data

• Inferences

• Sensitive personal information (account credentials only, for authentication purposes)

Types of Service Providers:

• Payment processors

• Email and communication service providers

• Cloud hosting and storage providers

• Analytics providers

• Customer support platforms

• Marketing automation tools

• Security and fraud prevention services

These service providers are contractually restricted from using your information for any purpose other than providing services to us and are bound by confidentiality obligations.

If we have not disclosed consumers' personal information to service providers or contractors for a business purpose in the preceding 12 months, we will state that fact in our annual privacy policy updates.

B. Sharing for Cross-Context Behavioral Advertising

We share the following categories of personal information with advertising partners for cross-context behavioral advertising (targeted advertising):

Categories Shared:

• Identifiers (online identifiers, device IDs, IP address, cookies)

• Internet/network activity (browsing behavior, pages viewed, interaction data)

• Geolocation data (approximate)

• Inferences (preferences and interests derived from your activity)

• Commercial information (interactions with our content)

Categories of Third-Party Recipients:

• Advertising networks and platforms (e.g., Google Ads, Facebook Ads, programmatic advertising exchanges)

• Demand-side platforms (DSPs)

• Data analytics and measurement companies

• Social media platforms

• Marketing technology providers

Purpose of Sharing:

• Deliver targeted advertisements across websites and apps

• Build custom audiences and lookalike audiences

• Measure advertising campaign performance and attribution

• Retarget visitors with relevant ads

• Optimize ad delivery and bidding

C. Sale of Personal Information (Required Disclosure)

Under California law, "sale" means disclosing personal information to a third party for monetary or other valuable consideration. We may sell the following categories of personal information of the sale or sharing of your personal information at any time (see Section 7).

Categories Sold:

• Identifiers (online identifiers, device IDs, IP address, cookie data)

• Internet or network activity (browsing behavior, site interactions)

• Geolocation data (approximate location)

• Inferences (interest profiles, preferences, behavioral predictions)

• Commercial information (interactions with our content and services)

Categories of Third Parties to Whom We Sell Information:

• Advertising networks

• Data brokers and analytics companies

• Marketing platforms

• Demand-side platforms

• Social media companies

We Do Not Sell:

• Payment card information or bank account details

• Social Security numbers or government-issued identification numbers

• Precise geolocation data

• Account passwords

• Personal information of consumers we know are under 16 years of age

Your Right to Opt Out: You have the right to opt out of the sale or sharing of your personal information at any time. See Section 5.D below for instructions.

D. Required Legal Disclosures

We may disclose any category of personal information if required by law, regulation, legal process, subpoena, court order, or governmental request, or to:

• Comply with legal obligations

• Protect our rights, property, or safety, or that of others

• Enforce our Terms of Service

• Investigate fraud, security issues, or technical problems

• Respond to claims or litigation

3A. CCPA APPLICABILITY

This Privacy Policy complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). JointCommerce is subject to the CCPA because we [SELECT ONE OR MORE AS APPLICABLE

☐ Have annual gross revenues exceeding $26,625,000

☐ Process personal information of 100,000 or more California residents or households annually

☐ Derive 50% or more of our annual revenue from selling or sharing personal information

California residents have specific privacy rights described in Section 5 below.

4. Categories of Personal Information Sold or Shared

We may sell or share the following categories: - Identifiers (e.g., online identifiers, device IDs, IP address)
- Commercial information (e.g., interactions with our content)
- Internet or network activity
- Geolocation (approximate)
- Inferences for advertising or personalization

We do not sell payment information or government-issued identifiers.

4A. Categories of Personal Information Sold or Shared. Detailed Disclosure: Categories Sold, Shared, and Disclosed (Last 12 Months)

Detailed Disclosure: Categories Sold, Shared, and Disclosed (Last 12 Months)

CATEGORY: IDENTIFIERS

(name, email, address, phone, account credentials, online identifiers, device IDs,

IP address, cookie IDs)

SOLD (for monetary or other valuable consideration):

✓ YES - Online identifiers, device IDs, IP address, cookie identifiers

SHARED (for cross-context behavioral advertising):

✓ YES - Online identifiers, device IDs, IP address, cookie identifiers,

email (hashed for matching purposes)

DISCLOSED TO SERVICE PROVIDERS/CONTRACTORS:

✓ YES - All identifier categories

CATEGORIES OF THIRD-PARTY RECIPIENTS:

