SRAM, LLC GLOBAL PRIVACY POLICY
Updated: February 3, 2023
This Privacy Policy applies to websites, applications, stores and Services (as defined below) operated by or on behalf of SRAM, LLC and its subsidiaries and affiliates worldwide (collectively “we”, “us” or “our”). The purpose of this Policy is to tell users of the Services what information we collect, how it is used, where it is used, and how to contact us with privacy inquiries. Your use of the Services is also subject to our Terms of Use.
We are committed to safeguarding your privacy and ensuring that your Personal Data is protected. As used herein, “Personal Data” means information that can directly or indirectly identify you or other individuals. References to Personal Data shall be deemed to include “personal data,” “personal information,” and other similar terms as defined in applicable data protection laws. This Policy also applies to our collection and use of your “Sensitive Data,” which typically includes information that reveals a consumers’ social security, driver’s license, financial accounts, debit or credit cards in combination with required access codes, precise geolocation, and genetic data. References to Sensitive Data shall be deemed to include “sensitive personal data,” “sensitive personal information,” and other similar terms as defined in applicable data protection laws.
This Policy applies to Personal Data processed by us in connection with the Services. This includes information collected when you make a purchase through our stores, participate in a forum on our site, register for contests or other promotional opportunities provided by us, answer surveys, and register for electronic newsletters or other membership services. This also includes information collected from our physical products, such as when you connect to bike components using our site or applications, upload bike ride data on our servers, use our analysis tools for your bike data, and otherwise interact with bike data on our software.
1. WHO IS RESPONSIBLE FOR WHAT HAPPENS WITH YOUR DATA?
We are responsible for processing of your Personal Data through the Services. You can contact the Data Protection Officer via mail, by phone or by email if you have any questions, as described below.
2. WHO IS THE DATA PROTECTION OFFICER?
The Data Protection Officer of SRAM, LLC is Sarah Fanto. You can contact her by email, by mail or by telephone, as follows:
Data Protection Officer
SRAM, LLC
1000 W Fulton Market, Floor 4, Chicago, Illinois 60607, USA
Email: [email protected]
Telephone: +1-312-664-3002
3. WHEN DO WE ASK FOR YOUR CONSENT?
By using our websites or applications, you acknowledge that we are processing your Personal Data in accordance with this Privacy Policy. If you do not wish that we process your Personal Data in this way, please do not use our websites or applications or otherwise provide us with your Personal Data.
We process your data to provide the Services. In certain instances, we only process your data if you have consented, for example in certain cases where we process your Personal Data for marketing purposes, use cookies or process your Sensitive Data. Where we process your data on the basis of your consent, we will ask for your consent explicitly but, in some cases and only where permitted by applicable law, we may infer in a transparent manner consent from your actions. We may also ask you to provide additional consent if we need to use your Personal Data for purposes not covered by this Privacy Policy or before sharing your Personal Data with the SRAM, LLC group of companies or relevant subsidiaries of SRAM, LLC for the purposes of marketing.
4. WHAT HAPPENS IF OUR CUSTOMER IS A CHILD?
The Services, including our websites and applications, are not intended for children under 16 years of age. No one under age 16 may provide any information to us or on the Services.
We do not knowingly collect Personal Data from children under 16. If you are under 16, do not use or provide any information on or through any of the Services or their features/registration, make any purchases through the Services, use any of the forums or interactive or public comment features of the Services or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received Personal Data from a child under 16 without verification of any required parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact the Data Protection Officer at:
Data Protection Officer
SRAM, LLC
1000 W Fulton Market, Floor 4, Chicago, Illinois 60607, USA
Email: [email protected]
Telephone: +1-312-664-3002
5. FOR WHICH PURPOSES DO WE PROCESS YOUR PERSONAL DATA?
We process information, including Personal Data that you provide to us when you use the Services. We collect your Personal Data directly when you provide us with Personal Data so that you can register as a customer for our online shop, subscribe to our newsletter or other membership services, receive information or mailings, use our applications, buy a product from us, complete a survey, make a comment or enquiry or contact our customer services, and register for contests and other promotional opportunities.
We may also receive Personal Data about you from other sources, including information from commercially available sources, such as public databases and data aggregators, and information from third parties. For example, if you interact with a third party platform service when using our apps or websites, such as using a third party service to log-in to your user or customer account (e.g., Facebook Login or Google Sign-In), or if you share content from our app or websites through a third party social media platform service, we may receive Personal Data about you, such as information from your public profile, if the third party service and your account settings with such service allow us to receive such information. The information we receive will depend on the policies and your account settings with the third party service. You should exercise caution and look at the privacy statement for the third party platform services you use.
