Privacy Policy

Data Privacy is Important to Us

Please be assured that your privacy is of utmost importance to us. We comply with all applicable data privacy laws including the General Data Protection Regulation, the EU General Data Protection Regulation (GDPR), the UK GDPR (UKGDPR), the UK Data Protection Act 2018 (UKDPA), the Swiss Federal Act on Data Protection (FADP) regarding personal data collected and processed concerning residents of the European Union and European Economic Area, the United Kingdom and Switzerland (the “Data Privacy Requirements”).

The specific practices outlined in this privacy statement apply to privacy practices and procedures maintained by or on behalf of buyinternetdeals.com. Some of our web pages contain links to web sites outside the Company. Please be aware that when you follow a link to another site, you are then subject to the privacy policies of the new site.

Who is the Controller for the Personal Data Processed?

A “controller” is a person or organization who alone or jointly determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. This notice is issued on behalf of buyinternetdeals.com. Unless we notify you otherwise, buyinternetdeals.com is the controller for of your personal data. Where we are acting in the capacity of a data processor, we only process the your personal data to the extent, and in such a manner, as is necessary for the business purposes in accordance with our business customer’s written instructions. We will not process your personal data for any other purpose or in a way that does not comply with those written instructions or the data protection legislation.

What Personal Data We Collect and Process

The Company collects business contact (e.g., name and title of contact, address, e-mail, phone number) and financial information (e.g., payment method and history, accounts payable) from our business customers and vendors. We collect personal contact information (e.g., name and title of contact, address, e-mail, phone number), purchase information (e.g., purchase history), and customer experience information (e.g., survey responses) from individuals who purchase products and services from our business customers.

How and Why We Process Personal Data

The Company processes personal information for the following purposes:

  • Providing products and services to our business customers. The Company collects and processes the business contact information of the individuals working for our business customers so that we can enter into and perform contracts with our business customers to provide our products and services.
  • Working with our vendors. The Company collects and processes the business contact information of the individuals working for our vendors so that we can enter into and perform contracts with our vendors.
  • Generating customers for our business customers. The Company collects and processes the personal contact information and business contact information of individuals through Company created websites, display banners, chat boxes, social media platforms, telephone calls, and interviews. Personal information is also collected through forms completed by individuals to register for events and subscribe to publications. This personal information is shared with our business customers to assist them in their customer acquisition efforts.
  • Enhancing the customer experience for the benefit of our business customers. The Company collects and processes personal contact information and business contact information about individuals who purchase products and services from our business customers as well as their impressions of their purchase experience and experience with the products and service. We collect this personal information through surveys, telephone calls and interviews. This personal information is shared with our business customers to assist them in their customer relations efforts.
  • Making our websites more useful. For each HTTP (which is what your web browser generates when you request a page or part of a page from a web site) request received, the Company automatically collects and stores only the following information: the date and time, the originating IP address, the type of browser and operating system used (if provided by the browser), the URL of the referring page (if provided by the browser), and the object requested completion status of the request pages visited. We use the information that we collect to measure the number of visitors to the different areas of our sites, and to help us make our sites more useful to visitors. This includes analyzing these logs periodically to determine the traffic through our servers, the number of pages served, and the level of demand for pages and topics of interest.

Interaction with Children

We do not collect personal data of and our websites do not target or provide content to children under the age of 16.

Cookies

Cookies are small files that web servers place on a user’s hard drive. The Company does not use “persistent cookies” or any other persistent tracking methods to collect personal information about visitors to its websites. Cookies serve several functions:

  • They allow the website to identify you as a previous visitor each time you access a site;
  • They track what information you view at a site (important to commercial sites trying to determine your buying preferences);
  • In more advanced cases, they track your movements through many websites but not the whole Web;
  • Businesses use them for customer convenience to allow them to produce a list of items to buy and pay for them all at one time and to garner information about what individuals are buying at their sites;
  • Advertisers use them to determine the effectiveness of their marketing and offer insights into consumer preferences and tastes by collecting data from many websites.
  • They are used to help a website tailor screens for each customer’s preference.