• Advertising networks (Google Ads, Facebook Ads, programmatic exchanges)

• Data brokers and analytics companies

• Marketing platforms and email service providers

• Social media companies

• Demand-side platforms (DSPs)

• Service providers (hosting, email, authentication, customer support)

• Payment processors (limited to name, email, billing address)

• Security and fraud prevention services

CATEGORY: FINANCIAL INFORMATION

(payment card details, bank account information, billing address)

SOLD:

✗ NO

SHARED (for cross-context behavioral advertising):

✗ NO

DISCLOSED TO SERVICE PROVIDERS/CONTRACTORS:

✓ YES - Disclosed only to payment processors and fraud prevention services

CATEGORIES OF THIRD-PARTY RECIPIENTS:

• Payment processors (Stripe, PayPal, etc.)

• Fraud prevention and verification services

• Banking and financial institutions processing payments

• Service providers performing payment-related functions only

Note: Payment card details are processed by third-party payment processors and

are not stored on our servers. We never sell or share financial information.

CATEGORY: COMMERCIAL INFORMATION

(purchase history, transaction records, products viewed or purchased, shopping behavior)

SOLD:

✓ YES - Aggregated purchasing patterns, product interests, transaction metadata

(not including specific financial details)

SHARED (for cross-context behavioral advertising):

✓ YES - Product viewing behavior, shopping cart activity, product interests,

purchase categories

DISCLOSED TO SERVICE PROVIDERS/CONTRACTORS:

✓ YES - All commercial information categories

CATEGORIES OF THIRD-PARTY RECIPIENTS:

• Advertising networks and marketing platforms

• Analytics companies

• Data brokers and audience data providers

• Social media platforms for custom audience creation

• Service providers (order fulfillment, shipping, customer service)

• Email marketing service providers

• Marketing automation platforms

• Product recommendation engines

CATEGORY: INTERNET OR NETWORK ACTIVITY

(browsing history, search history, pages viewed, interactions with our Site,

device information, browser information)

SOLD:

✓ YES - Browsing behavior, page views, interaction data, device/browser details

SHARED (for cross-context behavioral advertising):

✓ YES - All internet/network activity collected on our Site

DISCLOSED TO SERVICE PROVIDERS/CONTRACTORS:

✓ YES - All internet/network activity

CATEGORIES OF THIRD-PARTY RECIPIENTS:

• Advertising networks and programmatic ad exchanges

• Analytics providers (Google Analytics, Adobe Analytics, etc.)

• Social media platforms (Facebook Pixel, LinkedIn Insight, etc.)

• Marketing technology platforms

• Tag management services

• Hosting providers and content delivery networks (CDNs)

• Heat mapping and session recording services

• A/B testing and optimization platforms

• Security services and DDoS protection providers

CATEGORY: GEOLOCATION DATA

(approximate location from IP address; precise geolocation only if you enable

location services)

SOLD:

✓ YES - Approximate geolocation (city/region level derived from IP address)

✗ NO - Precise geolocation (we do not sell precise GPS coordinates)

SHARED (for cross-context behavioral advertising):

✓ YES - Approximate geolocation (city/region level)

✗ NO - Precise geolocation

DISCLOSED TO SERVICE PROVIDERS/CONTRACTORS:

✓ YES - Approximate and precise geolocation (when enabled)

CATEGORIES OF THIRD-PARTY RECIPIENTS:

• Advertising networks (approximate location for ad targeting)

• Analytics providers (approximate location for analytics)

• Fraud prevention services (approximate and precise when enabled)

• Service providers for location-based features you request

• Content delivery networks (for geographic content optimization)

CATEGORY: INFERENCES

(preferences, interests, behavior predictions, characteristics, propensities,

attitudes, profiles)

SOLD:

✓ YES - Interest profiles, preference predictions, audience segments,

behavioral predictions

SHARED (for cross-context behavioral advertising):

✓ YES - Interest profiles, preference predictions, audience segments

DISCLOSED TO SERVICE PROVIDERS/CONTRACTORS:

✓ YES - Inferences used for service delivery and analytics

CATEGORIES OF THIRD-PARTY RECIPIENTS:

• Advertising networks and demand-side platforms

• Marketing platforms and audience data providers

• Analytics companies

• Social media companies

• Data brokers and data management platforms

• Predictive analytics service providers

• Personalization engines

CATEGORY: SENSITIVE PERSONAL INFORMATION

(account credentials, precise geolocation if enabled, [other categories if applicable])

