DATA PRIVACY DECLARATION

Date: October 23, 2020

  1. General information
  2. What kind of data is collected and how is it used?
  3. Which cookies are used?
  4. Social media plugins
  5. Newsletters
  6. Is other personal data collected and processed?
  7. Will my data be transferred to third parties, e. g. authorities?
  8. How long will my data be stored?
  9. Do I have a right to information and rectification of my stored data? What other rights do I have with regard to my stored data?
  10. Can I withdraw my consent to the use of my data?
  11. Who is my contact person if I have questions about data protection?
  12. How long is this data privacy declaration valid?

 

  1. General information

Thank you for your interest in Bristlecone, 10 Almaden Blvd, Suite 990, San Jose, CA 95113 (referred to as “Bristlecone,” “we,” “us,” or “our”). We take data protection and privacy issues very seriously and comply with the applicable state, federal, and European data protection laws. One such law is the European Union’s General Data Protection Regulation (“GDPR”). In light of our obligations under applicable data protection laws, we would like to inform you with this declaration about data protection measures and which personal data we may store and how we use this personal data.

This is Bristlecone’s worldwide data privacy declaration.  It covers the privacy practices of the following “Bristlecone Group Companies”:

  • Bristlecone Inc. in the United States
  • Bristlecone Consulting Ltd. in Canada
  • Bristlecone GmbH in Germany
  • Bristlecone International AG in Switzerland
  • Bristlecone UK Limited in the United Kingdom
  • Bristlecone Middle East in the United Arab Emirates
  • Bristlecone India Limited in India
  • Bristlecone Malaysia Sdn. Bhd. in Malaysia
  • Bristlecone Singapore Pte. Ltd. in Singapore

“Bristlecone” refers to all of the Bristlecone Group companies collectively.

This privacy declaration describes the categories of personal data Bristlecone collects and their sources, how we process personal data, the circumstances in which we will disclose personal data, how we safeguard personal data, exercising individual rights regarding personal data, and resolving disputes relating to Bristlecone’s privacy practices concerning personal data.  This declaration covers:

  • Personal data collected through the Bristlecone website (referred to as the “Site”)
  • Personal data collected via Bristlecone’s social media pages
  • Personal data from representatives of current, prospective, or past customers relating to customer accounts and their management (“Account-Related Information”)
  • Personal data received, created, maintained, transmitted, or otherwise processed by Bristlecone when providing its services to its customer other than Account-Related Information (“Customer Data”)
  • Personal data from representatives of vendors, business partners, and other businesses with which we interact, or individuals doing business with Bristlecone
  • Personal data of individuals attending our company events

We are the trusted partner in supply chain transformation. We specialize in helping organizations create higher-performing environments and deliver positive customer experiences. We empower businesses with the ability to forecast accurately, increase inventory turn, maximize savings, foster customer engagement and improve overall corporate health. We create certainty and unlock value.

  2. What kind of personal data is collected and how is it used?

The table below summarizes the categories of personal data we collect from or about individuals (including California residents) within the last 12 months and the business and commercial purposes for which this personal data will be used and may have been used in the last 12 months.  See the subsections cited below for additional details.  Depending on the nature of your business relationship with Bristlecone, we may have collected and used any or all of these categories of personal information in the last 12 months.

As noted in Section 7.3 below, we do not sell personal information in the ordinary course of business.  In addition, we have not made any sales of personal information in the past 12 months.

Categories of Personal Information / Purposes of Use

“Identifiers” such as a real name, alias, postal address, telephone number, online identifier, email address, and account name.
  • Social media plugins:  We receive Identifiers associated with your social media accounts when you use social media plugins.  See Section 2.4 for more details.
  • Newsletter:  We receive your name and email address when you subscribe to a newsletter.  See Section 2.5 for more details.
  • Job applicants and potential contractors:  We use your Identifiers to assist in the process of reviewing and evaluating your job application.  See Section 2.6 and our Notice of Privacy Practice to Candidates for more details.
  • Some Customer Data may include Identifiers.  We use Customer Data to facilitate providing our services and products.  See Section 2.7 for more details.
  • Account-Related Information:  We use Identifiers within Account-Related Information to provision and manage customer accounts.  See Section 2.8 for more details.
  • Identifiers of representatives of vendors, business partners, and joint marketers:  We use Identifiers to facilitate our business relationship and transact with those entities.  See Section 2.8 for more details.

