Privacy Policy

Last Updated: September 5, 2025



COOVAVO ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website www.coovavo.com or purchase our products. By using our services, you agree to the terms of this policy.

1. Information We Collect

We don't automatically collect personal information as you browse our website. Instead, we only collect such data when you intentionally provide it - whether you create an account, place an order, complete online forms, or opt in to receive our newsletter and promotional offers. Additionally, we may obtain personal information from trusted third parties, such as social networks, advertising networks and data brokers.

We use the personal information you provide to deliver the goods and services available on our website and as outlined in this Privacy Policy. In this Policy, the term "personal information" or "personal data" refers to any information that can identify you or be associated with you, including:

  • Personal Identifiers: Name, email address, phone number, shipping/billing address.
  • Payment Information: Credit card details (encrypted and processed exclusively through PCI DSS-compliant partners like PayPal and Stripe), payment gateway credentials, and transaction history.
  • Commercial Information: Order history, product reviews, survey responses, customer service inquiries, and communications (e.g., live chat transcripts, call recordings).

2. Automatically Collected Information

When you visit our website, we and our third-party partners may use cookies, pixel tags, device identifiers, web beacons, and similar technologies to automatically collect the following non-personal information about your device and how you interact with our website, advertisements, emails, and other digital communications:

  • Technical Data: IP address, browser type, language, operating system, device model, and unique device identifiers (e.g., IDFA, Google Advertising ID).
  • Usage Data: Pages visited, services used, time spent, clickstream patterns, referral URLs, the websites visited before and after ours, error logs, and interaction with ads or emails.
  • Geolocation Data: Approximate location derived from IP address or GPS coordinates (if enabled on your device).

3. How We Use Your Information

We use your information for the following purposes:

3.1 Account Management

We utilize your information to create, maintain, and secure user accounts, including verifying credentials and protecting against unauthorized access.

3.2 Order Processing & Fulfillment

To process transactions, facilitate product/service delivery, manage returns/refunds, and provide order-related updates.

3.3 Customer Support

To respond to inquiries, resolve disputes, conduct service quality assessments, and improve our support systems.

3.4 Marketing & Communications

With your consent where legally required:

  • Deliver personalized product recommendations, promotional offers, and newsletters
  • Send transactional/service-related updates via email, SMS, or phone

Opt-out options are always available per applicable laws. Visit "Your Rights & Choices" for details.

3.5 Analytics & Optimization

  • Analyze usage trends, preferences, and engagement metrics
  • Conduct market research to improve existing services
  • Develop new features, products, or functionalities
  • Generate aggregated statistical data (non-identifiable) for operational insights

3.6 Aggregated Data Usage

We anonymize and aggregate personal information to:

  • Measure site traffic patterns and engagement metrics
  • Benchmark service performance
  • Publish industry trend analyses (no individual identification)

3.7 Security & Legal Compliance

  • Detect, investigate, and prevent fraud, security breaches, or illegal activities
  • Enforce Terms of Use and other contractual obligations
  • Comply with applicable laws

We do not use profiling to make decisions that would significantly affect you. For details about data retention periods and cross-border transfers, refer to Section 7 (International Data Transfers) and Section 9 (Data Security and Retention) of this policy.

4. Sharing of Information

We may disclose your information to third parties under appropriate confidentiality safeguards for the purposes described below:

4.1 Service Providers & Business Partners

We engage trusted third-party vendors and partners to provide essential operational services, including but not limited to:

  • Payment processing (e.g., Stripe, PayPal)
  • Logistics and shipping (e.g., FedEx, UPS)
  • Marketing automation, analytics, and customer engagement tools
  • IT infrastructure, technical support, and cybersecurity services
  • Customer service operations

Third-Party Obligations

All third-party service providers are contractually bound to:

  • Process data only for purposes disclosed to you and in compliance with applicable laws
  • Implement industry-standard safeguards (e.g., encryption, access controls)
  • Notify us immediately of any security breaches

