Privacy Policy

Updated October 3, 2023

Privacy Notice
This “Privacy Notice” describes the practices of Posh, Inc., and the rights and choices available to individuals, regarding personal data. Personal data means any information that relates to an identifiable individual.

Posh may provide separate privacy notices that apply to specific products or services that we offer, in which case this Privacy Notice does not apply. We may alter this Privacy Notice as needed for certain products and services and based on changes in the local laws and regulatory frameworks. This Privacy Notice does not apply to Posh’s processing of the personal data of its personnel, such as employees and contractors.

1. The personal data we collect 

We may collect personal data directly from individuals and the parties with which we do business, including prospects. These may include parties that interact with us directly (such as individuals who visit our website or job applicants), parties to which we provide goods or services (such as clients, banks or financial institutions) (collectively, “clients”), parties that provide services to us (such as vendors) (collectively, “service providers”), end-users who will interact with our Services for the purpose of effectuating a support function by disclosing PII such as your username, password, email address or information, phone number, physical address, IP address or information, locations, transcripts of conversations with our AI rendering Services (collectively, “consumers”) and other parties with whom we offer or provide products and services (such as independent network organizations, system integrators) (collectively, “partners”).

We may collect information from these parties in a variety of contexts, such as when completing one of our online forms, making an application for one of our products or services, interacting with us on social media, or corresponding with us. The types of information we obtain in these contexts include: 

• Contact information of the business entity and its personnel who interact with us, such as name, job title, address, telephone number, and email address 

• Profile information, such as username that an individual may establish on our website, along with any other information that an individual enters into their account profile 

• Information about individuals’ affiliation with a legal entity, such as an individual’s role, and whether he or she is a beneficial owner or authorized signatory 

• Feedback and correspondence, such as information you provide when you request information from us, receive customer support, or otherwise correspond with us, including by interacting with our pages on social networking online sites or services 

• Information related to the use of Posh products or services, such as account information, spending thresholds, spending activity and patterns, and information about the information we process 

• Voice based biometric identifier and information necessary for authenticating the SaaS AI application customer

• Marketing information, such as your preferences for receiving marketing communications and details about how you engage with our marketing communications 

• Other information such as job applicant data used when reviewing candidates’ profiles for job openings, etc.

Information that we collect about individuals who do not interact with us directly 

We may receive personal data about individuals who do not interact with us directly. For example, our clients, service providers, and partners may provide us with information about individuals other than themselves when using our products or services. If you are providing us with the personal data of another individual, please ensure you have brought this Privacy Notice to their attention. In addition, due to the unique nature of our business, in many cases, we obtain personal data from other participants in a Chatbot message processing chain from its clients. The types of information we receive about third parties include:

• Information about the personnel of our clients, service providers, or partners, such as the business contact information that our clients, service providers, or partners provide to us in the context of our contractual relationships with them 

• Information about potential job candidates, such as when a recruiter contacts us about an individual who may become a candidate for a job at Posh 

Information about customers of our clients (referred to as “consumers”) that our clients send to us or allow us to collect in the context of the services that Posh performs, such as information related to financial transactions initiated by the customer, account registrations, and in some cases information needed to verify a customer’s identity and details of products or services purchased, and as otherwise stated in an applicable specific privacy notice for a Posh product or service. Where our technology is incorporated into a client’s mobile application or website, we also may automatically collect certain information of the types described in the section below titled “Information collected via automated means.”

Information collected via automated means 

When you access our Artificial Intelligence (“AI”) chatbots and related services (collectively the “Services”), we, our service providers, and our partners may automatically collect information about you, your computer or mobile device, and activity on our websites or mobile applications. Typically, this information includes your computer or mobile device operating system type and version number, manufacturer and model, device identifier, browser type, screen resolution, IP address, the website you visited before browsing to our website, general location information such as city, state or geographic area; and information about your use of and actions on or in our websites, such as pages or screens you accessed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access. Certain products or services that we provide or which clients may incorporate into their websites or mobile applications may automatically collect additional information, as may be further described in a separate privacy notice. For clients who have opted in to voice-based biometric authentication for their customers, we will also collect voice samples transparently and pass them via API to our third-party service provider. This information is used for improving the hit ratio and positively authenticating the customers when they attempt to sign in to the SaaS AI services.