Internet protocol address
We collect IP addresses from visitors to our Site to help analyze how users use the Site, unless they invoke the IP anonymization on the Site or opt out of the use of Google Analytics.  See Section 2.2 for more details.

Information (other than Identifiers already described above) that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to:

Signature.
We receive agreements, purchase orders, other forms, and communications bearing individuals’ signatures.  We use them to transact business with customers, vendors, and business partners.

Education, employment, and employment history.
  • We may collect company name and job title of contacts we do business with, such as representatives of customers, vendors, and business partners.
  • We collect information about job applicants’ and potential contractors’ education, employment, and employment history when they submit job applications via the Site. See our Notice of Privacy Practice to Candidates for more details.
  • Some Customer Data may include company name and job title.  We use Customer Data to facilitate providing our services and products.  See Section 2.7 for more details.

Bank account number, credit card number, debit card number, or any other financial information.
We collect payment information in order to collect payment from customers for our services, products, and events.

Commercial information, including records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • In connection with customer purchases from Bristlecone and Bristlecone’s purchases from vendors, we keep records of services and products purchased, obtained, or considered, and records of purchasing histories and tendencies for our accounting records and to manage our business more effectively.
  • Some Customer Data may include commercial information of customers or their customers.  We use Customer Data to facilitate providing our services and products.  See Section 2.7 for more details.

Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding an individual’s interaction with an Internet Web site, application, or advertisement.
  • We collect Internet or other electronic network activity information from Site visitors.  See Sections 2.1-2.4 for more details.
  • Social media plugins:  We receive Internet activity associated with your social media accounts when you use social media plugins.  See Section 2.4 for more details.

Geolocation data.
We collect IP addresses from visitors to our Site to help analyze how users use the Site, unless they invoke the IP anonymization on the Site or opt out of the use of Google Analytics.  IP addresses tend to show a user’s location.  See Section 2.2 for more details.

Audio, electronic, and visual information.
  • We may collect testimonial, informational, and other video recordings and images of customer representatives.  The video recordings also contain audio information.
  • Much of the other information in this table is in electronic form.
  • Video recordings (containing audio) and images are used for marketing purposes.
  • See the other sections of this table for purposes of use of the other personal information when it is in electronic form.

Professional or employment-related information (e.g., job title and business contact information).
  • We may collect company name and job title of contacts we do business with, such as representatives of customers, vendors, and business partners.
  • We collect information about job applicants’ and potential contractors’ education, employment, and employment history when they submit job applications via the Site.  See our Notice of Privacy Practice to Candidates for more details.
  • Some Customer Data may include company name and job title.  We use Customer Data to facilitate providing our services and products.  See Section 2.7 for more details.

Inferences drawn from other personal data described in this section reflecting California residents’ preferences, characteristics, psychological trends, predispositions, behavior, abilities, or aptitudes.
Our sales team may collect notes about these characteristics.
Our sales team may collect notes about these characteristics to assist in understanding our customers’ needs and wishes in connection with marketing and selling our services and products.

Context-specific personal information not covered within the categories above.
When you use web forms, mobile app forms, email, text messages, other forms of electronic communications, or postal mail to communicate with us, that communication may contain personal information.  We use that personal information to communicate with you, respond to your inquiries, or to further our business transactions and relationships with you.

The Bristlecone NEO® platform contains whatever data customers upload to the platform.  Some of the data uploaded to the platform may contain personal data.  We process such personal data as a data processor for the purpose of providing services to Bristlecone customers using the Bristlecone NEO® platform.  See Section 2.7 for more details.

If we collect your personal information for purposes covered in this policy and seek to use the personal information for a different purpose not covered by this policy, we will notify you and, where required, seek additional consent to use personal information for the other purpose.

