1. Introduction

Castle Intelligence, Inc. [and our affiliates and subsidiaries] ("Castle", "we" or "us") helps online businesses (our "Clients") detect and address user account compromise and other malicious behavior in web, mobile and API applications ("Applications"). To do so, we collect information about how Internet users ("Users") interact with our Clients' Applications.

This Policy is incorporated by reference into the Castle Terms of Service (the "Terms"). All terms not defined in this Policy will have the meanings set forth in the Terms.

2. Purpose and Scope

This Policy tells you how we use and protect personal information collected through use of the "Services", defined as our website(s) and our products and services, including the Castle Service (as that term is defined in the Service Agreement).

This Policy covers only information that is collected by us in the course of our business, including through the Services and with respect to the people we employ and manage. It does not apply to other web sites, products or services that may be linked to or available via or from the Services or used in association therewith; nor does this Policy apply to practices of companies that we do not control or to people we do not employ or manage. Except as otherwise expressly included in this Policy, this document addresses only the use and disclosure of information we collect from you.

All individuals whose responsibilities include the Processing of Personal Information on behalf of Castle are expected to protect that data by adherence to this Policy. This Policy is intended to meet requirements globally, including those in North America, Europe, APAC, and other jurisdictions.

You expressly consent to our collection, storage, use and disclosure of your personal and non-personal information as described in this Policy and to all other terms herein.

3. Transparency/Notice: Types of Personal Information we collect and use

The types of Personal Information we may collect (directly from you or from Third-Party sources) and our privacy practices depend on the nature of the relationship you have with Castle and the requirements of applicable law. Some of the ways that Castle may collect Personal Information include:

• You may provide Personal Information directly to Castle through interacting with the Services, participating in surveys or contests, and requesting Services or information.
• As you navigate the Services, certain passive information may also be collected about your visit, including through cookies and similar technologies as described below.

We endeavor to collect only that information which is relevant for the purposes of Processing. Below are the ways we collect Personal Information and how we use it:

3.1 Types of Personal Information we collect

Castle collects Personal Information regarding its current, prospective, and former Employees, clients, customers, Users, visitors, and guests (collectively "Individuals").

• Information You Provide Directly to Us.

When you use the Services or engage in certain activities, such as registering for an Account with Castle, responding to surveys, requesting Services or information, or contacting us directly, we may ask you to provide some or all of the following types of information:

• Communications with Us. We may collect Personal Information from you such as email address, phone number or mailing address when you choose to request information about our Services, register for Castle's newsletter that we may offer from time to time, request to receive customer or technical support, or otherwise communicate with us.
• Surveys. From time to time, we may contact you to participate in online surveys. If you do decide to participate, you may be asked to provide certain information which may include Personal Information. All information collected from your participation in our surveys is provided by you voluntarily. We may use such information to improve our products, Sites and/or services and in any manner consistent with the policies provided herein.
• Posting on the Site. Castle may offer publicly accessible blogs, private messages, or community forums. You should be aware that, when you disclose information about yourself on Castle's blogs, private messages, and community forums, the Site will collect the information you provide in such submissions, including any Personal Information. If you choose to submit content to any public area of the Site, such content will be considered "public" and will not be subject to the privacy protections set forth herein.
• Registration for Sweepstakes or Contests. Occasionally, Castle may run sweepstakes and contests. We ask those who enter in the sweepstakes or contests to provide contact information (e.g., an e-mail address). If you participate in a sweepstakes or contest, your contact information may be used to reach you about the sweepstakes or contest, and for other promotional, marketing and business purposes. All sweepstakes/contests entry forms will provide a way for participants to opt-out of any communications that are not related to awarding prizes.
• Automatic Data Collection. We may collect certain information automatically through our Services or other methods of web analysis, such as your Internet protocol (IP) address, cookie identifiers, mobile carrier, mobile advertising identifiers, MAC address, IMEI, Advertiser ID, Game Center ID, and other device identifiers that are automatically assigned to your computer or device when you access the Internet, browser type and language, geo-location information, hardware type, operating system, Internet service provider, pages that you visit before and after using the Services, the date and time of your visit, the amount of time you spend on each page, information about the links you click and pages you view within the Services, and other actions taken through use of the Services such as preferences.
• Information Submitted Via Services. You agree that Castle is free to use the content of any communications submitted by you via the Services, including any ideas, inventions, concepts, techniques, or know-how disclosed therein, for any purpose including developing, manufacturing, and/or marketing goods or Services. Castle will not release your name or otherwise publicize the fact that you submitted materials or other information to us unless: (a) you grant us permission to do so; (b) we first send notice to you that the materials or other information you submit to a particular part of a Service will be published or otherwise used with your name on it; or © we are required to do so by law.
• Information from Other Sources. We may receive information about you from other sources, including through Third-Party services and organizations to supplement information provided by you. For example, if you access our Services through a Third-Party application, such as an App Store or Social Network Service ("SNS"), we may collect information about you from that Third-Party application that you have made public via your privacy settings. Information we collect through App Stores or SNS accounts may include your name, your SNS user identification number, your SNS user name, location, sex, birth date, email, profile picture, and your contacts on the SNS. This supplemental information allows us to verify information that you have provided to Castle and to enhance our ability to provide you with information about our business, products, and Services.