Our service providers and business partners may collect this type of information over time and across third-party websites. This information is collected via various mechanisms, such as via cookies, pixels, tags, web beacons, embedded scripts, through our mobile applications, and similar technologies. This type of information may also be collected when you read our HTML-enabled emails. You can choose to disable cookies or to opt out of the use of your browsing behavior for purposes of targeted advertising. For opt out instructions, please review the “Targeted online advertising” portion of the “Your Choices” section of this Privacy Notice. 

Information we collect from private and publicly accessible sources 

We and our service providers may collect information about individuals that is publicly available, including by searching publicly accessible government lists of restricted or sanctioned persons (such as the Specially Designated Nationals And Blocked Persons List), public records databases (such as company registries and regulatory filings), and by searching media and the internet. We and/or our third-party verification providers may also collect information from private or commercially available sources, such as by requesting reports or information from credit reference and fraud prevention agencies, to the extent permitted under applicable law.

We may also maintain pages for our company and our products and services on a variety of third-party platforms, such as LinkedIn, Facebook, Twitter, YouTube, Instagram, and other social networking services. When you interact with our pages on those third-party platforms, the third-party’s privacy policy will govern your interactions on the relevant platform. If the third-party platform provides us with information about our pages on those platforms or your interactions with them (e.g. for lead generation purposes), we will treat that information in accordance with this Privacy Notice. 

Sensitive personal data 

In the case of specific clients who opt in to perform voice-based authentication for their customers, Posh integrates with third-party service providers to collect and use voice-based biometric information.

In the context of processing employment applications, we may also request sensitive information, such as racial or ethnic origin or information about disability, where required or permitted by law of the jurisdiction in which you are applying for employment. 

Outside of these contexts or otherwise as we specifically request, we ask that you not provide us with any sensitive personal data (meaning information revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic, health, or biometric information, information about sex life or sexual orientation, or criminal convictions or offenses) and in the event provided, you are solely responsible for any sensitive information provided through our Artificial Intelligence (“AI”) chatbots, our website or otherwise to us.

2. How we use your personal data 

We use your personal data for the purposes of: 

Providing our products and services, which includes: 

• Operating, evaluating, maintaining, improving, and providing the features and functionality of our products and services 

• Authenticating customers of the SaaS AI platform using voice-based biometric information

• Fulfilling a banking transaction initiated by you (either with us or our client) 

• Managing our relationship with you or your company 

• Carrying out our obligations, and exercising our rights, under our agreement with you or your company

• Communicating with you regarding your account with us, if you have one, including by sending you service-related emails or messages (e.g., messages regarding account verification, changes or updates to the functionality of our products or services, technical and security notices and alerts, and support and administrative messages)

• Personalizing the manner in which we provide our products and services

• Checking for fraud or money laundering and/or managing either our or our clients’ risk

• Administering and protecting our business

• Providing support and maintenance for our products and services, including responding to your service-related requests, questions, and feedback 

• We do not knowingly sell any Personal information which we collect 

For research and development 

We use the information we collect for our own research and development purposes, which include: 

• Developing or improving our products and services

• Developing and creating analytics and related reporting, such as regarding Artificial Intelligence and Machine learning

Marketing 

We may use your personal data to form a view on what products or services we think you may want or need, or what may be of interest to you. We may contact you with marketing communications using the personal data you have provided to us if you have actively expressed your interest in making a purchase or have made a purchase from us and, in any case, you have not opted out of receiving that marketing, to the extent permitted by applicable law. Where required by law, we will get your express opt-in consent before we disclose your personal data to any company outside of Posh for marketing purposes.

Managing our recruiting and processing employment applications 

We process personal data, such as information submitted to us in a job application, to facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics. 

Complying with law and regulations 

We use your personal data as we believe necessary or appropriate to comply with applicable laws and regulations, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities. 

Compliance, fraud prevention and safety 

We use your personal data as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our products and services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity. 