2.1. Personal data collection by the Bristlecone Site

Whenever a user accesses the Bristlecone Site, the user’s Internet browser automatically transfers the following data to Bristlecone’s web server for technical and business reasons:

  • IP address of the requesting computer
  • date and time of access
  • name and URL of the pages viewed
  • the volume of data transmitted to the user
  • whether the user was able to access the relevant page (file transferred, file not found, etc.)
  • identification data of the user’s browser and operating system
  • name of the user’s Internet service provider
  • website from which access is made

This data is collected, processed, and used for the purpose of enabling the use of the website (connection setup), system security and technical administration of the network infrastructure. A comparison with other databases or a transfer to third parties, also in excerpts, does not take place. The legal basis for processing under GDPR is performance of a contract under Article 6 paragraph 1(b).

The personal data collected via web or mobile app forms to communicate with Bristlecone or sent to us via email, text message, or other electronic communication will be used and processed exclusively for the purposes of responding to the communications and addressing any inquiries in them, as well as to carry out the services you may have requested.

2.2. Use of Google Analytics and Cookies

This website uses Google Analytics, a web analytics service provided by Google LLC (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help analyze how users use the Site. We use Google Analytics to collect information about the computer or mobile device you use to access the Site, such as the operating system and version, Flash version, Java support, screen settings, and location information based on your IP address.  For a more detailed listing of information collected by Google Analytics, please refer to the article here.

For users outside the USA, the information generated by cookies about your use of the Site is usually transferred to a Google server in the USA and stored there. However, if you activate the IP anonymization on the Site, your IP address will be shortened by Google prior to storage or processing. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. Google will use Google Analytics information to evaluate your use of the Site, to compile reports on Site activity and to provide us with further services related to Site and Internet use. The IP address transmitted by your browser within the scope of Google Analytics will not be aggregated with other Google data.

You may refuse the use of cookies by selecting the appropriate settings on your browser. Nonetheless, please note that if you set your browser settings to refuse cookies, you may not be able to use the full functionality of this Site. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the Site (including your IP address) and from processing this data by downloading and installing the browser plug-in available under the following link  https://tools.google.com/dlpage/gaoptout. You can prevent Google Analytics from collecting information from your computer by clicking on the following link. Clicking the link sets an opt-out cookie that prevents future collection of your information when you visit this Site: https://tools.google.com/dlpage/gaoptout?hl=en

For more information on terms of use and privacy regarding Google Analytics, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en-US. Please note that on the website Google Analytics has been extended by the code “anonymizeIp” in order to guarantee an anonymous registration of IP addresses (so-called IP masking).

The legal basis for processing under GDPR is legitimate interests under Article 6 paragraph 1(f), whereby Bristlecone’s authorization arises from the fact that, on the one hand, Bristlecone has an interest in evaluating the website data for purposes of website optimization and, on the other hand, a concerned person can reasonably foresee at the time when the personal data is collected and in view of the circumstances under which it is carried out (in particular the above-mentioned measures) that it will possibly be processed for this purpose.

2.3. Which cookies are used?

Cookies are used on this website:

We use cookies on our website. By using our website, you agree that cookies may be stored on your device.  Accordingly, the legal basis for processing cookie data under GDPR is consent under Article 6 paragraph 1(a).

What are cookies? What types of cookies does Bristlecone use?

Cookies are fragments of data that Bristlecone places on your web browser during navigation to enable seamless access to all our web pages. Cookies enable us to identify your device, secure your access and prevent threats & breaches. Cookies also enable us to share relevant ads with you. By using cookies, we help remember your preferences and are able to serve you an enhanced user experience every single time.

Session cookie – Session cookies remain only as long as a browsing session is active. They aid user convenience during browsing. These cookies allow websites to link the actions of a user during a browser session and expire at the end of the browsing session.

Persistent cookie – Persistent cookies are stored on a user’s device even after the end of a browsing session. They help in recalling the preferences or actions of the user. They are used to retain the visitor’s preferences such as language and regional preference(s) at the end of each browsing session. We may use the services of a third-party analytics provider to analyze cookies to carry out a behavioral analysis in order to provide targeted and relevant content to visitors.

Cookies are accepted by default. You may change the settings of your browser to delete existing cookies or prevent future cookies from being automatically accepted. However, if you disable cookies, certain parts and functions of our Site may not be available.