3.1.1 Information about Clients

• Name and identity, email address, physical and virtual and physical contact information (including for example your business address), professional information, log-in data, and financial information, including credit card and/or bank account numbers.
• Information responsive to surveys, or requested in order to provide brochures or information about our business, products or services.
• Transactional information based on your activities with or on the Services.
• Shipping, ordering, billing and other similar information you provide to purchase or ship an item or service.
• Community discussions, chats, dispute resolution, and correspondence sent to us.
• Computer sign-on data, statistics on page views and traffic to and from the Site.
• Other technical information or data collected from traffic, including IP address and standard web log information.
• Supplemental or additional information we may request from you in the event previous information you've provided cannot be verified.
• Information that you voluntarily provide to us, information that we collect as per the Service Agreement, and information set forth in the Order Form (as that term is defined in the Service Agreement).

3.1.2 Information about Users

Castle may have access to Personal Information about Users ("User Data") in the course of providing its Services to a Client.

We consider User Data to be confidential and do not use such data for any purpose other than to provide the Services to our Clients.

Our Clients use code such as JavaScript code or software development kits ("SDKs"), collectively "Agents" within their mobile, web and other services that enables the Castle Service to collect information from and, where available, link Users across Clients. Our Clients have control over the Agents and may remove or disable it at any time. The information collected automatically via the Castle Service includes information about their Users' computers and other devices, such as: the types and number of fonts installed, the types and number of plugins installed, MIME types supported, version strings for Windows Media Player, Flash, PDF, VLC, SVG, Real Player, Shockwave, Silverlight, Java and QuickTime. The Service also automatically collects information about the device's screen width, height and color depth, the operating system in place on the device, the user agent, the local time zone, and DST time zone, navigation data such as page views in browsers, device interactions such as keystroke timings and mouse movements.

In many instances, Castle receives User Data only from the Client and never interacts with the User directly. In some instances, depending on the level of Services selected by the Client, the Clients may allow Users to interact with Castle directly, for example when Castle sends a security alert directly to the User. Castle has access to User Data only as requested by the Client and only for the purposes of performing Services on the Client's behalf.

If a User contacts Castle with a question about our Service, we will collect Personal Information from that User only as necessary to respond to the User's request and direct the User to contact the User's Client, and we will then delete or anonymize the personal data about the User after providing our response.

3.1.3 Information about prospective, current, and former Employees

• Information responsive to applications for employment, disclosed in resumes, or requested in order to provide brochures or information about employment, including:
  • name, address, phone number, email address
  • title
  • date of birth, passport number, driver's license number, Social Security number or other government-issued identification number
  • financial information related to credit checks, bank details for payroll
  • language abilities
  • details of health and disability, including mental health, medical leave, and maternity leave
  • information about national origin or immigration status
  • ptional demographic information such as race, which helps us achieve our diversity goals
• Contact information in case of a medical emergency.
• Beneficiary information under any insurance or other policy.