4.2 Legal Obligations & Protection

We may disclose information where legally required or to:

  • Respond to valid legal requests, including subpoenas, court orders, or governmental investigations
  • Protect against fraud, threats to safety, or unlawful activities
  • Defend the rights, property, or safety of COOVAVO, our users, employees, or the public

4.3 Corporate Transactions

In the event of mergers, acquisitions, asset sales, or bankruptcy proceedings:

  • Transferred information remains subject to existing privacy commitments
  • Affected users will receive advance notice of material ownership changes
  • Successor entities must honor these obligations unless prohibited by law

4.4 Affiliated Entities

We may share your information with parent companies, subsidiaries, and affiliates under common ownership for:

  • Consolidated business operations and service delivery
  • Cross-promotional opportunities (opt-out options provided where legally required)

4.5 De-identified Data Usage

Aggregated or anonymized datasets (irreversibly stripped of personal identifiers) may be shared with:

  • Research institutions and advertising networks
  • Market analysts and government agencies
  • Industry analysts and business consultants

4.6 Operational Necessity

Information may be disclosed to processors and subprocessors essential for:

  • Fulfilling user requests for products/services
  • Supporting critical infrastructure (e.g., cloud providers, network security platforms, communication systems)

4.7 Consent-Based Sharing

Your information may be disclosed:

  • To third parties with your explicit consent
  • For promotional offers or services where you have voluntarily opted in

4.8 Global Operations

For international operations, data may be transferred to subsidiaries, partners, or service providers in compliance with cross-border data transfer regulations, including:

  • GDPR: Use of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or adequacy decisions for transfers outside the EEA
  • PIPEDA: Contractual clauses ensuring equivalent protection of Canadian data, and assessments of third-party jurisdictions' privacy laws

European Economic Area (EEA) Users

Personal data is processed only where a valid legal basis exists under GDPR, including:

1) Consent:
When you have given specific permission for particular processing activities, such as:
  • Receiving marketing communications
  • Participating in promotional campaigns
  • Third-party data sharing arrangements
2) Contractual Necessity:
To fulfill our contractual obligations to you, including:
  • Product/service delivery and order fulfillment
  • Customer support and warranty administration
  • Payment processing and transaction management
3) Legal Compliance:
When required to adhere to legal obligations, such as:
  • Responding to lawful requests (court orders, subpoenas, warrants)
  • Maintaining business records per statutory requirements
  • Reporting obligations to regulatory authorities
4) Minors:
We do not knowingly process personal data of individuals under 16 without parental consent, unless member state law allows a lower age (not below 13).
5) Legitimate Interests:
Where necessary for our legitimate business interests or those of third parties, provided such interests do not override your fundamental rights. This includes:
  • Product/service improvement through data analysis
  • Fraud detection and prevention mechanisms
  • Network security maintenance
  • Business continuity planning
6) Objections:
Contact our Data Protection Officer (DPO) at dpo@coovavo.com. Processing will be suspended within 30 days unless overriding legitimate grounds are demonstrated.

Canadian Users: PIPEDA-Specific Safeguards

  • Consent: We obtain meaningful consent before collecting, using, or disclosing your information. You may withdraw consent at any time by contacting privacy@coovavo.com.
  • Access & Correction: You may request access to or correction of your information within 30 days.
  • Retention: Information is retained only as long as necessary for disclosed purposes or legal obligations, after which it is securely destroyed.
  • Minors: We do not knowingly collect data from individuals under 13 without parental consent.
  • Complaints: Direct concerns to our Privacy Officer (privacy@coovavo.com) or the Office of the Privacy Commissioner of Canada.

Additional Safeguards

  • Security Measures: Encryption, access controls, and regular audits are implemented to protect data.
  • User Rights: You may request to access, correct, delete, or restrict your personal data by contacting us at privacy@coovavo.com.
  • CCPA/CPRA Compliance: We do not "sell" or "share" personal information as defined under California law.

Updates & Notifications

Material changes to this policy will be communicated via email, website banners, or updated timestamps.

