CCPA Privacy Policy Amendment
Appendix A
Privacy Information for California Residents
This Appendix applies solely to individuals who reside in the State of California (“consumers” or “you”). This Appendix complies with the California Consumer Privacy Act of 2018, as amended, (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Appendix. This Appendix does not apply to personal information outside the scope of the CCPA, including, for example:
- Personal health information collected, processed, sold, or disclosed pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”).
- Personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living as set forth in the Fair Credit Reporting Act.
- Standard Process as a Service Provider
When Standard Process acts as a service provider for its business customers, it collects some personal information on behalf of its customers subject to its contractual obligations. When Standard Process acts as a service provider for its business customers, it follows the instructions of its customer on how to process personal information on its customer’s behalf. The provisions of this Appendix do not apply to the personal information that Standard Process processes on behalf of our business customers.
- Disclosures
The below chart lists the categories of personal information that Standard Process may collect or has collected in the past 12 months and how it discloses such information. Standard Process may also disclose your personal information to a third party, such as a care provider, upon your request or at your direction.
Categories of Personal Information | Categories of Third Parties with whom Personal Information is Shared |
---|---|
Identifiers. This may include a real name, alias, address, email address, phone number, Social Security Number, driver’s license number, online identifier, IP address, account username and password, or other similar identifiers. | Entities that we are legally required to share with pursuant to law; service providers; prospective purchasers of our business; our affiliates; outside auditors and lawyers; your care providers; and social networks. |
Internet and network information. This may include information on your interaction with a website, application, or advertisement, such as browsing history and how you use your account. | Entities that we are legally required to share with pursuant to law; service providers; our affiliates; outside auditors and lawyers; and your care providers. |
Device information. This may include the operating system of your device, device identifier, the type of device you are using, or your geolocation information. | Entities that we are legally required to share with pursuant to law; our affiliates; and service providers. |
Order information. This may include information about what you order, shipping, returns, product complaints, or warranties. | Entities that we are legally required to share with pursuant to law; service providers; prospective purchasers of our business; our affiliates; outside auditors, insurers, and lawyers; and your care provider. |
Payment and credit information. This may include your credit or debit card information, banking information, information about your payment transaction, or other financial information you provide us. | Entities that we are legally required to share with pursuant to law; service providers; prospective purchasers of our business; our affiliates; and outside auditors and lawyers. |
Other information you submit to Standard Process or its service providers. This may include requests or communications you submit to us, emails, ratings, social media communications, or customer service call recording. | Entities that we are legally required to share with pursuant to law; service providers; our affiliates; outside auditors and lawyers; and social networks. |
Research or survey information. This may include survey results and other information about your participation in our research trials, such as information regarding your health, activities, preferences, and characteristics. | Entities that we are legally required to share with pursuant to law; service providers; our affiliates; and outside auditors and lawyers. |
Health information. This may include information about your weight, height, health goals, blood pressure, medical conditions, or physical characteristics. This does not include information processed pursuant to HIPAA. | Entities that we are legally required to share with pursuant to law; service providers; our affiliates; and your care provider. |
Inferences about you. This may include information about your preferences, characteristics, predispositions, behavior, or other trends that help us identify which products you may be interested in. | Service providers; our affiliates; and social networks. |
Applicant or employment information. This may include your name, address, resume, work history, education, cover letter, drug screening information, and background check information. | Entities that we are legally required to share with pursuant to law; our affiliates; and service providers. |
- Uses of Personal Information
Standard Process may use personal information for the following purposes:
- to process and fulfill your order(s) for products;
- to respond to any of your inquiries or questions about our products and/or services;
- for internal marketing purposes;
- to provide you with additional and updated information, materials, and other advertisements regarding Standard Process products and/or services;
- to offer you other materials and/or information that Standard Process believes may be of interest to you;
- to comply with legal obligations and cooperate with government officials or parties in litigation under process of law, to prevent a crime, or as otherwise required by law;
- to enforce or comply with Standard Process’s contracts with you, your care provider, or other third parties or protect the security or integrity of the Site;
- to protect against fraud, identity theft, or a threat of safety or destruction of property;
- to protect against legal liability;
- to create and manage user accounts;
- to process payment;
- to communicate with the user’s health care provider regarding the user’s use of the Site;
- to perform data analyses and/or research (including de-identification and aggregation of personal information) or to conduct surveys; and/or
- to evaluate you for employment at Standard Process or to begin the employment process.
Standard Process may share user product order information, including the items and quantities ordered, with the user’s health care provider who recommended the product(s).
