We, Legility, LLC and its affiliates (collectively, “Legility”, “Company,” “we,” “us,” or “our”), respect your privacy and we are committed to protecting it through our compliance with this Privacy Policy.

We may collect Personal Information about you as our visitors to and users of our website and other owned domains, as our prospective clients, and as our prospective employees (collectively, “User(s)”, “you” or “your”) on this website, on any other Legility-owned domain, through your interactions and communications with our Legility team in any form, our social media pages that we control, and marketing communications and email messages that we may send (each a “Site” and collectively, the “Sites”). We use the term “Personal Information” to refer to any information that identifies or can be used to identify you. Common examples of Personal Information include full name, email address, information about your device, and certain metadata.

Please take a moment to review the terms of our Privacy Policy.

This Privacy Policy explains how this Personal Information is collected, used, shared, maintained, protected, and retained. It also explains your rights regarding the Personal Information collected about you, including how to update your Personal Information, and how you can ask us to access it or delete it.

You may communicate with us by using the contact information shared in the “How to Contact Us” section in case you have any questions or concerns regarding this Privacy Policy. A complete list of Legility, LLC affiliated entities may be found in the “How to Contact Us” section as well.

In addition to this Privacy Policy, European Union, United Kingdom, California, and Hong Kong residents should also review the Privacy Policy Supplements for European Union, United Kingdom, California and Hong Kong Residents at the end of this policy.

This Privacy Policy applies to and addresses the Personal Information collection and processing practices of Legility when interacting with You as visitors to and users of our Sites, as prospective clients, and as prospective employees.

This Privacy Policy does not address data collection and processing practices relating to Legility employee data, which is governed by separate privacy practices and notices.

For Personal Information we may collect, host and store as part of the services rendered by Legility to its clients, clients are the controller of such information and we are a processor. Concerns regarding privacy are covered and governed by the contractual terms and relationship with our clients and not by this Privacy Policy. See the section below entitled “Legility Clients and Data in Connection with the Performance of Services”.

Our Privacy Policy does not apply to websites or to services offered by other companies or individuals, or other sites linked from our Site, unless specifically stated otherwise in this Privacy Policy. Our Privacy Policy does not cover the information practices of other companies and organizations who advertise our services, and who may use cookies, pixel tags and other technologies to serve and offer relevant ads.

By accessing or using the Sites in any manner, you agree to be bound by Legility’s Website Terms of Use. Please read the Terms of Use carefully. If you do not accept all of the terms and conditions contained in or incorporated by reference into the Terms of Use, please do not use a Site.

By accessing or otherwise using the Sites, you agree to this Privacy Policy.

Legility is the responsible controller under applicable data protection laws for the collection and use of any Personal Information about you through our Sites. We collect information, including Personal Information, to provide better services to you and all our Users. We collect, store and process your Personal Information by different methods depending on whether you are a prospective employee, job applicant, client, vendor or website user.

1. Information You Give to Us

Institutional Users. Employers, prospective clients, corporate clients, or other institutional Users might provide Personal Information to us, such as company name, title and contact information, digital signature via a Site, in email or in person.

Vendors. We may also collect Personal Information from vendors and their employees who support us in the general course of our business, such as company name, title and business contact information, and digital signatures, via a Site, in email or in person.

Potential Employees. As a potential employee, you may provide Personal Information to us when you fill out an employment profile, job application, or other listing or profile through links we provide on a Site or through the third-party service provider which supports our recruitment efforts. For example, we may collect your education level, occupation, job history, details concerning attorney training or other similar Personal Information. If you supply a resume/CV via mail, email, or in person then you may also choose to provide us with details of your education and career history and other information such as your name, email and mailing address, and telephone number.

Other Ways in Which You May Give Us Information.

You may choose to provide us with Personal Information about you by completing forms on our website, requesting information, asking questions, or entering information necessary to sign up for events, subscriptions, promotions, newsletters, white papers, surveys, or other opportunities to participate with the Site or us.

You may provide Personal Information when you enter reviews, post comments on our social media outlets, or otherwise interact with us. You may also provide us with Personal Information about yourself when you report a problem or have a question about a Site or services. The Sites offer interactive and social features that permit you to submit content and communicate with us. You may provide Personal Information to us when you post information in these interactive and social features. Please note that your postings in these areas of the Sites may be publicly accessible or accessible to other Users.