For any other purposes with your consent 

In some jurisdictions, applicable law may require us to request your consent to use your personal data in certain contexts, such as when we use certain cookies or similar technologies or would like to send you certain marketing messages. If we request your consent to use your personal data, you have the right to withdraw your consent any time in the manner indicated when we requested the consent or by contacting us. If you have consented to receive marketing communications from our third party partners, you may withdraw your consent by contacting those partners directly. 

We will require consent and opt-in from the customers of our clients before requesting any voice-based biometric identifier and information.

To create anonymous data 

We may create anonymous, de-identified, or aggregate data from your personal data and other individuals whose personal data we collect. We make personal data into anonymous, de-identified, or aggregate data by excluding information that makes the data personally identifiable to you, and use that anonymous data for our lawful business purposes. We may disclose aggregated information and information that does not identify any individual, without restriction. 

3. How we disclose your personal data 

Service providers 

We may employ third-party companies and individuals to administer and provide services on our behalf (such as companies that provide customer support, companies that we engage to host, manage, maintain, and develop our website, SaaS AI applications, and IT systems). Please reference our “Data Protection Addendum” (DPA) for the list of the third-party service providers used and relevant to the delivery of the SaaS AI applications.

Our clients 

When we perform services for our clients, we may disclose personal data to those entities. For example, we may collect information about a client’s customers from or on behalf of the client, such as when we process the messages posted via the Chatbot, and we may provide personal data about those customers back to the client. We are not responsible for the privacy practices of our clients.

Compliance with Laws and Law Enforcement; Protection and Safety 

Posh may disclose information about you to government or law enforcement officials (including tax authorities) or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our products and services; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity. 

To Other Parties with Your Permission or to Fulfill a Contract They Have With You 

Posh may transfer your personal data to any third party who is not otherwise covered by the other listed categories above where you have given us permission to do so, or with whom you have entered into a contract when we need to transfer your personal data to that party in order to fulfill that contract. 

Marketing communications 

You can ask us to stop sending you marketing messages at any time by clicking on the opt-out link included in each marketing message. You may continue to receive service-related and other non-marketing messages. 

Targeted online advertising 

Some of the business partners that collect information about users’ activities on our websites may be members of organizations or programs that provide choices to individuals regarding the use of their browsing behavior or mobile application usage for purposes of targeted advertising. 

Do Not Track Signals

Some Internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. We currently do not respond to do not track signals. To find out more about "Do Not Track," please visit http://www.allaboutdnt.com.

Accessing, modifying or deleting your information 

In some jurisdictions, applicable law may provide a right for individuals to access their personal data, correct inaccurate personal data, or delete their personal data in some circumstances. You may contact us directly at privacy@posh.tech to request access to, or modify or delete your information in accordance with the law in your jurisdiction. We may not be able to provide access to, modify, or delete your information in all circumstances. Please view the Data Protection Addendum of this Privacy Notice for additional information on how you may exercise these rights if you live in these jurisdictions.

Complaints 

If you have a complaint about our handling of your personal data, you may contact our data protection officer at privacy@posh.tech. We request that a complaint be made in writing. Please provide details about your concern or complaint so that our data protection officer can investigate it. We will take appropriate action in response to your complaint, which may include conducting internal discussions with relevant business representatives. We may contact you for additional details or clarification about your concern or complaint. We will contact you to inform you of our response to your complaint. You also may have a right to file a complaint with a national or local regulatory agency. 

4. How we keep your data safe 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We ensure privacy data is encrypted at rest and also in transit with commercially reasonable industry standard encryption algorithms. You also acknowledge and agree that the transmission of information via the Internet is not completely secure. Although we have implemented commercially reasonable measures to protect your personal data, we cannot guarantee the security of such information. Any transmission of personal data is at your own risk. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

5. This Website May Link to Other Websites

Posh may also link to third-party websites, mobile applications, and other content. We are not responsible for the privacy practices of any third party, and this privacy notice does not apply to such third party’s websites, mobile applications, or other content. We do not guarantee, approve, or endorse any information, material, services, or products contained on or available through any linked third-party website, mobile application, or other content. We are not responsible for any content on third-party properties to which we link. We provide links to third-party properties or content as a convenience, and visiting or using linked third-party properties or content is at your own risk. 

You acknowledge and agree that we do not control these service provider and business partner tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible service provider and business partner directly. For further information related to your right to privacy, please review our Data Processing Addendum.