If you do not want to take advantage of our cookies, you can find out in the help function of your browser how to set your browser to prevent it from accepting new cookies or deleting existing cookies. There, you will also learn how to block new cookies from your browser or which settings you have to make in order to receive a notification of new cookies.

How can cookies help?

Cookies help us to recognize you when you visit the Bristlecone site. Cookies remember your preferences, choices and behaviors. Cookies position us to provide you with a personalized and more customized experience that is in line with your settings. Cookies also make your interactions with Bristlecone better, quicker, seamless and secure.

Legal basis

The legal basis for processing is Art. 6 para. 1 f GDPR, whereby Bristlecone’s authorization arises from the fact that, on the one hand, Bristlecone has an interest in evaluating the website data for purposes of website optimization and, on the other hand, a concerned person can reasonably foresee at the time when the personal data is collected and in view of the circumstances under which it is carried out (in particular the above-mentioned measures) that it will possibly be processed for this purpose.

2.4. Social media plugins

We use social media plugins from various social networks (e. g. Facebook, Twitter, and LinkedIn). With the help of these plugins you can share content or recommend products. The plugins are deactivated by default and therefore do not send data to other websites.

If these plugins are activated, your browser establishes a direct connection with the servers of the respective social media network as soon as you access the Site. The content of the respective plugin is transmitted directly from the social media network to your browser and embedded into the Site.

By embedding the plugins, the social media network receives the information that you have visited certain Site pages. If you are logged in to the social media network, it can identify your account as having visited the Site. When you interact with the plugins, the corresponding information is transferred directly from your browser to the social media network and stored there.

For the purpose and scope of data collection and the further processing and use of the personal data by social media networks, as well as your rights and options for the protection of your privacy, please refer to the data protection notices of the respective social media networks.

If you do not want social media networks to collect information about you through our Site, you must log out of the social media networks or disable the social media plugins before you visit our website.

Even if you are not logged in to social media networks, websites with active social media plugins can still send data to these networks. With an active plugin, a cookie with an identifier is placed each time the Site is accessed. Since your browser sends this cookie every time you connect to a network server without being asked, the network could basically use it to create a profile of the websites visited by the user associated with the ID. And it would then also be possible to assign this identifier to a person again at a later time – for example when logging on later to the social network.

We use the following plugins:

  • Facebook (provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304 USA). You can view Facebook’s privacy policy here.
  • LinkedIn (provided by LinkedIn Corp., 1000 West Maude Ave., Sunnyvale, CA 94085). You can view LinkedIn’s privacy policy here.
  • Twitter (provided by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA). You can view Twitter’s privacy policy here.
  • Instagram (provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA). You can view Instagram’s privacy policy here.

2.5. Newsletters

2.5.1. Which data are collected and for what purpose are they processed?

If you register for a newsletter, we use your e-mail address to send you the newsletter for which you registered, in which we inform you regularly about interesting products and services of Bristlecone. The legal basis for registering you for a newsletter under GDPR is your consent in accordance with Article 6 paragraph 1(a). The legal basis under GDPR for our transmission of the newsletters you request after registration is performance of a contract in accordance with Article 6 paragraph 1(b) — providing the newsletter as agreed.

In order to ensure your proper registration for the newsletter, i.e. to prevent unauthorized registrations on behalf of third parties, we will send you a confirmation e-mail after your initial newsletter registration using the double opt-in procedure, in which we ask you to confirm your registration. In connection with your newsletter registration we also store your registration data (e.g. e-mail address, date and time of registration/confirmation of the opt in) so that we can trace and evidence the registration at a later time. The legal basis for this storage under GDPR is a legitimate interest, Article 6 paragraph 1(f). The legitimate interest is based on the obligation to provide proof of consent.

2.5.2. How long do we store your data?

We store your email address to send you the newsletter until you unsubscribe or until we stop sending you the newsletter. After unsubscribing from the newsletter, your registration data will be stored for up to 4 years, limited to the purpose of preserving evidence.

2.5.3. How can I cancel my newsletter subscription?

You can revoke your consent to receive newsletters from Bristlecone at any time in the future by clicking on the unsubscribe link at the end of a newsletter received.

