INFORMATION COLLECTION AND USE
Exosomes is the sole owner of the information collected on this site. We will not sell, share, or rent this information to others in ways different from what is disclosed in this statement. Exosomes may collect information from our customers at several different points on our website, as needed to service our customers, as outlined below.
There are several types of cookies related to the web browsing experience. Neither cookie type contains any personally identifiable information. A temporary cookie, technically known as a Session Cookie, is one that your browser sets by default to communicate your browsing experience between you and the server. This session cookie is automatically destroyed in your browser when you close the web browsing session on the Exosomes site.
The second cookie type is known as a persistent cookie. A persistent cookie is a tiny bit of data stored locally on your machine that helps with the overall browsing experience.
Exosomes does not rely on persistent cookies for the site to function correctly. However, these cookies can help us provide a more tailored experience for Customers based on the type of product the Customer has expressed interest in and how a customer chooses to utilize the services. The persistent cookies Exosomes uses track how and when you initially found Exosomes, including what page you first landed on. Additionally, third-party cookies, such as those from Google and Facebook, are set to help us track our advertising effectiveness.
For added control by customers related to the various control panels utilized, cookies have options for helping with login conveniences and customization of their control panel.
INFORMATION COLLECTED DURING THE ORDER PROCESS
We request information from the user on our order form(s). To service a Customer account, a user must provide contact information (email, name, address, phone) and, depending on the payment method, financial information (credit card number, expiration date, bank information). Additionally, the IP is recorded in the billing system. This information is used for billing purposes and to fill customers’ orders. If we have trouble processing an order, this contact information is used to contact the user. We use a high encryption SSL certificate for securely gathering the requested information. We also encrypt the credit card information for your security, and the CVV code of the card is NOT stored.
Log files automatically collect certain types of information related to your browser, including your IP address. We use IP addresses to analyze trends and help provide an insight into how visitors transition from one page to another to optimize the visitor experience and gather broad demographic information like the type of browser for aggregate use. IP addresses are not linked to personally identifiable information.
SHARING OF INFORMATION
Exosomes does NOT share any personal information with any outside company except as outlined here:
Credit/Payment Card Processors – Exosomes uses a credit/payment card processing company (just like every business that accepts credit cards has to) to bill users for goods and services. Exosomes only passes the required information to the credit card company, including the name, card number, expiration date, and billing zip code. Exosomes does NOT forward any personally identifiable information to these card processing companies.
Domain Registration/Transfer – Domain Registrars require domain ownership information. Exosomes is required to provide the domain owner information to the Domain Registrars. NOTE: Exosomes STRONGLY suggests adding Domains Whois Privacy so that your information is not made public.
SSL Certificates – Certain information must be provided to the certificate issuing authority. This information varies based on the certificate type and, at a minimum, requires an email address for approval of the certificate. For EV (Extended Validation – green bar) certificates, the certificate-issuing authority requires email, company name, address, phone, and contact information.
CloudFlare – CloudFlare is used by some customers as a CDN (content distribution network) to help filter site requests and spread the site assets around the globe for faster load times. CloudFlare requires a customer email address for the CloudFlare account.
SmarterMail Bundle – SmarterMail provides an introductory bundle for customers that are new to SmarterMail. To receive the bundle, SmarterTools, the makers of SmarterMail, require a Customer email address.
SpamExperts – SpamExperts is a premium Anti-Spam solution that many customers love. SpamExperts requires a customer email for the account, allowing the Customer to log in and review quarantined messages and manage settings.
Exosomes will comply with State and Federal law and therefore comply with lawful requests (i.e., court orders, subpoenas, etc.). When allowed, Exosomes will notify the customer of such a request.
Company websites contain links to third-party sites. These third-party websites have their own privacy policies, and we do not accept any responsibility or liability for their policies. We encourage our visitors to be aware when they leave our site and to read the privacy statements of each website that collects personally identifiable information. This privacy statement applies solely to information collected by Company Web sites.
If a visitor wishes to subscribe to our newsletter, we ask for contact information such as name and email address.
SURVEYS & CONTESTS
From time to time, our site requests information from visitors or customers via surveys or contests. Participation in these surveys or contests is completely voluntary, and the participant has a choice whether or not to disclose this information. Information requested may include contact information (name and address) and demographic information (zip code and age). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the use and satisfaction of this site.