You may provide certain Personal Information to us at a live event, such as a conference. You may also provide such Personal Information via a lead scanner device, by providing a business card, or by sending us an email or during an in-person meeting.

2. Information We Obtain from Your Use of Our Sites and Services

We collect certain information automatically, such as your operating system version, browser type, and internet service provider. We also collect information about your interaction with a Site, such as opening or interacting with a Site on your mobile device. When you use our Sites, we automatically collect and store this information in service logs. This includes details of how you used our Sites; Internet protocol address; cookies that uniquely identify your browser, the referring web page and pages visited. The information we collect automatically is statistical data and may or may not include Personal Information, but we may maintain it or associate it with Personal Information we collect in other ways or receive from third parties. We may otherwise use this information for purposes of internal research and reporting, to improve the content of our websites or our services, or develop new services, and to enforce the legal terms that govern our services.

We may aggregate and/or de-identify any information collected through our websites. We may use de-identified and/or aggregated data for any purpose, including without limitation for research and marketing purposes, and may also share such data with any third parties.

Location Data. If you grant us access to your location, we may collect information about your location when you use our Sites and services. Your location can be determined by: IP address, and information about things near your device, such as Wi-Fi access points and cell towers. When you use our Sites via a wireless device, we may solicit your permission to collect your location data. Some features within our application may only function upon confirmation of your location, and therefore such features will not be available if you choose not to provide your location data to us. The specificity of the location data collected may depend on a number of factors, including the device you are using (e.g. laptop, smartphone or tablet) and how you are connected to the Internet (e.g., via cable broadband connection, WiFi). We may associate such location data with Personal Information you provide to us.

Device ID. When using our Sites, we or our service provider may collect your unique device ID. We may use such information for internal purposes and to provide you a better experience, such as to troubleshoot application problems you may experience. We may associate device ID with Personal Information you provide to us. You may learn more about opt out of any anonymous device ID collection via the privacy settings available within your mobile device.

We use cookies and other technology to automatically collect data about you when you visit a Site or view our advertisements. We also use these technologies to collect and store information when you interact with services from our partners, such as advertising services. Our third-party advertising and analytics partners include Google, Facebook and similar partners.

The technologies we use for this automatic data collection may include:

• Cookies
• Pixels
• Clickstream Data

You can learn more about how we use Cookies in our Cookie Policy.

We may receive Personal Information about you from other sources to help us correct or supplement our records, improve the quality of our services to you, and prevent or detect fraud. Such sources may include third party marketers. We may use this information consistent with this Privacy Policy.

We receive information that you permit the applicable social media service to share with us in accordance with their privacy settings. We are not responsible or liable for the privacy practices or content of the social media service.

We collect and maintain Personal Information only for legitimate business interests, upon disclosure or with your informed consent, as otherwise required by law or for the performance of a contract with you. Any of this data can be removed at your request, unless we have a legitimate business need to retain this data or retention is required by law.

We use your Personal Information in ways that are compatible with the purposes for which it was collected or authorized by you, including for the following purposes:

• To present, operate or improve a Site, including analysis of Site activity and testing.
• To inform you about our services.
• To communicate with you, including responding to inquiries from you.
• To validate your identity or verify communications from you;
• To offer, administer and communicate about your participation in programs, events, updates, surveys and to deliver pertinent emails.
• To customize or tailor your experience of the Site;
• To manage, store and enhance your data and preferences and to customize or tailor your experience of our Sites and services offered
• To communicate about, and administer your participation in, special programs, surveys and to deliver pertinent emails;
• To send you confirmations, updates, security alerts, and support and administrative messages;
• For marketing purposes, including but not limited to, facilitating interest-based advertising, creating client profiles, creating custom audiences to target online, personalizing email marketing that we send to you, sending you other marketing materials, and notifying you about events or opportunities that may be of interest to you.
• To improve our client service, conduct client satisfaction, market research, and quality reviews.
• To use statistical information that we collect in any way permitted by law, including from third parties in connection with their commercial marketing efforts.
• To process applications for employment that you submit through links on a Site.
• For deciding whether you are a suitable candidate for an offered role.
• To administer general recordkeeping.
• To comply with all applicable legal requirements.
• To manage our contractual relationship with you.
• To investigate possible fraud or other violations of and to enforce the terms of our Terms of Use or this Privacy Policy.
• For our and third parties’ legitimate interests, such as client relationship management.
• To conduct internal business operations, including to provide, maintain or expand our services, perform business analyses, to support, improve or enhance our business.
• To otherwise fulfill the purpose for which the information was provided and for any other purpose that is disclosed to you at the point of collection of the Personal Information, for any purpose for which you provide your prior consent, or for any other lawful purpose.

