CIRCA PRIVACY POLICY

Effective August 3, 2020

This Privacy Policy covers EventGeek, Inc. dba Circa (“Circa”) policies on the collection, use, and disclosure of Personal Data/Personally Identifiable Information/Personal Information (as defined by applicable law and hereinafter collectively referred to as “Personal Data”) when visitors and Subscribers (collectively “Users”) access www.Circa.com (“Site”) and/or the Circa mobile applications (collectively the “Platform”) and the software and services made available through the Platform (collectively the “Services”).

EventGeek, Inc. dba Circa is a Delaware corporation with offices in the United States. Circa collects Personal Data from its users around the world and processes, transfers and stores data within the United States.  By checking the “I consent to the Privacy Policy” box and subject to your opt-in/opt-out preferences, you consent to the collection, use and disclosure practices identified in this Privacy Policy.

1.     What Information Is Collected by Circa And How Is It Used?

Account Creation Information:  When creating an account, Subscribers must register either by providing an email and a password, or by registering through their existing Google Account.  Circa will send an email to the designated email address to verify a Subscriber’s account before finalizing registration. The collection of this information is necessary to fulfill our contractual obligations and to provide the Services to you.  Your email may also be utilized to (i) provide information regarding our Services; and/or (ii) to communicate material changes to our Terms of Service and Privacy Policy.  When registering with a Google Account, Subscribers can review and manage their privacy settings using Google’s Privacy Checkup tool.

Email Addresses & Contact Information:  Users may optionally provide their email address and/or other contact information to Circa to contact us through the Platform with questions about our Platform and Services.  Users may also optionally subscribe to our newsletters and may unsubscribe at any time through the opt-out link contained within those communications.

Cookies:  Circa utilizes cookie technology to gather information on Internet use in order to serve its Users more effectively. As described in Section 2, Circa also utilizes third party analytics services which may also use tracking cookies to provide information about the use of our Platform. Users can set your browser to remove or reject cookies and/or accept or refuse cookies on the cookie consent banner on the site itself; however, some Platform features or Services may not work properly without cookies.

2. Is Information Collected By Or Disclosed To Third Parties?

Circa does not sell, rent, or lease Personal Data to any third parties.  However, Personal Data is shared with third parties as follows:

Account Registration:  Subscribers may optionally register their account through Google. If you register an account using your Google login credentials, it will enable Google to collect a Subscriber’s Personal Data in accordance with the policies and practices disclosed in the Google Privacy Policy.  Subscribers should click on the hyperlink to review the applicable privacy policies for more detail about information collected from Google. You have the ability to modify your privacy settings through your Google account.

Integrated API’s:

● Geolocation Data: Circa has integrated the Google API to incorporate Google Maps and to utilize geolocation in connection with the Services. For more information on the privacy policy of this service, please see: Google's Privacy Policy.  Subscribers can review and manage their key privacy settings using Google’s Privacy Checkup tool.
● Event-Based Weather and Forecasts: Circa utilizes DarkSky API to provide Subscribers with event-location based weather conditions and forecasts. Personal Data is collected and processed in accordance with DarkSky's Privacy Policy.  Dark Sky utilizes Google Analytics to collect usage statistics and Subscribers may opt-out by installing Google Analytics Opt-out Browser Add-on.
● Social Media Tracking & Alerts:  Circa utilizes Twitter API’s to provide Subscribers with social media tracking and alert services based on event handles, hashtags and keywords.  Personal Data is collected in accordance with  Twitter's Privacy Policy. Subscribers can limit the data collected by Twitter through their Twitter Account Settings.
● Shipment Tracking: Circa utilizes EasyPost API to send third party shipping carrier tracking information and obtain delivery status updates.  For more information on the privacy policy of this service, please see: EasyPost's Privacy Policy.
● Automated Messaging: Circa utilizes Customer.io to create and send automated, customized email messages to its customers, leads and users pertaining to events and the Circa services.   For more information on its privacy policy, please see: Customer.io Privacy Policy.
● Business Card Data: Circa has integrated Full Contact Card Reader API to enable its Subscribers to scan their business cards and save their business card data/contacts within the Platform.  For more information on the privacy policy of this service, please see: Full Contact Privacy Policy.

CRM Integration:  To the extent CRM Integration is part of a Subscriber’s subscription plan, Circa shares its Subscribers’ account credentials with salesforce.com. Processing is necessary to provide the Services in accordance with the CRM Integration-related Services. For more information on its privacy policy, please see: Salesforce.com Privacy Policy.

Web Hosting Services: Personal Data is stored on cloud servers maintained by Heroku. For more information on its privacy policy, please see Heroku.

Third Party Calendar Integration: Subscribers can opt to integrate their event and task dates with third party calendars, including, Google, Outlook &  iCal.  Subscribers should review the privacy policy of those third party sites for more information on their data collection and use practices.

