Thank you for visiting Onward’s online and mobile resources, and for viewing this privacy and data security statement. Our privacy statement, contained in the pages that follow, serves to give notice about the types of personal information we collect, how we use it, who we share it with and why, and what we do to try to protect it. We delve into those matters in a fair amount of detail in the pages that follow. We encourage you to read them carefully. In the meantime, we provide a quick overview below.
SUMMARY OF HOW WE HANDLE PERSONAL INFORMATION
CONTACTING OUR PRIVACY OFFICE
If you have any questions about our privacy and data security policies, procedures and practices, including anything we say in this privacy statement, we encourage you to contact our Privacy Office at firstname.lastname@example.org.
This privacy statement was amended as of June 15, 2022 and is effective as of that date. The English language version of this privacy statement is the controlling version regardless of any translation you may attempt.
SOME IMPORTANT VOCABULARY
Although not itself a contract, this privacy statement is an important document that explains how we address some of our legal obligations, and your related legal rights, involving personal information. Clarity is therefore important. We’ll use this section to let you know about some words that have special meanings whenever you see them in this statement. Let’s start by describing what parts of our corporate enterprise are covered by, and adhere to the policies and procedures explained in this statement. The Onward family of companies develop and make available technologies designed to permit merchants to enhance the post purchase experience for their shoppers by, among other things, offering shipping protection services. Those technologies are developed, and the overall services are operated by Onward. THIS PRIVACY STATEMENT APPLIES ONLY ONWARD GROUP, INC. So, wherever we say “Company”, “we”, “us”, or “our”, in this privacy statement we mean solely, Onward Group, Inc. Now for some basic vocabulary: when we reference “this statement”, “this privacy statement” and “our statement”, we mean the Privacy and Data Security Statement you are reading now. The phrase “consumer customers” means individuals who have:
WHO DO WE COLLECT PERSONAL INFORMATION FROM?
We collect personal information from four groups of data subjects:
WHAT PERSONAL INFORMATION DO WE COLLECT?
The categories of information we collect from each group of data subjects, and the ways in which we use it, differs. The immediately following paragraphs describe those varying categories and uses. As you may have noticed, it’s possible that the same person could fall into more than one group. For instance, someone who works for us might, on their day off, visit our general website.
Personal Information Collected from Merchant-Customers
Merchant-customer enter into a contracts with us. That contract is separate from this statement and has its own terms and conditions for notice of collection and governing our overall confidentiality, data privacy and data security obligations with respect to personal information about our merchants’ personnel we collect from them. As a result, those terms, and not this statement, apply to the personal information of merchants and their personnel.
Personal Information Collected from Consumer-Customers
When our shipping protection services are activated, whether through the Onward App, by choosing them on a merchant website or shopping cart, or by having a merchant provide them to you automatically as part of the benefits they offer, you become our consumer-customer and we may collect from you, or receive from our merchant-customer, the following:
In addition, depending on how you set-up your access permissions within the Onward App and with your third party mail provider (such as Google’s Gmail, Yahoo! Mail and the like) and the rules those mail providers set for third party access, we may use certain technologies such as application programming interfaces, to parse your mail as it relates to your being a consumer-customer.
Personal Information Collected from Our Workforce and Job Applicants
We collect and retain the types of professional or employment related personal information you would expect an employer to have about its existing and former workforce and new job applicants. We provide legally required notices of collection, and describe our use and sharing of the personal information of our workforce and applicants in greater detail in confidential internal human resource manuals and documents accessible to members of our workforce, or by publication on the proprietary workforce/applicant portals and apps we operate. In some cases, such portals and apps may be operated by third parties who transfer the personal information to us. In those situations, the legal responsibility to provide notice usually rests with the third party, not us.
Personal Information Collected from Vendors, Business Partners and Affiliates
Like all large corporate enterprises, we buy goods and services, lease equipment and office space and attend industry events. In doing so, we interact with many existing and potential vendors and business partners and affiliates from whom we necessarily collect certain personal information in connection with our contractual and business relationships. This information is typically limited to minimum business contact information. We use and share personal information collected from our vendors and business partners and affiliates to manage, administer and perform under our contracts with them, or share information about our products. We describe our use of vendor and business partner personal information in greater detail in our confidential contracts with those parties or on the internal vendor management portals we operate.
