General (applies to all data subjects below)

Purpose & Legal Basis of Processing

Information Security: Our web servers will log your IP address and other information (e.g., browser
information, operating system, request date/time, user agent string, referral and exiting URL) in order to
maintain an audit log of activities performed. We use this information pursuant to our legitimate
interests in tracking usage of the Websites, combating DDOS or other attacks, and removing or
defending against malicious visitors on the Websites.

Customers

Purpose & Legal Basis of Processing

Direct Marketing: Generally-speaking, we will provide email marketing (e.g., our newsletter) pursuant
to a Customer’s consent. In cases where a Customer buys, or enters into negotiation for the sale of, a
product or service, email marketing shall be sent to such Customer pursuant to our legitimate interest in
sending marketing communications to such Customers in the context of a sale.

Rewards and Promotions: Business Atelier, our promotional and marketing partners (e.g., affiliate
partners), and customers’ legitimate interest in administering our rewards and promotional offerings.
For example, after purchasing a Business Atelier product or service, we share your name and email
address with the referring affiliate partner only to the extent such affiliate partners have offered you
bonuses or rewards for following their referral link.

Testimonials or Feedback: Our legitimate interest in using testimonials, feedback, or survey
responses from Customers for marketing purposes, such as posting on the Websites or within sales
decks, pitches, or other promotional content (e.g., email marketing).

Executing Contracts and other Legal Documentation: We will process all personal data as
necessary for the performance of contracts to which Customers are a party (such as our Terms of Use
or, Privacy Policy, or a purchase of our products or services) or to take requested steps to enter into
such contracts.

General Business Development: Our legitimate interest in furthering business relationships (such as
by storing Customer information within a CRM or other database/file), ensuring customer satisfaction,
and answering inquiries.

Audience Measurement and Retargeting: Pursuant to a Visitor’s consent, we use an assortment of
marketing and analytics cookies for purposes of audience measurement, retargeting, and creating
relevant Visitor experiences (such as based on their interaction with our Websites).

Business Contacts

Purpose & Legal Basis of Processing

Affiliate Partners: We will process all personal data as necessary for the performance of contracts to
which our affiliate partners are a party (e.g., our affiliate partner terms) or to take requested steps to
enter into such contracts (e.g., completing our affiliate partner application).

Vendor Contacts: When entering into vendor relationships, we will receive the personal information of
contacts employed or otherwise associated with such vendors. We process such information in our
legitimate interest in establishing and developing our vendor relationships.

Categories of Recipients: Business Atelier personnel will process the categories of EEA Individuals’
(as listed above) information appropriately for sales, marketing, finance, and related purposes. Such
EEA Individuals’ information (or a particular category of EEA Individual, as listed in the table above) is
also disclosed to various categories of recipients to effectuate the purposes described in the table
above, including companies providing technical assistance, order fulfillment, customer service,
marketing assistance, payment processing, survey collection, promotional and marketing assistance,
and business operations.

Retention: Business Atelier retains your personal data as necessary to fulfill the purposes set forth
within this Notice and to the extent you have (or demonstrate interest in) a relationship with Business
Atelier, unless you request deletion of such data or such data is no longer relevant. In some cases, we
may have to retain data to comply with our legal obligations (e.g., accounting, finance, tax).

Your GDPR Rights: As a natural person, you have a right to: (i) request access to, correction and/or
erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of
your personal data; and (iv) request a copy of your personal data, or have a copy thereof sent to
another controller, in a structured, commonly used and machine readable format under the right of data portability.

You also have the right to lodge a complaint about the processing of your personal data with an
appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under
Business Atelier’s Standard Contractual Clauses.

Contact details for the EU data protection authorities can be found at: http://ec.europa.eu/justice/data-
protection/bodies/authorities/index_en.htm.

Objecting to Legitimate Interest/Direct Marketing: You may object to personal data processed
pursuant to our legitimate interest. In such case, we will no longer process your personal data unless
we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the
establishment, exercise, or defense of legal claims. You may also object at any time to processing of
your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated
marketing email. In such case, your personal data will no longer be used for that purpose.

Transfer of Personal Data outside the EEA: We may transfer your personal data outside of the EEA,
including to our US data centers. We rely on appropriate Standard Contractual Clauses to ensure
adequate protection for your personal data when transferred internationally.

Disclosure to Public Authorities: Business Atelier may be required to disclose personal data in
response to lawful requests by public authorities, including for the purpose of meeting national security
or law enforcement requirements. We may also disclose personal data to other third parties when
compelled to do so by government authorities or required by law or regulation including, but not limited
to, in response to court orders and subpoenas.