If you choose to give us your telephone number and/or e-mail address, we may, from time to time, communicate with you through those means. This communication, depending on location, may include sending you automated email messages regarding our services. See Right To Opt Out for ways to unsubscribe from such communications.

a. How We Share Your Information

Personal Information collected as described above is treated as strictly confidential. Other than the activities of third-party vendors described immediately below, we do not actively sell, rent, or otherwise share your Personal Information with third parties for that third party’s benefit or direct marketing purposes.

We engage a third-party service provider that is seated in the United States that provides a job application and a recruiting management platform for our job application process. We may engage other third-party service providers, including for marketing and analytic purposes and professional advisers to our marketing platform and client relationship management. We may allow third-party software, marketing, and advertising services to use cookies and similar technologies on a Site to collect and analyze information about use of the Site. This software may report on activities and trends, log advertisements clicked, and provide additional services related to website activity and internet usage for the purposes of market research and website design in accordance with user needs. Third party service providers may use such data for direct marketing purposes. Third-party service providers also may use the data for various authorized purposes, which may include:

• To enable our own marketing purposes, such as engaging a third-party partner to distribute newsletters, promotion notices, surveys, or other information about us.
• To help us better understand client behaviors, or any other aspects of Site usage so that we can better serve you.
• To understand aggregate patterns of usage of a Site and our services.
• To store Personal Information.
• To allow our third-party service providers to perform business functions and services on our behalf, such as administrating our Site, obtaining marketing data, perform billing, hosting and other business functions, and performing security and fraud prevention services.
• To provide data for the purposes of a reorganization, merger, sale, lease, joint venture, assignment, transfer, change of control, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
• To share some or all of your Personal Information with our affiliated companies, in which case we require our affiliates to honor this Privacy Policy.

We only provide these third parties with the minimum amount of Personal Information necessary to provide their services.

We may also access, preserve or disclose your Personal Information if required to do so by law or in a good faith belief that such access, preservation or disclosure is reasonably necessary to: (a) comply with legal process (including to meet national security or law enforcement requirements); (b) investigate, prevent, or take action on illegal activities, potential fraud or to enforce our Terms of Use, this Privacy Policy, or other contracts; (c) respond to claims that any content violates the rights of third parties; (d) respond to your requests for client service; and/or (e) protect the rights, property or personal safety of us, our agents and affiliates, our users and/or the public. We may also disclose information to law enforcement agencies in emergency circumstances, where the disclosure of such information is consistent with the types of emergency disclosures permitted or required by law.

We reserve the right to disclose and transfer all of your information, including your contact information, in connection with a proposed or actual merger, acquisition, transfer of control, or sale of all, or components, of our business, to the extent permitted by applicable law.

We attempt to notify you about legal demands for your Personal Information when appropriate in our judgment, unless prohibited by law or court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge every demand.

We are fully committed to protecting the Personal Information we collect, and you share with us, both online and offline. Specifically, we aim to prevent unauthorized access to your Personal Information, to maintain data accuracy, and to ensure the correct use of information. We take commercially reasonable and appropriate technical, organizational, and administrative precautions to prevent the loss, misuse, or alteration of your Personal Information. For example, all electronic information is stored on secured servers, and hard-copy Personal Information is stored in physically secured locations. To secure your data, we may take precautions such as physical access controls, password-protection, two-factor identification for remote access, encryption, firewalls, and anonymization or pseudonymization of data. Deletion of data includes shredding, physical destruction of media, and use of data wiping technology.

Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is not secure, please immediately notify us by contacting our customer care department as described in the “How to Contact Us” section below.

We retain your Personal Information for as long as required under applicable law. Periodically, we will evaluate the age of stored Personal Information and delete data that is older than is deemed necessary in accordance with applicable law. Our data retention periods are based on the requirements of applicable data protection laws and the purpose for which the Personal Information is collected and used, taking into account legal and regulatory requirements to retain the information for a minimum period, limitation periods for taking legal action in the different jurisdictions in which we are active, good practice and our business purposes.

You may have certain rights relating to your Personal Information, subject to local data protection law. Whenever you use our Sites and services, we aim to provide you with choices about how we use your Personal Information. We also aim to provide you with access to your Personal Information. If that information is wrong, we strive to give you ways to update it quickly or to delete it – unless we have to keep that information for legitimate business or legal purposes. Subject to applicable law, you may obtain a copy of Personal Information we maintain about you or you may update or correct inaccuracies in that information by contacting us. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to the information. In addition, if you believe that Personal Information we maintain about you is inaccurate, subject to applicable law, you may have the right to request that we correct or amend the information by contacting us as indicated in the “How to Contact Us” section below.

The rights that you may enforce as described in this section may vary depending on the jurisdiction in which you reside. Please review the Privacy Policy Supplement for European Union, United Kingdom, California and Hong Kong Residents for more information on your rights and how to exercise your rights. Certain information contained in our Legility Privacy Notice for California Residents, where indicated, applies solely to all visitors, users, and members identified as consumers under the California Consumer Privacy Act of 2018 (CCPA). We adopt this CCPA notice to make you aware of our obligations and your rights under the CCPA.

a. How To Submit A Request

You may submit a request to exercise your rights to know, access, or delete your Personal Information by contacting us as described in the “How to Contact Us” section or by following the instructions listed in the Privacy Policy Supplement for European Union, United Kingdom, California and Hong Kong Residents.

b. Right To Opt Out

By providing an email address on a Site, you agree that we may contact you in the event of a change in this Privacy Policy, to provide you with any service related notices, or to provide you with information about our events, invitations, or related educational information.

We generally define “opt-in” as any affirmative action by a User to submit or receive information, as the case may be. We generally define “Opt-Out” as an action by a User to unsubscribe from receiving information.

We currently provide the following opt-out opportunities:

1. At any time, you can follow a link provided in offers, newsletters or other email messages (except for e-commerce confirmation or service notice emails) received from us to unsubscribe from such communications and services.

2. At any time, you can contact us through privacy@legility.com or the address or telephone number provided in the “How To Contact Us” section below, to unsubscribe from communications and service and opt-out of our right per your consent under the terms of this Privacy Policy to share your Personal Information.

Notwithstanding anything else in this Privacy Policy, please note that we always reserve the right to contact you in the event of a change in this Privacy Policy, or to provide you with any service-related notices.

c. Right To Fair Treatment After Opting Out

You have the right to be free from discrimination based on your exercise of any of your rights under applicable law. We will not discriminate against you by providing a different level or quality of services, charging different prices, or imposing penalties.

Legility is a global company with its headquarters located in the United States. Sharing data across borders may be essential in the performance of the Client services which we provide, and as a result, your Personal Information may be collected, transferred to and stored by us and our affiliates outside your jurisdiction, including outside the European Economic Area (EEA), and in countries that are not subject to an adequacy decision by the European Commission and that may not provide for the same level of data protection as your jurisdiction.

We will, subject to applicable law, rely upon legally permitted data transfer mechanisms in order to transfer, process and store your Personal Information in a jurisdiction outside of your home jurisdiction. We ensure that the recipient of your Personal Information offers an adequate level of data protection and security. For instance, for transfers of Personal Information originating from the EU, we may rely on adequacy decisions of the European Commission where available, on the Standard Contractual Clauses and other data protection clauses, intra-company data protection agreements entered into among our affiliates, or derogations for specific situations as set forth in Articles 46 and 49 of the GDPR, such as your explicit consent to such transfer; to perform a contract with you; or to fulfill a compelling legitimate interest of the Company in a manner that does not outweigh your rights and freedoms.