Personal Information Collected from Visitors and Users of our Online and Mobile Resources
If you visit and/or use our online and mobile resources, we collect, retain and share certain personal information about you. The remainder of this privacy statement applies entirely to such visitors and users of our online and mobile resources. Thus, in the remainder of this section, the words “you” and “your” mean only that category of data subjects. Generally, we collect your personal information through automated/technical means and when you voluntarily provide it to us. We describe that automatic collection here. We describe that type of voluntary submission immediately below. By using our online and mobile resources, you are signifying to us that you agree with this section of our privacy statement and that we may use and disclose your information as described. Voluntarily Submitted Information. If you choose to participate in, or make use of certain activities and features available via our online and mobile resources, you will need to provide us with information about yourself. The types of personal information you will be submitting to us in those situations is almost always limited to basic identifiers such as your name, email address, mailing address and phone number. Here are some of the ways you voluntarily give us your personal information:
If you prefer we not receive the above-described personal information, please don’t submit it. This means you shouldn’t participate in the applicable activities on, or use the applicable features available from our online and mobile resources. Such participation and use is strictly your choice. By not participating, you may limit your ability to take full advantage of the online and mobile resources, but most of the content in our online and mobile resources will still be available to you. Automatically Collected Information. When you visit or use our online and mobile resources, basic information about your internet/electronic activity is automatically collected through your browser via tracking technologies, such as “cookies.” As just about everyone knows by now, cookies are small text files downloaded onto your computer or mobile device. Cookies allow us to collect your IP address and recognize your computer or mobile device and store some information about your preferences for using our online and mobile resources or past actions, such as:
HOW DO WE USE THE PERSONAL INFORMATION WE COLLECT?
We use the personal information we collect only in the manner and through the means allowed by applicable law. That means we determine whether we have a lawful basis/legitimate business purpose to use your personal information before doing so. As stated in applicable law, such lawful bases/legitimate business purposes include receiving express consent, operating our business, performing a contract, and complying with a legal obligation. More specifically, we use the personal information of each group of data subjects as follows, but in all cases for all data subjects, we do not sell or rent personal information.
Visitors and Users of our Online and Mobile Resources
We use the automatically collected personal information described here to compile generic reports about popular pages/features of our online and mobile resources, and to see how users are accessing our online and mobile resources and in some cases (such as affinity actions) send materials to you. We use the personal information you voluntarily submitted, as described here, to respond back directly to you and/or send you the information you requested or about which you inquired. We also may use any such personal information you provide to customize our programs and newsletters to make them more relevant to you.
Merchant-Customers, Vendors and Business Partners
We use personal information received from merchant-customers and business partners to communicate with them and satisfy our contractual obligations to them and in such other ways as our separate written contracts with them permit.
We use the personal information collected from consumer-customers as may be reasonably necessary to provide, inform you about, and improve, our shipping protection service
WHEN/WITH WHOM DO WE SHARE PERSONAL INFORMATION?
We may share your personal information as described below. This sharing applies to the personal information of all four groups of data subjects.
We may share personal information with other corporate affiliates who will use such information in the same way as we can under this statement.
We may disclose personal information to government authorities, and to other third parties when compelled to do so by such government authorities, or at our discretion or otherwise as required or permitted by law, including responding to court orders and subpoenas.
To Prevent Harm
We also may disclose such information when we have reason to believe that someone is causing injury to or interference with our rights or property, or harming or potentially harming other persons or property.
If we, or any of our affiliates, sell or transfer all or substantially all of our assets, equity interests or securities, or are acquired by one or more third parties as a result of an acquisition, merger, sale, reorganization, divestiture, consolidation, or liquidation, personal information may be one of the transferred assets.
Vendors and Business Partners
We also share personal information with those of our vendors and business partners who need it to perform under the contracts we have with them. For instance, the insurance brokers and carriers who are involved in the issuance of the policies used in our shipping protection services may require that we share your personal information with them in order to cover your purchases. As part of our Security Program, we have adopted standards for those vendors and business partners who receive personal information from us. We attempt to bind such vendors and business partners to those standards via written contracts. Such standards include expectations that when we share personal information with our vendors and business partners, they will comply with all applicable privacy and data security laws and regulations and our Security Program, and will contractually require and cause their subcontractors and agents to do the same. For any personal information our vendors and business partners process or store at their own locations, we further expect them to use technology infrastructure meeting, at least at the facilities level, minimum recognized standards for security controls. Such recognized standards include those published by the International Standards Organization, the National Institute of Standards and Technology or any reasonably equivalent standards. Please note, however, that we cannot guarantee that all of our vendors and business partners will agree to the above-described contractual requirements; nor can we ensure that, even when they do agree, they will always fully comply.