5. Your Rights & Choices

5.1 Fundamental Rights:

Depending on your geographic location and applicable data protection laws, you may exercise the following rights:

  • Access & Portability: Obtain a machine-readable copy of personal data in our possession.
  • Rectification: Correct incomplete/erroneous information through account settings or formal request.
  • Erasure: Delete personal data, except where retention is required by law (e.g., transaction records under PIPEDA s.4.5).
  • Consent Management:
    • Withdraw marketing consent via account settings or unsubscribe links (PIPEDA Principle 3.4).
    • Object to secondary data uses (e.g., research, analytics).
  • Processing Restriction: Temporarily or permanently limit processing under certain conditions (EU/UK GDPR).
  • Automated Decision-Making: Opt out of profiling with legal or significant effects (applicable to EU/UK residents under GDPR Article 22).
  • Compliance Accountability: Request documentation demonstrating compliance with applicable laws (PIPEDA Principle 4.1).

5.2 Regional Entitlements

A. California Residents (CCPA/CPRA):

  • Disclosure Rights: Request categories of personal information collected, sold, or disclosed in the preceding 12 months.
  • Opt-Out Rights: Direct us not to "sell" or share personal information (as defined under CCPA).
  • Sensitive Data Limitation: Restrict use of precise geolocation, racial/ethnic origin, health data, and other sensitive data categories.
  • Non-Discrimination Assurance: Receive equal service quality regardless of privacy rights exercise.

B. Other U.S. States (e.g., Colorado, Virginia, Connecticut, Utah):

  • Targeted Advertising Opt-Out: Decline processing of personal data for personalized advertising purposes.
  • Profiling Restriction: Object to automated decision-making that produces legal or similarly significant effects (e.g., Virginia CDPA § 59.1-581, Connecticut CTDPA § 4).
  • Appeal Process: Challenge privacy request determinations through formal review.
  • Additional Rights: Residents of states with applicable privacy laws (e.g., Connecticut CTDPA, Utah UCPA) may exercise rights similar to those listed above, subject to jurisdictional requirements.

C. Canadian Residents (PIPEDA):

  • Transparency: Receive plain-language explanations of data practices.
  • Third-Party Disclosure: Obtain a list of organizations to which your data has been disclosed.
  • Timely Response: Receive a substantive reply within 30 calendar days (extendable under PIPEDA s.8(3)).

D. EU/UK Residents (GDPR/UK GDPR):

  • Consent Withdrawal: Revoke permissions for consent-based processing (e.g., newsletters).
  • Data Transferability: Obtain and transfer your data to another controller in a structured, commonly used, and machine-readable format (GDPR Article 20).
  • Complaint Redress: Lodge complaints with your national Data Protection Authority (e.g., ICO for UK residents).

5.3 Exercising Your Rights

Submission Methods:

  • Contact Privacy Office: privacy@coovavo.com
  • Account Holders: Update information via profile settings
  • Marketing Opt-Outs: Unsubscribe via message in communications or your account settings

Verification Requirements:

  • Account authentication through existing login credentials
  • Non-account holders must provide:
    • Government-issued ID verification (only where legally permissible and necessary)
    • Signed declaration under penalty of perjury (where mandated)
    • Specific data elements matching existing records

Authorized Agent Provisions:

  • Submit valid power of attorney, notarized authorization, or other legally recognized documentation (e.g., electronic authorization for EU/UK residents)
  • Complete dual verification (agent and principal identities)
  • Provide chain-of-custody documentation for all requests submitted by agents
  • Authorization forms must comply with local legal formalities (e.g., written authorization for California residents under CCPA; electronic acceptance under GDPR)

5.4 Operational Considerations

Service Impact

  • Certain feature limitations may apply upon rights exercise
  • Account closure results in permanent access termination
  • New account creation required for renewed service access

Data Retention Exceptions

We retain information as necessary for:

  • Regulatory compliance (e.g., tax records, anti-fraud investigations, or legal holds under PIPEDA s.7(3)/GDPR Article 6(1)(c))
  • Contractual performance (e.g., fulfilling orders or resolving disputes)
  • Archival systems maintenance (e.g., backups stored in accordance with industry standards)
  • Third-party obligations (e.g., data sharing agreements with payment processors or logistics partners)

Retention periods adhere to the principle of data minimization (PIPEDA Principle 4.5; GDPR Article 5(1)(c)).

