California Privacy Addendum
Updated: September 9th, 2021
This California Privacy Addendum (“Addendum”) amends and is an integral part of Branch Metrics, Inc.’s Terms & Conditions (or instead, where there is a service agreement in place between you and Branch (“Service Agreement”), of that Service Agreement), which together with one or more Order Forms, addendums, or exhibits forms the “Agreement” between you (“Business,” “you,” or “your”) and Branch
Metrics, Inc. d/b/a Branch Metrics (“Branch,” “Branch Metrics,” “we,” or “us”), each a “Party” and collectively the “Parties”. This Addendum shall prevail over any conflicting term of the Agreement with regard to the Personal Information of residents of the State of California.
The following terms will have the meanings set forth below. Capitalized terms used in this Addendum that are not defined herein shall have the meanings set forth in the Agreement.
- “CCPA” means the California Consumer Privacy Act at Cal. Civ. Code §§ 1798.100 - 1798.199.
- “Personal Information” shall have the meaning set forth in the CCPA, limited to the information that Branch processes on behalf of Business.
- The terms “Business” and “Sell” shall have the meaning set forth in the CCPA.
II. PARTIES’ ROLES
- The Parties agree that you are a Business and Branch is a Service Provider, as those terms are defined in the CCPA.
III. BRANCH’S OBLIGATIONS
- Business Instructions. Business directs Branch to collect, retain, use, disclose, and/or otherwise process Personal Information for (i) to fulfill Branch’s obligations to perform the Branch Services under the Agreement, (ii) to fulfill Branch’s obligations in this Addendum, (iii) internal use as permitted by the CCPA, (iv) to detect data security incidents or protect against fraudulent or illegal activity, and (v) as otherwise directed by Business in writing.
- Use Limitations. Branch shall not Sell Personal Information or otherwise retain, use, or disclose Personal Information for any commercial purpose other than for the specific purposes set forth herein.
- Permitted Uses. In addition to the purposes set forth above, Business understands and agrees that Branch may collect, retain, use, disclose, and otherwise process Personal Information as follows:
- To collect, use, retain, share, or disclose Personal Information that has been (A) aggregated or (B) de-identified in accordance with the CCPA.
- To comply with applicable laws.
- To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities
- To cooperate with law enforcement agencies concerning conduct or activity that Business, Branch, or a third party reasonably and in good faith believes may violate federal, state, or local law.
- To exercise or defend legal claims.
- Access and Deletion Requests. Upon written request of Business, Branch shall assist Business in complying with Business’ obligations under the CCPA to respond to verifiable consumer requests to access or delete Personal Information. Branch shall have no obligation to reidentify or otherwise link information that is not maintained in a manner that would be considered Personal Information.
- Branch Certification. Branch certifies that it understands the restrictions and obligations set forth above.
IV. BUSINESS OBLIGATIONS.
- Compliance with Applicable Law. Business shall comply with applicable laws, including without limitation, and to the extent required: (i) providing notice; (ii) obtaining consent; (iii) honoring access, deletion, opt-out, and opt-in rights and requests; and (iv) otherwise ensuring that it and Branch have any and all rights required in order for Branch to collect, retain, use, disclose, and otherwise process Personal Information under the Agreement.
- Business Directions. Business shall not direct Branch to collect, retain, use, disclose, or otherwise process Personal Information in violation of the CCPA or other applicable laws.
- Responding to Requests. Business understands and agrees that it is solely responsible for responding to requests to exercise individual rights and that Branch shall have no responsibility to respond directly to an individual on the Business’ behalf, absent written instructions from the Business. Where Branch receives a consumer request to access or delete Personal Information, it may inform the individual that the request cannot be acted upon because the request has been sent to a Service Provider.