In more detail, we process the following categories of Personal Data for the following purposes (collectively, such activities are the “Services”):
5.1 Surfing on our website, using our applications
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: information about the type of browser you use, details of the web pages you have viewed, your IP and device address, your Cookie ID, application ID or other passive ID information, hyperlinks or application pages that you have clicked, your user name, profile picture, gender, networks and any other information you choose to share when using Third Party Sites (such as when you use the “Like” functionality on Facebook), the websites you visited before arriving at our relevant websites and information collected by cookies or similar tracking devices.
What is the Purpose of Processing your Personal Data?
We (and third party service providers acting on our behalf or on their own behalf) use cookies and similar technologies to process data about you when you visit our relevant websites or use our application to create aggregate trend reports, find out how customers arrive at a website, how they use apps; the responses to a marketing campaign, what are the most effective marketing channels and messages, etc. Cookies are files that store information on your computer hard drive or browser that mean that we can recognise that you have visited us before. We use cookies and similar technologies (like Google Analytics, Facebook Pixel, Hotjar, and other tools) to improve our products and your experience on our websites by evaluating the use of our websites, products and services and understand your browsing and shopping habits, analysing the effectiveness of our advertisements, personalizing your website experience as well as evaluating (anonymously and in the aggregate) statistics on website activity, such as what time you visited it, whether you’ve visited it before and what website referred you to it, reviewing the products that you have searched online and ended up purchasing them in store, making our websites and applications easier to use and to better tailor our websites, applications and our products to your interests and needs, identifying that you have visited our websites or used our applications but did not purchase a product or service, collecting information about your device and linking this to your Personal Data so as to ensure that our websites and applications present the best web experience for you and supplementing the Personal Data that you provide to us with other information that we hold or that we may receive from commercially available sources, such as public databases and data aggregators, and third parties. You can learn more information on the Cookies used in our Cookie Policy.
How long do we store your Personal Data?
We store your Personal Data for up to three years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Your consent and our legitimate interests in the transmission of Personal Data within a group of undertakings for internal administrative purposes and processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems.
Additional Comments:
It is always possible for you to visit our websites without disclosing your Personal Data. This requires that you have disabled cookies on your browser or that you opt out of the processing of such information via our Cookie Consent Tool. Please note, however, that without cookies you may not be able to use all of the features of our websites or online services.
5.2 Contact with you
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, or other similar identifiers.
What is the Purpose of Processing your Personal Data?
We process your Personal Data whenever you contact us and respond to your inquiries and comments. We process your Personal Data that you enter when registering for our online store or loyalty programs or placing an order or that you subsequently update or amend in your user account. We process Personal Data to provide you with our products or services that you request from us, including responding to your inquiries or comments and sending you products or samples that you have requested. We look at the products you buy at our online store and that you have viewed on the Services.
How long do we store your Personal Data?
We store your Personal Data for up to three years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Performance of the contract with you, or in order to take steps at your request prior to entering into a contract (i.e. fulfill your contact request), and as applicable (such as a scenario in which you provide to us Personal Data that is considered sensitive (e.g. information on your health or ethnic origin) or otherwise authorize specific contact), your consent.
5.3 Conducting business with you, including processing, fulfilling, and following up on online, telephone and in-person purchases and customer service requests
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: name, signature, social security number, physical characteristics or description, address, email address, telephone number, bank account number, credit card number, debit card number, or any other financial information;
What is the Purpose of Processing your Personal Data?
We process your Personal Data to take and fill orders for products or services, to facilitate delivery or provision thereof, to respond to inquiries with respect to products and services you order, to respond to warranty, refunds or other claims, and to monitor and enhance our logistics operations.
How long do we store your Personal Data?
We store your Personal Data for up to twelve years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Performance of the contract with you, or in order to take steps at your request prior to entering into a contract, and our legitimate interests in the transmission of Personal Data within a group of undertakings for internal administrative purposes, including client data and, where applicable, your consent.
5.4 Creating and maintaining user and customer accounts
Which Personal Data do we collect about you?
For this purpose we process some or all of the following Personal Data, depending on the status of your account and the Services of which you make use: (i) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, date of birth and/or age, or other similar identifiers; (ii) physical characteristics or description, sex/gender, address, telephone number; (iii) commercial information, including credit card information, payment details, product preference, records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (iv) biometric information; (v) internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with our websites, applications, or advertisements; and (vi) geolocation data, including information from GPS on smartphones or other devices where the chip in the device needs to provide location data in order to pick up satellite information; and (v) product usage history and performance detail, including device data (including the hardware model, operating system version, advertising identifier, unique application identifiers, unique device identifiers, browser type, language, wireless network, and mobile network information) and log files/actions within apps for product use analysis, product performance, enhancement and product development of bikes and bike components that you connect to our site or applications or otherwise interact with on our software.