3.2 How we use Personal Information

We acquire, hold, use, and Process Personal Information about Individuals for a variety of business purposes, including:

• To Provide Services or Information Requested.

Castle may use information about you to fulfill requests for Services or information, including information about potential or future Services. With respect to Users, we combine and analyze data related to a User from multiple sources, including the data obtained across all or most of our Clients in order to provide the Services. Other ways we may use Personal Information to provide the Services or information requested include:

• Generally manage Individual information and Accounts;
• Respond to questions, comments, and other requests;
• Provide access to certain areas, functionalities, and features of Castle's Services;
• Contact you to answer requests for customer support or technical support;
• Allow you to register for events.
• Administrative Purposes.

We may use and combine Personal Information with information we collect from other sources for administrative purposes, including to:

• Measure interest in Castle's Services;
• Develop new products and Services;
• Ensure internal quality control;
• Verify Individual identity;
• Communicate about Individual Accounts and activities on Castle's Services and systems, and, in Castle's discretion, changes to any Castle policy;
• Send email to the email address you provide to us to verify your Account and for informational and operational purposes, such as Account management, customer service, or system maintenance;
• Process payment for products or services purchased;
• Process applications and transactions;
• Prevent potentially prohibited or illegal activities;
• Enforce our Terms.
• Marketing Castle Products and Services.

Castle may use Personal Information about you, in combination with other information we collect from other sources to provide you with materials about offers, products, and Services that may be of interest, including new content or Services. Castle may provide you with these materials by phone, postal mail, facsimile, or email, as permitted by applicable law. Such uses include:

• To tailor content, advertisements, and offers;
• To notify you about offers, products, and services that may be of interest to you;
• To provide Services to you and our sponsors;
• For other purposes disclosed at the time that Individuals provide Personal Information; or
• Otherwise with your consent.

You may contact us at any time to opt-out of the use of your Personal Information for marketing purposes, as further described in Section 6 below.

• Research and Development. Castle may use Personal Information to create non-identifiable information that we may use alone or in the aggregate with information obtained from other sources, in order to help us to optimally deliver our existing products and Services or develop new products and Services. From time to time, Castle may perform research (online and offline) via surveys. We may engage Third-Party service providers to conduct such surveys on our behalf. All survey responses are voluntary, and the information collected will be used for research and reporting purposes to help us better serve Individuals by learning more about their needs and the quality of the products and services we provide. The survey responses may be utilized to determine the effectiveness of our Services, various types of communications, advertising campaigns, and/or promotional activities. If an Individual participates in a survey, the information given will be used along with that of other study participants. We may share anonymous Individual and aggregate data for research and analysis purposes.
• Direct Mail, Email and Outbound Telemarketing. Individuals who provide us with Personal Information, or whose Personal Information we obtain from Third Parties, may receive periodic emails, newsletters, mailings, or phone calls from us with information on Castle's or our business partners' products and services or upcoming special offers/events we believe may be of interest. We offer the option to decline these communications at no cost to the Individual by following the instructions in Section 6 below.
• Services via Mobile Devices. From time to time, Castle may provide Services that are specifically designed to be compatible and used on mobile devices. Castle will collect certain information that your mobile device sends when you use such Services, like a device identifier, user settings, location information, mobile carrier, and the operating system of your device. Mobile versions of Castle's Services may require that Clients or Users log in with an Account. In such cases, information about use of mobile versions of the Services may be associated with Accounts. In addition, Castle may enable Individuals to download an application, widget, or other tool that can be used on mobile or other computing devices. Some of these tools may store information on mobile or other devices. These tools may transmit Personal Information to Castle to enable Individuals to access Accounts and to enable Castle to track use of these tools. Some of these tools may enable Users to email reports and other information from the tool. Castle may use personal or non-identifiable information transmitted to Castle to enhance these tools, to develop new tools, for quality improvement and as otherwise described in this Privacy Policy or in other notices Castle provides.
• Anonymous and Aggregated Information Use. Castle may use Personal Information and other information about you to create anonymized and aggregated information, such as de-identified demographic information, de-identified location information, information about the computer or device from which you access Castle's Services, or other analyses we create. Anonymized and aggregated information is used for a variety of functions, including the measurement of visitors' interest in and use of various portions or features of the Services. Anonymized or aggregated information is not Personal Information, and Castle may use such information in a number of ways, including research, internal analysis, analytics, and any other legally permissible purposes. We may share this information within Castle and with Third Parties for our or their purposes in an anonymized or aggregated form that is designed to prevent anyone from identifying you.
• Other Uses. Castle may use Personal Information for which we have a legitimate interest, such as direct marketing, individual or market research, anti-fraud protection, or any other purpose disclosed to you at the time you provide Personal Information or with your consent.