Corporate Restructuring: In the event of a merger, reorganization, dissolution or similar corporate
event, or the sale of all or substantially all of our assets, we expect that the information that we have
collected, including personal data, would be transferred to the surviving entity in a merger or the
acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and
confidentiality of such personal data as set forth in this GDPR Notice.

Updates to this GDPR Notice: If, in the future, we intend to process your personal data for a purpose
other than that which it was collected, we will provide you with information on that purpose and any
other relevant information at a reasonable time prior to such processing. After such time, the relevant
information relating to such processing activity will be revised or added appropriately within this GDPR
Notice, and the “Effective Date” at the top of this page will be updated accordingly.

How to Contact Us: hello@businessatelier.co

Important Notice for Residents of the European Economic Area and Switzerland

Business Atelier complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield
Framework as set forth by the US Department of Commerce regarding the collection, use, and
retention of personal information from European Union member countries, Switzerland, and the United
Kingdom, respectively, transferred to the United States pursuant to Privacy Shield.  Business Atelier
has certified that it adheres to the GDPR Privacy Shield Principles with respect to such data. If there is
any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield
Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program,
please visit https://www.privacyshield.gov/.

Business Atelier is subject to the investigatory and enforcement powers of the Federal Trade
Commission (FTC).

In certain situations, we may be required to disclose personal data in response to lawful requests by
public authorities, including to meet national security or law enforcement requirements. We may also
disclose personal information to other third parties when compelled to do so by government authorities
or required by law or regulation including, but not limited to, in response to court orders and
subpoenas.

Business Atelier’s accountability for personal data that it receives in the United States under the
Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles.
In particular, Business Atelier remains responsible and liable under the Privacy Shield Principles if
third-party agents that it engages to process the personal data on its behalf do so in a manner
inconsistent with the Principles, unless Business Atelier proves that it is not responsible for the event
giving rise to the damage.

In compliance with the EU-US Privacy Shield Principles and the Swiss-U.S. Privacy Shield Principles,
Business Atelier commits to resolve complaints about your privacy and our collection or use of your
personal information transferred to the United States pursuant to the EU-US and Swiss-US Privacy
Shield Principles. EU, Swiss, and United Kingdom individuals with inquiries or complaints regarding this
Privacy Policy should first contact Business Atelier at hello@businessatelier.co with the subject
line, “Privacy Shield”.

Business Atelier has further committed to refer unresolved privacy complaints under the Privacy Shield
Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated
by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your
complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-
complaints/ for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain
conditions, you may invoke binding arbitration for some residual claims not resolved by other redress
mechanisms.  See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-
introduction.

Onward Transfer to Third Parties under the Privacy Shield

Like many businesses, we contract with other companies to perform certain business-related services.
We may disclose Information, including personal information in some cases, to certain types of third-
party companies, but only to the extent needed to enable them to provide such services, including,
without limitation, technical assistance, order fulfillment, customer service, marketing assistance,
payment processing, survey collection, promotional and marketing assistance, and business
operations. All such third parties function as our agents, performing services at our instruction and on
our behalf pursuant to contracts which require they provide at least the same level of privacy protection
as is required by this Privacy Policy and implemented by Business Atelier. We may also disclose your
information, including any personal information, to any of our parent companies, subsidiaries, affiliates,
joint ventures, or other companies under common control with us in order to support delivery of our
products and services.

Retention of Personal Information under the Privacy Shield

We will retain the personal information processed pursuant to the Privacy Shield in a form that
identifies you pursuant to our data retention periods in Retention above, or as subsequently
authorized. We may continue processing your personal information for longer periods, but only for the

time and to the extent such processing reasonably serves the purposes of archiving in the public
interest, journalism, literature and art, scientific or historical research, and statistical analysis and
subject to the protection of this Privacy Policy.  After such time periods have expired, we may either
delete your personal information or retain it in a form such that it does not identify you personally.

How We Protect Personal Information under the Privacy Shield

We take commercially reasonable steps to protect personal information from loss, misuse, and
unauthorized access, disclosure, alteration, or destruction, taking into account the risks involved in
processing and the nature of such data, and in compliance with applicable laws and regulations.
 Please understand, however, that no security system is impenetrable. We cannot guarantee the
security of our databases, nor can we guarantee that the personal information that you supply will not
be intercepted while being transmitted to and from us over the Internet. In particular, e-mail sent to or
from the Websites may not be secure, and you should therefore take special care in deciding what
information you send to us via e-mail.