OBSIDIAN PRIVACY POLICY

Scope of Policy

This Obsidian Privacy Policy (the “Policy”) describes how Obsidian Security, Inc. (“Obsidian'', “we”, “us”) collects, uses, stores, and discloses information from users (“you”, “your”) of digital properties that link to this Privacy Policy, including our website at obsidiansecurity.com and other websites we operate (collectively, the “Websites”), our cloud-based SaaS cybersecurity platform (the “Platform”), as well as through social media, our marketing activities, our live events and other activities described in this Policy. By accessing the Websites and/or Platform, you agree to the collection, use, and transfer of personal data according to the terms of this Policy. If you do not agree to these terms, please do not access or use the Websites and/or Platform.

If you are located in the European Economic Area (“EEA”) or the United Kingdom (“UK”), see the Notice to EU and UK Residents below.

Obsidian’s Subscription Terms govern the delivery and use of the Platform, including any data imported into the Platform by a customer or provided by a customer to import into the Platform on a customer’s behalf. If you are applying to work at Obsidian, please see our Applicant Privacy Policy for additional information on how we handle your personal data during and after the application process.

Information You Share with Us

Information you provide to us. Personal data you may provide to us through the Service or otherwise includes:

• Contact data, such as your full name, employer’s name, job title, phone number, and email address. 
• Communications that we exchange with you, including when you contact us through the Service, social media, or otherwise.
• Transactional data, such as information relating to or needed to complete your orders for the Platform, including order numbers and transaction history. 
• Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.
• Research data that you provide when you agree to participate in our surveys or promotions.
• Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Automatic data collection. We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Websites, the Platform, our communications and other online services, such as:

• Device data, such as your computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.
• Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.

Cookies and similar technologies. We use cookies and similar technologies (such as web beacons, pixels, tags and scripts) to improve and personalize your experience, provide the Websites, analyze website performance and for marketing purposes. For more information, see our Cookie Notice.

How We Use Your Personal Data

We may use your personal data for the following purposes or as otherwise described at the time of collection:

Websites and Platform delivery. We may use your personal data to:

• provide, operate and improve the Websites, Platform and our business;
• enable security features of the Platform, such as by sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
• communicate with you about the Platform, including by sending announcements, updates, security alerts, and support and administrative messages;
• understand your needs and interests, and personalize your experience with the Websites and our communications; and
• provide support for the Websites and/or Platform, and respond to your requests, questions and feedback.

Research and development. We may use your personal data for research and development purposes, including to analyze and improve the Platform and our business. As part of these activities, we may create aggregated, de-identified or other anonymous data from personal data we collect. We make personal data into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Platform and promote our business.

Marketing. We and our service providers may collect and use your personal data for marketing purposes:

• Direct marketing. We may send you direct marketing communications (such as updates and reminders about events, webinars, and demos, newsletter, and updates about Obsidian services and features we believe may be of interest to you). You may opt-out of our marketing communications as described in the respective marketing communication.
• Third-party advertising. We may permit third party ad networks, social media companies, and other third party services to collect information about browsing behavior from visitors to our Websites through cookies, social plug-ins, or other tracking technology. We may permit third party online advertising networks to collect information about your use of our Websites over time so that they may display ads that may be relevant to your interest in our Platform on other websites or services. Typically, the information is collected through cookies or similar tracking technologies.

Compliance and protection. We may use your personal data to:

• comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
• protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
• audit our internal processes for compliance with legal and contractual requirements or our internal policies;
• enforce the terms and conditions that govern the Websites and/or Platform; and
• prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

Circumstances in Which We Share or Disclose Information

We may share your personal data with the following parties and as otherwise described in this Policy or at the time of collection.

Business and marketing partners

When Obsidian co-hosts, co-sponsors, or co-authors an event, webinar, or publication, we may share information with our partners regarding those who have attended the event or webinar or downloaded the publication.

Partners

We may sometimes share your personal data with partners or enable partners to collect information directly via our Websites.