SOLD:

✗ NO - We do not sell any sensitive personal information

SHARED (for cross-context behavioral advertising):

✗ NO - We do not share sensitive personal information for advertising

DISCLOSED TO SERVICE PROVIDERS/CONTRACTORS:

✓ YES - Limited disclosure as follows:

• Account credentials: Only to authentication, hosting, and security

service providers (credentials are encrypted and service providers

cannot access credential content)

• Precise geolocation (if enabled): Only to service providers necessary

to deliver location-based services you specifically request

CATEGORIES OF THIRD-PARTY RECIPIENTS:

• Authentication and identity verification services (credentials only, encrypted)

• Cloud hosting and storage providers (credentials stored encrypted)

• Security and fraud prevention services (for security purposes only)

• Service providers necessary to deliver location-based services (if you enable

precise geolocation)

Note: We limit use and disclosure of sensitive personal information to purposes

permitted under CCPA regulations §7027(m). You have the right to limit use and

disclosure of your sensitive personal information (see Section 5.F).

ADDITIONAL DISCLOSURES:

Sources of Personal Information:

• Directly from you (when you create an account, make purchases, contact us,

fill out forms, or otherwise interact with our Services)

• Automatically from your device (when you visit our Site through cookies,

pixels, and similar technologies)

• From third-party data providers and data brokers

• From advertising partners and networks

• From social media platforms (when you connect your social accounts or interact

with our social media presence)

• From public databases and sources

• From our affiliated companies and business partners

Duration of Collection:

This disclosure covers personal information collected, sold, shared, or disclosed

during the 12-month period preceding the Last Updated date of this Privacy Policy.

Annual Update:

We will update this disclosure annually to reflect our practices during the

preceding 12 months.

───────────────────────────────────────────────────────────────────────

5. Your California Privacy Rights

If you are a California resident, you have the following rights regarding your personal information:

A. Right to Know / Access

You have the right to request that we disclose:

• The categories of personal information we have collected about you

• The categories of sources from which we collected your personal information

• Our business or commercial purpose for collecting, selling, or sharing personal information

• The categories of third parties to whom we disclose, sell, or share personal information

• The specific pieces of personal information we have collected about you

Lookback Period: We will provide information for the 12-month period preceding your request. If we retain your personal information for longer than 12 months and you request access to information collected before the 12-month period, we will provide access to personal information dating back to January 1, 2022, or the date we began collecting your information, whichever is later.

How to Exercise: Submit your request by:

• Email: admin@jointcommerce.com

• Subject line: "California Right to Know Request"

• Include your full name, email address, and mailing address for verification

B. Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

Exceptions: We may deny your deletion request if retaining the information is necessary for us or our service providers to:

• Complete your transaction or provide requested services

• Detect and resolve security incidents or fraud

• Debug and repair errors

• Exercise free speech or ensure another consumer's right to free speech

• Comply with the California Electronic Communications Privacy Act

• Engage in research in the public interest (with appropriate safeguards)

• Comply with legal obligations

• Use the information internally in a lawful manner compatible with the context in which you provided it

How to Exercise: Submit your request by:

• Email: privacy@jointcommerce.com

• Subject line: "California Deletion Request"

• Include your full name, email address, and account information for verification

C. Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

How to Exercise: Submit your request by:

• Email: privacy@jointcommerce.com

• Subject line: "California Correction Request"

• Specify what information you believe is inaccurate and provide correct information

D. Right to Opt-Out of Sale or Sharing

You have the right to opt out of:

• The "sale" of your personal information (disclosure for monetary or valuable consideration)

• The "sharing" of your personal information for cross-context behavioral advertising

How to Exercise:

• Online: Visit our "Do Not Sell or Share My Personal Information" page at: [INSERT LINK]

• Email: Send a request to privacy@jointcommerce.com with subject line "Do Not Sell or Share"

• Global Privacy Control: We honor browser-based Global Privacy Control (GPC) signals as a valid opt-out request for the device and browser from which the signal is sent

Effect of Opt-Out: Once you opt out, we will not sell or share your personal information unless you later authorize us to do so. We will wait at least 12 months before asking you to opt back in.