To protect your privacy, be sure to close your browser completely after you have finished conducting business with a website that does use cookies. If you are concerned about the potential use of the information gathered from your computer or mobile device by cookies, you can set your browser to prompt you before it accepts a cookie. Most Internet browsers have settings that let you identify and/or reject cookies. Before collecting personally identifiable information, we will prominently disclose why we are requesting the information; how it will be used; how long it may be retained; under what conditions, and with whom, it may be shared.

Marketing and Exercising Your Right to Opt-Out of Marketing

We will not use your personal data to send you marketing materials if you have requested not to receive them. If you request that we stop processing your personal data for marketing purposes, we shall stop processing your personal data for those purposes.

We Also Collect and Use Non-Personal Data

In addition to personal information, we collect and store non-personal (such as search engine queries and anonymous survey responses) to help us better understand and meet the needs of our visitors. We may share non-personal information with others, including the public, in aggregated form (for instance, in a list of our most popular search engine queries), in partial or edited form (such as in a report summarizing responses to a questionnaire), or verbatim (for example, in a complete listing of survey responses).

Data Subject Rights of EU, EEA, Swiss and UK Residents

EU, EEA, Swiss and UK residents have the following rights regarding their personal data:

  • Right of Access: You have the right to obtain confirmation from the Company as to whether or not personal data concerning you is being processed and how, what when, why and for how long your personal data is processed and to whom it is disclosed.
  • Right to Rectification: You have the right to request the Company to correct inaccurate personal data and to complete incomplete personal data.
  • Right to Erasure (Right to be Forgotten): You have the right to request the Company to erase personal data concerning you where your personal data is no longer needed for the purposes for which it was collected or processed or has otherwise been improperly processed.
  • Right to Object: You have the right to object to the processing of your personal data if the processing is based upon the Company’s legitimate interest or for the performance of a task carried out in the public interest, including any profiling based on such processing, or if the processing is for direct marketing.
  • Right to Restrict Processing: You have the right to request the Company to restrict the processing of your personal data while your data subject rights requests are being investigated and answered.
  • Right to Portability: You have the right to receive personal data that you have provided to the Company and transmit such personal data to another entity where the processing of such personal data is based on consent and is processed by automated means. Additionally, you have the right to require the Company to transmit such personal data directly to another entity, where technically feasible.
  • Right not to be Subject to Automated Decision-Making, Including Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you.

In some cases, the Company may need to ask for proof of identification before the request can be processed. The Company will inform you if it needs to verify your identity and the documents it requires. The Company normally will respond to a request within a period of one month from the date it is received. In some cases, such as where the Company processes large amounts of an individual's personal data, it may respond within three months of the date the request is received. The Company will write to you within one month of receiving the original request to tell you if this is the case.

The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss –U.S.DPF

The Company complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

International Transfers

The Company relies upon the DPF certification for cross-border transfers of Personal Data, but takes additional steps to protect Personal Data.  We ensure at least one of the following safeguards is implemented, which require the recipient to treat the Personal Data in accordance with all applicable Data Privacy Requirements:

  • we transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission (in the case of transfers out of the EEA) or the UK Government (in the case of transfers out of the UK); and/or
  • where we use certain service providers, we may use specific contracts approved by the European Commission (in the case of transfers out of the EEA) and/or the UK Government (in the case of transfers out of the UK), in both cases which give personal data the same protection it has within the EEA and/or UK as applicable.

In addition to the protections provided under other sections of this Data Privacy Policy, the Company will provide the following protections for personal data transferred from the EU, UK or Switzerland to the U.S.:

  • Choice

You will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether your personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of the Company or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.

Additionally, you will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether your sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice. However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.

  • Transfer of Personal Data from the EU, UK, EEA or Switzerland to Processors in the U.S.