This website takes every precaution to protect our visitors’ information. When visitors submit sensitive information via the website, the information is protected both online and offline.
When our order form(s) asks visitors to enter sensitive information (such as credit card number), that information is encrypted and is protected with the best encryption software in the industry – SSL. While on a secure page, such as our order form(s), the lock icon in the Web browser becomes locked. Exosomes has taken additional steps to ensure SSL encryption is used at all times when browsing our site.
While we use SSL encryption to protect sensitive information online, we also do everything in our power to protect user information offline. All of our users’ information, not just the sensitive information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerk or a customer service representative) are granted access to personally identifiable information. ALL employees are kept up-to-date on our security and privacy practices. Any time new policies are added, our employees are notified and/or reminded about the importance of privacy and what they can do to protect our customers’ information. Finally, the servers that we store personally identifiable information on are kept in a secure environment.
Exosomes’s website and services are not intended for, nor designed to attract, individuals under the age of 18. Exosomes does not knowingly collect personally identifiable information from any person under the age of 18.
When paying by Credit Card, upon initial payment, you will be required to enter the CVV code for the card. We do NOT store this code. It is asked for only this once. The card itself is encrypted and stored for your security.
We send all new accounts an email providing further account information. Established customers will occasionally receive information on new services and/or special promotions. Out of respect for the privacy of our users, we present the option not to receive these types of communications.
CORRECTING/UPDATING/DELETING PERSONAL INFORMATION
If a user’s personally identifiable information changes (such as your phone number or email address), or if a user no longer desires our service, we will endeavor to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the Contact Us page or by submitting a support ticket.
CUSTOMER INFORMATION AND CUSTOMER PRIVACY
Company shall act in accordance with industry practice in protecting Customer Information submitted by Customer to Company (“Customer Information”) and shall not sell or otherwise transfer Customer Information to third parties for marketing activities in any circumstance. Company shall be entitled to use the Personal Information of Customer in the due performance of the Services, this Agreement, and (unless opted out in writing) for communication to Customer of Company’s marketing information.
As to Personal Information, also referred to herein as Personal Data, supplied by or through Customer in the course of its business with Company, the following shall apply:
(1) Both parties will comply with their respective obligations under the applicable requirements of the Data Protection Laws.
As a Customer of Company, personal data submitted to Company by Customer means Customer is a data subject. When a Customer utilizes Company servers for handling Customer’s customers, Customer is a Data Controller as defined in the Data Protection Laws.
(2) The parties acknowledge that for the purposes of the Data Protection Laws, the Customer can be both the data subject and the data controller as described herein.
The parties also acknowledge that for the purposes of the Data Protection Laws, Company can be both a data processor and data controller as described herein. Regarding Customer data submitted to Company, Company is a Data Controller. As a supplier of server services to Customer, the company is a Data Processor as defined in the Data Protection Laws.
The following sets out the scope, nature, and purpose of processing by Company, the duration of the processing and the types of Personal Data (as defined in the Data Protection Laws), and categories of Data Subject:
(a) Processing by Company: The provision of data or application hosting services for Customers and indirectly its customers.
(b) Company does not control what personal or non-personal data Customers collect from their customers. Customer’s responsibility is to have their own Data Protection guidelines in place for their own protection related to data Customer collects from its customers; additionally, it is Customer’s responsibility to keep their applications up to date and secure from a code/software perspective.
The customer is responsible for the cleansing, updating, timely deletion, and maintenance of Personal Data.
(3) Customer declares and acknowledges that Company has no control, involvement, role or responsibility as to the type or use of data put by Customer itself or third parties generally nor, without limitation, Customer’s employees, contractors, agents, customers or suppliers or end-users of Customer’s services or those of Customer’s customers and Company merely provides an IT repository for data with a specified conduit for its movement to and from Customer or third-party infrastructure. The company’s processing does not include the manipulation, selection, ordering, searching, or monitoring of such Personal Data other than in a generic sense of storage in the scope of the Services.
(4) Customer acknowledges and consents to the lawful transmission of Personal Data to Company and its processing in accordance with this Agreement for the duration and purposes of this Agreement. Additionally, the Customer will ensure that it has all necessary and appropriate consents and notices, when applicable, in place to enable lawful transmission of Personal Data to Company and its processing in accordance with this Agreement for the duration and purposes of this Agreement. Customers may withdraw consent at any time. However, Company cannot provide service to the Customer without permission.