3.3 Cookies, pixel tags/web beacons, analytics information, and interest-based advertising

We, as well as Third Parties that provide content, advertising, or other functionality on our Services, may use cookies, pixel tags, local storage, and other technologies ( "Technologies" ) to automatically collect information through the Services. We use Technologies that are essentially small data files placed on your computer, tablet, mobile phone, or other devices (referred to collectively as a " device" ) that allow us to record certain pieces of information whenever you visit or interact with our sites, services, applications, messaging, and tools, and to recognize you across devices.

• Cookies. Cookies are small text files placed in visitors' computer browsers to store their preferences. Most browsers allow you to block and delete cookies. However, if you do that, the Site may not work properly.
• Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded on the Site that collects information about Users' engagement on that web page. The use of a pixel allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement.
• Social Media Widgets. Our Website includes social media features such as the Facebook "Like" button and LinkedIn (that might include widgets such as the share this button or other interactive mini-programs). These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. These social media features are either hosted by a Third Party or hosted directly on our Website. Your interactions with these features are governed by the privacy policy of the company providing it.
• Analytics. We may also use Google Analytics and Google Analytics Demographics and Interest Reporting to collect information regarding visitor behavior and visitor demographics on some of our Services, and to develop website content. This analytics data is not tied to any Personal Information. For more information about Google Analytics, please visit google.com/policies/privacy/partners/. You can opt out of Google's collection and Processing of data generated by your use of the Services by going to http://tools.google.com/dlpage/gaoptout.

Our uses of such Technologies fall into the following general categories:

• Operationally Necessary. We may use cookies, web beacons, or other similar technologies that are necessary to the operation of our sites, services, applications, and tools. This includes technologies that allow you access to our sites, services, applications, and tools; that are required to identify irregular site behavior, prevent fraudulent activity and improve security; or that allow you to make use of our functions such as shopping-carts, saved search, or similar functions;
• Performance Related. We may use cookies, web beacons, or other similar technologies to assess the performance of our websites, applications, services, and tools, including as part of our analytic practices to help us understand how our visitors use our websites, determine if you have interacted with our messaging, determine whether you have viewed an item or link, or to improve our website content, applications, services, or tools;
• Functionality Related. We may use cookies, web beacons, or other similar technologies that allow us to offer you enhanced functionality when accessing or using our sites, services, applications, or tools. This may include identifying you when you sign into our sites or keeping track of your specified preferences, interests, or past items viewed so that we may enhance the presentation of content on our sites;
• Advertising or Targeting Related. We may use first-party or third-party cookies and web beacons to deliver content, including ads relevant to your interests, on our sites or on third party sites. This includes using technologies to understand the usefulness to you of the advertisements and content that has been delivered to you, such as whether you have clicked on an advertisement.

It may be possible for you to browse our websites without telling us who you are or revealing any information that enables us to directly identify you as an individual. However, you may lose anonymity once you give us Personal Information about you, and by doing so, you agree to the transfer and storage of that information to our servers and to the terms of this Policy. If you would like to opt-out of the Technologies we employ on our sites, services, applications, or tools, you may do so by blocking, deleting, or disabling them as your browser or device permits.