Response Timelines

  • Initial acknowledgment within 10 business days
  • Substantive response within 45 days (extendable per regulatory requirements)
  • Complaints escalated to supervisory authorities within 72 hours

5.5 Legal Safeguards

  • No fee charged for standard requests
  • Reasonable authentication costs may apply for manifestly unfounded/excessive requests
  • Appeal procedures: Request a review of denied claims within 30 days. EU/UK residents may additionally lodge complaints with their national Data Protection Authority (e.g., ICO for UK residents; GDPR Article 77)
  • Non-retaliation policy for rights exercise (CCPA § 1798.125; GDPR Recital 75)

6. Data Security

6.1 Security Implementation

We employ industry-standard technical, organizational, and physical safeguards designed to protect personal data throughout its lifecycle. Our security program includes but is not limited to:

A. Technical Safeguards

  • Secure transmission protocols using TLS 1.2+ for all web interactions
  • Tokenization of payment data through PCI DSS certified gateways (Stripe/PayPal)
  • Access-controlled storage architecture with hashing for authentication credentials

B. Organizational Protections

  • Vendor risk management program requiring contractual data protection commitments
  • Quarterly access privilege reviews under principle of least privilege
  • Annual third-party security questionnaires for critical service providers

C. System Integrity Measures

  • Annual independent security audits against OWASP Top 10 standards
  • Web application firewall with real-time threat monitoring
  • Mandatory code review process for system updates

6.2 Security Limitations

Notwithstanding the safeguards implemented:

  • No electronic transmission medium can guarantee absolute security
  • We cannot assume liability for circumvention of security measures unrelated to our operational controls
  • Users retain responsibility for maintaining authentication credential confidentiality

6.3 Incident Response

Where a personal data breach occurs that may result in material risk to rights and freedoms, we shall:

  • Notify supervisory authorities within 72 hours of awareness per GDPR Article 33
  • Communicate breach particulars to affected data subjects without undue delay
  • Implement corrective actions through our Computer Security Incident Response Team (CSIRT)

6.4 Continuous Improvement

Our security protocols undergo annual review through:

  • Threat landscape analysis
  • Regulatory change impact assessments
  • Technology lifecycle management

6.5 User Cooperation

You shall promptly notify our Data Protection Officer (DPO) at dpo@coovavo.com regarding:

  • Suspected policy violations (within 24 hours of discovery)
  • Unauthorized account access incidents
  • Security vulnerability disclosures

7. International Data Transfers

We may transfer your personal data to jurisdictions outside your country of residence, including China and other regions outside the European Economic Area (EEA), United Kingdom (UK), United States (US), or Canada. All transfers adhere to applicable legal safeguards and security standards.

For EEA/UK Data Subjects

When transferring personal data outside the European Economic Area (EEA) and United Kingdom, we rely on:

  • EU Standard Contractual Clauses (SCCs) (2021 version, Module Two for controller-to-processor transfers) or the UK International Data Transfer Agreement (IDTA).
  • Explicit consent under GDPR Article 49, which will only be requested for occasional and necessary transfers to non-adequate jurisdictions.

For Canadian Data Subjects

Transfers governed by PIPEDA and provincial laws (e.g., Quebec's Law 25) are secured through:

  • Contractual clauses ensuring equivalent protection to Schedule 1 principles of PIPEDA.
  • Consent where required by provincial regulations.

Security Measures

We implement proportional safeguards to protect your data, including:

  • Encryption: Industry-standard encryption (e.g., TLS 1.2+) for data in transit.
  • Access Controls: Role-based restrictions to limit internal access.
  • Data Minimization: Secure deletion of unnecessary data under GDPR Article 17.
  • Third-Party Audits: Regular vulnerability assessments of our systems.