Authorities and others

Obsidian may disclose your personal data if required to do so by law to law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.

Third party services

Obsidian holds contracts with third party vendors that provide services on our behalf or help us operate the Websites or Platform or to carry out sales, marketing, recruiting, and other business functions (such as hosting, information technology, customer support, email delivery, consumer research and website analytics). The third parties may store personal data from visitors to our public facing website, social media accounts, and recruiting accounts.

Business transferees

In the event that Obsidian is involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, or other disposition of all or any portion of the business or assets of, or equity interests, your personal data may be shared with acquirers and other relevant participants in business transactions (or negotiations of or due diligence for such transactions).

Data Retention

We apply a general rule of keeping personal data only for so long as is required to fulfill the purpose for which it was collected. However, in some circumstances, we will retain your personal data for longer periods of time. We will retain personal data for the following purposes: (i) as long as it is necessary and relevant for our operations, business needs and to provide the Websites and/or Platform, e.g. so that we have an accurate record of your dealings with us in the event of any complaints or challenge; and (ii) in relation to personal data from closed accounts (e.g., due to contract termination) to comply with applicable laws, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigation, enforce the Websites’ and/or Platform’s terms and take other actions as permitted by law.

Choices About Your Information

You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications or emailing privacy@obsidiansecurity.com. We make every effort to promptly process all unsubscribe requests. You may not opt out of Platform-related communications (e.g., account verification, information about your orders, changes/updates to our products or features of the Platform, technical and security notices), unless you cease using the Platform.

If you are a user of the Platform, you may modify or delete your information by logging into your account. If you otherwise have any questions about reviewing, modifying or deleting your information, you can contact us directly at privacy@obsidiansecurity.com.

Security

We employ a number of technical, organizational and physical safeguards designed to protect the personal data we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal data.

Links to Third-Party Sites

Our Websites or Platform may contain links to other websites, including links to our partners and to media web sites. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. Please be aware that our Privacy Policy does not apply to websites, mobile applications or online services controlled by third parties. We encourage you to read the privacy policies of the other websites, mobile applications and online services you use.

Age Limitations

The Platform and Websites are not directed to anyone under the age of 18. A parent or guardian who becomes aware that his or her child under the age of 18 has provided us with personal data may contact us using one of the methods in the Feedback and Contact Information section below and we will attempt to delete the child’s data as soon as possible.

Changes to the Policy

We may revise this Policy from time to time. The most current version of the Policy will always be at obsidiansecurity.com/privacy-policy.

If we make a change to our website privacy policy that, in our sole discretion, is material, we will notify you by updating the date of this Policy and posting it on the Service or other appropriate means. Any modifications to this Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Websites or Platform after the effective date of any modified Policy indicates your acceptance of the modified Policy.

Notice to California Residents

This Policy contains a list of the categories of personal data we collect, and have collected for the past twelve months.

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) that include the right to:

• Request access, correction and deletion of your personal information;
• Opt out of the sale or sharing of your personal information; and
• Not be discriminated against for exercising one of your CCPA/CPRA privacy rights.

Please note that we do not sell the personal data that we collect.

To exercise your rights, please contact us as provided in the Feedback and Contact Information section. You will not be discriminated against for exercising your privacy rights under the CCPA and CPRA. In order to protect your personal data from unauthorized access or deletion, we may require you to provide additional information for verification. If we can’t verify your identity, we will not provide or delete your data.

Notice to EU and UK Residents

If you are located in the European Economic Area, Switzerland, or United Kingdom, you have additional data privacy rights outlined in this section.

Legal bases for processing

The legal bases of our processing of your personal data as described in this Privacy Policy will depend on the type of personal data and the specific context in which we process it. However, the legal bases we typically rely on are set out in the table below. If you have questions about the legal basis of how we process your personal data, contact us at privacy@obsidiansecurity.com.

Use for new purposes. We may use your personal data for reasons not described in this Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal data for an unrelated purpose, we will notify you and explain the applicable legal basis.

