Effective Date: May 23th, 2022
We collect, use, and/or otherwise process certain personal information about you. When we do so we are subject to various laws, including in the United States, European Union, United Kingdom, and Canada. The following chart summarizes how we may be referred to concerning our personal information practices under various privacy laws:
|The General Data Protection Regulation (EU) 2016/679||“GDPR”||“Controller”|
|California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100)||“CCPA”||“Business”|
|Virginia Consumer Data Protection Act (Va.Code § 59.1-575)||“VCDPA”||“Controller”|
|Colorado Privacy Act (Colo. Rev. Stat. § 6-1-1301)||“CPA”||“Controller”|
|Nevada Security and Privacy of Personal Information (NRS § 603A.010)||“Nevada Privacy Law”||“Operator”|
|Personal Information Protection and Electronic Documents Act (Canada) (S.C. 2000, c. 5)||“PIPEDA”||“Organization”|
|Utah Consumer Privacy Act (S.B. 227)||“UCPA”||“Controller”|
|We, us, our||High Road Holdings, LLC (dba EBTH)|
|Personal information||Any information that identifies, relates to,
describes, is linked or could be reasonably
linked, directly or indirectly, to an identified
or identifiable natural person or household.
|Sensitive data||A category of personal information that
includes Social security number, driver’s
license number, state identification card, or
passport number; account log-ins, financial
accounts, debit or credit card numbers in
combination with a security or access code,
password, or other credentials; precise geo-
location; racial or ethnic origin, religious or
philosophical beliefs, or union membership;
contents of mail, email or text messages;
genetic or biometric data; mental or physical
health diagnosis, sexual orientation; or
personal data from a known child.
|A. Identifiers.||A real name, alias, postal address, unique personal
identifier, online identifier Internet Protocol address,
email address, account name, social security number,
driver’s license number, passport number, or other
|B. Personal information
categories listed in the
California Customer Records
statute (Cal. Civ. Code §
|A name, signature, tax identification, physical
characteristics or description, address, telephone
number, passport number, driver’s license or state
identification card number, insurance policy number,
education, employment, employment history, bank
account number, credit card number, debit card number,
or any other financial information, medical information,
or health insurance information. Some personal
information included in this category may overlap with
|C. Protected classification
California or federal law.
|Age (40 years or older), race, color, ancestry, national
origin, citizenship, religion or creed, marital status,
medical condition, physical or mental disability, sex
(including gender, gender identity, gender expression,
pregnancy or childbirth and related medical
conditions), sexual orientation, veteran or military
status, genetic information (including familial genetic
|D. Commercial information.||Records of personal property, products or services
purchased, obtained, or considered, or other purchasing
or consuming histories or tendencies.
|E. Biometric information.||Genetic, physiological, behavioral, and biological
characteristics or samples (such as breath, blood, or
urine), or activity patterns used to extract a template or
other identifier or identifying information, such as,
fingerprints, faceprints, and voiceprints, iris or retina
scans, keystroke, gait, or other physical patterns, and
sleep, health, or exercise data.
|F. Internet or other similar
|Browsing history, search history, information on a
consumer’s interaction with a website, application, or
|G. Geolocation data.||Physical location or movements.||YES|
|H. Sensory data.||Audio, electronic, visual, thermal, olfactory, or similar
|I. Professional or
|Current or past job history or performance evaluations.||NO|
|J. Non-public education
information (per the Family
Educational Rights and
Privacy Act (20 U.S.C.
Section 1232g, 34 C.F.R. Part
|Education records directly related to a student
maintained by an educational institution or party acting
on its behalf, such as grades, transcripts, class lists,
student schedules, student identification codes, student
financial information, or student disciplinary records.
|K. Inferences drawn from
other personal information.
|Profile reflecting a person’s preferences, characteristics,|
psychological trends, predispositions, behavior,
attitudes, intelligence, abilities, and aptitudes.
This personal information is required to provide products and/or services to you. If you do not provide personal information we ask for, it may delay or prevent us from providing provide products and/or services to you.