E. Right to Opt-Out of Targeted Advertising

You may opt out of targeted advertising by:

• Using our opt-out page at [INSERT LINK]

• Enabling Global Privacy Control (GPC) in your browser

• Adjusting your cookie preferences through our cookie banner or cookie settings page

• Using industry opt-out tools:

- Network Advertising Initiative: https://optout.networkadvertising.org

- Digital Advertising Alliance: https://optout.aboutads.info

F. Right to Limit Use and Disclosure of Sensitive Personal Information

You have the right to limit our use and disclosure of your sensitive personal information to:

• Uses necessary to perform the services or provide the goods you reasonably expect

• Certain enumerated business purposes specified in CCPA regulations

How to Exercise: Submit your request by:

• Email: privacy@jointcommerce.com

• Subject line: "Limit Sensitive Personal Information"

G. Right to Data Portability

You have the right to request a copy of your personal information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another entity without hindrance.

How to Exercise: Include "Data Portability" in the subject line when submitting a Right to Know request.

H. Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. This means we will not:

• Deny you goods or services

• Charge you different prices or rates, including through discounts or other benefits, or imposing penalties

• Provide you a different level or quality of goods or services

• Suggest that you may receive a different price, rate, level, or quality of goods or services

Financial Incentives: We may offer financial incentives for the collection, sale, or retention of personal information as permitted by law. Any such program will include material terms, the right to withdraw at any time, and an explanation of how the incentive is reasonably related to the value of the consumer's data. We currently do not offer any financial incentive programs.

I. Verification Process

To protect your privacy and security, we will verify your identity before fulfilling your requests. Our verification process may include:

For Requests to Know (Categories):

• Verification of at least two data points you previously provided (e.g., email address and order number)

For Requests to Know (Specific Pieces) or Delete:

• Verification of at least three data points you previously provided

• For account holders: Login to your account using multi-factor authentication

• For non-account holders: Submission of a signed declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request

Unable to Verify: If we cannot verify your identity to a reasonable or reasonably high degree of certainty, we will notify you and explain why we cannot process your request.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. The authorized agent must:

• Provide written authorization signed by you

• Verify their own identity

• You may also need to verify your identity directly with us and confirm you gave the agent permission

J. Response Timeliness

Acknowledgment: We will acknowledge receipt of your request within 10 business days

Response: We will respond to your request within 45 days of receipt

Extension: If we need more time (up to an additional 45 days), we will notify you of the reason and extension period

Free of Charge: We will provide information and respond to requests free of charge. If requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request

Contact Information for Privacy Requests:

Email: admin@jointcommerce.com

Subject Lines Use specific subject lines as indicated above for each right

Mailing Address: [INSERT PHYSICAL MAILING ADDRESS]

Online Form: [INSERT LINK IF APPLICABLE]

5A. Financial Incentives

Current Programs:

We currently do not offer any financial incentive programs for the collection, retention, sale, or sharing of personal information.

Future Programs:

If we offer financial incentive programs in the future (such as discounts, rewards, or special offers in exchange for providing personal information), we will:

• Provide you with a clear description of the material terms of the program

• Explain how the incentive is reasonably related to the value of your personal information

• Allow you to opt in to the program

• Allow you to withdraw from the program at any time

• Not discriminate against you for declining to participate

Notice of Financial Incentive:

Before enrolling you in any financial incentive program, we will provide a separate Notice of Financial Incentive that describes the program's terms and your rights.

6. Children’s Privacy and Minors Under Age 16

Age Restriction:

Our Services are not intended for, and we do not knowingly collect personal information from, individuals under the age of 18. We do not knowingly sell or share the personal information of consumers under 16 years of age.

Children Under 13:

We do not knowingly collect, use, or disclose personal information from children under 13 years of age. If we learn that we have collected personal information from a child under 13, we will delete that information as quickly as possible. If you believe we have collected information from a child under 13, contact us immediately at admin@jointcommerce.com.

California Minors (Ages 13-15):

We do not sell or share the personal information of consumers we have actual knowledge are between 13 and 15 years of age, unless we receive affirmative authorization (opt-in consent) from the minor.

California Minors (Age 16-17):

We do not sell or share the personal information of consumers we have actual knowledge are 16 or 17 years of age, unless the consumer has opted in to such sale or sharing, or their parent or guardian has opted in on their behalf.

Parental Rights:

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@jointcommerce.com to request access to, correction of, or deletion of your child's information.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information. However, no online system is completely secure.