(5) Without prejudice to the generality of the above clause, Company shall, in relation to any Personal Data processed in connection with the performance by Company of its obligations under this Agreement:
(a) process that Personal Data only in accordance with the performance of Services and otherwise either required under this Agreement (this Agreement being agreed to constitute written instructions from Customer for processing of Personal Data) or by variation of Services agreed with Company; or
(b) process that Personal Data if required by the laws of any member of the European Union or by the laws of the European Union applicable to Company to process Personal Data (Applicable Laws). Where Company is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data outside of pre-agreed processing, Company shall promptly notify Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Company from so notifying Customer;
(c) ensure that it has in place appropriate, industry-standard for England, technical and organizational measures to protect against unauthorized or unlawful processing of that Personal Data and against accidental loss or destruction of, or damage to, those Personal Data, having regard to the state of technological development and the cost of implementing any;
(d) ensure that all personnel who have access to and/or process those Personal Data are obliged not to permit disclosure of the Personal Data except as required by law or for the purposes of this Agreement; and
(e) not transfer any of those Personal Data, other than Customer Submitted information required for servicing Customer account (i.e., US and UK based systems/support/billing teams), outside of the European Economic Area (other than Customer’s transmission and receipt of data over the Internet and the use of similar networks that may involve part of the network being located outside the European Economic Area and/or the UK), unless the prior written consent of Customer has been obtained;
(f) assist Customer, at Customer’s expense using Company’s then-current standard time rates, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;
(g) notify Customer without undue delay on becoming aware of a material Personal Data breach committed by Company, its employees or agents and take reasonable steps to prevent further disclosure or breach and mitigate the potential adverse effects on affected data subjects in cooperation with Customer;
(h) at the written direction of Customer, delete or return to Customer or allow Customer to retrieve Personal Data and copies thereof on termination of Agreement unless required by Applicable Law to store Personal Data;
(i) maintain appropriate records and information to demonstrate its compliance with this clause;
(j) in accordance with Data Protection Laws, make available to Customer such information as is reasonably necessary to demonstrate Company’s compliance with its obligations under Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by Customer’s professional appointee for this purpose, subject to Customer:
(j.1) giving Company reasonable prior notice of such information request, audit and/or inspection being required by Customer;
(j.2) ensuring that all information obtained or generated by Customer or its auditor(s) in connection with such information requests, inspections, and audits is kept strictly confidential (save for disclosure to the supervisory authority under Data Protection Laws or as otherwise required by Applicable Laws);
(j.3) ensuring that such audit or inspection is undertaken during regular business hours, with minimal disruption to Company’s business, any sub-processors business and the business of other customers of Company; and
(k) paying Company’s costs using the then-current standard time rates of Company for assisting with the provision of information and allowing for and contributing to inspections and audits; and
(j) Customer may view and/or update their Personal Data via the billing control panel.
(6) Company has a designated Data Protection Officer (DPO), in the US and separately in the EU, as a point of contact for all data privacy and protection issues within the scope of the Agreement and pending notification. The DPO can be reached at email@example.com.
(7) If Company informs Customer that it considers that an instruction violates Data Protection Laws, then it shall be entitled to suspend the execution of the relevant instructions until Customer satisfactorily confirms compliance or changes them. Further, if Company follows the Customer’s instructions, the Customer indemnifies the Company for any and all such current and future items or incidences related to such instruction.
(8) Customer shall, without undue delay and in a comprehensive fashion, inform Company of any defect that Customer considers has occurred in their and/or Company’s compliance with Data Protection Laws.
(9) Customer shall be obliged to maintain the public register of processing in accordance with Article 30 (1) GDPR.
The first step in resolving any concern is to contact Company (see Inquiries or Complaints below) with any details. Unresolved issues will be resolved via binding Arbitration as a sole remedy.
INQUIRIES OR COMPLAINTS
INDEMNIFICATION AND LIMITATION OF LIABILITY
Customer, as Controller, shall indemnify and hold harmless on demand Company for any loss, damage, liabilities, penalties, expenses, or fines incurred (whether foreseeable or unforeseeable or direct or indirect) as a result of:
Controller breaching its Data Processing obligations; and any unsuccessful claim by a data subject when such claim holds both Controller and Company as jointly and severally liable under the Data Protection Laws.
NOTIFICATION OF CHANGES