What is the Purpose of Processing your Personal Data?
To maintain and provide services relating to individual user and customer accounts, including purchase history, product registration, performance data, provide personalized service and communications, direct marketing and targeted advertising services.
How long do we store your Personal Data?
We store your Personal Data for up to five years after you stop interacting with your account, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Your consent, and our legitimate interests in the transmission of personal data within a group of undertakings for internal administrative purposes, including client data.
5.5 Suggestion of our products and services which may be of interest for you; marketing communication
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, telephone number, account name, date of birth and/or age, or other similar identifiers, physical characteristics or description, sex/gender, commercial information, including credit card information, payment details, product preference, records of products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies, internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with our websites, applications, or advertisements, and your product usage history and performance detail.
What is the Purpose of Processing your Personal Data?
To provide relevant information to customers and users relating to our products and services based both on customer history and user activity.
How long do we store your Personal Data?
We store your Personal Data for up to twelve years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Our legitimate interests in pursuing direct marketing services to you, and where applicable, your consent.
Additional Comments: You can opt out of receiving such communications from us directly from the communications we send you.
5.6 Competitions, sweepstakes, promotions, contests and games
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, telephone number, account name, date of birth and/or age, or other similar identifiers, physical characteristics or description, and your sex/gender.
What is the Purpose of Processing your Personal Data?
To inform you about our contests and promotions, to facilitate your participation therein and to fulfil any of our obligations thereunder.
How long do we store your Personal Data?
We store your Personal Data for up to three years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Your consent.
5.7 Fraud prevention.
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: (i) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, date of birth and/or age, or other similar identifiers; (ii) name, signature, social security number, physical characteristics or description, sex/gender, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information; (iii) commercial information, including credit card information, payment details, product preference, records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
What is the Purpose of Processing your Personal Data?
To identify and prevent potential fraudulent acts in connection with the use of our Services, including to check identities when purchases are deemed as potentially fraudulent, to confirm warranty or other claims or for insurance purposes.
How long do we store your Personal Data?
We store your Personal Data for up to ten years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Our legitimate interests in preventing fraud and in reporting possible criminal acts or threats to public security to a competent authority.
5.8 Process employment applications.
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, telephone number, account name, date of birth and/or age, or other similar identifiers, physical characteristics or description, your sex/gender, professional or employment-related information, including work experience, job titles, company names and dates of employment, education and education degree(s) and related information.
What is the Purpose of Processing your Personal Data?
To facilitate applications for employment, conduct background checks, complete hiring, administer compensation and benefits, monitor employee performance and to otherwise manage employment relationship and interaction between employees.
How long do we store your Personal Data?
We store your Personal Data for up to ten years if your application does not result in employment and we store your Personal Data permanently if you are hired as a SRAM employee, unless we are required by the law to store it for a different period.
What is the Basis for Processing your Personal Data?
Our legitimate interests in the transmission of personal data within a group of undertakings for internal administrative purposes, including employee data, and where applicable, your consent.
5.9 Product development, engineering, performance, and enhancement
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: (i) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, date of birth and/or age, or other similar identifiers; (ii) records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (iii) biometric information; (iv) geolocation data, including information from GPS on smartphones or other devices where the chip in the device needs to provide location data in order to pick up satellite information; and (v) product usage history and performance detail, including device data (including the hardware model, operating system version, advertising identifier, unique application identifiers, unique device identifiers, browser type, language, wireless network, and mobile network information) and log files/actions within apps for product use analysis, product performance, enhancement and product development.
What is the Purpose of Processing your Personal Data?
To learn about the usage, and improve the performance and features, of our products and services, and improve research and product development.
How long do we store your Personal Data?
We store your Personal Data for up to seven years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Our legitimate interests in processing data collected from our services or products in order to deliver services, to design our products and services and to continuously improve them, and where applicable, your consent.
5.10 Information, system, network and cyber security
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with our websites, applications, products or advertisements, and product usage history and performance detail.
What is the Purpose of Processing your Personal Data?
To monitor, detect and protect our organisation, its systems, network, infrastructure, computers, information, intellectual property and other rights from unwanted security intrusion, unauthorised access, disclosure and acquisition of information, data and system breaches, hacking, industrial espionage and cyberattacks.
How long do we store your Personal Data?