A “processor” is a third party who processes personal information on behalf of and in accordance with the instructions of the Company’s EU, UK and/or Swiss entities. When personal information is transferred from the EU, UK and/or Switzerland to the United States solely for processing purposes, the Company’s EU, UK and/or Swiss entities will comply with the applicable data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR (UKGDPR), the UK Data Protection Act 2018 (UKDPA), the Swiss Federal Act on Data Protection (FADP), respectively and enter into a contract with the processor to ensure that the processor (1) acts only on instructions of the Company’s EU, UK and/or Swiss entities; (2) provides appropriate technical and organizational measures to protect the personal information against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and understands whether onward transfers are allowed; and (3) assists the Company’s EU, UK and/or Swiss entities in responding to individuals exercising their rights under the DPF principles, taking into account the nature of the processing.

  • Onward Transfers to Third-Party Agents

After personal information is transferred from the EU, EEA, UK and/or Switzerland to Company entities in the United States, the Company may thereafter transfer the personal information to third parties acting as controllers. A “controller” is a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal information. Examples of third party controllers may include banks and healthcare providers, or management personnel in other Company offices outside of the U.S. When the Company makes such onward transfers to third party controllers, the Company will comply with the DPF notice and choice principles and enter into a contract with the third party controller that provides that (1) such personal information may be processed only for limited and specified purposes consistent with the consent provided by the individual; (2) the third party controller will provide the same level of protections as the DPF principles; (3) the third party controller will notify the Company if the third party can no longer meet its obligation to provide the same level of protection for the personal information as required by the DPF principles; and (4) upon such notice by the third party controller, the third party controller will cease processing the personal information and/or take reasonable and appropriate steps to remediate any unauthorized processing.

  • Onward Transfers to Public Authorities

The Company may be required to disclose Personal Data in response to lawful requests by public authorities to comply with national security or law enforcement requirements.

  • Verification

The Company has verified and will verify annually through self-assessment that the attestations and assertions made about its DPF privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the DPF principles. This verification has been and will be signed by an officer of the Company or other authorized representative of the Company at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes the following:

  • That the Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
  • That the Policy conforms to the DPF Principles;
  • That individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
  • That it has in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it;
  • That it has in place internal procedures for periodically conducting objective reviews of compliance with the above.
  • Recourse Mechanisms For Personal Data Transferred Under the DPF

Inquiries or complaints regarding transfers of personal data from the EU, UK or Switzerland to the U.S. pursuant to the DPF should be directed to our Data Privacy Office.

If a complaint remains unresolved, EU residents should contact the state or national data protection authority in the jurisdiction where they reside for resolution. A listing of the EU Data Protection Authorities (DPAs) is located at: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

Individuals in Switzerland should contact the Swiss Federal Data Protection and Information Commissioner (the Commissioner) for resolution. Information regarding the Commissioner is located at: https://www.edoeb.admin.ch/?lang=en.

Individuals in the UK should contact the UK’s Information Commissioner’s Office (the ICO). Information about the ICO is located at www.ico.org.uk.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, the Company commits to cooperate and comply, respectively, with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In the event that the DPAs, the ICO and/or the Commissioner determines that the Company did not comply with this Policy or DPF principles, the Company will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPAs, the ICO and/or the Commissioner with regard to data transferred from the EU, UK and/or Switzerland where the DPAs, the ICO and/or the Commissioner has determined that the Company needs to take specific remedial or compensatory measures for the benefit of individuals affected by any non-compliance with this Policy or the DPF principles, and provide the DPAs, the ICO and/or the Commissioner with written confirmation that such action has be taken.

Under certain conditions specified by the DPF Privacy Principles, you may also be able to invoke binding arbitration to resolve your complaints regarding DPF compliance not resolved by any of the other DPF mechanisms.  Please reference Annex I of the DPF for additional information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

  • Enforcement

The Federal Trade Commission has jurisdiction over the Company’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

  • Liability

In the context of an onward transfer of personal information, the Company has responsibility for the processing of personal information it receives under the DPF and subsequently transfers to a third party agent. The Company will remain liable under the DPF principles if its third party agent processes such personal information in a manner inconsistent with the DPF principles, unless the Company proves that it is not responsible for the event giving rise to the damage.

  • Training

All employees who handle personal data transferred from the EU, UK or Switzerland to the U.S. will receive training regarding the data privacy principles and procedures under DPF Principles and this Policy.