Special Categories of data / Sensitive personal data. We ask that you not provide us with any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Websites and/or Platform, or otherwise to us.

Your rights. Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you may have the following rights under data protection laws:

• to request that we provide you with a copy of your personal data that we hold, and you have the right to be informed of; (a) the source of your personal data; (b) the purposes, legal basis and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entity to whom your personal data may be transferred;
• to request that we cease processing your personal data, in whole or in part, as you direct us, for any purpose, save to the extent it is lawful to do so without consent;
• to request that we restrict the processing of your personal data where: (a) the accuracy of the personal data is contested; (b) the processing is lawful but you object to the processing of the personal data; (c) we no longer require the personal data for the purposes for which it was collected, but it is required for the establishment, exercise or defense of a legal claim;
• to request that we erase your personal data in limited circumstances where it is no longer necessary in relation to the purpose(s) for which it was collected or processed;
• to challenge processing which we have justified on the basis of a legitimate interest;
• to request that we not transfer your personal data to unaffiliated third parties for the purposes of direct marketing or any other purposes;
• to request that we change the manner in which we contact you for marketing purposes;
• to request that we correct any errors in your personal data;
• to request that we update your personal data as required. Note that you may also correct, update or remove certain parts of such personal data by yourself, or completely deactivate your SodaStream account, through your account settings;
• to obtain a copy of the safeguards under which your personal data is transferred outside the EU; and
• to lodge a complaint with your local supervisory authority for data protection. However, we encourage you to first contact us.

You may submit these requests by email to privacy@obsidiansecurity.com or our postal address provided in the Feedback and Contact Information Section below. We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

EU/UK Representatives. Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Obsidian Security, Inc, has appointed the European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

• by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
• by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

Pursuant to Article 27 of the UK GDPR, Obsidian Security, Inc, has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

• by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
• by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

Cross-border data transfer. We may share your personal data with third parties who may be based outside of the EEA and/or UK. In such circumstances, those parties’ processing of your personal data will involve a transfer of your personal data outside of the EEA and/or UK where privacy laws may not be as protective as those in your state, province, or country.

You can obtain further information or a copy of or access safeguards under which your personal data is transferred outside of the EEA and/or UK by contacting us at privacy@obsidiansecurity.com.

Feedback and Contact Information

Obsidian is on a continual quest for improvement. We invite feedback from customers, interested third parties, and visitors to the Websites.

If you would like to provide feedback, have questions about this Policy, or if you would like to exercise your statutory rights, you may contact us using any of the options below:

Email — privacy@obsidiansecurity.com

Physical mail –Obsidian Securityc/o Privacy Team660 Newport Center Drive #200Newport Beach, CA 92660

Anonymous feedback — Submit here.

This Cookie Notice explains how Obsidian Technologies Inc. (“Obsidian”, “we”, “us” or “our”) use cookies and similar technologies in connection with its digital properties that link to this Cookie Notice, including our websites (collectively, the “Websites”) and the purposes for using them.

For more information about how we collect, use and share your personal data, see our Privacy Policy.

Our Websites use cookies, in combination with other tracking technologies (collectively, “cookies” unless otherwise noted) to distinguish you from other users of the Websites.

You do not need to allow cookies to visit most of the Websites. However, enabling cookies may allow for a more tailored browsing experience and is required for certain parts of the Websites to work. In the majority of cases, a cookie does not provide us with any of your personal data.

1. What are cookies?

Cookies are small data files containing a unique identifier that are placed on your computer or mobile device when you visit a Service. Cookies and similar technologies (which include pixels, tags, web beacons and software development kits (“SDKs”) and local browser storage technologies) (together “cookies”) enable operators of website/apps to recognize your device and collect information from it when you interact with them. They use this information to understand how the website is being used, letting you navigate between pages efficiently, remembering your preferences and generally improving your browsing experience. Cookies are also used to make the advertising you see online more relevant to your interests.

Our Websites may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them).

