Last Updated May 15, 2023
Regional Privacy Notice Supplement
This Regional Privacy Notice Supplement (“Regional Supplement”) is provided as a supplement to the Whimsical Privacy Notice to provide additional information to individuals who are residents of certain US state such as California and Nevada or are located in the European Union, United Kingdom, and Switzerland (“Relevant Regions”) as required under applicable data protection laws in those regions (“Regional Laws”). This Regional Supplement includes information such as our purposes for personal information processing, the rights you have regarding our processing of your personal information, and how to contact us if you have any questions regarding our processing of your personal information.
Your Consumer Rights
Certain Relevant Laws provide individuals in Relevant Regions certain rights regarding their personal information. If a Relevant Law applies to you, you may submit a request to exercise your right(s) in relation to your personal information, as follows:
Please note that you may designate an authorized agent to exercise these rights on your behalf by providing written materials demonstrating that you have granted the authorized agent power of attorney. Please note that if an authorized agent submits a request on your behalf, we may need to contact you to verify your identity and protect the security of your personal information.
- Know/Access: You may request access to the specific pieces of personal information we have collected about you, which may, in accordance with Relevant Laws, be limited to the information collected in the prior 12 months. You may also request additional details about our information practices, including the categories of personal information we have collected about you, the sources of such collection, the categories of personal information we share for a business or commercial purpose, and the categories of third parties with whom we share your personal information.
- Correct/Rectify: You may request that we correct or rectify the personal information we have collected about you. Please note that we may decline to correct certain information as required or permitted by applicable law, and we may deny your correction request if retaining the personal information in its current state is necessary for us or our service providers under any permitted exceptions. We are required by law to verify your identity prior to correcting your information in order to protect your privacy and security. If you request to change your personal information, certain of our Services may no longer be available to you or may no longer operate correctly.
- Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive personal information, as defined in Relevant Laws, to certain purposes as set forth in the Relevant Laws.
- Delete/Erase: You may request that we delete the personal information we have collected about you. Please note that we may retain certain information as required or permitted by applicable law, and we may deny your deletion request if retaining the personal information is necessary for us or our service providers under any permitted exceptions. If you request to delete your personal information, certain of our Services may no longer be available to you.
- Restrict or Object: You may request that we limit the way we use your personal information or object to certain forms of processing.
- Data Portability: You may request for your personal information to be transferred directly to another organization.
- Automated Decision Making and Profiling: You have the right not to be subject to automated decision-making if it produces a legal effect that significantly affects you, with certain exceptions. Please note that we do not generally engage in this activity and do not as a matter of course control or process personal information for this purpose, and if we do, we comply with Relevant Laws in connection with such data processing.
- Not to Receive Direct Marketing Communications: In some Relevant Regions, you may request to not receive our direct marketing messages, as more fully set forth below.
Certain other details regarding the processing of personal information that individuals located in Relevant Regions may be entitled to receive are contained in other provisions of the Regional Supplement.
You can usually access, correct, or delete your personal information using your account settings and tools that we offer, but if you aren’t able to do that, or you don’t have an account, or you would like to contact us about one of the other rights, our contact information is set forth in “How to Reach Us” below. Individuals in the European Economic Area, Switzerland, and United Kingdom (collectively, “Europe”) also have the right to make a complaint to a government supervisory authority.
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. Under some Relevant Laws, you may only make a verifiable consumer request for access twice within a 12-month period. The verifiable consumer request must (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We will respond to a verifiable consumer request within the time periods permitted under Relevant Laws. If we require more time, we will inform you of the reason and extension period in writing, in accordance with Relevant Laws.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Relevant Laws may require us to verify your identity. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We may not be able to provide all of the information requested, for example: (i) if the personal information was collected for a single one-time transaction and if, in the ordinary course of business, such information was not retained; (ii) we would be required to reidentify or otherwise link any data that, in the ordinary course of business, was not maintained in a manner that would be considered personal information; or (iii) the consumer used different browsers, devices or identifying information and we have not linked all such information together.
California Privacy Rights Act (“CPRA”) Notice
If you are a California resident, the CPRA requires us to disclose the following information with respect to our collection, use and disclosure of personal information.
- Categories and Specific Pieces of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information: certain identifiers, certain of the personal information categories listed in the California Customer Records statutes, commercial information, internet or other similar network activity, and geolocation data. For more detail regarding the personal information we collect, please see “Personal Information We Collect” in our Privacy Notice.