You may direct us to use this sensitive data only for purposes necessary to perform the service or
provide the goods that you request from us, with the exception of the following:
We do not knowingly collect or solicit personal information from anyone who we know to be under the age of 18, or knowingly allow such persons to use the Website. Should we learn that someone under the age of 18 has personal information through the Website without the verified supervision of a parent or guardian, we will remove that personal information as soon as possible.
If you are under the age of 18, you should not use our Website, register on our Website, make any purchases through our Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use without the verified supervision of a parent or guardian. To the extent possible, any personal information from anyone who we know to be under the age of 18 will be destroyed.
If you believe we might have any information from or about a child under 18, please contact us at
If you are a child under the age of 18, you may opt-in to allow us to sell your personal information with the permission of your parent or guardian by emailing us at email@example.com.
We collect most of this personal information directly from you—in person, by telephone, text or
email and/or via our website. However, we may also collect information:
A cookie is a small file containing a string of characters that may be sent to your web browser when you visit a website. Cookies might be used for the following purposes: (1) to enable certain functions; (2) to provide analytics; (3) to store your preferences; and (4) to enable ad delivery and behavioral advertising.
Cookies can either be session cookies or persistent cookies. A session cookie expires automatically when you close your browser. A persistent cookie will remain until it expires or you delete your cookies. Expiration dates are set in the cookies themselves; some may expire after a few minutes while others may expire at a later time. Cookies placed by the website you’re visiting are sometimes called “first party cookies,” while cookies placed by other companies are sometimes called “third party cookies.”
B. Third-Party Service Providers and Additional Technology
We sometimes utilize third-party service providers to help us track the activity within the Website. Our third-party service providers include the following:
• Google Cloud Platform (https://cloud.google.com/privacy)
Third-party vendors, including Google, show our ads across the internet. We use ad-tracking along with third-party vendors. These use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie). Together, these cookies report if you have seen our ads (ad impressions) and how you have interacted with our ads and ad services. We want this information so we can make sure our advertising that you see is relevant to you.
We may also use additional technologies to help track user activities and preferences. The following Information may automatically be received and/or collected from you through the Site: IP address, browser type, browser language, internet service provider (ISP), resource requested, date and time of resource request, and HTTP referring resource (if provided by the browser), operating system, and/or clickstream data. We aggregate this data, and may combine this data with other information we collect about you to better understand how visitors use our site, improving user experience, and to help manage, maintain, and report on use of our website. We also store IP addresses for fraud detection and prevention purposes. This Website does not alter their practices when it receives Do-Not-Track (“DNT”) signals. To find out more about DNT, you may wish to visit the following third-party website: www.allaboutdnt.com.
C. Canadian Right to Opt-Out
geolocation and IP address tracking. If you would like to opt out of this data processing, contact
us at firstname.lastname@example.org.
We partner with third parties to display advertising on our Website and manage our advertising on other websites. As described above, our third party partners may use technologies such as cookies to gather information about your activities on our Website and other websites in order to provide you advertising based upon your browsing activities and interests. Our use of personal information for cross-contextual behavioral advertising purposes constitutes the “sharing” of personal information under the CCPA.
Some of the advertisers and service providers that perform advertising-related services for us and third parties may participate in the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Program for Online Behavioural Advertising. To learn more about how you can exercise certain choices regarding Interest-based Advertising, visit http://www.aboutads.info/choices, http://www.aboutads.info/appchoices for information on the DAA’s opt-out program for mobile apps.
Some of these companies may also be members of the Network Advertising Initiative (“NAI”). To learn more about the NAI and your opt-out options for their members, see http://www.networkadvertising.org/choices.
If you are a resident of California, Virginia, Colorado, or Utah, you have the right to opt out of our use of your personal information for the purpose of serving you interest-based ads. Residents of these states may opt-out by [clicking the link titled “Do Not Share My Personal Information” in the footer of this page and following the instructions or emailing us at email@example.com.