3.4 Third-Party websites, social media platforms, and software development kits

The Site may contain links to other websites and other websites may reference or link to our Site or other Services. These other domains and websites are not controlled by us, and Castle does not endorse or make any representations about Third-Party websites or social media platforms. We encourage our Users to read the privacy policies of each and every website and application with which they interact. We do not endorse, screen or approve, and are not responsible for the privacy practices or content of such other websites or applications. Visiting these other websites or applications is at your own risk. Castle's Services may include publicly accessible blogs, community forums, or private messaging features. The Site and our other Services may also contain links and interactive features with various social media platforms (e.g., widgets). If you already use these platforms, their cookies may be set on your device when using our Site or other Services. You should be aware that Personal Information which you voluntarily include and transmit online in a publicly accessible blog, chat room, social media platform or otherwise online, or that you share in an open forum may be viewed and used by others without any restrictions. We are unable to control such uses of your information when interacting with a social media platform, and by using such services you assume the risk that the Personal Information provided by you may be viewed and used by third parties for any number of purposes. We use Third-Party software development kits ("SDKs"), such as the Google Analytics, Intercom and Amplitude SDK, on our websites. Third-Party SDKs may allow Third Parties including advertisers to collect your personal information to provide content that is more relevant to you. You may opt out of tracking by sending a request to privacy@castle.io.

3.5 Third-party Payment processing

Although we do not sell merchandise through our Services, Clients may purchase our Services through Third-Party applications, such as Stripe. A Third-Party payment application may collect certain financial information from Clients to process a payment on behalf of Castle, including a Client's name, email address, address and other billing information.

4. Human Resources Data

Castle collects Personal Information from current, prospective, and former Employees, their contact points in case of a medical emergency, and beneficiaries under any insurance policy. We acquire, hold, use and Process Human Resources Data for a variety of business purposes including: Workflow management, including assigning, managing and administering projects;

• Human Resources administration and communication;
• Payroll and the provision of benefits;
• Compensation, including bonuses and long-term incentive administration, stock plan administration, compensation analysis, including monitoring overtime and compliance with labor laws, and company recognition programs;
• Job grading activities;
• Performance and employee development management;
• Organizational development and succession planning;
• Benefits and personnel administration;
• Absence management;
• Helpdesk and IT support services;
• Regulatory compliance;
• Internal and/or external or governmental compliance investigations;
• Internal or external audits;
• Litigation evaluation, prosecution, and defense;
• Diversity and inclusion initiatives;
• Restructuring and relocation;
• Emergency contacts and services;
• Employee safety;
• Compliance with statutory requirements;
• Processing of Employee expenses and travel charges; and
• Acquisitions, divestitures, and integrations.

5. Sharing Information/Onward Transfer

5.1 Information we share

We may share your personal information as described in this Policy (e.g., with our Third-Party service providers; to comply with legal obligations; to protect and defend our rights and property) or with your permission, including:

• To protect us or others: We may access, preserve, and disclose Personal Information, other Account information, and content, including to members of our corporate family, if we believe doing so is required or appropriate to: (i) to help detect and prevent potentially illegal acts, comply with law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) respond to your requests; (iii) protect yours', ours' or others' rights, property, or safety; (iv) to enforce Castle policies or contracts; (v) to collect amounts owed to Castle; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; (vii) if we, in good faith, believe that disclosure is otherwise necessary or advisable, and (viii) provide joint services to requesting Users.

In addition, from time to time, server logs may be reviewed for security purposes – e.g., to detect unauthorized activity on the Services. In such cases, server log data containing IP addresses may be shared with law enforcement bodies in order that they may identify Users in connection with their investigation of the unauthorized activities.