Third-Party Processors

Recipients of your data must demonstrate compliance with:

  • EU-U.S. Data Privacy Framework (DPF) for transatlantic transfers.
  • GDPR Article 28/46 contractual obligations for processors.
  • PCI DSS compliance for payment processing.

Payment Gateways

We use certified providers (e.g., Stripe, PayPal) that tokenize payment data. These third parties operate independently.

Your Rights

You may:

  • Request a Transfer Impact Assessment via privacy@coovavo.com
  • Object to specific transfers under GDPR Article 21.
  • Withdraw consent (where applicable).
  • Access, correct, or delete your data under GDPR, PIPEDA, or CCPA* (*small businesses may be exempt from CCPA).

Legal Basis for Transfers

Transfers are strictly limited to:

  • Contractual Necessity: Order fulfillment and service delivery.
  • Legal Obligations: Compliance with customs or tax laws.
  • Legitimate Interests: Fraud prevention and network security.

Additional Disclosures

  • Data Retention: Personal data is retained for 7 years post-transaction to comply with tax obligations, unless a shorter period applies.
  • Breach Notification: Unauthorized access to your data will be reported to regulators within 72 hours (where required by law).
  • Children's Privacy: We do not knowingly process data from individuals under 13.

8. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our website, analyze traffic, and personalize content. By continuing to use our website, you consent to the use of cookies. For more information about the types of cookies we use, how we use them, and how you can manage your preferences, please refer to our Cookies Policy.

We may use third-party analytics providers who also use cookies to gather information on how visitors interact with our site. For more information on how these third parties use cookies, please consult our Cookies Policy.

9. Data Security and Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by applicable laws in the jurisdictions where we operate (European Union, United States, and Canada). Retention periods are determined based on the following criteria:

9.1 Legal and Operational Retention Periods

Order Fulfillment & Tax Compliance:

  • Transaction records (e.g., orders, invoices) are retained for 7 years to comply with tax obligations under EU VAT Directive, U.S. IRS regulations, and Canada's Income Tax Act.
  • Warranty-related data is retained for 2 years post-transaction, unless extended by contractual terms.

Consumer Rights and Disputes: Data linked to returns, refunds, or disputes is retained for 3 years from the transaction date to align with EU consumer protection laws (e.g., Directive 2019/771) and U.S./Canada statutes of limitations.

Legal Proceedings: Data may be retained beyond standard periods if necessary for ongoing litigation, regulatory investigations, or fraud prevention.

9.2 Security Measures

To protect retained data, we implement:

  • Encryption: SSL/TLS protocols for data transmission and storage.
  • Access Controls: Role-based permissions restricted to authorized personnel.
  • Internal Audits: Biannual reviews of data practices to ensure compliance and identify risks.
  • Employee Training: Mandatory annual training on GDPR, CCPA, PIPEDA, and internal security protocols.

9.3 Data Deletion and Anonymization

  • Upon expiry of retention periods, personal data is securely deleted or irreversibly anonymized (e.g., cryptographic erasure).
  • Exceptions apply for legal holds or public interest requirements.

9.4 User Rights

  • Access/Deletion Requests: Submit via privacy@coovavo.com. We respond within 30 days (EU/Canada) or 45 days (U.S.), as mandated by GDPR, PIPEDA, and CCPA.
  • Denial Grounds: Requests may be refused if data is needed for legal compliance, contractual performance, or fraud detection.

9.5 Jurisdictional Compliance

EU (GDPR):

  • Data minimization and explicit retention justifications (Article 5(1)(e)).
  • Cross-border transfers comply with SCCs or adequacy decisions.

U.S. (CCPA/State Laws):

  • Disclose retention periods in privacy notices (CCPA §1798.100(a)).

Canada (PIPEDA):

  • Retain data only as long as necessary for fulfillment of purposes (Principle 4.5).