We store your Personal Data for up to seven years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Our legitimate interests in preventing unauthorized access, intrusion, misuse of company systems, networks, computers and information, including prevention of personal data breaches and cyber-attacks, piracy and malware prevention, IP rights protection and IP theft prevention and website security.
5.11 General Corporate Operations and Due Diligence
Which Personal Data do we collect about you?
For this purpose we process the following Personal Data: (i) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, date of birth and/or age, or other similar identifiers; (ii) name, signature, social security number, physical characteristics or description, sex/gender, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information; commercial information, including credit card information, payment details, product preference, records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (iii) internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with our websites, applications, or advertisements; and (iv) product usage history and performance detail.
What is the Purpose of Processing your Personal Data?
To develop or operate financial/credit/conduct and risk models, conduct internal analysis of customers, plan strategy and growth, collate reporting and management information to support business reporting, sharing information with other members of the corporate group, conduct back-office operations, monitoring physical access to offices, visitors and CCTV operations in reception and any other restricted areas, producing aggregate analytics, business intelligence, managing third party relationships (vendors, suppliers, media, business partners) and processing identifiable data for the purpose of anonymising/de-identifying/re-identifying it for the purposes of using the anonymised data for other purposes (product improvement, analytics, etc.).
How long do we store your Personal Data?
We store your Personal Data for up to three years after you provide it to us, unless we are required by the law to store it for a longer period.
What is the Basis for Processing your Personal Data?
Our legitimate interests in the day-to-day operation of our business and planning for strategic growth, including management of customer, client, vendor and other relationships, sharing intelligence with internal stakeholders, implementing safety procedures, and planning and allocating resources and budgeting.
6. WHO IS RECEIVING YOUR PERSONAL DATA?
We employ other companies and people (“Third Parties”) to perform tasks on our behalf and we need to share, and may internationally transfer, your information with them to provide products or services to you. We do not sell, trade, rent or otherwise provide your Personal Data to Third Parties without prior permission from you, provided however, those Third Parties do not include our subsidiaries, affiliates, licensees, partners, hosting partners, other parties who assist us in operating the Services, or organizations providing services to support our functions, such as our mail and email processing companies, payment processing companies, and market research firms.
We may share your data in an aggregate format, as well as aggregate usage information, with Third Parties for both advertising and promotional purposes. Further, we cooperate with all law enforcement inquires, and with all Third Parties, to enforce applicable intellectual property or other legal rights.
Do Not Track (DNT) is a privacy preference that users can set in their web browsers. At this time, our website does not support DNT codes. However, except in the case of analytics cookies, remarketing and other features of Google Display Advertising described herein, our website limits tracking to the uses described above. Except in the case of analytics cookies, remarketing and other features of Google Display Advertising described herein, our website does not track your use across multiple websites other than the affiliated websites included within this Global Privacy Policy, however, other websites to which we link may. Please review their privacy policies to understand how you may be tracked.
We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. Also, if you wish to opt out of interest-based advertising, please visit http://optout.aboutads.info to manage your preferences. Alternatively, if you are located in the European Union, you may visit http://www.youronlinechoices.eu/. Please note that you may continue to receive generic ads.
7. WHERE DO WE TRANSFER YOUR PERSONAL DATA?
When we transfer personal data to countries other than the country where it was provided, we do so in compliance with applicable data protection laws. We may transfer personal data from persons outside of the U.S. to our entities located either in the U.S. or otherwise; provided that transfers to the U.S. from the E.U. will comply GDPR.
If we transfer Personal Data subject to GDPR to a third party, the recipient will have the same level of protection as required of us under GDPR. All such service providers are bound by contract to refrain from using the Personal Data we collect from you for any purpose other than providing the service to us.
We will not transfer Personal Data relating to you to a country outside the European Economic Area (“EEA”), Switzerland, or the United Kingdom, unless: (1) the country or recipient is covered by an adequacy decision of the European Commission under GDPR Article 45; (2) appropriate safeguards have been put in place which meet the requirements of GDPR Article 46 (for example using the European Commission’s Standard Model Clauses for transfers of Personal Data outside the EEA); or (3) one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. These include (in summary) if the transfer is necessary to perform, or to form, a contract to which we are a party; the transfer is necessary for the establishment, exercise or defense of legal claims; you have provided your explicit consent to the transfer; or the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.
8. HOW LONG DO WE PROCESS YOUR PERSONAL DATA?
We will store your Personal Data only until the aforementioned purposes for which we have collected or received your Personal Data is fulfilled and once our statutory obligations to preserve records have expired as further described in the Summary Record Retention Period at the end of this Policy. In addition, SRAM may retain anonymized Personal Data (data that is no longer in a form identifying or making identifiable the individual to which the Personal Data relates).