2.6. What are your privacy practices regarding job candidates?

We place job postings on our website with the assistance of Workday functionality linked from our Site. Job candidates can apply for a listed job on the Site and upload a cover letter and resume. We will collect whatever information job candidates provide to us using the Workday functionality. A more detailed privacy notice is provided to candidates for jobs and contractor positions when they seek work with Bristlecone. Our privacy notice to candidates appears on our website here. For more information on Workday’s privacy practices, please refer to its privacy statement here.

2.7. Bristlecone’s Processing of Customer Data

While Bristlecone acts as a data “controller” under GDPR by collecting personal data from individuals, it also acts as a processor when it receives Customer Data containing personal data from customers in connection with the use of Bristlecone’s services.  When Bristlecone receives personal data as a processor, it is the customer (or its customers) that has direct contact with the individuals whose personal information was uploaded to the services or otherwise processed by Bristlecone.

One example of a service that Bristlecone offers as a data processor is the Bristlecone NEO® platform.  As a SaaS data platform, Bristlecone NEO® hosts business data on behalf of Bristlecone’s customers and therefore acts as a data processor.  The platform, through various methodologies, provides for data ingestion from enterprise resource planning systems and other systems of records such as SAP, Salesforce, and Oracle.

Bristlecone NEO® does not specifically require the ingestion of personal data from its customers or their employees or suppliers or contractors, or partners or any other parties associated with our customer.  Rather, the Bristlecone NEO® platform processes whatever data customers upload to the platform through specific business processes, workflows and data pipelines implemented for the customers using the platform.  Some of the data uploaded to the platform may contain personal data.  We do not monitor or review the customer data that customers upload to the platform except, if and to the extent necessary, to verify that a customer is in compliance with its agreement with Bristlecone, or in response to a customer’s request to provide customer support.

When processing such Customer Data, Bristlecone processes personal data within that Customer Data strictly in accordance with the actions of the applicable customer using Bristlecone’s tools, queries, or instructions. Bristlecone has an obligation under its agreement with the customer not to disclose Customer Data to third parties, except to provide Bristlecone’s services or to follow our customer’s instructions.  Bristlecone may use third party data processors to assist in processing Customer Data and delivering its services to its customers.

2.8. Is other personal data collected and processed?

We collect and process Account-Related Information — personal data from representatives of our past, present, or prospective customers. For instance, we collect names and email addresses to identify these representatives.  This Account-Related Information relates to customer accounts and their management. For example, Bristlecone collects contact information from such representatives to discuss sales of Bristlecone’s services and to provision or manage user accounts when representatives of a customer use Bristlecone’s services. We receive this Account-Related Information when the individual representatives provide it to us, and the basis for processing this personal data is consent.

At times, a representative of a customer may provide us with Account-Related Information of other representatives or contacts working for the customer. The basis for processing this personal data is legitimate interest. Specifically, the interest of Bristlecone and the customer to create and maintain a business relationship is the interest justifying the processing of representatives’ and contacts’ personal data not provided by the representatives and contacts themselves.

In addition, we collect and process personal data from representatives of vendors, business partners, and other businesses with which we interact, or individuals doing business with Bristlecone. We also collect personal data from individuals attending our company events, such as webinars. Examples of uses for such personal data include:

  • Communications with past, present, or future vendors of Bristlecone to discuss their products or services provided to Bristlecone
  • Communications with past, present, or future business partners to discuss partnership arrangements with such entities
  • Communications with representatives of those who market services in collaboration with Bristlecone.

We may process such personal data to fulfill our agreements with a business or if you have voluntarily given us your express consent. The legal bases for processing under GDPR are consent and performance of a contract under Article 6 Paragraphs 1(a) and 1(b).

Some individuals provide us with personal data, for example, by completing a registration form or sending us an email, ordering products or services, submitting inquiries to us, requesting materials or registering. Unless otherwise required by law, we will only use your personal data for the purposes for which you have given your consent. For special services such as newsletters, data protection provisions specific to those services will apply.

2.9. Minors

Our services and the Site are intended for use by adults 18 years and older. We do not market or sell services to minors or knowingly collect personal data from children under age 18. If you believe that we have inadvertently gathered personal data about a minor, please contact us as described in Section 10 below.