Privacy Shield. Our US subsidiary Inventus Solutions, Inc. and its subsidiary Inventus, LLC (collectively, “Inventus US”) has voluntarily certified to the EU-U.S. Privacy Shield Framework regarding the collection, use, and retention of Personal Information transferred from the EEA and the United Kingdom to the United States.

The Inventus US certification may be found at: https://www.privacyshield.gov/list under the name Inventus Solutions, Inc. You can learn more about the Privacy Shield program at https://www.privacyshield.gov.

While Inventus US maintains its certification under the EU-U.S. Privacy Shield Framework, it is the policy of Legility and its affiliates Inventus US when processing and transferring Personal Information from the European Economic Area and the United Kingdom to rely on executing the European Commission’s Standard Contractual Clauses as a valid transfer mechanism.

Legility requires that its service providers that have access to Personal Data received from the EEA and United Kingdom provide the same level of protection as required by the Privacy Shield Principles and applicable law. We are responsible for ensuring that our service providers process the Personal Data in a manner consistent with our obligations under the Principles and applicable law. To that end, we ensure that those providers are subject to binding contractual obligations to only process the Personal Data in accordance with our written instructions and use measures to protect the security and confidentiality of the Personal Data along with additional requirements under applicable law. Legility confirms that these third parties maintain appropriate security and data handling measures prior to transferring such Personal Data to the relevant third party.

Accessing Your Data: European residents have certain legal rights to access certain personal information and to obtain its correction, amendment, or deletion. You may contact us at the contact information privacy@legility.com to request access, correction, amendment, or deletion. Because our personnel have a limited ability to identify and access an individual user’s personal information that our client has submitted to us, and because we process it on behalf of our clients, if you wish to request access, to limit use, limit disclosure, or request corrections, we may first refer you to the client who submitted your data, and we will support them as needed in responding to your request. Please note that the rights described in this paragraph are subject to important exceptions and restrictions, including under laws designed to protect the integrity of legal proceedings.

Privacy Shield Enforcement and Dispute Resolution: If you have any questions or concerns, please write to us at the address listed in the “How to Contact Us” section below. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the Privacy Shield Principles.

Inventus US has committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to the JAMS Privacy Shield Program. JAMS is an alternative dispute resolution provider located in the United States. Assistance from JAMS will be provided at no cost to you. If we are unable to resolve your complaints or disputes, you may contact JAMS, an alternative resolution provider, and they will investigate and assist you, free of charge, in resolving your complaint. Please refer to the JAMS website at https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint.

As further explained in the Privacy Shield Principles, if your complaint is not resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Inventus US is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Protecting Your Personal Information as an EU Resident

EU residents have certain legal rights to access certain personal information and to obtain its correction, amendment, or deletion which we detail in our Legility Privacy Supplement for European Union, United Kingdom, California and Hong Kong Residents attached to this policy. You may contact us as described in the “How to Contact Us” section below to request access, correction, amendment, or deletion. Because our personnel have a limited ability to identify and access an individual user’s personal information that our client has submitted to us, and because we process it on behalf of our clients, if you wish to request access, to limit use, limit disclosure, or request corrections, we may first refer you to the client who submitted your data, and we will support them as needed in responding to your request. Please note that the rights described in this paragraph are subject to important exceptions and restrictions, including under laws designed to protect the integrity of legal proceedings.

In compliance with the EU-US Privacy Shield Principles, Inventus Solutions, Inc. commits to resolve complaints about your privacy and our collection or use of your personal information. If you have any concerns or complaints, please contact our customer care department as described in the “How to Contact Us” section below, and we will work with you to resolve your issue.

At times, our Site may contain links to other, third-party websites. Our Privacy Policy applies only to the Site. If you click a link to another website, you should read their privacy policy to learn more about each website’s privacy practices before providing any Personal Information.

Our website is not intended for children under 16 years of age. We do not intentionally gather Personal Information about Users who are under the age of 16. If a child has provided us with Personal Information, a parent or guardian of that child may contact us to have the information deleted from our records. If you believe that we might have any information from a child under age 16 in the applicable jurisdiction, please contact us at privacy@legility.com. If we learn that we have inadvertently collected the Personal Information of a child under 16, or equivalent minimum age depending on jurisdiction, we will take steps to delete the information as soon as possible.