• Vendors and Service Providers: We may share any information we receive with vendors service providers, consultants or similar contractors to support or enhance the Services or our business operations, or to whom we contract in order to carry out transactions initiated by you, such as credit card processing organizations or hosting service providers. The types of service providers (processors) to whom we entrust Personal Information include service providers for: (i) provision of IT and related services; (ii) provision of information and services you have requested; (iii) payment processing; (iv) customer service activities; and (v) in connection with the provision of the Site. Castle has executed appropriate contracts with the service providers that prohibit them from using or sharing Personal Information except as necessary to perform the contracted services on our behalf or to comply with applicable legal requirements.
• Business Partners: Castle may share Personal Information with our business partners, and affiliates for our and our affiliates' internal business purposes or to provide you with a product or service that you have requested. Castle may also provide Personal Information to business partners with whom we may jointly offer products or services, or whose products or services we believe may be of interest to you. In such cases, our business partner's name will appear, along with Castle. Castle requires our affiliates and business partners to agree in writing to maintain the confidentiality and security of Personal Information they maintain on our behalf and not to use it for any purpose other than the purpose for which Castle provided them.
• Other Third Parties: Castle may disclose Personal Information to other third parties to whom you explicitly ask us to send your information (or about whom you are otherwise explicitly notified and solicited consent when using a specific service).
• Other Users: Your user ID may necessarily be displayed throughout the Services and to the public. All of your activities as such will be traceable to your user ID. Please understand that if you link your name with your user ID, others will be able to personally identify your activities. We are not responsible for privacy practices of the others who will view and use the posted information.
• Marketing – Interest-Based Advertising and Third Party Marketing. Through our Services, Castle may allow Third-Party advertising partners to set tracking tools (e.g., cookies) to collect information regarding your activities (e.g., your IP address, page(s) visited, time of day). We may also share such de-identified information as well as selected Personal Information (such as demographic information and past purchase history) we have collected with Third-Party advertising partners. These advertising partners may use this information (and similar information collected from other websites) for purposes of delivering targeted advertisements to you when you visit non-Castle related websites within their networks. This practice is commonly referred to as "interest-based advertising" or "online behavioral advertising. We may allow access to other data collected by the Site to facilitate transmittal of information that may be useful, relevant, valuable or otherwise of interest to you. If you prefer that we do not share your Personal Information with Third-Party advertising partners, you may opt-out of such sharing at no cost by following the instructions in Section 6 below.
• Merger, sale, or other asset transfer: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, then your information may be sold or transferred to other business entities, as part of such a transaction as permitted by law and/or contract. In such event, Castle will endeavor to direct the transferee to use Personal Information in a manner that is consistent with the Privacy Policy in effect at the time such Personal Information was collected.

5.2 Data Transfers

All Personal Information collected via or by Castle may be stored anywhere in the world, including but not limited to the United States, the European Union, in the cloud, on our servers, on the servers of our affiliates or the servers of our service providers. Personal Information may be accessible to law enforcement or other authorities pursuant to a lawful request. By providing information to Castle, you consent to the storage of your Personal Information in these locations.

6. Opt-out rights

6.1 General

You have the right to opt out of certain uses and disclosures of your Personal Information. Where you have consented to Castle's Processing of your Personal Information, you may withdraw that consent at any time and opt-out to further Processing by contacting privacy@castle.io. Even if you opt-out, we may still collect and use non-Personal Information regarding your activities on our Sites and/or information from the advertisements on Third-Party websites for non-interest based advertising purposes, such as to determine the effectiveness of the advertisements. You can see, review and change most of your personal information by logging into our websites. You must promptly update your personal information if it changes or is inaccurate. We retain personal information from closed accounts in order to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce our Services-related agreements, and take other actions otherwise permitted by law or as specified elsewhere in this Policy.

6.2 Email and telephone communications

If at any time you choose to opt out from allowing us to use your Personal Information in the future to provide you with special offers or information regarding new products or services, check the "opt-out" box, either at the time you provide your personal information or via any subsequent marketing communication that we send you.

If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt-out of receiving future emails. We will process your request within a reasonable time after receipt. Note that you will continue to receive transaction-related emails regarding products or services you have requested. We may also send you certain non-promotional communications regarding Castle and our Services and you will not be able to opt out of those communications (e.g., communications regarding updates to our Terms or this Privacy Policy).