Note that social media companies are subject to the California online erasure law, California Business & Professions Code Section 22581. It allows minors who have posted information on social media or other online services on which they have an account to request and obtain removal of information posted by them.  Minors wishing to exercise these rights concerning information posted on Bristlecone social media pages should contact the social media platform on which the posts appear. For additional assistance from Bristlecone in the removal process, please contact us as described in Section 10 below.

Despite a minor’s rights under Section 22581, the law may not permit or require removal in all cases, and a request for removal is not a guarantee of complete removal.

  1. Will my data be transferred to third parties?

We may share your personal data with vendors or outsourced service providers that help us provide services to our customers, or that assist with support functions such as billing, payment card processing, and data analysis. Service providers may also be Bristlecone Group companies or service providers for IT services (e. g. for technical administrative tasks and for usage analysis), telecommunications, consulting and advisory services as well as sales and marketing. They may process personal data on our behalf and therefore act as “processors” for purposes of GDPR. We will require any such vendors or service providers to manage your personal data with privacy and security safeguards consistent with this privacy policy.

When Bristlecone uses vendors or providers, Bristlecone remains responsible for the protection of your personal data. In addition, the processor may also be responsible. The service provider works strictly in accordance with our instructions. We oversee such vendors and providers with strict contractual requirements, technical and organizational safeguard measures, and supplementary controls.

For instance, the Bristlecone NEO® platform is designed, developed, and hosted on AWS Cloud.  Moreover, Bristlecone enlists the services of third-party data processors such as OKTA, Tableau, GitHub, etc. to provide for a comprehensive solution to Bristlecone customers using the Bristlecone NEO® platform.  In such cases, these third-party services then become sub-processors of Bristlecone supporting the Bristlecone NEO® platform.

From time to time, we may be required to respond to a subpoena, court order, search warrant, administrative or judicial process, requests by law enforcement agencies, or other requests that we must respond to under applicable law. We may disclose your personal data in response to any of these requirements. Also, we may disclose your personal information to preserve the security of our Site, systems, or social media accounts, resolve disputes, or to assess any possible wrongdoing. The legal basis for processing under GDPR is compliance with a legal obligation (Article 6 Paragraph 1(c)).

Bristlecone Group Companies may share personal data within Bristlecone for purposes of providing, supporting, maintaining, and administering the services it offers. Bristlecone may transfer your personal data to Bristlecone Group companies in order to carry out a business relationship with you or for the purposes of legitimate interests.

If personal data of residents of member states of the European Union (“EU”) or European Economic Area (“EEA”) are exported, they will either be:

  • Transferred to a country based within the EU or the EEA or in a country which, according to a decision of the European Commission, has an appropriate level of data protection.
  • In the case of data transfers to Bristlecone Group companies domiciled in other countries, transferred in a manner with assurances that the data-importing Bristlecone Group Company has been obligated to provide an appropriate level of data protection consistent with this privacy declaration and applicable data protection law; or
  • Transferred to a recipient in another manner with assurances that the importing entity has been obligated to provide an appropriate level of data protection consistent with this privacy declaration and applicable data protection law.

For instance, when Bristlecone provides Bristlecone NEO® platform services, all data ingestion, transformation, and processing is covered by a data processing addendum (DPA) with each customer.  Bristlecone NEO® relies on the European Commission-approved Standard Contractual Clauses (“SCCs”) incorporated in a DPA as a legal mechanism for data transfers from EU or EEA member states for its customer data that contains or may contain personal data.

We may share or transfer personal data about you in connection with a merger, acquisition, reorganization, or sale of assets of our business, in the event of bankruptcy, or during the negotiations leading to such an event. We will seek assurances from any buyer that your personal data will be used, shared, maintained, and disclosed consistent with the terms of this privacy declaration.

Beyond this, we do not transfer data to third parties unless you have given your express consent, the transfer is obviously necessary for the provision of an offer or service requested by you or this is provided for by law. We also do not intend to transfer your data beyond this to a third country or international organization.