10. Third Party Links and Services

Our website may include links to third-party websites, applications, or services, such as social media platforms, payment processors, communication tools (e.g., live chat), and identity verification providers. These third-party services operate independently and may collect or retain personal information based on their own policies when you interact with them.

Disclaimer of Responsibility

We do not control, endorse, or assume responsibility for:

  • The content, accuracy, or security practices of third-party services;
  • Any data collected, processed, or shared by third parties;
  • Compliance with applicable laws by third-party operators.

Your Responsibilities

By using third-party services linked through our website:

  • You acknowledge that their data practices are governed by their respective privacy policies and terms of use, not ours.
  • You are encouraged to review their policies before sharing personal information.

Data Transfers (GDPR Specific):

For EU/EEA users, be advised that Third-Party Services may operate in jurisdictions without adequacy decisions. By proceeding, you:

  • Consent to potential cross-border data transfers
  • Acknowledge varying levels of data protection oversight

Compliance Notes

  • GDPR (EU/EEA): If you reside in the European Economic Area, note that third parties transferring data outside the EEA must provide adequate safeguards under GDPR Article 46. Contact them directly for details.
  • CCPA/CalOPPA (California): California residents may have additional rights to opt out of data sharing. Direct requests to the relevant third party.
  • PIPEDA (Canada): Third parties must obtain meaningful consent for data collection. Report non-compliant practices to the Office of the Privacy Commissioner of Canada.

For questions about third-party services linked on our website, contact us at privacy@coovavo.com. For concerns about third-party data practices, contact the service provider directly.

11. Children's Privacy

Our services are not directed to, and we do not knowingly collect, use, or disclose personal information from:

  • Individuals under the age of 13 in the United States or Canada,
  • Individuals under the age of 16 in the European Union (EU), the United Kingdom (UK), or other jurisdictions where local law mandates a higher age threshold for consent.

If we become aware that we have inadvertently collected personal information from a child under the applicable minimum age without verified parental or guardian consent, we will promptly take steps to delete such information. Parents or guardians who believe their child's data may have been submitted to us may contact us at privacy@coovavo.com to request its removal.

We comply with all relevant laws, including:

  • The U.S. Children's Online Privacy Protection Act (COPPA),
  • The EU/UK General Data Protection Regulation (GDPR), and
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

12. Updates to This Policy

We reserve the right to modify or update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or operational needs. The revised version will be posted on this page with an updated "Last Updated" date. We encourage you to review this Policy regularly to stay informed about how we handle your information.

Material changes (e.g., modifications affecting the purposes or methods of data processing, third-party sharing, or user rights) will be communicated proactively through one or more of the following methods:

  • Email notifications to registered users;
  • A prominent banner or notice on our website or within our services.

In jurisdictions where required by law (including the European Union under GDPR), we will seek your explicit consent for changes that impact the legal basis of data processing or significantly alter your rights.

If you disagree with any revisions, you may discontinue using our services. Your continued use after the effective date of the updated Policy constitutes acceptance of the changes.

For clarity, prior versions of this Policy will be archived and made available upon request. For questions about updates, contact us at privacy@coovavo.com.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us through one of the following methods:

Email: privacy@coovavo.com
Mailing Address: Chuangxiang E Center, No. 92 Fukang Road, Longgang District, Shenzhen, Guangdong, China
Phone: +86-18503009176



California Privacy Notice

Last Updated: September 5, 2025



This California Privacy Notice ("Notice") supplements our Privacy Policy and applies exclusively to California residents ("consumers" or "you") under the California Consumer Privacy Act of 2018 ("CCPA") and the California Privacy Rights Act of 2020 ("CPRA"). This Notice outlines your rights and our practices regarding your personal information.

1. Scope and Applicability

This Notice addresses CCPA/CPRA requirements and outlines how COOVAVO ("we", "us", or "our") collects, uses, discloses, and retains personal information of California residents.