9. WHAT ARE YOUR RIGHTS?
To the extent that GDPR or other applicable data protection laws apply, you have the right to obtain from us:
- Confirmation as to whether or not we process Personal Data from you and, where that is the case, access to the Personal Data;
- Rectification of inaccurate Personal Data;
- Erasure of Personal Data;
- Restriction of processing of Personal Data; and
- Receive the Personal Data which you have provided to us and transmit those data to another data controller without hindrance.
You may exercise any of these applicable rights by contacting us at:
Data Protection Officer
SRAM, LLC
1000 W Fulton Market, Floor 4, Chicago, Illinois 60607, USA
Email: [email protected]
Telephone: +1-312-664-3002
We will respond to your requests in accordance with, and within the appropriate timeframe determined by, the applicable law and/or regulation governing the use of the given personal information. In most cases, we will respond to requests within one month; provided, however, if the request is complex, we may extend its response time in accordance with applicable law and regulation. Please note that we may require additional information from you in order to honor the request, such as to ensure proper authentication or to verify the SRAM, LLC entity to which the information was provided.
There are additional disclosures for residents of certain U.S. states in the SPECIAL U.S. PRIVACY INFORMATION Section below.
10. CAN YOU WITHDRAW YOUR CONSENT TO THE PROCESSING OF PERSONAL DATA?
You may withdraw your consent to some or all of our processing of your Personal Data by contacting us at:
Data Protection Officer
SRAM, LLC
1000 W Fulton Market, Floor 4, Chicago, Illinois 60607, USA
Email: [email protected]
Telephone: +1-312-664-3002
We will respond to your requests in accordance with, and within the appropriate timeframe determined by, the applicable law and/or regulation governing the use of the given personal information. In most cases, we will respond to requests within one month; provided, however, if the request is complex, we may extend its response time in accordance with applicable law and regulation. Please note that we may require additional information from you in order to honor the request, such as to ensure proper authentication or to verify the SRAM, LLC entity to which the information was provided.
As set out above, you are entitled to withdraw your consent to the processing of your Personal Data but please note that if you do withdraw your consent, we may not be able to carry out our contractual obligations to you or provide you with access to all or certain parts of the Services.
11. CAN YOU COMPLAIN WITH THE APPLICABLE LEGAL AUTHORITIES?
You also have the right to lodge your complaints with the applicable legal authorities, including, without limitation, the applicable European Union (“E.U.”) supervisory authority(ies) (if you are an E.U. citizen).
12. DO YOU HAVE TO PROVIDE YOUR PERSONAL DATA TO UTILIZE THE SERVICES?
Typically, to use our online store or utilize the Services, you will need to provide some Personal Data. For example, orders on the online store will require a name, your shipping address, and contact information. Our Services are designed around user-specific personalization, so not all of the Services require you to provide Personal Data. If you do not log into an account or consent to cookies then you will not need to provide any Personal Data. However, you may not be able to use all of the features of the Services.
13. HOW DO WE PROTECT YOUR PERSONAL DATA?
The security of all Personal Data associated with users of the Services is of great concern to us. We maintain appropriate technical and organizational measures to protect the Personal Data you provide to us against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your Personal Data.
Any account information you enter on the Services is password‑protected so that only you can access it. You should not divulge your password or user identification number to anyone. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure. As a result, while we strive to protect your Personal Data, we can’t ensure or warrant the security of any information you transmit to us, and you do so at your own risk.
Our relevant websites and applications may contain links to other websites provided by third parties. We do not control these third party websites or any of the content contained on those websites. Once you have left our relevant Sites, we cannot be responsible for the protection and privacy of any information which you provide. You should exercise caution and look at the privacy statement for the website you visit.
14. SPECIAL U.S. PRIVACY INFORMATION
Some of the Personal Data and Sensitive Data we collect constitutes “personal information” or “sensitive personal information” under the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”) or “personal data” or “sensitive data” under the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“ColoPA”), the Connecticut Data Privacy act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), or other similar state laws. In particular, within the last twelve (12) months, SRAM has collected the following categories of Personal Data that constitute “personal information” under the CCPA and CPRA or “personal data” under the VCDPA, ColoPA, CTDPA, UCPA or other similar state laws, listed in the table below. Any such collection has been for of the purposes included in the appropriate section of the FOR WHICH PURPOSES DO WE PROCESS YOUR PERSONAL DATA? section above and retained as set forth in the appropriate section of the FOR WHICH PURPOSES DO WE PROCESS YOUR PERSONAL DATA? section above or as further described in the Summary Record Retention Period at the end of this Policy.