2. Who places cookies on your device?

When you visit our Websites, both first-party cookies and third-party cookies may be placed on your device:

• first party cookies, served directly by us to your computer or mobile device, which we use to recognize your computer or mobile device when it revisits our Websites; and 
• third party cookies, which are served by service providers or business partners on our Websites, and can be used by these parties to recognize your computer or mobile device when it visits other websites. Third party cookies can be used for a variety of purposes, including service analytics, advertising and social media features. We do not control how these third parties use your information, which is subject to their own privacy policies. 

3. What types of cookies and similar tracking technologies are used on the Service and why?

The cookies used on our Websites are categorized as follows:

• Strictly Necessary cookies are necessary for the Websites to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the Websites will not then work. In particular, we use these Strictly Necessary cookies to remember your privacy choices and for security purposes. If you prevent these cookies, we cannot guarantee how the Websites or the security on the Websites will perform during your visit.
• Functional cookies enable us to provide you with enhanced functionality and personalisation. These cookies may be set by third party providers whose services we have added to our pages. If you do not add these cookies, then some of these services may not function properly.
• Performance/Analytics cookies collect information about how you use our Websites (e.g., which pages you visit and if you experience any errors). These cookies are used to help us improve how our Websites work, understand what interests our users and measure how effective our content is. Some of our performance/analytics cookies are managed for us by third parties.
• Targeting cookies record your visit to our Websites, the pages you have visited and the links you have followed. We or third party providers may use this information to personalize the content you see on the internet. Our advertising third party providers may use this information to build a profile of your interests and show you relevant adverts on other sites. If you do not allow these cookies, you will experience less targeted advertising.

You can find more information regarding the cookies we use on our Websites below:

4. Your choices

Strictly necessary cookies do not require your consent.

For performance/analytical, functional and targeting cookies, we request your consent before placing them on your device. You can give your consent by clicking on the appropriate button on the banner displayed to you. If you wish to avoid cookies placed on Obsidian Security’s behalf,  simply check “I decline”.

Additionally, most browsers let you remove or reject cookies, or set rules to manage cookies on a site by site basis. To do this, follow the instructions in your browser settings. For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them.

To learn more about cookies, clear gifs/web beacons and related technologies and how you may opt-out of some of this tracking, you may wish to visit one or more of the following sites:

http://www.allaboutcookies.org
http://www.networkadvertising.org
http://www.aboutads.info/choices

For more information about how we collect, use and share your information, see our Privacy Policy.

5. Changes to this Cookie Notice

Information about the cookies we use may be updated from time to time, so please check back on a regular basis for any changes. In all cases, your use of the Service after the effective date of any modified Cookie Notice indicates your acceptance of the modified Cookie Notice.

6. Questions

If you have any questions about this Cookie Notice, please contact us by email at privacy@obsidiansecurity.com.

The purpose of this Applicant Privacy Policy (“Policy”) is to provide you with information about how Obsidian Security, Inc. (the “Company,” “Obsidian,” “we,” “us” and/or “our”) processes your personal data collected during the recruitment process. This Policy describes the categories of personal information collected by the Company and the purposes for which such information may be collected and used. This Policy applies to any individuals who submit an application for an advertised position, provide their personal data for general employment inquiries, or otherwise seek to work for Obsidian, regardless of the manner in which you provide your personal data. This Policy applies in addition to our general Privacy Policy. Please refer to the Privacy Policy for our practices related to personal data submitted for other purposes.

This Policy may be updated from time to time. We will post any changes to this page. For additional information about the Company’s data privacy practices, please review our Privacy Policy.

Categories of Personal Information Collected

During the recruitment process, we may need to collect certain data about you, either from you directly, or from third parties with your approval.  This data may include the following:

Identifiers and Contact information. This category includes names, addresses, telephone numbers, mobile numbers, email addresses, signatures, account names, dates of birth, bank account information, and other similar contact information and identifiers.

Protected Classification Information. This category includes characteristics of protected classifications under California or federal law.