  4. How long will my data be stored?

We store data for as long as it is legally necessary, as long as necessary for the provision of the service requested by you (e.g., to manage a customer account or for the duration of one of our supply chain services or newsletter subscription), as long as necessary for another business purpose for its use, or as long as it has been agreed upon in a declaration of consent.

Depending on the purpose of the storage, the processing, storage and use of personal data may in individual cases also extend beyond the duration of the provision of services. An example of this is the storage of the collected and processed personal data for the purpose of fulfilling post-contractual obligations and exercising subsequent rights.

Data collected and processed on the basis of legitimate interests (under Article 6 paragraph 1(f) of GDPR) will be stored for as long as this is permitted on the basis of the legitimate interests.

In addition, we may have a legal obligation to preserve personal data in case of reasonably anticipated legal disputes or other preservation obligations under applicable law.  For this category of personal data, the basis for processing is compliance with a legal obligation (under Article 6 paragraph 1(c) of GDPR).

  5. Security Measures

Bristlecone maintains (and requires its service providers to maintain) an information security program establishing reasonable and appropriate information security controls over personal data.  In particular, Bristlecone is committed to maintaining reasonable and appropriate industry-standard administrative, physical, and technical safeguards to:

  • Provide assurances of the integrity and confidentiality of personal data covered by this privacy declaration,
  • Protect against reasonably anticipated threats or hazards to the security or integrity of personal data, and unauthorized uses or disclosures of such personal data, and
  • Maintain compliance with legal frameworks of requirements under applicable data protection laws.

  6. Do I have a right to information and rectification (correction) of my personal data? What other rights do I have with regard to my personal data?

You may at any time and free of charge request information about the scope, origin and recipients of collected personal data in our possession as well as the purpose of the storage; in addition, you have the right to rectification, erasure or restriction of the processing of your personal data in accordance with applicable data protection laws, a right to object to the processing as well as a right to data portability.

  7. California Privacy Rights

Bristlecone provides California residents with the rights in this policy, although these rights are not yet required under the California Consumer Protection Act (“CCPA”).  We offer these rights so that representatives of customers and other businesses we transact with will have confidence that they are working with a business committed to excellence and protecting the data of business representatives.  (We used the term “personal information” in this section to refer to personal data because CCPA uses the term “personal information.”)

7.1. Right of Access to Information and Data Portability

Upon request, we will tell a California resident the categories and specific pieces of personal information we have collected about that resident in the previous 12 months.  In addition, we will disclose to a California resident:

  • The categories of personal information we have collected about that California resident.
  • The categories of sources from which the personal information is collected.
  • The business or commercial purpose for collecting that California resident’s personal information.
  • The categories of third parties with whom we share personal information.
  • The specific pieces of personal information we have collected about that California resident (subject to applicable law).

The identity of any person making such a request must be verified as a condition of providing the requested personal data.  See Section 7.6 regarding identification verification procedures.

7.2. Right of Deletion

You may request that we delete any of your personal information that we collected from you and have retained, subject to certain conditions and exceptions under the law. For instance, we have the right to retain personal information needed to:

  • Complete the transaction for which the personal information was collected, provide a good or service requested by the California resident, or reasonably anticipated within the context of our ongoing business relationship with the California resident, or otherwise perform a contract between our business and the California resident.
  • Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  • Conduct solely internal uses that are reasonably aligned with the expectations of the California resident based on the California resident’s relationship with us.
  • Comply with a legal obligation.
  • Use the personal information internally, in a lawful manner that is compatible with the context in which the California resident provided it.

The identity of any person making such a request must be verified as a condition of deleting the personal information as requested.  See Section 7.6 regarding identification verification procedures.

7.3. No Sale of Personal Information

Bristlecone does not sell personal information in its possession in the ordinary course of business and has not done so in the preceding 12 months.  See Section 3 regarding the sale of personal information in connection with corporate transactions.

7.4. Non-Discrimination

It is our policy not to discriminate against individual California residents for exercising any of their rights under this privacy declaration or applicable law, including by:

  • Denying goods or services to the California resident;
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • Providing a different level or quality of goods or services; or
  • Suggesting that the California resident will receive a different price or rate for goods or services or a different level or quality of goods or services.