Category of Personal Data Collected |
Examples |
Collected in the Past Twelve Months |
Disclosed for a Business Purpose in the Past Twelve Months |
Identifiers |
Real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name |
Yes |
Yes |
California Customer Records personal information |
Name, signature, physical characteristics or description, address, telephone number, passport number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information |
Yes |
No |
Protect classification characteristics under state or federal law |
Characteristics of protected classifications under applicable state or federal law such as age (40 years or older, race, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, or genetic information (including familial genetic information) |
Yes |
No |
Commercial information |
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies |
Yes |
Yes |
Biometric information |
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, face prints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. |
Yes |
No |
Internet or other similar network activity |
Browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement |
Yes |
Yes |
Geolocation data |
Physical location or movements. |
Yes |
No |
Sensory Data |
Audio, electronic, visual, thermal, olfactory, or similar information. |
Yes |
No |
Professional or employment-related information |
Current or past job history or performance evaluations |
Yes |
No |
Non-public education information |
Information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99) |
Yes |
No |
Inferences drawn from other personal information |
Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
No |
N/A |
Within the last twelve (12) months, SRAM has collected the following categories of Sensitive Data that constitute “sensitive personal information” under the CCPA and CPRA or “sensitive personal data” under the VCDPA, ColoPA, CTDPA, UCPA or other similar state laws, listed in the table below. Any such collection has been for of the purposes included in the appropriate section of the FOR WHICH PURPOSES DO WE PROCESS YOUR PERSONAL DATA? section above and retained as set forth in the appropriate section of the FOR WHICH PURPOSES DO WE PROCESS YOUR PERSONAL DATA? section above or as further described in the Summary Record Retention Period at the end of this Policy.
Category of Sensitive Data Collected |
Examples |
Collected in the Past Twelve Months |
Disclosed for a Business Purpose in the Past Twelve Months |
Government identifiers |
Social security driver’s license or state identification card number, or passport number. |
Yes |
Yes |
Complete account access credentials |
User names, account numbers, or card numbers combined with required access/security code or password |
No |
N/A |
Precise geolocation |
N/A |
Yes |
No |
Racial or ethnic origin |
N/A |
Yes |
Yes |
Religious or philosophical beliefs |
N/A |
No |
N/A |
Union membership |
N/A |
No |
N/A |
Genetic Data |
N/A |
No |
N/A |
Mail, email, or text messages not directed to us |
N/A |
No |
N/A |
Unique identifying biometric information |
N/A |
Yes |
No |
Health, sex life, or sexual orientation |
N/A |
Yes |
Yes |
SRAM obtains the categories of Personal Data and Sensitive Data listed above from the following categories of sources:
- Directly from you. For example, from forms you complete or from our communications.
- Indirectly from you. For example, from observing your actions on our Services.
- From our affiliates and subsidiaries.
- From third party sources, including information from commercially available sources, such as public databases and data aggregators.
We disclosed this Personal Data and Sensitive Data for a business purpose to the following categories of third parties:
- email service providers;
- consumer relations, including consumer complaint response services;
- employee recruitment, career portal and job applicant services; and
- legal representation, including with regard to prevention harm to our company, its subsidiaries, our products or services or a person or property (e.g., fraud prevention).
As applicable, certain state privacy laws, such as the CCPA, CPRA, ColoPA, VCDPA, CTDPA, and UCPA provide their residents, respectively, with specific rights regarding their Personal Data:
- Right to Disclosure and Data Portability of Personal Data Collected: the right to request disclosure of the categories of Personal Data and Sensitive Data that we collect, the categories of sources from which the Personal Data and Sensitive Data is collected, the business or commercial purpose for which we collect the Personal Data and Sensitive Data, the categories of third parties with whom we disclose the Personal Data and Sensitive Data, the specific pieces of Personal Data and Sensitive Data collected about you in the preceding twelve months (also called a data portability request), and if we disclosed your Personal Data or Sensitive Data for a business purpose, a list disclosing the Personal Data or Sensitive Data categories that we disclosed for a business purpose and for each category identified, the categories of third parties to whom we disclosed that particular category of Personal Data or Sensitive Data, as applicable.
- Right to Correct Specific Information: the right to request that we correct inaccurate Personal Data or Sensitive Data about you. Once we receive and verify your request (please see HOW TO EXERCISE YOUR CONSUMER RIGHTS), we will use commercially reasonable efforts to correct the information to comply with your request. This right is not afforded to residents of Utah.
