This United States Privacy Law Addendum (the “Addendum”) supplements the Terms and Conditions (the “Agreement”) entered into by and between you (“Customer”) and Trackstar, Inc. (“Trackstar”) (and, collectively, the “Parties”) and includes the terms required by the applicable Privacy Laws (defined below). Capitalized terms used herein that are not otherwise defined shall have the meanings set forth in the Agreement.
1. Definitions. Certain definitions used in this Agreement are set forth below; other capitalized terms used herein shall have the respective meanings set forth elsewhere in this Agreement or in the Order Form.
- 1.1 “Consumer” means a natural person who is a resident of, as applicable: (1) California, however identified, including by any unique identifier; or (2) Virginia acting only in an individual or household context.
- 1.2 “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of Processing Personal Data. “Controller” includes a “Business” as defined by the CCPA.
- 1.3 “Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable Consumer that is processed by Trackstar on behalf of the Customer pursuant to the Agreement. “Personal Data” includes “Personal Information” as defined by the CCPA.
- 1.4 “Privacy Laws” means (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 et seq.) (“CCPA”), and (ii) the Virginia Consumer Data Protection Act (VA. Code §§ 59.1-575 et seq.) (“VCDPA”), in each case as updated, amended or replaced from time to time.
- 1.5 “Process” or “Processing” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means.
- 1.6 “Processor” means a natural or legal entity that Processes Personal Data on behalf of a Controller or a Business. “Processor” includes “Service Provider” as defined by the CCPA.
2. Relationship of the Parties; Processing of Data
The Parties acknowledge and agree that Customer is a Controller and Trackstar is a Processor for purposes of the CCPA and the VCDPA, each to the extent applicable, and Trackstar is receiving Personal Data from Customer in order to provide the Services pursuant to the Agreement. Trackstar shall adhere to Customer’s lawful instructions with respect to the Processing of Personal Data to be performed by Trackstar pursuant to the Agreement.
3. Nature and Purpose of Processing
- 3.1 Nature and Purpose of Processing: Trackstar shall Process Personal Data provided by Warehouse Management System Provider on behalf of Customer under the Agreement as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum. Such purposes shall include processing Warehouse Data provided by Warehouse Management System Providers on behalf of Customers to enable Customers to perform business activities.
- 3.2 Duration of Processing: Trackstar shall Process Personal Data provided by Warehouse Management System Provider on behalf of Customer as long as required (i) to provide the Services to Customer under the Agreement, or (ii) by applicable law or regulation.
- 3.3 Categories of Consumers: Trackstar may Process the following categories of Personal Data provided by Customer: Customer’s end-customers, Customer’s employees, and end-consumers of Customer’s end-customers.
- 3.4 Categories of Personal Data: Trackstar may Process the following categories of Personal Data provided by Customer and Customer’s end-customer: name, location, email address, phone number, and address.
4. California-Specific Terms
- 4.1 Additional Definitions
4.1.1 For purposes of this Section 4, the terms “Business Purpose,” “Commercial Purpose,” “Personal Information,” “Sell,” “Service Provider,” and “Share” shall have the meanings set forth in the CCPA.
- 4.2 Obligations
4.2.1 Trackstar shall not Sell or Share Personal Information provided by Customer under the Agreement.
4.2.2 Trackstar shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement outside of the direct business relationship with Customer or for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.
4.2.3 Trackstar shall notify Customer if Trackstar makes a determination that it can no longer meet its obligations under the CCPA.
4.2.4 Trackstar shall comply with all obligations applicable to Service Providers under the CCPA, including by providing Personal Information provided by Customer under the Agreement the level of privacy protection required by the CCPA.
4.2.5 Trackstar will not combine Personal Information received from, or on behalf of, Customer with other Personal Information except to the extent a Service Provider is permitted to do so under the CCPA.
4.2.6 Customer shall promptly notify Trackstar upon receipt of any consumer request made pursuant to the CCPA that requires Trackstar to take any action with respect to a consumer’s personal information.
4.2.7 Customer may, upon written notice to Trackstar, (1) take such reasonable and appropriate steps as may be necessary to ensure that Trackstar’s collection and use of Personal Information is consistent with requirements under the CCPA, and (2) take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by Trackstar. Any measures implemented by Customer under this Section 4.2.7 shall be limited to Personal Information relevant to Customer.
5. Fees & Payment Terms.
- 5.1 Obligations
5.1.1 Trackstar shall maintain the confidentiality of Personal Data provided by Customer under the Agreement and require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
5.1.2 Upon Customer’s written request, Trackstar shall delete or return all Personal Data provided by Customer under the Agreement, unless retention of such Personal Data is required or authorized by law or the Addendum and/or Agreement. If return or destruction is impracticable or prohibited by law, rule or regulation, Trackstar shall take measures to block such Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by law, rule or regulation) and shall continue to appropriately protect such Personal Data remaining in its possession, custody, or control.
5.1.3 In the event that Trackstar engages a new Processor to assist Trackstar in providing the Services to Customer under the Agreement (“Sub-Processor”), Trackstar shall enter into a written contract with the Sub-Processor requiring Sub-Processor to meet the obligations of a Processor with respect to the Personal Data.
5.1.4 Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Trackstar shall either (1) make available for Customer’s review copies of certifications or reports demonstrating Trackstar’s compliance with prevailing data security standards applicable to the Processing of Personal Data provided by Customer under the Agreement, or (2) if the provision of reports or certifications pursuant to (1) is not reasonably sufficient under the VCDPA, Trackstar shall arrange for an independent third party to conduct an assessment of the Processor’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments. In such event, the report produced by the independent third party shall be provided to the controller upon request. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Trackstar for any time expended for on-site audits.