2. Personal Information, Collection, Disclosure, Sale and Sharing

2.1 Categories of Personal Information Collected

In the preceding twelve months, we may have collected the following categories of personal information as defined by the CCPA/CPRA:

  • Identifiers: Name, alias, postal address, email address, IP address, account name, unique personal identifier, online identifier.
  • Commercial Information: Purchase history, transaction records, products/services considered.
  • Internet/Network Activity: Browsing behavior, search history, interactions with websites/applications, cookies.
  • Geolocation Data: Precise physical location (e.g., latitude/longitude).
  • Sensory Information: Audio, electronic, visual, or similar data (e.g., customer service call recordings).
  • Professional/Employment Information: Job application details, employment history, resumes.
  • Protected Classifications: Gender, age (voluntarily provided).
  • Inferences: User preferences, characteristics, behavioral profiles derived from the above data.
  • Sensitive Personal Information: Account log-in credentials (e.g., username/password combinations), precise geolocation data (limited to purposes necessary for service delivery).

Additional Use Limitation: Sensitive personal information will only be used as necessary for service delivery (e.g., account authentication). We will not use it for other purposes (e.g., advertising targeting) without your explicit consent.

2.2 Sources of Personal Information

We collect personal information from the following sources:

  • Direct interactions (e.g., forms, purchases, account registrations).
  • Automated technologies (e.g., cookies, device identifiers, analytics tools).
  • Affiliates and third parties (e.g., social networks, data analytics providers, data brokers, advertising partners).

2.3 Business Purposes for Collection and Use

In the preceding twelve months, we may have used personal information for the following purposes:

  • Service Delivery: Account maintenance, order fulfillment, customer support, payment processing.
  • Security: Detecting and preventing fraudulent, malicious, or illegal activity.
  • Auditing: Verifying ad impressions, transaction compliance, and service quality.
  • Debugging: Identifying and repairing technical errors.
  • Research and Development: Improving services, products, and technological capabilities.
  • Legal Compliance: Responding to lawful requests and regulatory obligations.
  • Short-Term Use: Contextual ad customization within a single interaction.
  • Advertising: Cross-context behavioral advertising (subject to opt-out rights).
  • Recruitment: Processing job applications for COOVAVO and its affiliates.

2.4 Disclosure of Personal Information

In the preceding twelve months, we may have disclosed personal information to the following categories of third parties:

  • Service Providers/Vendors: For payment processing, IT vendors, analytics, customer support, and marketing.
  • Affiliates and Acquirers: During mergers, acquisitions, or business transfers.
  • Data Analytics Providers: To analyze user interactions and improve services.
  • Social Networks: For advertising and engagement purposes.
  • Legal/Government Entities: As required by law or regulatory obligations.
  • Partners in Mergers/Acquisitions: During business transfers, sales, or asset transactions.
  • Advertising Networks: For targeted marketing (e.g., Google Ads, Meta) and ad impression verification.

Note: "Partners" refers to entities not contractually restricted from using data independently, which may constitute "sharing" under CPRA.

2.5 Sale or Sharing of Personal Information

We do not sell personal information for monetary consideration. However, under the CCPA/CPRA, "sharing" refers to disclosing data to third parties for cross-context behavioral advertising. In the preceding twelve months, we may have shared the following categories for advertising purposes:

  • Identifiers (e.g., IP addresses, email).
  • Commercial information (e.g., purchase history).
  • Internet/network activity (e.g., browsing history).
  • Geolocation data.
  • Inferences drawn from the above.

Third Parties Involved in Sharing:

  • Advertising networks
  • Data brokers
  • Merchant partners
  • Social networks

3. Your Rights Under the CCPA/CPRA

As a California resident, you have the following rights:

3.1 Right to Know

You may request:

  • Categories and specific pieces of personal information we collected about you.
  • Categories of sources from which we collected such information.
  • Business or commercial purposes for collecting, selling, or sharing your information.
  • Categories of third parties with whom we share your information.

3.2 Right to Delete

You may request deletion of personal information we collected, subject to legal exceptions (e.g., fraud prevention, legal compliance).