We may change this Privacy Policy from time to time based on our need to accurately reflect our data collection and disclosure practices. All changes to this Privacy Policy are effective when posted. Your continued use of the Sites following the posting of changes to this Privacy Policy on our website will mean you accept these changes.

In the event of any material changes to our collection, use, retention, or disclosure of Personal Information, we will notify users of our site of the change and obtain their consent to the updated Privacy Policy.

We do not track our users over time and across third party websites to provide targeted advertising and therefore do not respond to Do Not Track (DNT) signals. However, some third-party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. If you are visiting such sites, your browser may include controls to block and delete cookies, web beacons and similar technologies, to allow you to opt out of data collection through those technologies.

California residents are entitled to contact us to request information about whether we have disclosed Personal Information to third parties for the third parties’ direct marketing purposes. Under the California “Shine the Light” law, California residents may opt-out of our disclosure of Personal Information to third parties for their direct marketing purposes. You may choose to opt-out of the sharing of your Personal Information with third parties for marketing purposes. To make such a request you should send (a) an email to privacy@legility.com with the subject heading “California Privacy Rights,” or (b) a letter addressed to Legility, LLC, Attn: California Privacy Rights Request, 216 Centerview Drive, Brentwood, TN 37027. In your request, please attest to the fact that you are a California resident and provide a current California address for our response. Please be aware that not all information sharing is covered by the California privacy rights requirements and only information on covered sharing will be included in our response. We reserve our right not to respond to requests submitted to addresses other than the addresses specified in this paragraph.

Legility clients, such as law firms and legal in-house departments of enterprises (“Legility Clients”), engage us to deliver services to them, their employees, clients and other users. We may collect Personal Information our clients submit to us or instruct us to process on their behalf in connection with our services (“Client Data”).

Such Client Data and the processing thereof is governed by the Legility service agreements between Legility and the applicable Legility Client.

We process any and all Client Data only to provide our services pursuant to our agreements with the relevant Legility Client, including to prevent or address service or technical problems, to respond to client support matters, to follow the instructions of our client who submitted the data, and to fulfill other contractual requirements with our Legility Clients.

Client Data collected and processed in connection with our services is the confidential and proprietary information of our Legility Clients, subject to the terms of the Legility service agreement between Legility and the Client. We do not share Client Data with third parties unless directed to do so by our Client, as may be necessary to provide services to the Client, to our advisors, affiliates, representatives, agents, service providers, in connection with a business transaction (such as a merger or sale), as allowed under the terms of our agreement with our Client, or in response to a court order, subpoena, warrant or to comply with a legal requirement or to cooperate with an investigation. When Legility shares Client Data with third parties to process that data in connection with our services to our Clients, we ensure the third parties process the Client Data in a manner consistent with our obligations under our service agreement and under applicable law. To that end, we ensure that those providers are subject to binding contractual obligations to only process the Client Data in accordance with our and the Client’s written instructions and use measures to protect the security and confidentiality of the Client Data along with additional requirements under applicable law and pursuant to our service agreement. We may disclose Client Data for the aforementioned reasons, or in order to protect our rights or the rights of our affiliates, Legility Clients, or service providers.

We will retain Client Information we process on behalf of our Legility Clients for as long as needed to provide services to our Client, or for the period of time requested by a particular Client and in accordance with our data retention obligations under Client agreements.

We always welcome feedback regarding our Site and this Privacy Policy. If you have any questions or comments about this Privacy Policy or our use of your Personal Information, please contact us at the contact information listed below.

You can contact us by any indicated method: mail, telephone, or email. We will respond to you as expeditiously as possible, subject to business operational considerations.

EUROPEAN UNION AND UNITED KINGDOM RESIDENTS

Legal Basis on Which We Process Your Personal Information

We process your Personal Information for the purposes described in this Privacy Policy on our Site on the following legal bases under Article 6 of the GDPR:

• Performance of a contract with you, including measures necessary to enter into or terminate the contract.
• Compliance with a legal obligation to which we are subject.
• Where you have provided your prior, explicit consent.
• For our or third-party’s legitimate interests, such as cost efficiency, direct marketing or internal administrative purposes, unless such interests are overridden by your interests or fundamental rights and freedoms.