Internet or Other Electronic Network Activity Information. This category includes, without limitation:

• all activity on the Company’s information systems, such as internet browsing history, search history, intranet activity, email communications, social media postings, stored documents and emails, usernames and passwords
• all activity on communications systems, including phone calls, call logs, voice mails, text messages, chat logs, app use, mobile browsing and search history, mobile email communications, and other information regarding an employee’s use of company-issued devices.

Geolocation Data. This category includes, without limitation, GPS location data from company-owned or issued mobile devices, applications, or vehicles.

Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information. This category includes, for example, information collected from cameras, thermometers, and similar devices.

Biometric Information. This category includes the use of biometric equipment, devices, or software to record your time worked, to enter or exit facilities or rooms, to access or use equipment, or for other business purposes.

Professional and Employment-Related Information. This category includes, without limitation:

• data submitted with employment applications, including salary history, employment history, employment recommendations, etc.
• background check and criminal history
• work authorization
• performance and disciplinary records
• salary and bonus data
• benefit plan enrollment, participation, and claims information
• leave of absence information, including religious and family obligations, and physical and mental health data, concerning employees and their family members

Education Information. This category includes, without limitation, education history.

Sensitive Personal Information. This category includes sensitive information such as:

• social security, driver’s license, state identification card, or passport number
• financial account information that allows access to an account, including log-in credentials, financial account numbers, passwords, etc.
• precise geolocation
• racial or ethnic origin,
• content of mail, email, and text messages (unless the Company is the intended recipient of the communication) and
• health information.

Purposes Personal Information, Including Sensitive Personal Information, Is Used

Data we collect about you as part of our recruitment process may be used for the following purposes:

• Collecting and processing employment applications, including confirming eligibility for employment, background and related checks, onboarding, and related recruiting efforts.
• Processing payroll, other forms of compensation, and employee benefit plan and program design and administration including enrollment and claims handling, and leave of absence administration.
• Maintaining physician records and occupational health programs.
• Maintaining personnel records and record retention requirements.
• Communicating with employees and/or employees’ emergency contacts and plan beneficiaries.
• Complying with applicable state and federal health, labor, employment, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws, guidance, or recommendations.
• Preventing unauthorized access to, use, or disclosure/removal of the Company’s property, including the Company’s information systems, electronic devices, network, and data.
• Ensuring and enhancing employee productivity and adherence to the Company’s policies.
• Providing training and development opportunities.
• Investigating complaints, grievances, and suspected violations of Company policy.
• Designing, implementing, and promoting the Company’s diversity and inclusion programs.
• Facilitating the efficient and secure use of the Company’s information systems.
• Ensuring compliance with the Company information systems policies and procedures. 
• Improving safety of employees, customers and the public with regard to use of Company property and equipment.
• Improving efficiency, logistics, and supply chain management.
• Improving accuracy of time management systems and attendance, including vacation, sick leave, and other leave of absence monitoring.
• Evaluating an individual’s appropriateness for a particular position at the Company, or promotion to a new position.
• Managing customer engagement and other legitimate business purposes.
• Responding to and managing legal claims against the Company and/or its personnel, including civil discovery in litigation.
• Facilitating other business administrative functions and strategic activities, such as risk management, information technology and communications, financial management and reporting, workforce and succession planning, merger and acquisition activities, and maintenance of licenses, permits and authorization applicable to Company operations.

Retention. If you accept a position with Obsidian, your data will become part of your employment records. At that point, your data will be subject to our applicable employee privacy policies. If you are not hired, or elect to withdraw or decline our employment offer, we will retain your applicant data for three years unless a longer period is required by applicable law or to establish, exercise, or defend legal challenges related to our recruitment processes. We hold your data for three years so that we may consider you for other positions that arise within our organization and to comply with our regulatory requirements.  