Data Processing Addendum

October 3, 2023

The following Data Processing Addendum (the “Addendum”) sets out the summary of data processing responsibilities between Posh Technologies (Processor or Posh), Cloud Hosting Services Provider (Subprocessor) and “you” (Data Controller).

PROCESSING OF PERSONAL DATA 

Roles of the Processor, Sub-Processor and Data Controller.  

Posh will be acting on behalf of the Data Controller to process categories of personal data categorized below (collectively, Personal Data) that are submitted by Data Controller end users (including members) (collectively, “Data Subjects”) through the Posh Conversational AI chatbots or Posh Content Management System pursuant to the requirements set forth in this Addendum. The Cloud Hosting Provider will be referred to as the Sub-Processor in this Addendum.

Data Controller - Processing of Personal Data. 

The Data Controller, in the use of Services, as defined in this Addendum, is responsible for defining the processing of Personal Data applicable in the use of the Service. The Data Controller is solely responsible for ensuring the accuracy, integrity and applicability of the Personal Data submitted as part of the Services and solely responsible for the legality by which means the Data Controller acquired Data Subject data. The Data Controller agrees that as part of using the Services, the Data Controller will not violate the rights of a Data Subject and, further, the Data Controller will allow the Data Subject to exercise their rights under applicable federal, state, and local data protection laws, rules, and regulations. Personal Data does not include: (i) de-identified or aggregated consumer information or (ii) personal information covered by the Gramm-Leach-Bliley Act.

Revision History

15th April 2022 - Initial Notice Creation
1st December 2022 - Notice Revision Updates
1st August 2023 - Sub-processor added
3rd October 2023 - Updates to sensitive personal data

Notification Date

3rd October 2023

Data Privacy Requirement

Posh Technologies Data Processing Addendum

Data Privacy Legislation concerning the processing of personal data and protection of privacy in electronic communication

Not limited to:
California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”),

European Commission, European Data Protection Board and applicable national supervisory authorities including without limitation the UK Data Protection Act 2018, UK GDPR, GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002

Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
Swiss Data Protection Act 2020

Systems

Software-as-a-Service platform providing Artificial Intelligence conversational agents through a B2B service.

Duration of Processing

As per the request of the data controller in line with the terms of service

Purpose and Legal Basis For Processing

In accordance with GDPR Art.6, the lawful processor of data is done to meet the contractual terms of service. A Data Processing Impact Assessment (DPIA) to ensure personal identifiable information is not collected.

Nature of Processing

Data defined by the Data Controller to optimize the service of the platform. Data Subject information, if inadvertently processed through our platform, is deleted through technological measures in a manner to where the data is irrecoverable. Data Subject information as defined in the personal data categories above is not persisted in Posh Systems.

Right to Process

The Processor retains the right to process Personal Data submitted by the Data Controller as part of the services. The duration of processing will exist for the term of the Services provided. The Personal Data Categories submitted as part of the Service will solely be determined by the Data Controller.

Rights of a Data Subject

The Processor will respond to requests from the Data Controller as it relates to the right of a Data Subject. Data Controller will be solely responsible for (i) providing Data Subjects with contact information on how to submit a request to exercise their rights under the CCPA, (ii) verifying the identity of any Data Subject, and (iii) obtaining all necessary information from the Data Subject, in sufficient detail, to allow Processor to properly understand, evaluate, and respond to any request made by the Data Subject. All requests from a Data Subject will be referred to the Data Controller as it relates to:

The right of access
The right to rectification
The right to delete*
The right to restrict processing
The right to data portability
The right to object
The right not to be subject to a decision based solely on automated processing

*As applicable, Processor may deny a deletion request if, in Processor’s sole discretion, retaining the information is necessary for Processor or a Sub-Processor(s) to:

Provide a good or service that Data Controller requested, take actions reasonably anticipated within the context of the ongoing business relationship between Processor and Data Controller, fulfill the terms of a written warranty in accordance with federal law, or otherwise for Processor to perform its contractual obligations with Data Controller.

Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

Debug Services to identify and repair errors that impair existing intended functionality.

Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).

Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if Data Controller previously provided informed consent.