- Sensitive Personal Information
Sensitive Personal Information consists of: (1) government identifiers, such as Social Security Numbers and drivers’ license numbers; (2) account log-in information (e.g., financial account or credit card numbers in combination with any required access codes or passwords); (3) precise geolocation information; (4) racial or ethnic origin, religious or philosophical beliefs, or union membership; (5) content of postal mail, email, and text messages, unless the business is the intended recipient of the subject communications; (6) genetic data; and (7) biometric information that uniquely identifies a consumer or information concerning a consumer’s health, sex life, or sexual orientation. To the extent we collect information that is considered Sensitive Personal Information under CCPA, it is listed in the chart above. Standard Process may use information regarding your health to make inferences that allow us to provide you with information and recommendations regarding our products.
- Sources of Information
Standard Process may collect personal information from the following sources: you, your agents, through our third-party service providers, data analytics providers, social media networks, and your care provider.
- Sale and Sharing of Personal Information
CPRA defines “Sharing” as any disclosure of personal information to third parties for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. “Cross-context behavioral advertising” is defined as the targeting of advertising based on your personal information obtained from your activity across websites, applications, or services outside of the Sites or Standard Process Services.
In the past 12 months, we have not sold personal information. To ensure we can share our products with you and tailor our advertisements, we do allow some of our advertising partners to use cookies, pixels and other technologies to collect personal information on our website or services, which may constitute Sharing under CPRA.
- Data Retention
We will retain your personal information for no longer than is necessary for the purpose stated in this Privacy Policy, unless otherwise extending the retention period is required or permitted by law or subject to our retention policies as may be in place from time to time. The data storage period may vary with scenario, product, and service. The standards we use to determine the retention period are as follows: the time required to retain personal information to fulfill business purposes, including providing products and services; maintaining business records; controlling and improving the performance and quality of the Sites; handling possible user queries or conducting assessments of user complaints; whether you agree to a longer retention period; and whether the laws, contracts, and other equivalencies have special requirements for data retention.
- California Residents’ Rights and Choices
The CCPA provides California residents with specific rights regarding their personal information, described below. Below are your CCPA rights and how to exercise those rights.
a. Access to Specific Information and Data Portability Rights (“Right to Know”)
You have the right to request that Standard Process disclose certain information to you about its collection and use of your personal information over the past 12 months. You may request:
- The categories of personal information Standard Process collected about you;
- The categories of sources of personal information Standard Process collected about you;
- Standard Process’ business or commercial purpose for collecting that personal information;
- The categories of third parties with whom Standard Process shares that personal information;
- The specific pieces of personal information Standard Process collected about you including whether or not Standard Process collects Sensitive Personal Information; or
- Whether information, if any, is Sold or Shared by Standard Process.
b. Deletion Request Rights
You have the right to request that Standard Process delete some or all of the personal information that it has collected from you and retained, subject to a number of exceptions. Standard Process is not required to delete personal information that is: (i) necessary to complete a transaction with you or for warranty or product recalls; (ii) used for security purposes, to prevent fraud, to fix errors, or to comply with law; (iii) reasonable for Standard Process to use for internal purposes given its relationship with you; or (iv) compatible with the context in which you provided the information. The list of exceptions above is not exhaustive, and we may also deny a deletion request as otherwise permitted by law.
c. Correction Rights
You have the right to request that Standard Process amend your personal information if it is inaccurate or outdated, such as an outdated address. Standard Process is not required to correct information that is subjective, such as an opinion.
d. Limiting Our Use of Your Information
In certain circumstances, you have the right to limit our non-essential use of your personal information, including Sensitive Personal Information.
e. Exercising Your Rights
To exercise your rights described above, please submit a verifiable consumer request to Standard Process by either:
- Calling us at 800-558-8740.
- Visiting CCPA Request Form.
Only you, or a person that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. If you are making a request on behalf of another person, you must provide written legal documentation that you are authorized to act on behalf of that individual.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows Standard Process to reasonably verify you are the person about whom it collected personal information or an authorized representative; and
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Standard Process may not be able to fulfill your request or provide you with personal information if it cannot verify your identity or authority to make the request and confirm the personal information relates to you. To verify your identity, Standard Process may request up to three pieces of personal information about you, and Standard Process reserves the right to take additional steps as necessary to verify your identity if it has reason to believe a request is fraudulent.
f. Response Timing and Format
Standard Process endeavors to respond to a verifiable consumer request within 45 days of its receipt. If Standard Process requires more time (up to 90 days), it will inform you of the reason and extension period in writing. Standard Process will deliver the written response by mail or electronically, at your option.
Any disclosures Standard Process provides will only cover the 12-month period preceding the date it receives your verifiable consumer request. The response Standard Process provides will also explain the reasons it cannot comply with a request, if applicable. For data portability requests, Standard Process will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
Standard Process does not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If Standard Process determines that the request warrants a fee, it will tell you why it made that decision and provide you with a cost estimate before completing your request.
e. Non-Discrimination
You have the right to not be discriminated against for exercising any of your CCPA rights. Unless permitted by the CCPA, Standard Process will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- Provide you a different level or quality of goods or services; or
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.