1. Scope of this page
This page summarizes the privacy rights available to individuals under the EU and UK General Data Protection Regulation (the “GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA/CPRA”), and similar United States state privacy laws. It supplements, and should be read together with, our Privacy Policy at /legal/privacy.
Who handles your request — the business that uses Thorbis, or Thorbis
For an End Customer's or an employee's personal data, the business that uses Thorbis is the controller (or “business”) that decides why and how the data is processed, and Thorbis acts as that business's processor (or “service provider”). Direct rights requests about that data to the business you interact with; Thorbis will assist that business in responding. Thorbis acts as a controller for the limited data it processes about its own account holders and website visitors, as described in the Privacy Policy.
2. We do not sell or share personal information
No sale; no sharing for cross-context behavioral advertising
Thorbis does not sell personal information, and does not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.
3. GDPR / UK GDPR rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data, subject to the conditions and exceptions in applicable law:
- Access — to obtain confirmation of whether we process your personal data and a copy of that data.
- Rectification — to have inaccurate personal data corrected and incomplete data completed.
- Erasure — to have your personal data deleted in certain circumstances (the “right to be forgotten”).
- Restriction — to restrict the processing of your personal data in certain circumstances.
- Portability — to receive certain personal data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible.
- Objection — to object to processing based on legitimate interests, and to object to direct marketing at any time.
- Withdraw consent — to withdraw consent at any time where processing is based on consent, without affecting processing carried out before withdrawal.
- Lodge a complaint — to lodge a complaint with your local data protection supervisory authority.
Legal bases for processing
Where the GDPR applies, we process personal data on one or more of the following legal bases: performance of a contract with you; our legitimate interests (such as operating, securing, and improving the Service), balanced against your rights; your consent, where we ask for it; and compliance with a legal obligation. The Privacy Policy describes which basis applies to a given processing activity.
4. California (CCPA/CPRA) rights
If you are a California resident, you have the following rights with respect to your personal information, subject to the conditions and exceptions in the CCPA/CPRA:
- Right to know and access — to request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting it, and the categories of third parties with whom we disclose it.
- Right to delete — to request deletion of personal information we collected from you.
- Right to correct — to request correction of inaccurate personal information.
- Right to opt out of sale or sharing — to opt out of the sale of personal information or its sharing for cross-context behavioral advertising. Thorbis does neither, so there is nothing to opt out of.
- Right to limit use of sensitive personal information — to limit the use and disclosure of sensitive personal information to what is necessary to provide the Service.
- Right to non-discrimination — to not receive discriminatory treatment for exercising any of these rights.
The categories of personal information we collect, the sources, the purposes for collection, and the categories of recipients are described in the Privacy Policy at /legal/privacy.
5. How to submit a request
To exercise a right described above with respect to data for which Thorbis is the controller, email privacy@thorbis.com. We will take reasonable steps to verify your identity before fulfilling your request, and may ask for information to confirm that you are the person whose data is the subject of the request.
We will respond within the timeframes required by applicable law. Under the CCPA/CPRA, we generally respond within 45 days of receiving a verifiable request, with the ability to extend by an additional 45 days when reasonably necessary and with notice to you. Under the GDPR, we generally respond within one month, extendable by up to two further months for complex or numerous requests, with notice to you.
Where applicable law provides an appeal process, you may appeal a decision we make about your request by replying to our response or by contacting the Privacy Contact below.
6. Authorized agents
You may use an authorized agent to submit a request on your behalf. We may require the agent to provide proof that you authorized them to act for you, and we may still require you to verify your own identity directly before we fulfill the request.
7. Non-discrimination
We will not discriminate against you for exercising any of your privacy rights — for example, by denying you the Service, charging different prices, or providing a different level or quality of service.
8. Contact
Privacy rights and data requests: privacy@thorbis.com (the Privacy Contact). Other legal inquiries: legal@thorbis.com.
Related documents
- Terms of Service
- Acceptable Use Policy
- Payments & Money-Movement Terms
- AI Disclosure & Acceptable Use
- Privacy Policy
- Data Processing Addendum
Questions about this document? Email legal@thorbis.com. Privacy requests: privacy@thorbis.com.