- Right to Deletion of Personal Data Collected: the right to request deletion of Personal Data or Sensitive Data that we collect about a consumer, subject to certain exception. For example, detecting and protecting against data breaches and completing transactions for which we collected the Personal Data. Once we receive and verify your request (please see HOW TO EXERCISE YOUR CONSUMER RIGHTS), we will delete (and direct our service providers to delete) your Personal Data or Sensitive Data, as applicable from our records, unless an exception applies. In responding to your request, we will inform you whether or not we have complied with the request, and if we have not complied, provide you with an explanation as to why.
A service provider shall not be required to comply with a deletion request submitted by the consumer directly to the service provider.
We may deny your deletion request if retaining the information is necessary for us, or our service provider(s), to:
- Complete the transaction for which we collected the Personal Data or Sensitive Data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Help safeguard security and integrity of your Personal Data and Sensitive Data to the extent the use of your Personal Data or Sensitive Data is reasonable necessary and proportionate for those purposes.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his/her free speech rights, or exercise another right provided by for law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adhere to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
Right to Limit Use and Disclosure of Sensitive Data. You may have the right, at any time, to direct us to limit our use and disclosure of your Sensitive Data to use which is necessary for certain purposes enumerated in applicable law (“Enumerated Purposes”). To the extent we use or disclose your Sensitive Data for purposes other than the Enumerated Purposes, you have the right to limit such use or disclosure. To the extent applicable, you may also have the right to limit such use or disclosure. To the extent applicable, you may also have the right to withdraw consent you provided for our use and disclosure of your Sensitive Data.
The Enumerated Purposes include the following:
- To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
- To help to safeguard security and integrity of your Personal Data to the extent the use of your Personal Data is reasonably necessary and proportionate for those purposes.
- To resist malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for those actions.
- To ensure the physical safety of natural persons.
- For short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with us, provided that we will not disclose the Sensitive Data, to another third party and will not use it to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with us.
- To perform services on behalf of us, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of our business.
- To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.
- For purposes that do not infer characteristics about you.
Currently, we do not use Sensitive Data for purposes other than the Enumerated Purposes above or for purposes described elsewhere in this Policy.
Right to Non-Discrimination: the right for a consumer to not be discriminated against for exercising any of the consumer’s rights under the applicable law unless by a permissible method or financial incentive. We will not:
- Deny you goods or service.
- Charge you different price or rates for goods or services, including through granting discounts or other benefits or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by applicable law that can result in different prices, rates, or quality levels. Any legally-permitted financial incentive we offer will reasonable relate to your Personal Data’s value to use and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.
Right to Opt Out of the Sales or Sharing of Personal Data: the right to opt out from the sales or sharing of Personal Data or Sensitive Data to third parties until and unless the sale or share is expressly authorized. As used herein, “share” refers to sharing for purposes of cross-contextual behavioural advertising or targeted advertising, as contemplated under applicable law, such as the CPRA, VCDPA, ColoPA, CTDPA, and UCPA.
In the previous twelve (12) month period, SRAM has not sold or shared (as each term is defined in the CCPA/CPRA) Personal Data or Sensitive Data about consumers.
Further, we do not have actual knowledge that we sell or share the Personal Data, including any Sensitive Data, of individuals under 16 years of age. We will not sell or share the personal data of individuals we actually know are less than 16 years of age except in compliance with applicable law, including, as applicable, unless we receive affirmative authorization from either the individual who is between 13 or 16 years of age, or the parent of guardian of an individual less than 13 years of age. Individuals who opt-in to the sale or sharing of personal data may opt-out of future sale or sharing at any time.
To exercise your Right to Disclosure and Data Portability of Personal Data Collected, Right to Correct Specific Information, or Right to Deletion of Personal Data Collected please contact us at:
Data Protection Officer
SRAM, LLC
1000 W Fulton Market, Floor 4
Chicago, Illinois 60607
Email: [email protected]
Telephone: 312-664-3002
or call toll-free: 1-800-230-2387
When you use a request method above, we will request certain information for verification purposes, such as your name, address, and e-mail address. We will use this information to verify this is a permitted request, such as by matching your name and address with information in our records. Depending on the type of request, we may require a certain number of data points to allow for verification. We will only use Personal Data provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Only you, or a person properly authorized to act on your behalf, may make a verifiable consumer request related to your Personal Data and Sensitive Data. You may also make a verifiable consumer request on behalf of your minor child, as applicable.
An authorized agent may make a request on your behalf using the request methods designated above. Additionally, if you use an authorized agent to submit a consumer request, we may require the authorized agent to provide proof that you gave the agent signed permission to submit the request. We may also require you to verify your own identity directly with us or directly confirm with us that you provided the authorized agent permission to submit the request.