Enable solely internal uses that are reasonably aligned with consumer expectations based on the relationship between Processor and Data Controller.

Comply with a legal obligation.

Make other internal and lawful uses of that information that are compatible with the context in which the Data Controller provided it.

Applicable Data Controller requests can be sent to: privacy@posh.tech

Personal Data Categories

Data Subject First Name
Data Subject Middle Name
Data Subject Last Name
Data Subject Email Address
Data Subject Geolocation Information (Cookies, IP, address, etc.)
Data Subject Non-Identifying Information (e.g. Redacted Data Subject Number)
Data Subject Phone Number
Data Subject voice based biometric information

For any Personal Data categories not described above, the Data Controller acknowledges and agrees that it will be solely responsible for ensuring all other sensitive, personal data categories will not be submitted or used by Data Subjects during the transmission of data to Posh. The Data Controller is solely responsible for informing their Data Subjects of their privacy rights. Posh will only collect voice-based biometric information to perform voice-based authentication to the Services, as defined in this Addendum.


Other Data Categories






Special Categories of Personal Data


Duties of the Processor

The data controller acknowledges they will be responsible for ensuring sensitive data categories will not be used by data subjects during the transmission of data. The data controller is responsible for informing their members/end-users of their privacy rights. Posh Technologies may collect other data attributes if advised by the data controller.


Data Subject Account Number (only via authenticated mechanisms will this data be processed).


Use of Sub-Processors

The Data Controller acknowledges and agrees that the following sub-processors will be used in the course of the Services provided.

Current list of authorized Sub-Processors:
• Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043
• Salesforce, Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105
• Twilio, 375 Beale Street, Suite 300, San Francisco, CA 94105
• OpenAI, 3180 18th St, San Francisco, CA 94110
• Illuma Labs Inc., 7700 Windrose Ave. Ste G300, Plano, TX 75024

Right to object: The Data Controller can object within 30 days upon notification of the use of Sub-Processors or a change of a Sub-Processor in course of the duration of the Services.

Security of Processing

In processing Personal Data, the Processor and Sub-Processor will utilize the following industry accepted security standards to safeguard such data:
Encrypt Personal Data processed and (if applicable) stored.
Use industry accepted security standards to ensure the confidentiality and integrity of Personal Data
Provide periodic testing and auditing of system and technological measures to evaluate the effectiveness of the Processor’s internal controls

Processor and Sub-Processor Security Measures

Measures taken by Posh Technologies Inc. and our cloud service providers to maintain the confidentiality of data. (Article 32(1)(b) GDPR).
Posh Technologies uses technical measures to delete data subject information once transmitted to Posh Systems. The following controls (albeit not all controls) may apply in some manner during the processing of information.

Access control to premises and facilities

Measures must be taken to prevent unauthorized physical access to premises and facilities holding End User Personal Data:
• Access control system
• ID reader, magnetic card, chip card
• (Issue of) keys
• Door locking (electric door openers etc.)
• Surveillance facilities
• Alarm system, video/CCTV monitor
• Logging of facility exits/entries

Access to Control Data

• Differentiated access rights
• Access rights defined according to duties
• Automated log of user access via IT systems
• Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment
- Data Obfuscation and/or Data Deletion
- Access Reviews

Integrity

(Article 32(1)(b) GDPR)
• Compulsory use of encrypted private networks for all data transfers
• Creating an audit trail of all data transfers
- File Integrity Monitoring

Disclosure Control

• Compulsory use of encrypted private networks for all data transfers
• Creating an audit trail of all data transfers

Input Control

• Logging user activities on IT systems
• That it is possible to verify and establish to which bodies End User Personal Data have been or may be transmitted or made available using data communication equipment.
• That it is possible to verify and establish which End User Personal Data have been input into automated data-processing systems and when and by whom the data have been inputted for processing (data controller party).

Job Control

• Unambiguous wording of contractual instructions
• Monitoring of contract performance

Segregation Control

·      Restriction of access to data stored for different purposes according to staff duties
·      Segregation of business IT systems
·      Segregation of IT testing and production environments
-      Role-based access control / least privilege access

Availability Control

·   Installed systems may, in the case of interruption, be restored
·   Systems are functioning, and that faults are reported
·   Data is processed while incorporating security measures to mitigate corruption
·   Uninterruptible power supply (UPS)
·   Business Continuity procedures
·   Remote storage
·   Antivirus/firewall systems

Data Subject Rights

Right to Access Personal Data

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Right to Rectification.

