Thrive TRM — GDPR FAQ Frequently Asked Questions Is Thrive TRM, LLC GDPR Compliant? How does Thrive TRM, LLC protect users’ privacy and keep that information secure? Is the Thrive TRM, LLC GDPR policy specific only to citizens and residents of the EU? How can I exercise my Personal Privacy Rights with Thrive TRM, LLC? How can I exercise my Personal Privacy Rights at a company that uses Thrive TRM, LLC products to manage data that pertains to me? What does Thrive TRM, LLC do with data we collect? What are my rights in relation to my information? Request my personal data – GDPR Form Thrive TRM, LLC has always been committed to customers’ privacy rights, and our compliance with GDPR is a natural extension of that commitment. Below are answers to some commonly asked questions about Thrive TRM, LLC’s GDPR compliance and our privacy policy in general. Is Thrive TRM, LLC GDPR Compliant? Yes, Thrive TRM, LLC is GDPR compliant, both as a trusted data controller and as a trusted data processor. As a business focused on a great experience for our customers, we need to collect and store certain data about our users in order to properly serve them. However, our privacy policy and internal process are designed to limit the dissemination of any personal information beyond the business systems required to service our customers. Our business systems are all third-party data processors that guarantee their ability to implement the technical and organizational requirements of the GDPR. Built onto these policies and systems are GDPR-specific processes to execute GDPR-related transactions upon the request of any person that has done business with Thrive TRM, LLC. How does Thrive TRM, LLC protect users’ privacy and keep that information secure? As a company which develops and markets online products, we take very seriously issues associated with information security, including keeping private the personal data of our users, customers, partners, and employees. Our approach to securing personal data is based on both following the guidelines of United States National Institute of Standards and Technology Cyber Security Framework and the mandates of the European Union General Data Privacy Regulation (GDPR). We employ a combination of best of breed cybersecurity products, including our own, together with a comprehensive set of internal policies and procedures to collect, store and restrict access to all personal data. Is the Thrive TRM, LLC GDPR policy specific only to citizens and residents of the EU? Thrive TRM, LLC’s privacy policy applies to all the parties (customers, prospects, partners, vendors, employees, etc.) we work with, regardless of whether those parties are part of the GDPR regulatory scope. How can I exercise my Personal Privacy Rights with Thrive TRM, LLC? The thrivetrm.com website.com provides a link to “Request My Personal Data” form that will allow users who have interacted with Thrive TRM, LLC to request Thrive TRM, LLC to delete, restrict, access, and/or rectify your data. This page is a person’s starting point for all data privacy-related transactions between you and Thrive TRM, LLC, the company. These requests can also be made by sending an email to: contactus@thrivetrm.com. How can I exercise my Personal Privacy Rights at a company that uses Thrive TRM, LLC products to manage data that pertains to me? If you interact with a company that uses Thrive TRM, LLC products to manage data, and you want to exercise your privacy rights as it relates to that data, you must contact the company that manages your data; i.e. Thrive TRM, LLC’s customer. Thrive TRM, LLC provides tools and services to our customers that allow them to manage the data on our systems to comply with GDPR, but Thrive TRM, LLC itself cannot manage the data directly. In this context, Thrive TRM, LLC has the role of what the GDPR terms “Data Processor”, whereas the company collecting and managing the data is the “Data Controller”; You must initiate your privacy rights with the “Data Controller”. What does Thrive TRM, LLC do with data we collect? Internally, Thrive TRM, LLC uses industry leading, GDPR compliant systems and processes to manage our relationship with our customers, typically businesses, and the people representing those businesses; these are Marketing systems, Sales systems, and Support systems that all use some personal data to better serve our user community. Externally, Thrive TRM, LLC hosts several products that, by the nature of the services the products provide, collect some user data. For products and services available to the general public, our systems anonymize any user data we collect, so that any person accessing this data does not get access to any personal information associated with that data. For products and services that are used by business entities to manage user data, any data collected and stored on our systems is only accessible to that specific business, and we provide those businesses the tools and processes required for them to be GDPR compliant Thrive commits to attempt to resolve any complaints about our collection or use of your personal data. European Union citizens with inquiries or complaints should first contact Thrive using the contact information provided in the “contact information” section below. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Thrive, please visit the JAMS Privacy Shield Dispute Resolution page here (https://www.jamsadr.com/eu-us-privacy-shield). You also may be able to invoke binding arbitration, under certain circumstances where permitted by the Privacy Shield program, if you believe that there has been a violation of Privacy Shield requirements that has not been appropriately addressed by Thrive. In some jurisdictions you may also be permitted to lodge a complaint to your national data protection authority. Thrive’s compliance with its Privacy Shield obligations is subject to investigation and enforcement by the U.S. Federal Trade Commission. What are my rights in relation to my information? You have the following rights regarding your Personal Data which you can invoke by filling out this form and following the steps described there. Below is a summary of your rights: 1. Right of Access. You have the right to access your Personal Data that we hold about you, i.e. the right to require free of charge: information whether your Personal Data is retained, access to duplicates of the Personal Data retained, Upon your request, along with a duplicate of the data we retained, we will provide you information related to – purpose of the processing, personal data we collect, entities to which we transferred them, time we keep your Personal Data, if possible, and the criteria we used to decide the period, your rights as European Union Citizen, unless the data was collected directly from you, the source of the data, and whether there is an automated decisional process, If the effort of identifying data may be too much, or it may infringe the rights of other people, we have the right to refuse your request, in which case You may file a complaint with a supervisory authority or invoke a dispute resolution process as described below. 2. Right to Rectification. When we process your Personal Data, we shall try to ensure that your Personal Data is accurate and up to date for the purposes for which it was collected. If your Personal Data is inaccurate or incomplete, you can change the information. 3. Right to suspend processing You have the right to request the termination of the processing with or without deletion of the data we have collected where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject. 4. Right to data portability You have the right to receive the Personal Data concerning you, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance. 5. Right to delete. You have the right to obtain deletion by us of Personal Data concerning you. If we delete your Personal Data, you may lose access to Thrive TRM, LLC services which require creation and registration with us of a user account (“User Account”) by you. In some cases, deletion of Personal Data used to create the User Account, is complicated. Namely, if your User Account has a commercial business relationship with Thrive TRM, LLC (in other words, a relationship where you are making payments to us or we are making payments to you), you will only be able to obtain deletion by us your Personal Data after you and Thrive TRM, LLC have dissolved the commercial business relationship associated to that User Account. In some cases, considering the complexity and number of the requests, the period we take to delete your Personal Data may be extended, but for no longer than two further months after the dissolution of the commercial business relationship. 6. Right to Object. When our processing of your Personal Data is based on legitimate interests according to Article 6(1)(f) of the GDPR, you have the right to object to this processing. If you object we will no longer process your Personal Data unless there are compelling and prevailing legitimate grounds for the processing as described in Article 21 of the GDPR; in particular, if the data is necessary for the establishment, exercise or defense of legal requirements.