You may only make a verifiable request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or Sensitive Data or an authorized agent of such person.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Data if we cannot verify your identify or authority to make the request and confirm the Personal Data relates to you. Making a verifiable consumer request does not require you to create an account with us.
If we deny your request, you may have the right to appeal our decision under certain laws. Further, if you appeal and your appeal is denied, you may have the right to complain to your state’s attorney general. You may appeal your decision by contacting us at [email protected].
In accordance with applicable law, we endeavor to respond to a request within forty-five (45) days of its receipt. If we requires more time (up to forty-five (45) additional days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Other California Privacy Rights
California Civil Code Section 1798.83 permits our visitors who are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, please contact us at:
Data Protection Officer
SRAM, LLC
1000 W Fulton Market, Floor 4
Chicago, Illinois 60607
Email: [email protected]
Telephone: 312-664-3002
15. CAN WE CHANGE OUR PRIVACY POLICY?
As we continue to provide additional services and as the privacy laws and regulations evolve, it may be necessary to revise or update this Privacy Policy. We reserve the right, at our discretion, to change, modify, add or remove portions of this Privacy Policy at any time. If we make any material changes to this Privacy Policy, including, any material changes to how we collect, use, process, and/or share your information, we will prominently post a notice of such changes on the website(s) and mobile applications covered by this Privacy Policy. To the extent required by applicable law, we will contact you with regard to changes to this Privacy Policy.
16. HOW CAN YOU CONTACT US?
If you have questions about this Privacy Policy or any subject discussed herein, please feel free to contact us at one of the following:
- By email at: [email protected]
- By mail at: 1000 W Fulton Market, Floor 4, Chicago, Illinois 60607, USA or
- By telephone at: +1-312-664-3002.
In most cases, we will respond to requests within one month; provided, however, if the request is complex, we may extend its response time in accordance with applicable law and regulation. Please note that we may require additional information from you in order to honor the request, such as to ensure proper authentication or to verify the SRAM, LLC entity to which the information was provided.
SUMMARY RETENTION PERIOD
This Summary Retention Period table lists categories of Records retained, examples of information contained in those Records, and the retention period in the absence of an approved request for deletion from an individual or a legal requirement mandating a different retention period.
Category | Information description (includes but not limited to) | Retention Period (in absence of a deletion request or legal requirement) |
---|---|---|
Customer Data (Non-Account Member Data) | Names; Addresses; Transaction Information; Payment details; E-mail Addresses; Telephone Numbers; Purchasing history | 12 years after use |
Account Member Data | Names; Addresses; Transaction Information; Payment details; E-mail Addresses; Telephone Numbers; Product preference; Purchasing history; IP address; DOB’s | 12 years after use |
Contest, Sweepstake, or Promotion Participant Data | Names; Addresses; E-mail Addresses; Telephone Numbers; IP address; DOB’s | 3 years after use |
Temporary Employee Data and Employment Records | DOB’s; Addresses; Phone numbers; Self-reviews; Job description; Resumes; Policy acknowledgement forms; Exit interview data | Permanent |
Tax Withholding | DOB’s; Addresses; Employee eligibility forms | Permanent |
Tax Records |
Tax returns; Payroll tax documentation; Federal and State Form W-4; Form W-2 | 8-10 years after employment ceases/completion depending on the Record |
Medical information | Maternity records; Disability certificates; Employee medical records; Related medical data | 10 years after employment ceases/completion |
Health and Safety | Accident records; Accident investigation record; Records of reportable accidents or dangerous occurrences | 10 years after employment ceases/completion |
HR Forms |
Background Check Disclosure Release Form; Garnishments; Background check records; Appointment books |
7 years after employment ceases/completion |
Employee Benefits | Health/Workers Insurance documents; Pension documents; Social Insurance documents; FMLA paperwork; Contribution accounts | 7-10 years after employment ceases/completion depending on the particular Record |
Rewards & Recognition | Reward documents; Anniversary documents | 7-10 years after employment ceases/completion depending on the Record |
Employee Payroll and Salary | Payroll list; Pay slips; Documents to determine pay; Pay scales; Sick pay supplement documents; Salary, benefits, bank details, pension details | 10 years after employment ceases/completion |
Time and Attendance | Time sheets; Short-time working allowance lists; Shift report; Overtime lists | 10 years after employment ceases/completion |
Contracts and Service Agreements | Customer rebate agreements; Contracts for services; Related sub-contracts | 12 years after the Record is no longer active |
Unsuccessful applicants (did not result in employment) | Name; Application correspondence; Addresses; Phone numbers | 10 years after application |
Product Development, Engineering, Performance, and Enhancement | Name; Address; Purchasing history; GPS data; Product usage data | 7 years after use |