To successfully opt out, you must have cookies enabled in your web browser (see your browser’s instructions for information on cookies and how to enable them). Your opt-out only applies to the web browser you use so you must opt-out of each web browser on each computer you use. Once you opt out, if you delete your browser’s saved cookies, you will need to opt-out again. Please note this does not opt you out of being served advertisements. You will continue to receive generic advertisements.
We may also partner with third-party service providers to engage in “profiling” which is defined in the VCPA and CPA as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Residents of Virginia and Colorado may opt out of processing of your personal information for purposes of profiling by emailing us at firstname.lastname@example.org.
We use your personal information for a number of reasons, including the following:
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The table below explains what we use (process) your personal information for and our reasons for doing so:
|What we use your personal information for||Our reasons|
|To provide products and/or services to you||For the performance of our contract with you or to take steps at your request before entering into a contract|
|To prevent and detect fraud against you or our organization||For our legitimate interests or those of a third party, i.e. to minimize fraud that could be damaging for us and for you|
|To display advertisements to our advertisers’ target audiences.||For our legitimate interests or those of a third party, i.e., to efficiently and accurately advertise to you so we can deliver the best service for you at the best price.|
|Processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g. under health and safety regulation or rules issued by our professional regulator||To comply with our legal and regulatory obligations|
|Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies||To comply with our legal and regulatory obligations|
|Ensuring business policies are adhered to, e.g. policies covering security and internet use||For our legitimate interests or those of a third party, i.e. to make sure we are following our own internal procedures so we can deliver the best service to you|
|Operational reasons, such as improving efficiency, training and quality control||For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service for you at the best price|
|Ensuring the confidentiality of commercially sensitive information||For our legitimate interests or those of a third party, i.e. to protect trade secrets and other commercially valuable information
To comply with our legal and regulatory obligations
|Statistical analysis to help us manage our business, e.g. in relation to our financial performance, customer base, product range or other efficiency measures||For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service for you at the best price|
|Preventing unauthorized access and modifications to systems||For our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity that could be damaging for us and for you
To comply with our legal and regulatory obligations
|Updating and enhancing customer records||For the performance of our contract with you or to take steps at your request before entering into a contract
To comply with our legal and regulatory obligations
For our legitimate interests or those of a third party, e.g. making sure that we can keep in touch with our customers about existing orders and new products
|Statutory returns||To comply with our legal and regulatory obligations|
|Ensuring safe working practices, staff administration and assessments||To comply with our legal and regulatory obligations
For our legitimate interests or those of a third party, e.g. to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you
|Marketing our services to existing and former customers, third parties who have previously expressed an interest in our services and/or third parties with whom we have had no previous dealings.||For our legitimate interests or those of a third party, i.e. to promote our business to existing and former customers|
|External audits and quality checks, e.g. for ISO or Investors in People accreditation and the audit of our accounts||For our legitimate interests or a those of a third party, i.e. to maintain our accreditations so we can demonstrate we operate at the highest standards
To comply with our legal and regulatory obligations
We routinely share personal information with:
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers relating to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors.
We may also disclose your personal information:
We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
We may provide aggregated, de-identified or other information that is not personally identifiable to third parties for any purpose that complies with applicable law with or without your consent.
In the preceding 12 months, we have not sold your personal information to third parties.
We may use your personal information to send you updates (by email, text message, telephone and/or social media post) about our products and services, including exclusive offers, promotions or new products and services.
We have a legitimate interest in processing your personal information for promotional purposes (see above “Why We Use Your Personal Information”). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, such as for Canadian residents, we will ask for this consent separately and clearly.
You have the right to opt out of receiving promotional communications at any time by contacting us at email@example.com or using the “unsubscribe” link in emails.
From time to time, we may ask you to confirm or update your marketing preferences if you instruct us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.
We will keep your personal information for as long as necessary to fulfill the purposes we collected it for and in accordance with any applicable laws. We will retain and use personal information as long as you have an account with us or we are providing products and/or services to you. Thereafter, we will keep your personal information for as long as is necessary:
Under some circumstances, we may anonymize your personal information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.