Anonymous Data - Analytics: Circa uses third party analytics services to learn how Users use the Platform and Services so that we can review and improve our Services:

● Google Analytics: Google Analytics is a web analytics tool collects information anonymously. It provides a report to Circa with website trends without identifying individual visitors.  For more information on its privacy policy, please see: Privacy Policy. However, if you do not want your Personal Data to be used by Google Analytics, you may opt-out by installing Google Analytics Opt-out Browser Add-on.
● Segment.com: Segment.com collects information regarding Circa’s Subscribers’ use of the Platform and Services, as well as third-party applications and services available in connection with the Platform and Services (“Subscriber User Data”).  Subscriber User Data may include, without limitation, information about the identity of Subscribers (such as name, postal address, e-mail address, IP address and phone number), as well as information about the pages that users visit and the features that they use, and the actions that they take while using the Platform. For more information on the privacy policy of this service, please see:  Segment Privacy Policy
● Amplitude:  Amplitude collects user data and information regarding the behavior and usage patterns of users of the Platform. Data collected by Amplitude Inc. in the United States is transferred to servers of Amplitude Inc. in the United States. For more information on the privacy policy of this service, please see: Amplitude Data Security and Privacy Policy
● FullStory: FullStory records User sessions on their website, enabling meaningful insight into Users' experience, as an effective way to identify usability problems and other areas for improvement. For more information on the privacy policy of this service, please see:  FullStory Privacy Policy and its Acceptable Use Policy.  If you wish to prevent all websites using the FullStory Services to be able to record activity, you can  opt-out of the FullStory Services. Opting out will create a cookie that tells FullStory to turn off recording on any site which uses the FullStory Services. The presence of this cookie is required to continue opting out, so if you clear your browser cookies, you will have to opt-out again.

Third Party Advertising/Re-Targeting Services: When accessing the Platform, third party advertising services may place a cookie on your browser, which may be used to target relevant advertisements to you when you visit third party websites.  Users may opt-out from receiving targeted advertisements by visiting the (1) Network Advertising Consumer Opt-Out page, (2) Digital Advertising Alliance Opt-Out page, and/or (3) the opt-out provisions pertaining to the applicable advertising services/retargeting provider.

Social Plug-Ins:  Users may follow Circa and/or share information on Facebook, Twitter, Google and LinkedIn. Users should click on the hyperlinks for each site to review the applicable privacy policies for more detail about information collected from these sites.

Payment Processing Information: Circa does not itself store debit or credit card information on its servers.  Circa utilizes a third party payment processor, Stripe, to manage and process payments in order to guarantee the security of Subscriber’s Personal Data.  For more information on its privacy policy, please see Stripe's Privacy Policy.

Other Potential Third Party Disclosures: Personal Data may also be disclosed to third parties to serve our legitimate business interests as follows: (1) as required by law, such as to comply with a subpoena, or similar legal process, (2) if Circa is involved in a merger, acquisition, or sale of all or a portion of its assets, (3) to investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (4) enforce our agreements with you, and/or (5) investigate and defend ourselves against any third-party claims or allegations. We will use commercially reasonable efforts to notify users about law enforcement or court ordered requests for data unless otherwise prohibited by law.

3. How Does Circa Comply With The Children’s Online Privacy Protection Act and GDPR Regulations Relating to Children?

Only persons age 18 or older are authorized to create an Circa account.  We do not knowingly collect Personal Data from anyone under the age of 18.  If a parent or guardian becomes aware that his or her child (a) under the age of 16 in applicable EU Member Countries, or (b) under the age of 13 in the U.S. and applicable EU Member Countries,  has provided us with Personal Data without their consent, he or she should contact Circa at privacy@Circa.com. We will delete such Personal Data from our files within a commercially reasonable time, but no later than required under the applicable law relating to the child’s country of residence.

4.     How Long Does Circa Retain Personal Data Collected?

We will retain account and purchase data as long as it is necessary to provide our Services to our Subscribers.  When a Subscriber’s account is terminated or expires,  Personal Data collected through the Platform will be deleted in accordance with the requirements of applicable law.  Personal Data obtained from Site visitors will be maintained as long as it is necessary to provide requested communications and information-based services or until a Visitor exercises its right to opts-out of requested communications or information-based services.  Anonymized and Pseudo-anonymized data will be retained as long as Circa determines such data is commercially necessary for it legitimate business interests.

5.     EU General Data Protection Regulation (“GDPR”) Notices
 
Data Processor.   Circa is the processor of all Subscriber Data (as defined in the applicable Terms of Service), including Personal Data input by Subscriber, and its authorized users, in connection with Subscriber’s use of the Circa Services.

Data Controller.  The Personal Data input by (a) visitors  in general, and  (b) Subscriber for purposes of establishing a commercial account with Circa, is controlled by Circa, Circa, 314 S. Guadalupe St, STE 107, Santa Fe, New Mexico 87501.  You may contact us at any time by emailing us at privacy@Circa.com.

We will only collect and process Personal Data about you where we have lawful bases. Lawful bases include consent (where you have given consent), contract (where processing is necessary for the performance of a contract with you, and “legitimate interests.” Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time and where we rely on legitimate interests, you have the right to object.  If you have any questions about the lawful bases upon which we collect and use your personal data, please contact us at privacy@Circa.com.