8. International Users (GDPR Considerations)

If you access the Site from outside the United States: - Your data may be transferred to servers in the U.S.
- By using the Site, you consent to this transfer.
- Where required, we rely on consent or legitimate interest for processing.
- You may exercise GDPR rights (access, delete, restrict, object) by contacting us.

9. Data Retention Periods

CATEGORY: ACCOUNT INFORMATION

(name, email, address, phone number, account credentials, account preferences)

RETENTION PERIOD:

• Active Account: Duration of active account relationship

• Closed Account: 3 years after account closure

REASON FOR RETENTION:

• Account management and service delivery

• Customer support and relationship history

• Legal compliance and dispute resolution

• Fraud prevention and security monitoring

• Reinstatement of account if requested

• Defense of legal claims

DELETION AFTER RETENTION:

Securely deleted or anonymized after 3 years from account closure, unless longer

retention is required by law or for ongoing litigation.

CATEGORY: TRANSACTION AND PAYMENT RECORDS

(purchase history, invoices, payment records, transaction details, refund records)

RETENTION PERIOD:

7 years from transaction date

REASON FOR RETENTION:

• Tax compliance (IRS and state tax law requirements)

• Accounting and financial record-keeping requirements

• Audit requirements

• Dispute resolution (chargebacks, refunds, payment disputes)

• Warranty and product liability claims

• Legal compliance with financial record-keeping laws

DELETION AFTER RETENTION:

Securely deleted or anonymized after 7 years, unless longer retention is required

for ongoing litigation, unresolved disputes, or specific legal obligations.

CATEGORY: MARKETING COMMUNICATIONS DATA

(email addresses for marketing, communication preferences, marketing interaction

history, email open/click data)

RETENTION PERIOD:

• Active Subscribers: Until you unsubscribe, plus 90 days

• Unsubscribed: Indefinitely on suppression list (email address only to honor

opt-out)

REASON FOR RETENTION:

• Deliver requested marketing communications

• Honor unsubscribe requests and maintain suppression list

• Comply with email marketing laws (CAN-SPAM, CASL)

• Prevent re-subscription errors

• Marketing analytics during active subscription

DELETION AFTER RETENTION:

Marketing interaction data deleted 90 days after unsubscribe. Email address

retained indefinitely on suppression list to honor your opt-out preference.

CATEGORY: WEBSITE ANALYTICS AND COOKIES

(browsing behavior, pages viewed, session data, cookie identifiers, device information)

RETENTION PERIOD:

26 months from collection date

REASON FOR RETENTION:

• Website analytics and performance measurement

• User experience improvement

• Trend analysis and business intelligence

• Marketing attribution and campaign effectiveness

• A/B testing and feature optimization

• Industry standard analytics retention period

DELETION AFTER RETENTION:

Automatically deleted or anonymized after 26 months.

Note: You can delete cookies

from your browser at any time, and you can opt out of analytics tracking.

CATEGORY: CUSTOMER SUPPORT RECORDS

(support tickets, chat transcripts, email correspondence, call recordings,

support interaction history)

RETENTION PERIOD:

5 years from last interaction date

REASON FOR RETENTION:

• Reference for ongoing or future support issues

• Quality assurance and training

• Dispute resolution

• Product and service improvement

• Pattern analysis for common issues

• Legal compliance and defense of claims

DELETION AFTER RETENTION:

Securely deleted after 5 years from last interaction, unless longer retention

is required for ongoing matters or litigation.

CATEGORY: SECURITY AND FRAUD PREVENTION LOGS

(security event logs, fraud detection data, access logs, IP address logs,

authentication logs)

RETENTION PERIOD:

2 years from collection date

REASON FOR RETENTION:

• Security incident investigation and response

• Fraud detection and prevention

• Audit trail for security compliance

• Threat analysis and pattern detection

• Legal compliance and law enforcement cooperation

• Defense against security-related claims

DELETION AFTER RETENTION:

Automatically deleted after 2 years, unless longer retention is required for

ongoing security investigations, litigation, or law enforcement requests.

CATEGORY: BACKUP DATA

(copies of data maintained in backup systems)

RETENTION PERIOD:

90 days in active backup systems

REASON FOR RETENTION:

• Disaster recovery

• System integrity and business continuity

• Protection against data loss from technical failures

• Ransomware and cyberattack recovery

DELETION AFTER RETENTION:

Automatically deleted from backup systems after 90 days through our automated

backup rotation cycle.