To protect your personal information in our custody or control from theft, unauthorized access, use, modification and disclosure, and to maintain its accuracy and integrity, we have implemented reasonable technical, physical and administrative security measures through the use of Google
Cloud Platform. Details about this security measure can be found at https://cloud.google.com/solutions/security.
Although we have implemented reasonable safeguards, please note that no electronic transmission of information can be guaranteed to be entirely secure. You acknowledge and agree that we are not responsible for the theft, destruction, or inadvertent disclosure of your personal information. In the unfortunate event that your personal information is compromised, we may notify you by e- mail (at our sole and absolute discretion) to the last e-mail address you have provided us in the most expedient time reasonable under the circumstances; provided, however, delays in notification may occur while we take necessary measures to determine the scope of the breach and restore reasonable integrity to the system as well as for the legitimate needs of law enforcement if notification would impede a criminal investigation.
Information may be held at our offices and those of our third party agencies, service providers, representatives and agents as described above (see above: “Who We Share Your Personal Information with”). Some of these third parties may be based outside the United States. For more information, including on how we safeguard your personal information when this occurs, see below: “Transferring Your Personal Information”.
We may transfer personal information that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business (such as analytics and search engine providers that assist us with Website improvement and optimization) and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this police.
We may process, store, and transfer your personal information in and to a foreign country, with different privacy laws. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Whenever we engage a service provider, we require that its privacy and security standards adhere to this policy and applicable state privacy legislation.
This Website is hosted in the United States. This Website may function in countries other than the United States. If you use the Website from outside the United States and submit your personal information or engage with the Website, you explicitly consent to the transfer, storage, or processing of your personal information in a country other than the United States where laws regarding processing of personal information may differ from the laws of other countries. You are
responsible for compliance with the laws of the jurisdiction in which you choose to use the Website.
You are welcome to contact us to obtain further information about Company policies regarding service providers outside of the United States. See “How to Contact Us” below.
By submitting your personal information or engaging with the Website, you consent to this transfer, storage, or processing.
If you are a resident of the states of California, Virginia, Colorado, Utah, or Nevada, you have certain rights under applicable data privacy laws. Such rights include the following:
A. The Right to Know / Confirm & Right to Access
You have the right to know/confirm whether we are processing your personal data and
access any personal data we have processed, including:
You also have the right to obtain a copy of the personal information you have provided to us in a portable, readily usable format that can be easily transferred to a third party.
Please note that we are not required to:
B. The Right to Delete or Correct
You have the right to delete or correct the information we have retained about you. Subject to certain exceptions, on receipt of a verifiable request from you, we will:
Your request to know or delete may be denied for any reason allowable under applicable state privacy law. For example, we may deny your request to delete if the personal information is necessary for us or a service provider to complete the transaction for which we collected the personal information, comply with a legal obligation, or make other internal or lawful uses of that information that are compatible with the context in which you provided.
C. The Right to Opt-Out
You have the right to opt-out of the following uses of your personal information:
Additionally, residents of Virginia and Colorado may opt out of our processing of personal information for the purposes of profiling, as described above at “Notice Regarding Targeted (Behavioral) Advertising.”
We will act upon your request to opt-out no later than 15 days from the date we received the request. Note that we may deny a request to opt-out if we have a good-faith, reasonable, and documented belief that the request is fraudulent or for any other reason allowable under applicable state privacy law. Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales. However, you may change your mind and opt back in to personal information sales at any time by contacting us at firstname.lastname@example.org.
D. The Right to Non-Discriminatory Treatment
You have the right to not be discriminated against by us because you exercised any of your rights under the applicable state privacy law. This means we cannot, among other things:
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes. If you are a resident of California, Virginia, Colorado, Utah, or Nevada, you may exercise the rights described above, subject to limited exceptions under applicable law.
If you or an authorized representative want to review, verify, correct, or withdraw consent to the use of your personal information you may send us an email at email@example.com or call us at (888) 965-9872 to request access to, correct, or delete any personal information that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal information that we hold about you or make your requested changes. Any personal information we collect from you to verify your identity in connection with you request will be used solely for the purposes of verification. To verify a request, you will need to provide:
If we are unable to verify your request, we may deny the request or ask you for additional information that is reasonably necessary to authenticate your identity in connection with the consumer request.