We maintain "do-not-call" and "do-not-mail" lists as mandated by law. We process requests to be placed on do-not-mail, do-not-phone and do-not-contact lists within 60 days after receipt, or such shorter time as may be required by law.

6.3 Mobile devices

Castle may occasionally send you push notifications through our mobile applications with game updates, high scores and other notices that may be of interest to you. You may at any time opt-out from receiving these types of communications by changing the settings on your mobile device. Castle may also collect location-based information if you use our mobile applications. You may opt-out of this collection by changing the settings on your mobile device.

6.4 Human Resources Data

With regard to Personal Information that Castle receives in connection with the employment relationship, Castle will use such Personal Information only for employment-related purposes as more fully described above. If Castle intends to use this Personal Information for any other purpose, Castle will notify the Individual and provide an opportunity to opt-out of such uses.

6.5 "Do Not Track"

Do Not Track ("DNT") is a privacy preference that Users can set in certain web browsers. DNT is a way for Users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

6.6 Cookies and interest-based advertising

As noted above, you may stop or restrict the placement of cookies on your computer or remove them from your browser by adjusting your web browser preferences. Please note that cookie-based opt-outs are not effective on mobile applications. However, on many mobile devices, application Users may opt out of certain mobile ads via their device settings.

The online advertising industry also provides websites from which you may opt-out of receiving targeted ads from our data partners and our other advertising partners that participate in self-regulatory programs. You can access these, and also learn more about targeted advertising and consumer choice and privacy, at https://www.networkadvertising.org/managing/opt_out.asp, or https://www.youronlinechoices.eu and https://www.aboutads.info/choices. You can also choose not to be included in Google Analytics here.

To be clear, whether you are using our opt-out or an online industry opt-out, these cookie-based opt-outs must be performed on each device and browser that you wish to have opted-out. For example, if you have opted-out on your computer browser, that opt-out will not be effective on your mobile device. You must separately opt-out on each device. Advertisements on Third-Party websites that contain the AdChoices link and that link to this Privacy Policy may have been directed to you based on anonymous, non-Personal Information collected by advertising partners over time and across websites. These advertisements provide a mechanism to opt-out of the advertising partners' use of this information for interest-based advertising purposes.

7. Rights of access, rectification, erasure, and restriction

You may inquire as to whether Castle is Processing Personal Information about you, request access to Personal Information, and ask that we correct, amend or delete your Personal Information where it is inaccurate. Where otherwise permitted by applicable law, you may send an e-mail to privacy@castle.io or use any of the methods set out in this Privacy Policy to request access to, receive (port), seek rectification, or request erasure of Personal Information held about you by Castle. Please include your full name, email address associated with your Account, and a detailed description of your data request. Such requests will be processed in line with local laws.

Although Castle makes good faith efforts to provide Individuals with access to their Personal Information, there may be circumstances in which Castle is unable to provide access, including but not limited to: where the information contains legal privilege, would compromise others' privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the Individual's privacy in the case in question or where it is commercially proprietary. If Castle determines that access should be restricted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries. To protect your privacy, Castle will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.

8. Data retention

Castle retains the Personal Information we receive as described in this Policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

9. How we protect your information

We take steps (such as administrative, technical, and physical procedures) to ensure that your information is treated securely and in accordance with this Policy. Some of the steps we take are limiting access to information through username and password credentials and multi-factor authentication and using industry-standard Secure Socket Layer (SSL) encryption technology to safeguard the account registration process and sign-up information. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to building and files.

Unfortunately, the Internet cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information you provide to us. We do not accept liability for unintentional disclosure.

By using the Site or providing Personal Information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Site. If we learn of a security system's breach, we may attempt to notify you electronically by posting a notice on the Site or sending an e-mail to you. You may have a legal right to receive this notice in writing.

To discuss the security programs, procedures and policies that we have selected and utilize to reasonably secure the Services, please contact security@castle.io. We will be happy to discuss our security program with you.