3.3 Right to Opt-Out of Sale/Sharing

You have the right to opt out of the sharing of your personal information for cross-context behavioral advertising. To exercise this right, click the "Do Not Sell or Share My Personal Information" link in the footer of our website, submit a request using the methods provided below, or enable the Global Privacy Control (GPC) signal in supported browsers (e.g., Brave, DuckDuckGo).

3.4 Right to Correct

You may request correction of inaccurate personal information. We will process requests within 30 days and notify you in writing if an extension is needed.

3.5 Right to Non-Discrimination

We will not discriminate against you for exercising your rights, including denying services, charging different prices, or providing a lower quality of services.

3.6 Right to Limit Use of Sensitive Personal Information

You may request limits on the use of sensitive personal information beyond what is necessary for service delivery.

4. How to Exercise Your Rights

Submit verifiable requests via:

  • Online: Use our "Do Not Sell or Share My Personal Information" link.
  • Phone: +86-18503009176
  • Email: privacy@coovavo.com

Please be advised that we do not accept or process requests via other channels (e.g., fax or social media).

Verification Process:

We will verify your identity by matching information provided with our records. Authorized agents must submit proof of authorization.

Response Timeline:

We will respond within 45 days (extendable by an additional 45 days with prior notice).

5. Data Retention

We retain personal information as necessary for disclosed purposes or legal obligations. Examples include:

  • Transaction records: 7 years for tax compliance.
  • Account information: 1 year after account deletion for dispute resolution.

6. Minors' Data

We do not knowingly sell or share personal information of consumers under 16.

7. Security Practices

We implement technical and organizational measures (e.g., encryption, access controls) to protect personal information.

8. Deidentified Information

We may deidentify certain personal information by removing identifiers or aggregating data to ensure it cannot reasonably be linked to an individual. Deidentified information (e.g., aggregated data with removed identifiers) is not subject to CCPA/CPRA rights requests and may be used for internal analytics or research, or shared with third parties.

9. Do Not Track (DNT)

We do not respond to Do Not Track (DNT) signals, as there is currently no uniform standard or legal requirement to do so. For choices regarding the sale/sharing of your personal information, please use the methods outlined in Section 3.3 (Right to Opt-Out of Sale/Sharing).

10. Financial Incentive

We may offer financial incentive programs, such as discounts, coupons, or loyalty rewards ("Incentives"), in exchange for your consent to collect, retain, or use certain categories of personal information. Participation in these programs is voluntary and requires your prior opt-in consent.

Program Details:

10.1 Types of Incentives:

  • Discount coupons for future purchases (e.g., 10% off for newsletter sign-up).
  • Exclusive offers based on purchase history.
  • Loyalty points redeemable for rewards.

10.2 Categories of Personal Information Used:

  • Identifiers: Email address, account name.
  • Commercial Information: Purchase history, transaction records.
  • Internet Activity: Browsing behavior (if used for personalized offers).

10.3 Value Calculation:

The value of the Incentives is reasonably related to the estimated value of your data to our business, based on factors such as marketing costs and consumer benefit.

10.4 How to Opt-In:

  • Check the box during checkout or account registration to enroll.
  • Agree to terms when redeeming a promotional code.

10.5 Withdrawal Rights:

You may withdraw from any program at any time by:

  • Clicking "Unsubscribe" in program-related emails.
  • Contacting us via privacy@coovavo.com.
  • Visiting your account settings to disable participation.

Note: Opting out of a program will not affect prior rewards but may limit future eligibility.

11. Updates to This Notice

We may update this Notice periodically. Material changes will be posted on our website or communicated via email.

12. Contact Us

For questions or concerns about this Notice or your CCPA/CPRA rights:

  • Email: privacy@coovavo.com
  • Phone: +86-18503009176
  • Address: Chuangxiang E Center, No. 92 Fukang Road, Longgang District, Shenzhen, Guangdong, China

This California Privacy Notice is effective as of the date stated above and applies solely to California residents.