We retain your personal information for as long as is necessary to process your application for employment, process your payroll, administer your benefits, etc. and in accordance with the Company’s data retention schedule. We may retain your personal information for longer if it is necessary to comply with our legal or reporting obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, enforce our legal agreements and policies, address other legitimate business needs, or as permitted or required by applicable law. We may also retain your personal information in a deidentified or aggregated form so that it can no longer be associated with you. To determine the appropriate retention period for your personal information, we consider various factors such as the amount, nature, and sensitivity of your information; the potential risk of unauthorized access, use or disclosure; the purposes for which we collect or process your personal information; and applicable legal requirements. Personal information does not include certain categories of information, such as publicly available information from government records, and deidentified or aggregated consumer information.

Disclosure. To carry out the purposes outlined above, the Company may disclose personal information to service providers or other third parties, such as background check vendors, third-party staffing vendors, information technology vendors, outside legal counsel, and state or federal governmental agencies. In addition to the parties listed in the Privacy Policy, we may share your personal data with your references and your previous or current employers to perform professional reference and employment checks.  The Company does not sell or share, as those terms are defined under applicable law, the above categories of personal information. The Company may add to the categories of personal information it collects and the purposes for which it uses that information.

California Resident Individual Rights Requests. Individuals who are residents of the State of California have certain individual rights, which are outlined below.

Right To Know About Personal Information Collected or Disclosed. As a California resident, you have the right to request additional information, beyond that disclosed above, regarding the following, to the extent applicable:

• the categories of personal information the Company collected about you
• the categories of sources from which that personal information was collected
• the business or commercial purposes for which that information was collected, sold, or shared
• the categories of third parties to whom the information was disclosed
• the specific pieces of personal information collected

Upon receipt of a verifiable request to know (see below), and as required by applicable law, we will provide a response to such request.

Right To Request Deletion of Your Personal Information. You have the right to request that we delete the personal information we collected or maintain about you. Once we receive your request, we will let you know what, if any, personal information we can delete from our records, and will direct any service providers and contractors to whom we disclosed your personal information to also delete your personal information from their records.

There may be circumstances where we cannot delete your personal information or direct service providers or contractors to delete your personal information from their records. Such instances include, without limitation, when the information at issue is maintained: (a) to enable solely internal uses that are reasonably aligned with your expectations based on your relationship with the Company and compatible with the context in which you provided the information, or (b) to comply with a legal obligation.

Upon receipt of a verifiable request to delete (see below), and as required by applicable law, we will provide a response to such requests.

Right to Request Correction. You have the right to request that the Company correct any inaccurate personal information we maintain about you, taking into account the nature of that information and purpose for processing it. Upon receipt of a verifiable request to correct (see below), and as required by the CCPA, we will provide a response to such requests.

Right to Limit Use or Disclosure of Sensitive Personal Information. You have the right, subject to certain exceptions, to request that we limit the use and disclosure of your sensitive personal information, as that term is defined in the CCPA. Upon receipt of a verifiable consumer request, and as required by the CCPA, we will take appropriate steps to respond to your request.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. We will not discriminate or retaliate against you for exercising any of the rights described above.

Submitting CCPA Rights Requests. To submit a CCPA Rights request as outlined above, please contact us at privacy@obsidiansecurity.com or submit a General Inquiry form on https://www.obsidiansecurity.com/contact/. We reserve the right to only respond to verifiable consumer requests that are submitted as instructed.

We reserve the right to amend this notice at any time without advance notice. Please direct questions about this notice to privacy@obsidiansecurity.com.

European Union, UK or European Economic Area Residents. If you are a resident of the European Union, UK or European Economic Area we may rely on one or more of the following lawful bases for processing your applicant data:

• Our legitimate interests, which are summarized above in the section titled “Purposes Personal Information, Including Sensitive Personal Information, Is Used”;
• To comply with applicable laws and regulations;
• To take steps to enter into an employment contract with you; and/or
• Where we have your consent to process your data.

Spouses, Dependents, and Associates. If you have knowledge that the Company collected personal information related to your spouse, dependent, or associate, please share a copy of this notice with all such individuals.