Effective August 3, 2020
1. What Information Is Collected by Circa And How Is It Used?
Email Addresses & Contact Information: Users may optionally provide their email address and/or other contact information to Circa to contact us through the Platform with questions about our Platform and Services. Users may also optionally subscribe to our newsletters and may unsubscribe at any time through the opt-out link contained within those communications.
2. Is Information Collected By Or Disclosed To Third Parties?
Circa does not sell, rent, or lease Personal Data to any third parties. However, Personal Data is shared with third parties as follows:
Anonymous Data - Analytics: Circa uses third party analytics services to learn how Users use the Platform and Services so that we can review and improve our Services:
Third Party Advertising/Re-Targeting Services: When accessing the Platform, third party advertising services may place a cookie on your browser, which may be used to target relevant advertisements to you when you visit third party websites. Users may opt-out from receiving targeted advertisements by visiting the (1) Network Advertising Consumer Opt-Out page, (2) Digital Advertising Alliance Opt-Out page, and/or (3) the opt-out provisions pertaining to the applicable advertising services/retargeting provider.
Social Plug-Ins: Users may follow Circa and/or share information on Facebook, Twitter, Google and LinkedIn. Users should click on the hyperlinks for each site to review the applicable privacy policies for more detail about information collected from these sites.
Other Potential Third Party Disclosures: Personal Data may also be disclosed to third parties to serve our legitimate business interests as follows: (1) as required by law, such as to comply with a subpoena, or similar legal process, (2) if Circa is involved in a merger, acquisition, or sale of all or a portion of its assets, (3) to investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (4) enforce our agreements with you, and/or (5) investigate and defend ourselves against any third-party claims or allegations. We will use commercially reasonable efforts to notify users about law enforcement or court ordered requests for data unless otherwise prohibited by law.
3. How Does Circa Comply With The Children’s Online Privacy Protection Act and GDPR Regulations Relating to Children?
Only persons age 18 or older are authorized to create an Circa account. We do not knowingly collect Personal Data from anyone under the age of 18. If a parent or guardian becomes aware that his or her child (a) under the age of 16 in applicable EU Member Countries, or (b) under the age of 13 in the U.S. and applicable EU Member Countries, has provided us with Personal Data without their consent, he or she should contact Circa at privacy@Circa.com. We will delete such Personal Data from our files within a commercially reasonable time, but no later than required under the applicable law relating to the child’s country of residence.
4. How Long Does Circa Retain Personal Data Collected?
We will retain account and purchase data as long as it is necessary to provide our Services to our Subscribers. When a Subscriber’s account is terminated or expires, Personal Data collected through the Platform will be deleted in accordance with the requirements of applicable law. Personal Data obtained from Site visitors will be maintained as long as it is necessary to provide requested communications and information-based services or until a Visitor exercises its right to opts-out of requested communications or information-based services. Anonymized and Pseudo-anonymized data will be retained as long as Circa determines such data is commercially necessary for it legitimate business interests.
5. EU General Data Protection Regulation (“GDPR”) Notices
Data Processor. Circa is the processor of all Subscriber Data (as defined in the applicable Terms of Service), including Personal Data input by Subscriber, and its authorized users, in connection with Subscriber’s use of the Circa Services.
Data Controller. The Personal Data input by (a) visitors in general, and (b) Subscriber for purposes of establishing a commercial account with Circa, is controlled by Circa, Circa, 314 S. Guadalupe St, STE 107, Santa Fe, New Mexico 87501. You may contact us at any time by emailing us at privacy@Circa.com.
We will only collect and process Personal Data about you where we have lawful bases. Lawful bases include consent (where you have given consent), contract (where processing is necessary for the performance of a contract with you, and “legitimate interests.” Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time and where we rely on legitimate interests, you have the right to object. If you have any questions about the lawful bases upon which we collect and use your personal data, please contact us at privacy@Circa.com.
Users within the EU may email Circa at privacy@Circa.com in order to exercise their GDPR rights to:
● Access, review, restrict processing of, or otherwise request erasure of your Personal Data;
● Obtain the identity of the source of any Personal Data collected;
● Request correction of any errors contained within your Personal Data;
● Request transfer your Personal Data to another service provider;
● Object to the manner in which your Personal Data is processed; or
● Lodge a complaint with a supervisory authority.
You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. If you need further assistance regarding your rights, please contact us using the contact information provided below and we will consider your request in accordance with applicable law. In some cases our ability to uphold these rights for you may depend upon our obligations to process personal information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
For all GDPR-based requests made pursuant to this section, Circa will (a) respond as required under applicable law, (b) provide a copy of any requested Personal Data in a structured, commonly used and machine-readable format, and (c) transmit such Personal Data to another service provider without restriction in accordance with applicable law.
6. Privacy Shield Notice For Users In The European Union
Circa complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries (and Iceland, Liechtenstein, and Norway) and Switzerland transferred to the United States pursuant to Privacy Shield.
Accountability for Onward Transfer.
Circa requires that its integrated service providers that have access to personal information from EU consumers have either self-certified to the Privacy Shield Principles, are subject to the EU Privacy Directive, or enter into a written agreement with us that requires them to provide at least the same level of privacy protection as is required by the relevant Privacy Shield Principles. Circa is potentially liable if such third party service providers process your personal information in a manner that is inconsistent with the Privacy Shield Principles.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Access and Choice. Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@Circa.com. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@Circa.com.
Complaints. In compliance with the EU-US Privacy Shield Principles, Circa. commits to resolve complaints about our collection or use of your personal information. Individuals in the European Union with inquiries or complaints regarding our Privacy Shield policy should first contact Circa at privacy@Circa.com or by mail to: Circa, 314 S. Guadalupe St, STE 107, Santa Fe, New Mexico 87501.
No Cost Dispute Resolution. Circa has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
Privacy Shield Panel – Binding Arbitration. If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
7. Your California Privacy Rights.
California Consumer’s Request to Disclose, Right to Delete, Right to Opt-Out of Sale Rights: For Information on your California Consumer Rights, please see: California Consumer Privacy Rights Notice (“Notice”)
A verifiable Consumer Request may be submitted to Circa effective January 1, 2020 by emailing Circa at privacy@Circa.com or through the account or as otherwise designated in the Notice.
Circa will verify all requests with the Consumer email address on file with the email address submitted in the applicable request form. Consumers may designate an authorized agent to make a request on the Consumer’s behalf at privacy@Circa.com or as otherwise designated in the Notice.
8. What Is Circa Security Policy?
We have implemented reasonable administrative, technical and physical security measures in accordance with the Circa's Enterprise Security Policy to protect your personal information against unauthorized access, destruction or alteration. However, although we endeavor to provide reasonable security for information we process and maintain, no security system can ever be 100% secure.
In addition, Circa utilizes a PCI-DSS compliant third party payment processor to ensure the security of Subscriber’s Personal Data. Subscribers should review Stripe’s Security Policy for more information on their security practices.
9. How Does The Platform Respond To “Do Not Track” Signals?
“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a website disable its tracking or cross-Platform user tracking. At present, the Platform does not respond to or alter its practices when a Do Not Track signal is received.
11. Contact Us
If you have any questions regarding your Personal Data or about our privacy practices, please contact us at: Circa, ATTN: Privacy Department, Circa, 314 S. Guadalupe St, STE 107, Santa Fe, New Mexico 87501 or at privacy@Circa.com.