HOW DO WE PROTECT COLLECTED PERSONAL INFORMATION?
Our Data Security Program
We have adopted, implemented and maintain an enterprise-wide corporate information security and privacy program that includes technical, organizational, administrative, and other security measures designed to protect, as required by applicable law, against reasonably anticipated or actual threats to the security of your personal information (the “Security Program”). Our Security Program includes, among many other things, procedures for assessing the need for, and as appropriate, either employing encryption and multifactor authentication or using equivalent compensating controls. We therefore have every reason to believe our Security Program is reasonable and appropriate for our business and the nature of foreseeable risks to the personal information we collect. We further periodically review and update our Security Program, including as required by applicable law.
Our Incident Response and Management Plan
Despite the significant investment we’ve made in, and our commitment to, the Security Program including enforcement of our third party oversight procedures, we cannot guarantee that your personal information, whether during transmission or while stored on our systems, otherwise in our care, or the care of our vendors and business partners and affiliates, will be free from either failed or successful attempts at unauthorized access or that loss or accidental destruction will never occur. Except for our duty under applicable law to maintain the Security Program, we necessarily disclaim, to the maximum extent the law allows, any other liability for any such theft or loss of, unauthorized access or damage to, or interception of any data or communications including personal information. All that said, as part of our Security Program, we have specific incident response and management procedures that are activated whenever we become aware that your personal information was likely to have been compromised. Those procedures include mechanisms to provide, when circumstances and/or our legal obligations warrant, notice to all affected data subjects within the timeframes required by law, as well as to give them such other mitigation and protection services (such as the credit monitoring and ID theft insurance) as may be required by applicable law. We further require, as part of our vendor and business partner oversight procedures, that such parties notify us immediately if they have any reason to believe that an incident adversely affecting personal information we provided to them has occurred.
YOUR RIGHTS AND OPTIONS
If we are using your personal information to send you marketing materials, such as newsletters or product alerts via text or email, you may opt out by following the opt-out instructions in the email or other communication (e.g., by responding to the text with “STOP”). When we receive your request, we will take reasonable steps to remove your name from our distribution lists, but it may take time to do so. You may still receive materials for a period of time after you opt out. In addition to opting out, you have the ability to access, amend and delete your personal information by contacting us using the contact information below. Opting out of or changing affinity actions or other submissions or requests made on our external social media presence, will likely require that you do so directly on that applicable platform as we do not control their procedures. Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not specifically respond to browser “do not track” signals.
Federal law imposes special restrictions and obligations on commercial website operators who direct their operations toward, and collect and use information from children under the age of 13. We take those age-related requirements very seriously, and, consistent with them, do not intend for our online and mobile resources to be used by children under the age of 18, and certainly not by anyone under the age of 13. Moreover, we do not knowingly collect personal information from minors under the age of 18. If we become aware that anyone under the age of 18 has submitted personal information to us via our online and mobile resources, we will delete that information and not use it for any purpose whatsoever. We encourage parents and legal guardians to talk with their children about the potential risks of providing personal information over the Internet.
THE LAW VARIES FROM PLACE-TO-PLACE: CCPA AND THE GDPR
Privacy and data protection laws vary around the world and among the several United States. Most prominently, residents of California and data subjects whose personal information was obtained from them while they were in the European Economic Area, the United Kingdom and Switzerland, have certain additional rights in cases where the party collecting that information is governed by the applicable law.
The California Consumer Privacy Act
When we collect personal information from California residents we become subject to, and those residents have rights under, the California Consumer Privacy Act or “CCPA”. This section of our statement is used to allow us to fulfill our CCPA obligations and explain your CCPA rights. For purposes of this section, the words “you” and “your” mean only such California residents. What did we collect from California Residents? We collected the following categories of personal information within the last 12 months:
What Personal Information did we disclose for a business purpose? We may have disclosed the categories of personal information listed above for one or more business purposes permitted by the CCPA during the last 12 months. What Personal Information did we sell? We do not sell, and within the last 12 months have not sold, personal information to third parties. What sources did we obtain Personal Information from and why did we collect it? Please re-review this part of this privacy statement to understand the scope of purposes and the sources from which we collect it. Similarly, we urge you to re-read this part of this statement where we describe the categories of third parties with which we may share your personal information and why. Rights of California Residents You have the following rights under the CCPA. It’s important to us that you know that if you exercise these rights, we will not discriminate against you by treating you differently from other California residents who use our sites and mobile resources or purchase our services but did not exercise their rights.