Data Processing Addendums for Subprocessors: Circa has executed a Data Processing Addendum with those subprocessors that process end-user Personal Data to ensure compliance with Circa’s obligations under applicable data protection laws and regulations. Each of those subprocessors are EU-US Privacy Shield certified as of the Effective Date of this Privacy Policy.

Users within the EU may email Circa  at privacy@Circa.com in order to exercise their GDPR rights to:

●     Access, review, restrict processing of, or otherwise request erasure of your Personal Data;
●   Obtain the identity of the source of any Personal Data collected;
●   Request correction of any errors contained within your Personal Data;
●   Request transfer your Personal Data to another service provider;
●   Object to the manner in which your Personal Data is processed; or
●    Lodge a complaint with a supervisory authority.

You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here:  http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.  If you need further assistance regarding your rights, please contact us using the contact information provided below and we will consider your request in accordance with applicable law. In some cases our ability to uphold these rights for you may depend upon our obligations to process personal information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
Where we rely on your consent to collect Personal Data, you may withdraw your consent either through the opt-out links provided in this Privacy Policy or through the contact information contained within this Section.

For all GDPR-based requests made pursuant to this section, Circa will (a) respond as required under applicable law, (b) provide a copy of any requested Personal Data in a structured, commonly used and machine-readable format, and (c) transmit such Personal Data to another service provider without restriction in accordance with applicable law.

6.     Privacy Shield Notice For Users In The European Union

Circa complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries (and Iceland, Liechtenstein, and Norway) and Switzerland transferred to the United States pursuant to Privacy Shield.

Certification. Circa has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

Accountability for Onward Transfer.

Circa requires that its integrated service providers that have access to personal information from EU consumers have either self-certified to the Privacy Shield Principles, are subject to the EU Privacy Directive, or enter into a written agreement with us that requires them to provide at least the same level of privacy protection as is required by the relevant Privacy Shield Principles. Circa is potentially liable if such third party service providers process your personal information in a manner that is inconsistent with the Privacy Shield Principles.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Access and Choice. Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States.  Upon request, we will provide you with access to the personal information that we hold about you.  You may also correct, amend, or delete the personal information we hold about you.  An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@Circa.com.  If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized.  To request to limit the use and disclosure of your personal information, please submit a written request to privacy@Circa.com.

Complaints.  In compliance with the EU-US Privacy Shield Principles, Circa. commits to resolve complaints about our collection or use of your personal information. Individuals in the European Union with inquiries or complaints regarding our Privacy Shield policy should first contact Circa at privacy@Circa.com or by mail to: Circa, 314 S. Guadalupe St, STE 107, Santa Fe, New Mexico 87501.

No Cost Dispute Resolution. Circa has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

●      FTC Jurisdiction. The Federal Trade Commission has jurisdiction over Event Geek's compliance with this Privacy Policy and the EU-US Privacy Shield Framework.

Privacy Shield Panel – Binding Arbitration. If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

7.     Your California Privacy Rights.
California Consumer’s Request to Disclose, Right to Delete, Right to Opt-Out of Sale Rights:  For Information on your California Consumer Rights, please see: California Consumer Privacy Rights Notice (“Notice”)
A verifiable Consumer Request may be submitted to Circa effective January 1, 2020 by emailing Circa at privacy@Circa.com or through the account or as otherwise designated in the Notice.

Circa will verify all requests with the Consumer email address on file with the email address submitted in the applicable request form.  Consumers may designate an authorized agent to make a request on the Consumer’s behalf at privacy@Circa.com or as otherwise designated in the Notice.

8. What Is Circa Security Policy?

We have implemented reasonable administrative, technical and physical security measures in accordance with the Circa's Enterprise Security Policy to protect your personal information against unauthorized access, destruction or alteration. However, although we endeavor to provide reasonable security for information we process and maintain, no security system can ever be 100% secure.

In addition, Circa utilizes a PCI-DSS compliant third party payment processor to ensure the security of Subscriber’s Personal Data. Subscribers should review Stripe’s Security Policy for more information on their security practices.

9.     How Does The Platform Respond To “Do Not Track” Signals?

“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a website disable its tracking or cross-Platform user tracking. At present, the Platform does not respond to or alter its practices when a Do Not Track signal is received.

10.  How Will I Be Notified Of Changes To Your Privacy Policy?

If we make material changes to our Privacy Policy, we will notify you by (1) changing the Effective Date at the top of the Privacy Policy, (ii) sending an email to all active account holders, and (iii)  add a banner/notification to the Platform itself.  Express consent will be obtained when required for any material changes in Circa’s collection and use practices.

11.  Contact Us

If you have any questions regarding your Personal Data or about our privacy practices, please contact us at: Circa, ATTN: Privacy Department, Circa, 314 S. Guadalupe St, STE 107, Santa Fe, New Mexico 87501 or at privacy@Circa.com.