Provided that, in each circumstance, we will weigh the necessity of our processing for the purpose against your privacy and confidentiality interests, including taking into account your reasonable expectations, the impact of processing, and any safeguards which are or could be put in place. In all circumstances, we will limit such processing for our legitimate business interest to what is necessary for its purposes.

Rights and Choices for European Economic Area Residents

The European Union’s (“EU”) General Data Protection Regulation (“GDPR”), and corresponding legislation in the United Kingdom and Switzerland, provide EU, Switzerland and United Kingdom residents with certain rights in connection with Personal Information you have shared with us. If you are resident in the European Economic Area, you may have the following rights:

1. The right to access: Individuals can submit subject access requests, which oblige Legility to provide a copy of any Personal Information concerning the individual. We have 30 days to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive.

2. The right to rectification: If the individual discovers that the information we hold on them is inaccurate or incomplete, they can request that it be updated. As with the right to access, we have 30 days to do this, and the same exceptions apply.

3. The right to erasure (also known as ‘the right to be forgotten’): Individuals can request that we erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.

4. The right to restrict processing: Individuals can request that we limit the way we use Personal Information. It’s an alternative to requesting the erasure of data, and might be used when the individual contests the accuracy of their Personal Information or when the individual no longer needs the information but we require it to establish, exercise or defend a legal claim.

5. The right to data portability: Individuals are permitted to obtain and reuse their Personal Information for their own purposes across different Services. This right only applies to Personal Information that an individual has provided to data controllers by way of a contract or consent.

6. The right to object: Individuals can object to the processing of Personal Information that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority. We must stop processing information unless they can demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the individual or if the processing is for the establishment or exercise of defense of legal claims.

7. Rights related to automated decision-making including profiling: The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses Personal Information to make calculated assumptions about individuals. There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.

8. Right to withdraw your consent: If the processing of your Personal Information is based on your consent, you have the right to withdraw your consent at any time for the future without giving reason. The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

9. Right to lodge a complaint with a data protection supervisory authority at any time.

You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

To exercise your rights, please submit your request to privacy@legility.com or by using the contact information provided below and we will consider your request in accordance with applicable law. For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. If we no longer need to process Personal Information about you in order to provide our Services or our Site, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.

In some cases our ability to uphold these rights for you may depend upon our obligations to process Personal Information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the Services you have requested. Where this is the case, we will inform you of specific details in response to your request.

We endeavor to respond to a verifiable consumer request within 30 days of its receipt consistent with applicable law.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Calfornia Residents – CCPA

Information Collected Related to California Residents

During the last twelve (12) months, we have collected the following categories of Personal Information from consumers:

We obtain the categories of Personal Information listed above from the categories of sources listed in Section VI, “How We Use The Personal Information We Collect and Purposes of Our Use”, of our Privacy Policy.

Legility will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Information We Share

In the preceding twelve (12) months, we have disclosed the following categories of Personal Information for one or more business purposes:

• Identifiers;
• California Customer Records Personal Information categories;
• Internet or other network activity information;
• Commercial information;
• Internet or other similar network activity;
• Employment; and
• Geolocation Data.

We obtain the categories of Personal Information listed above from the categories of sources listed in Section VI, a. “How We Share Your Information”, of our Privacy Policy.

We Do Not Sell Personal Information As Such Activity Would Be Defined Under CCPA

In the preceding twelve (12) months, we have not sold Personal Information.

Your Rights and Choices Under CCPA

The CCPA provides California residents with specific rights regarding their Personal Information. This section describes those rights and explains how Californians may exercise those rights.

1. Right to Access Your Data. You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Any disclosures we provide will only cover the 12-month period preceding the receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

2. Right to Data Portability. You have the right to a “portable” copy of your Personal Information that you have submitted to us. Generally, this means you have a right to request that we move, copy or transmit your Personal Information stored on our servers or information technology environment to another service provider’s servers or information technology environment.

3. Right to Delete Your Data. You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

4. Right to Non-Discrimination for the Exercise of Your Privacy Rights. You have the right not to receive discriminatory treatment by us for exercising your privacy rights conferred by the California Consumer Privacy Act.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

1. Complete the transaction for which we collected the Personal Information, provide a service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.