Data Security

The Company takes the security of personal data seriously. The Company has internal policies and technical measures in place to protect personal data against loss, accidental destruction, misuse or disclosure. Such internal policies and technical measures include:

  • The use of pseudonymization and encryption of personal data where appropriate;
  • Procedures and controls to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • Procedures and controls to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • Procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and
  • Procedures to ensure that data is not accessed, except by employees in the proper performance of their duties.

For site security purposes and to ensure that this service remains available to all users, this computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage to the information on our websites. Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986.

The Company retains personal information only for the period of time necessary to meet the purposes for which it was collected, to fulfil the legitimate business interests of the Company, and to comply with any data retention laws or legal requirements.

When the Company engages third parties to process personal data on its behalf, such third parties are required by contract to process the personal data based on the Company’s written instructions, are under a duty of confidentiality, and are required to implement appropriate technical and organizational measures to ensure the security of the personal data.

When the Company shares personal information of EU, EEA, UK or Swiss residents with affiliated companies, vendors, and business customers located outside of the EU, EEA, UK or Switzerland, such as the U.S., the Company uses appropriate safeguards such as standard contract clauses to protect the personal information.

Changes to Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page. If we make material changes to how we handle personal information, we will provide notice of the changes on the website home page.

Addendum:  Privacy Rights of California Residents

This part of this policy is intended to comply with applicable data privacy laws and regulations, including the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”).

Collection

For information about what we collect, and how this information is processed and shared, please see the “What Personal Data We Collect and Process” and “How and Why We Process Personal Data” sections above.

Consumer Rights

California residents have the following privacy rights regarding your personal information:

  • The right to know and right to access the personal information we have collected about you, including the categories of personal information; the categories of sources from which the personal information is collected; the business or commercial purpose for collecting, selling, or sharing personal information; the categories of third parties to whom the business discloses personal information; and the specific pieces of personal information the business has collected about the consumer;
  • The right to delete personal information that we have collected from you, subject to certain exceptions;
  • The right to correct inaccurate personal information that we maintain about you;
  • The right of portability, or right to have us transfer your personal information to other persons or entities upon your request;
  • The right to limit the use of your sensitive information if we decide in the future to use such information for purposes other than the purposes listed above;
  • The right to opt out of any sale of personal information; and
  • The right not to be discriminated or retaliated against for exercising your of privacy rights.

You can exercise you privacy rights by submitting a request to us by calling us at: (855) 573-1435; or asking our Human Resources department for a written request form.  To protect the security of your personal information, we will require you to provide us with identifying information for you such as personal email address, personal telephone number, employee identification number, and/or other information that we can match with the personal information we have collected about you to verify your identity.

You may use an authorized agent to request access to or deletion of your personal information. We will require your authorized agent to provide us with either (1) a power of attorney authorizing the authorized agent to act on your behalf or (2) your written authorization permitting the authorized agent to request access to your personal information on your behalf.  Further, we will require you or your authorized agent to provide us with identifying information to verify your identity.  We may also require you to either verify your own identity directly with us or directly confirm with us that you provided the authorized agent permission to submit the request.

Within 10 days of receiving your request to know, we will confirm receipt of your request and provide information about how we will process your request.  Generally, we will respond to your request within 45 days.  If we need more time to respond, we will provide you with notice and an explanation of the reason we need more time to respond.  We may deny your request if we cannot verify your identity or are legally permitted to deny your request.  If we deny your request, we will explain the basis for the denial, provide or delete any personal information that is not subject to the denial, and refrain from using the personal information retained for any purpose other than permitted by the denial. We will maintain a record of your request and our response for 24 months.

Data Retention

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.  Generally, we retain personal information for the duration of our relationship with you plus any legally required record or data retention period and/or any period of time necessary to exercise our legal rights.  Thereafter, we will securely destroy your personal information in accordance with the Company’s record retention policies.

In some circumstances, we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Personal Information of Minors

As noted above, the Company does not sell or share personal information for individuals under the age of 16.

Code Section 1798.83 Rights

Pursuant to Californian Civil Code Section 1798.83, California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

Security Incidents

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

This privacy policy was last updated on November 10, 2023.