10. International Users

10.1 Data Transfers

By using the Site, Castle will transfer data to the United States, the cloud, our servers, the servers of our affiliates or the servers of our service providers. By choosing to visit the Site, utilize the Services or otherwise provide information to us, you agree that disputes over privacy or the terms contained in this Policy will be governed by the laws of California and the adjudication of any disputes arising in connection with Castle or the Site will be in accordance with the Terms.

If you are visiting from the European Union or other regions with laws governing data collection and use, please note that Data servers used by Castle to provide the Website and Product may be located in the United States. By interacting with the Website or using the Product, you understand that your personal data may be transferred to the United States and you consent to such transfer.

To the extent Castle collects or processes personal data transferred from the European Union or Switzerland to the United States, Castle complies with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data transferred from the European Union and Switzerland to the United States, respectively. Castle has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and to view the certification for Castle, please visit: https://www.privacyshield.gov/.

For the actions of third party agents Castle engages to process data on our behalf, Castle remains responsible and liable under the Privacy Shield Principles if a third party agent processes the personal data in a manner inconsistent with the Privacy Shield Principles, unless Castle proves that it is not responsible for the event giving rise to the damage.

10.2 Privacy Concerns or Disputes

As part of our commitment to the Privacy Shield Principles, if you are a resident of the European Union or Switzerland and you have a privacy or data use concern, please contact Castle directly at privacy@Castle.com and Castle will use its best efforts to address your concern within one month of receipt of your complaint. For an unresolved privacy or data use concern that Castle has not addressed satisfactorily, please contact our U.S. based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim.

For any Privacy Shield disputes that cannot be resolved by the methods above, you may be able to invoke a binding arbitration process under certain conditions. To find out more about the Privacy Shield's binding arbitration scheme, please see: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

The Federal Trade Commission has investigation and enforcement authority over Castle's compliance with the Privacy Shield Framework.

11. Children

The Services are not directed to those under 13 years of age, and we do not knowingly collect personal information from children. If you are younger than thirteen, please do not provide any personal information to us. If a person 13 years of age or younger has provided personal information to us, a parent or guardian of such person should contact us at privacy@castle.ioso that we can remove such personal information from our database. We reserve the right to limit participation in particular programs, offers or promotions to those over 18 years of age.

12. Redress/Compliance and accountability

If you have any questions about our privacy practices or this Policy, please contact Castle by email at privacy@castle.io. We will address your concerns and attempt to resolve any privacy issues in a timely manner.

13. Other rights and important information

13.1 Changes to our Privacy Policy

Castle may modify or update this Privacy Policy from time to time so you should review this page periodically. Click here to see all changes to this Privacy Policy. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you use the Services after the updated Privacy Policy is posted on the Services. If at any point you do not agree to any portion of the Privacy Policy then in effect, you must immediately stop using the Services. If we change the policy in a material manner, for example if we seek to use personal information in a materially different way than we had previously, we will provide at least 30 days' notice to the Clients so that you have sufficient time to evaluate the change in practice. Of course, you can always opt-out by deleting your account before the changes take effect.

13.2 California privacy rights

California law permits Users who are California residents to request and obtain from us once a year, free of charge, a list of the Third Parties to whom we have disclosed their Personal Information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of Personal Information disclosed to those parties. Castle does not share Personal Information with Third Parties for their own marketing purposes.

14. Definitions

The following capitalized terms shall have the meanings herein as set forth below.

• "Agent" means any Third Party that Processes Personal Information pursuant to the instructions of, and solely for, Castle or to which Castle discloses Personal Information for use on its behalf.
• "Employee" refers to any current, temporary, permanent, prospective or former employee, director, contractor, worker, or retiree of Castle or its subsidiaries worldwide.
• "Personal Information" is any information relating to an identified or identifiable natural person ("Individual").
• "Process" or "Processing" means any operation which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• "Third Party" is any company, natural or legal person, public authority, agency, or body other than the Individual, Castle or Castle's Agents.

15. Revision history

Title	Effective Date
Castle Privacy Policy	2016-02-28
Updated Castle Privacy Policy	2018-05-24
Updated Castle Privacy Policy	2019-09-23