Once submitted, you will receive an email within 10 days that we will use to verify your identity and provide confirmation of your request. We will respond to your request to know or delete or correct within 30 days from the day we receive the request. If necessary, we may extend the time period to a maximum of 30 additional days from the day we receive the request. In such case, you will receive an email notifying you of the extension and explaining the reason for the extension. Any disclosure in response to a request to know will cover the 12 month period preceding the business’s receipt of the request and will be delivered in a readily useable format, by mail or electronically at the consumer’s option.
Applicable law may allow or require us to refuse to provide you with access to some or all of the personal information that we hold about you, or we may have destroyed, erased, or made your personal information anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
If you are a resident of Virginia or Colorado, you also have the right to appeal our decision if we deny your consumer request. If we deny your consumer request, you can send an email to firstname.lastname@example.org to request an appeal of the denial. Within 45 days of receipt of your appeal, we will inform you of the action we took or did not take in response to your appeal. We may extend the 45-day period by an additional 15 days where reasonably necessary and inform you of the delay and the reasons for the delay. If your appeal is denied, we will provide you with an online mechanism to contact the Attorney General to submit a complaint in your respective state.
We will provide access to your personal information, subject to exceptions set out in applicable privacy legislation. Examples of such exceptions include:
If you are concerned about our response or would like to correct the information provided, you may contact our Privacy Officer at email@example.com.
A. Canadian Rights Under PIPEDA
If you are a citizen of Canada, in addition to the rights described within, you are entitled to the following rights under the Personal Information Protection and Electronic Documents Act:
Withdrawing Your Consent. Where you have provided your consent to the collection, use, and transfer of your personal information, you may have the legal right to withdraw your consent under certain circumstances, including the following:
To withdraw your consent, if applicable, contact us as described below in “How to Contact Us.” Please note that if you withdraw your consent we may not be able to provide you with a particular product or service. We will explain the impact to you at the time to help you with your decision.
Accessing and Correcting Your Personal Information. By law, you have the right to request access to and to correct the personal information that we hold about you. If you want to review, verify, correct, or withdraw consent to the use of your personal information pursuant to the process described in “How to Exercise Your Rights” above, you may also send us an email at firstname.lastname@example.org to request access to, correct, or delete any personal information that you have provided to us.
B. European / United Kingdom Rights Under the GDPR
If you are a citizen of the United Kingdom (“UK”) or the European Economic Area (“EEA”), in addition to the rights described within, you are also entitled to the following rights under the General Data Protection Regulation:
|Right to Access||The right to be provided with a copy of your personal information (the right of access)|
|Right to Rectification||The right to require us to correct any mistakes in your personal information|
|Right to be Forgotten||The right to require us to delete your personal information—in certain situations|
|Right to Restriction of Processing||The right to require us to restrict processing of your personal information—in certain circumstances, e.g. if you contest the accuracy of the data|
|Right to Data Portability||The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations|
|Right to Object||The right to object:
⎯ at any time to your personal information being processed for direct marketing (including profiling);
⎯ in certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests.
|Right Not to be Subject to Automated Individual Decision-Making||The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you|
We hope that we can resolve any query or concern you raise about our use of your information.
How to File a GDPR Complaint. The GDPR also gives you right to lodge a complaint with a supervisory authority, in the European Union (or EEA) state where you work, normally live, or where any alleged infringement of data protection laws occurred. For contact details of your local Data Protection Authority, please see: https://ec.europa.eu/justice/article-29/structure/data- protection-authorities/index_en.htm.
We have procedures in place to receive and respond to complaints or inquiries about our handling of personal information, our compliance with this policy, and with applicable privacy laws. To discuss our compliance with this policy, please contact our Privacy Officer using the contact information listed above.
If you would like this notice in another format (for example, audio, large print, or braille) please contact us via the methods above in “How to Contact Us.”