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Right to Erasure

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Right to Restrict Data Processing

The Data Controller is responsible for addressing and exercising the data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech. Once the requested personal data of the data subject is deleted or obfuscated, Posh Technologies will inform the Data Controller.

Right to be Notified

The Data Controller is responsible for addressing and exercising data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech

Right to Data Portability

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Right to Object

The Data Controller is responsible for addressing and exercising data subject’s rights and informing Posh Technologies LLC within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech

Right to Reject Automated Individual Decision-Making

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Additional Data Processing Obligations

Right To Audit

Posh performs annual independent audits to test the effectiveness of its security, privacy and availability controls. Upon the Data Controller’s reasonable request and upon Posh’s prior consent, not to exceed once annually, Posh agrees to share such audit reports. In the event this action is requested, the Data Controller can contact the Posh Data Privacy team: privacy@posh.tech.

Data Protection Officer

Please contact our Data Protection Officer at privacy@posh.tech

Compliance with Data Protection Legislation

Each party will comply with their applicable obligations under the Data Protection Legislation as it relates to the processing of personal data or data owned by the controller. All parties will include compliance with Data Protection Legislation, for example but not limited to, Article 31 of GDPR.

Data Transfer

Processors shall not transfer data outside of the United States without the prior written consent of the Data Controller.

Data Breach Notification

In the event of discovery of a security related data breach directly affecting the Personal Data of a Data Subject or confidential information of the Data Controller, the Posh Legal Team will inform the impacted Data Controller(s) within 72 hours of discovery.

Data Controller Obligations

The Data Controller shall at all times recognize and use a legal basis for processing Personal Data through the Processor or Subprocessor systems. Data Controller is responsible for notifying the Processor in the event any data privacy rights are exercised by their end-users (or members).




Deleting Information

Once Posh receives a request from the Data Controller to delete Personal Data of a Data Subject, Posh periodically investigates whether its technological measures delete such Personal Data. In the event that Data Controller believes that any Personal Data continues to be stored by Posh, despite Posh data deletion measures, please contact the Posh data privacy team at privacy@posh.tech. Processor will confirm receipt of any request made by the Data Controller within ten (10) business days. If the Data Controller does not receive confirmation within the 10-day timeframe, please contact privacy@posh.tech.

Processor endeavors to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If the Processor requires more time (up to another 45 days), the Processor will inform the Data Controller of the reason and extension period in writing. Any disclosures Processor provides will only cover the 12-month period preceding Processor’s receipt of Data Controller’s request. The response provided will also explain the reasons that Posh cannot comply with a request, if applicable. For data portability requests, the Processor will select a format to provide Personal Data that is readily usable and should allow the Data Controller to transmit the data from one entity to another entity without hindrance.

Processor does not charge a fee to process or respond to any Data Controller verifiable Data Subject request unless it is, in Processor’s sole discretion, excessive, repetitive, or manifestly unfounded. If the Processor determines that the request warrants a fee, the Processor will tell the Data Controller why the Processor made that decision and provide the Data Controller with a cost estimate before completing the request.

Non-Discrimination

Processor will not discriminate against any request from the Data Controller for its Data Subjects to exercise any CCPA rights. Unless permitted by the CCPA, Processor will not, as it pertains to the specific requesting Data Subject:
·   Deny the Data Controller any goods or Services.
·   Charge different prices or rates for goods or Services, including through granting discounts or other benefits, or imposing penalties.
·   Provide a different level or quality of goods or Services.
·   Suggest that Data Controllers may receive a different price or rate for goods or Services or a different level or quality of goods or Services.

Changes to this Addendum

Processor reserves the right to amend this Addendum at its discretion at any time. When Processor makes changes to this Addendum, Processor will post the updated Addendum at https://www.posh.ai/security-privacy-policy and update the Addendum's effective date.

Data Controller’s continued use of the Services following the posting of changes constitutes Data Controller’s acceptance of such changes.