- Business or Commercial Purpose for Collecting and Using Personal Information: We collect personal information for the business purposes described in “How and Why We Use Your Personal Information” in our Privacy Notice.
- Categories of Sources of Personal Information: We collect personal information directly from you, automatically, and from other sources, each of which is more particularly described in “Personal Information We Collect” in our Privacy Notice.
- Categories of Personal Information Disclosed: In the preceding 12 months, we have disclosed the categories of personal information for business or commercial purposes as set forth in “Personal Information We Collect” in our Privacy Notice.
- Categories of Third Parties with whom We Share Personal Information: We may share your personal information with the third parties as described in “How and Why We Share Personal Information” in our Privacy Notice.
- “Sale” or “Sharing” of Personal Information: Whimsical does not as a matter of course “sell” or “share” (as those terms are specifically defined in the CPRA) your personal information.
- Retention of Data. Please see “How Long We Keep Personal Information” in our Privacy Notice for details regarding the time period for which we retain personal information or the criteria we use to determine how long we retain personal information.
Non-Discrimination and Non-Retaliation
We will not discriminate or retaliate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide you a different level or quality of goods or services; and/or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
California “Shine the Light” Law
California residents may request certain information regarding our disclosure (if any) of personal information to third parties for their direct marketing purposes, pursuant to California Civil Code Section 1798.83 (the California “Shine the Light” law). To make such a request, please contact us, identify yourself as a California resident and provide sufficient information so we can take appropriate action, such as your name, email address or any additional information required.
Though we do not as a matter of course “sell” “covered information” as those terms are defined by the Nevada Privacy Law (as amended), if you reside in Nevada and believe we have sold your covered information, please contact us as set forth below.
Individuals Located in Europe
If you are located in Europe (as defined above), the legal bases for using your personal information as set out in our Privacy Notice are as follows:
- Where use of your information is necessary in order to fulfill our commitments to you under our Terms of Service and/or other agreements with you or as necessary to administer your account (for example, in order to enable access to our Website on your device or charge you for a paid plan);
- Where use of your information is necessary for compliance with a legal obligation;
- Where use of your information is necessary in order to protect your vital interests or those of another person;
- Where use of your information is necessary for our legitimate interests or the legitimate interests of others (for example, to secure, update, and improve our Services; to communicate with you and respond to your requests and inquiries; to measure, gauge, and improve the effectiveness of our advertising; to better understand user retention and attrition; to monitor and prevent any problems with our Services; to personalize your experience; for fraud prevention and know-your-customer obligations; to conduct our recruiting activities; and to establish, exercise, or defend legal claims); or
- Where we have your consent, in accordance with applicable law (for example before we place certain cookies on your device and access and analyze them later on).
Controller and Processor Designations
With regard to the processing of Customer Data, our customer is the Controller and Whimsical is the Processor. Please see our Data Processing Addendum located at https://whimsical.com/dpa for additional details.
With regard to the processing of Registration Data, Usage Data, and Recruiting Data, Whimsical is the Controller and processes such information as set forth in this Privacy Notice.
Other Things You Should Know
Please see our Subprocessor List for information on our use of third-party data processors.
International Transfer of Data
We may transfer to, process, and store the data we collect about you in countries other than the country in which the data was originally collected, including the USA, Canada or other destinations outside Europe. Those countries may not have the same data protection laws as the country in which you provided the data. When we transfer your data to other countries, we will protect the data as described in our Privacy Notice and comply with Relevant Laws providing adequate protection for the transfer of data to countries outside Europe.
We transfer your personal information outside Europe with appropriate organizational safeguards in place. Specifically, we transfer your personal information in accordance with the Standard Contractual Clauses (“SCCs”). The SCCs are part of our Data Processing Addendum located at https://whimsical.com/dpa. By utilizing our Service, you agree to the transfer of your personal information in accordance with our Data Processing Addendum.
You may request more information about the safeguards that we have put in place in respect of transfers of personal information by contacting us as described in “How to Reach Us” below.
How to Reach Us
If you have a question about this Regional Supplement, or you would like to contact us about any of your rights mentioned herein, please contact us at firstname.lastname@example.org. You may reach us by mail at Whimsical, Inc., 1630 Welton Street, 7th Floor, Denver, Colorado 80202, USA.