You, or an authorized agent acting on your behalf, can exercise the Right to Know up to two different times every 12 months. To exercise these rights, contact us at email@example.com or toll free number. We may ask you to fill out a request form. The CCPA only allows us to act on your request if we can verify your identity and/or your agent’s authority to make the request, so you will also need to follow our instructions for identity verification. If you make a verifiable request per the above, we will confirm our receipt and respond in the time frames prescribed by the CCPA.
The EU General Data Protection Regulation
We do not have personnel or operations in the Economic Area Union (“EEA”), or the United Kingdom (“UK”) (collectively, the “GDPR Jurisdictions”). And while we do not actively block or prohibit consumer customers located in GDPR Jurisdictions from downloading the English language version of the Onward App; nor merchant-customers there from offering our shipping protection service as a value add to their own customers, we do not direct our sales and marketing activities toward the GDPR Jurisdictions. We therefore do not believe that, as of the effective date of this policy, we are governed by the European Union’s General Data Protection Regulation (“GDPR”). We have, however, as required by the CCPA and other applicable U.S. laws such as the New York SHIELD Act, and as a good business practice generally, adopted and implemented a data security program that includes technical, organizational and administrative measures reasonably designed to protect, in a manner consistent with accepted industry standards, the privacy of those natural persons with whom we do business and to reduce the likelihood of unauthorized access to or unauthorized use of personal information we collect. We also enter into Data Protection Agreements with those of our merchant-customers who have, or believe they have, GDPR obligations that flow-down to us. For general site visitors, consumer-customers and regulators who have questions about whether or how the GDPR or other industry- or jurisdiction-specific laws apply to us, you can contact us using the contact information found here.
CHANGES TO THIS PRIVACY STATEMENT
We reserve the right to change or update this statement from time to time. Please check our online and mobile resources periodically for such changes since all information collected is subject to the statement in place at the time of collection. Typically, we will indicate the effective/amendment date at the beginning of this statement. If we feel it is appropriate, or if the law requires, we’ll also provide a summary of changes we’ve made near the end of the new statement.
If you have questions about our privacy statement or privacy practices, please contact our Privacy Office at firstname.lastname@example.org.
Thank you for visiting Onward’s online and mobile resources and viewing this Cookie Notice (this “Notice”).
Certain terms used in this Notice have the meaning given to them in the Privacy Statement.
This Notice is effective June 15, 2022.
Scope of this Notice
We interact with the world in a number of different ways. Like any company, we have a general website available from both computers and mobile devices. We also have an app that allows you to use our services. But there’s a third way you can interact with us as well, possibly without realizing it. And that’s when our merchants and shopping carts give you the benefit of our shipping protection service for a small fee or even, in some cases, for free. We want to be clear that this Notice applies only to our general website and direct consumer-customer users of our Onward App. As for the third situation, we do not control, and can’t be responsible, for the cookies placed by those third-party merchants and shopping carts, even if we did authorize them offer our shipping protection service to you. Consequently, they are responsible for notifying you of their cookie uses and practices. Finally, as explained in greater detail in our Privacy Statement, we do not do business in or direct our sales and marketing at the European Economic Area in a manner sufficient to cause us to have legal obligations under the laws of that jurisdiction, including their detailed cookie notice and right’s laws under the European Union’s ePrivacy Directive.
What is a cookie?
Additional information about cookies and tracking technologies is available here.
What types of cookies do we use?
Those third-party cookies are both session and persistent cookies and are set by our third-party service providers. For example, we use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). For more information on how Google uses this data, go to www.google.com/policies/privacy/partners/. You can learn more about how to opt out of Google Analytics by going to https://tools.google.com/dlpage/gaoptout. If you do not allow cookies to be set on your computer or device, you may be unable to access certain parts of our online and mobile resources or certain parts of our online and mobile resources may have reduced functionality.
Cookies are used on our online and mobile resources in order to:
Updates to this Cookie Notice
We reserve the right to update this Notice from time to time. Please check our online and mobile resources periodically for such updates since all information collected as described herein is subject to the Notice in place at the time of collection. Typically, we will indicate the effective/amendment date at the beginning of this Notice. If we feel it is appropriate, or if the law requires, we will also provide a summary of changes we have made in the new Notice.