7.5. Exercise of Individual Rights

If you are a California resident and wish to exercise any of the rights described in this Section 7, please contact us in the manner described in Section 10.  If you are an agent authorized to act on behalf of a California resident, we will need proof of your authority from the California resident and you will need to identify yourself and the California resident on whose behalf you are acting.  We will use the procedures in Section 7.6 to verify the identity of the California resident and/or an authorized agent.

7.6. Identity Verification

Bristlecone will verify the identity of any individual or authorized agent seeking to exercise rights under this privacy declaration.  We will verify the identity of California residents and their agents using one or more of the following means:

  • For California residents with a password-protected account with Bristlecone, we can verify an identity by proof of access to the account.
  • For California residents without a password-protected account, we will identify a requestor via pieces of personal information that we have on record.
    • We will require that you provide two pieces of information that we already have on file for you, such as items of contact information and/or information from communications or transactions with you.
    • Also, in the case of a request for specific pieces of personal information, we will ask for an additional piece of information in addition to the two pieces requested above, together with a signed declaration under penalty of perjury that the requestor is the California resident whose personal information is the subject of the request or an authorized agent acting on behalf of that California resident.
  • If we are unable to verify identity by one of the above means or have reason to believe the request may be fraudulent, we may ask you to provide a copy of an identification credential. We will use the credential only for purposes of identity verification and thereafter will delete it.

An authorized agent seeking to exercise rights on behalf of an individual California resident must prove the agent’s authority by providing a power of attorney under the California Probate Code or some or all of the following:

  • Providing a copy of a writing signed by the California resident giving the agent permission to act on the California resident’s behalf;
  • Verification of the California resident’s and the authorized agent’s own identity under the procedures in this section; or
  • Communicating with the California resident directly to confirm the status of the agent as authorized to act on behalf of the California resident.

If we are unable to verify the identity of the requestor and the authority of any authorized agent acting on behalf of a California resident, we will not be able to respond to the request to exercise individual rights.

We may ask for additional verification if we suspect fraud, such as a copy of an identification credential from the requestor.

We will use any information collected in connection with identity verification (beyond what Bristlecone had already collected as otherwise described in this policy) strictly for identity verification purposes, and it will be deleted following the completion of the verification process (except to the extent Bristlecone is required to retain such information under CCPA or other applicable law).

  8. Can I withdraw my consent to the use of my personal data?

Where consent was the basis for our collecting your personal data, you have the right to withdraw your consent to the use of your personal data at any time. To exercise this right, please send a letter to the following address:

Bristlecone, 10 Almaden Blvd, Suite 990, San Jose, CA 95113

The data processing performed on the basis of your consent is legal until the time of withdrawal.

  9. Do Not Track Signals

Browser software manufacturers may offer “do not track” settings to allow users to communicate a “do not track” preference. Currently, there is no standard governing what, if anything, a website operator should do when receiving a “do not track” signal. Accordingly, Bristlecone does not currently take action in response to a “do not track” browser setting. Bristlecone will reconsider this policy if an industry standard regarding such settings emerges.

  10. Who is my contact person if I have questions about data protection?

If you have any questions or comments or wish to exercise any of your individual rights described in this privacy declaration, please feel free to contact Bristlecone at San Jose, 10 Almaden Blvd, Suite 990, San Jose, CA 95113.

  11. What should I do if I have a complaint about Bristlecone’s privacy practices?

If you have a complaint, please provide information relevant to your complaint by contacting us as described in the previous section. Our privacy team will evaluate your complaint based on the information you provide and send you a response. We may need to ask you for additional information to evaluate your complaint. We will promptly investigate and respond to your communications about a complaint. You may have other rights under law. Also, you have the right to contact the privacy regulator in your country or jurisdiction about your complaint.

  12. How long is this data privacy declaration valid?

This data privacy declaration is up-to-date and dates from October 8, 2020. We reserve the right to amend the data privacy declaration at any time, and the terms of any amendments will have effect on and after the effective date of the amendment.

We will make changes by posting a revised copy of this privacy declaration to our website or, if Bristlecone deems it necessary, by email notice to you. Your continued use of our website and social media accounts after a revised version of this privacy declaration appears on the website will constitute your approval of the amended version.