Note: Even if you request deletion of your data, copies

may remain in backup systems for up to 90 days before permanent deletion.

CATEGORY: LEGAL HOLD DATA

(any data subject to litigation hold, regulatory investigation, or law enforcement

request)

RETENTION PERIOD:

Duration of legal hold, investigation, or litigation, plus applicable statute

of limitations

REASON FOR RETENTION:

• Legal obligation to preserve evidence

• Regulatory investigation compliance

• Litigation defense and response

• Law enforcement cooperation

• Avoiding spoliation of evidence

DELETION AFTER RETENTION:

Deleted after legal matter concludes and all appeal periods and statutes of

limitations expire, unless other retention obligations apply.

CATEGORY: AGGREGATED AND DE-IDENTIFIED DATA

(data that has been aggregated or de-identified so it cannot reasonably be used

to identify you)

RETENTION PERIOD:

Indefinitely

REASON FOR RETENTION:

• Business analytics and insights

• Product development and improvement

• Research and statistical analysis

• Industry benchmarking

• No privacy risk (data cannot identify individuals)

DELETION AFTER RETENTION:

Not applicable. Aggregated and de-identified data is not subject to deletion

requests because it is not personal information under CCPA.

GENERAL RETENTION PRINCIPLES:

Data Minimization:

We continuously review our data collection and retention practices to ensure we

collect and retain only the personal information necessary for our stated purposes.

Secure Deletion:

When personal information reaches the end of its retention period, we securely

delete or destroy it using industry-standard methods:

• Electronic data: Secure deletion using multiple-pass overwriting or

cryptographic erasure

• Backup media: Physical destruction or secure erasure

• Third-party data: Deletion instructions to service providers

Retention Period Extensions:

Retention periods may be extended when:

• Required by law or regulation

• Necessary for ongoing litigation, investigation, or dispute

• You have consented to longer retention

• Needed to defend legal claims within applicable statutes of limitations

• Required for ongoing business relationship

California Residents' Rights:

Regardless of the retention periods listed above, California residents may

request deletion of their personal information at any time, subject to legal

exceptions described in Section 5.B.

Review and Updates:

We review our retention schedule annually and update it as needed to reflect

changes in legal requirements, business needs, and industry best practices

10. Third-Party Links and Advertisers

Third-party websites and advertisers have their own privacy policies. We are not responsible for their practices.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. The “Last Updated” date indicates the most recent revision. Continued use of the Site after changes constitutes acceptance.

11A. Dark Patterns Prohibition

No Dark Patterns:

We do not use "dark patterns" or deceptive user interfaces that:

• Have the substantial effect of subverting or impairing user autonomy, decision-making, or choice

• Make it significantly harder to opt out of sale/sharing than to opt in

• Use confusing language, conflicting information, or contradictory choices

• Are designed to trick or manipulate you into taking an action you did not intend

Accessible Opt-Out Mechanisms:

Our "Do Not Sell or Share My Personal Information" link and other privacy controls are:

• Clearly and conspicuously posted on our homepage and in our privacy policy

• Easy to find and use

• Presented in a format at least as noticeable as other links on the same page

• Designed to be accessible to consumers with disabilities

Cookie Consent:

Our cookie consent mechanisms allow you to:

• Easily accept or reject cookies

• View clear information about what cookies do before accepting

• Change your cookie preferences at any time through our cookie settings

Equal Ease of Consent Withdrawal:

If we request your consent for data processing, withdrawing consent will be as easy as giving consent. You will not need to navigate through multiple pages or complete unnecessary steps to withdraw consent.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to contact us for any privacy-related matter:

For General Privacy Questions:

Email: admin@jointcommerce.com

Website: https://app.jointcommerce.com

Mailing Address: [INSERT COMPLETE PHYSICAL MAILING ADDRESS]

For California Privacy Rights Requests:

Email: admin@jointcommerce.com

(Use specific subject lines as indicated in Section 5 for each type of request)

Online Request Form: [INSERT LINK IF AVAILABLE]

Do Not Sell or Share My Information: [INSERT DIRECT LINK]

Response Time:

We will acknowledge receipt of your inquiry or privacy request within 10 business days and respond substantively within 45 days (with possible extension to 90 days for complex requests).

Additional Resources:

• California Privacy Protection Agency: https://cppa.ca.gov/

• California Attorney General's CCPA Information: https://oag.ca.gov/privacy/ccpa