2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

3. Debug products to identify and repair errors that impair existing intended functionality.

4. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).

5. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement if you previously provided informed consent.

6. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

7. Comply with a legal obligation and any instructions from courts of lawful jurisdiction.

8. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising CCPA Rights

This section explains how California residents can exercise their rights. To exercise your rights under the CCPA to access, data portability, and data deletion as described above, please submit a verifiable consumer request to us by either:

• Calling us at 1-888-LEGILITY (1-888-534-4548)
• Emailing us at privacy@legility.com
• Sending written correspondence to us at the United States mailing address listed under “How To Contact Us”.

Only you, or a person that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

Making a verifiable consumer request does not require you to create an account with us.

We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Our Response to Your Request

Upon receiving your request, we will confirm receipt of your request by sending you an email confirming receipt. To help protect your privacy and maintain security, we may take steps to verify your identity before granting you access to the information. In some instances, such as a request to delete Personal Information, we may first separately confirm that you would like for us to in fact delete your Personal Information before acting on your request.

We will respond to your request within forty-five (45) days. If we require more time, we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

In some cases our ability to uphold these rights for you may depend upon our obligations to process Personal Information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, listed below, or because processing is necessary to deliver the Services you have requested. Where this is the case, we will inform you of specific details in response to your request.

HONG KONG RESIDENTS

Legility is required to comply with the Hong Kong law in respect of its operations there. Legility seeks to comply with the requirements of Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”).

Legility’s Privacy Policy shall apply to its operations in Hong Kong, and this section should be read along with the Privacy Policy, including Section VI, “How We Use the Personal Information We Collect and Purposes of Our Use.”

Use of Personal Data for Direct Marketing in Hong Kong

As in other jurisdictions, Legility intends to use Personal Data collected from Hong Kong residents to send them marketing communications offering or advertising the availability of our Services (“Direct Marketing”). Under the PDPO, we may not use such Personal Data for Direct Marketing unless we have received consent from these individuals for that intended use.

1. Types of Personal Data

We may use your name, email address, mailing address and phone number and information about your preferences for Direct Marketing. These preferences may relate to both the business lines which you prefer for receiving Direct Marketing from us and the types of Services in which you are interested.

2. Classes of Marketing Subjects

Your Personal Data may be used for Direct Marketing in relation to the following:

• News and information, including Legility publications;
• Professional development offerings and opportunities;
• Job opportunities;
• Services offered by Legility

3. Communication of Your Consent

You may communicate your consent to our use of your Personal Data for Direct Marketing when:

• Providing us with your Personal Data through our website, clicking on the button indicating your consent;
• Providing us with your Personal Data through a form, signing the form to indicate your consent;
• Following the instructions in the document on which you are providing your Personal Data to us.

If you do not agree to the use of your Personal Data for Direct Marketing, you may opt-out from receiving marketing communications from us at any time by following the opt-out instructions found in Section VIII(b) of Legility’s Privacy Policy.

Retention of Personal Data

All Personal Data that has been collected from you will only be kept for as long as required under applicable law. Our data retention periods are based on the requirements of applicable data protection laws and the purpose for which your Personal Data is to be used and for as long as required by applicable law.

Your Rights and Choices Under PDPO

The PDPO grants Hong Kong residents with specific rights regarding their Personal Data. This section describes PDPO rights and explains how to exercise those rights if they apply to you.

1. Right to Access Your Data. You have the right to request that we disclose certain information to you about our collection and use of your Personal Data. We have 40 days to produce this information. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

2. The right to rectification: If the individual discovers that the information we hold on them is inaccurate or incomplete, they can request that it be updated. As with the right to access, we have 40 days to do this, and the same exceptions apply.

Exercising PDPO Rights

To exercise your rights, please submit your request to privacy@legility.com or by using the contact information provided above and we will consider your request in accordance with applicable law. For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. If we no longer need to process Personal Data about you in order to provide our Services or our Site, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.

We endeavor to respond to a verifiable consumer request within forty (40) days of its receipt consistent with applicable law.

We may charge a reasonable administrative fee to process or respond to your verifiable consumer request. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.