Data Privacy Framework Privacy Policy

Effective Date: March 31, 2024
Last Updated: March 31, 2024

NOTE: To access this Data Privacy Framework Privacy Policy in other languages, please visit http://www.plume.com/legal and click on the appropriate country and/or language.

Plume Design Inc. (Plume or we) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Plume has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the Processing of Personal Information received from the European Union (EU) in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Plume has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) about the Processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the DPF Principles (defined below) shall govern. To learn more about the Data Privacy Framework program and to view our certification, please visit https://www.dataprivacyframework.gov.

The Swiss-U.S. DPF is awaiting finalization as of the date of this Plume Data Privacy Framework Privacy Policy (DPF Policy). Please visit here for more information.


DEFINITIONS
Capitalized terms used but not otherwise defined in this DPF Policy have the following meanings:

  • Agent means any third party that collects or uses Personal Information under the instructions of, and solely for, a Controller or to which a Controller discloses Personal Information for use on the Controller's behalf.  

  • Data Subject (or you) means a natural person whose Personal Information is covered by this DPF Policy.

  • Controller means a person or organization which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information. Plume is a Controller as to certain Processing.

  • DPF Principles means, collectively, the EU-U.S. DPF Principles (defined above) and the Swiss-U.S. DPF Principles (defined above), as set forth by the U.S. Department of Commerce here.

  • DPF Program means, collectively, EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

  • Personal Information means any information, including Sensitive Personal Information, relating to an identified or identifiable natural person that is received by Plume in the U.S. from the EEA, Switzerland or UK/Gibraltar, and recorded in any form.

    • An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Process, Processes or Processing means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

  • Sensitive Personal Information means Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying an individual’s sex life, and any Personal Information received by Plume from a third party that the third party identifies and treats as sensitive.


WHEN THIS DPF POLICY APPLIES
This DPF Policy applies to Personal Information transferred from member countries of the European Economic Area (EEA, which is the member states of the EU plus Iceland, Liechtenstein and Norway), the United Kingdom (UK), and Switzerland to Plume in the U.S. in reliance on the EU-U.S. DPF, UK Extension to the EU-U.S. DPF or the Swiss-U.S. DPF.  

Personal Information that Plume Processes in compliance with the DPF Program is covered by Plume’s other privacy-related requirements and policies (collectively, the Plume Privacy Policy), available at www.plume.com/legal.  For some of Plume’s websites or mobile applications, if a separate privacy policy, notice or statement is linked or posted, that privacy policy, notice or statement applies.

Plume is an Agent as to certain Processing for its customers and a Controller as to other Processing for its customers as described in the Plume Privacy Policy. 

Personal Information regarding Plume’s current or past employees, interns, contractors and contingent workers is subject to Plume’s Personnel Notice and to Plume’s DPF Personnel Notice, which are available to covered individuals on request to [email protected].

This DPF Policy does not apply to Personal Information transferred under Standard Contractual Clauses or any approved derogation from the EU General Data Protection Regulation, the UK General Data Protection Regulation or the Swiss Federal Data Protection Act.  While the DPF Program is an authorized international transfer mechanism to enable Plume to receive Data Subjects’ Personal Information in the U.S., Plume’s obligations and Data Subject rights under the DPF Program are separate from those under the EU General Data Protection Regulation, the UK General Data Protection Regulation and the Swiss Federal Data Protection Act. 


PLUME’S COMMITMENT TO THE DPF PRINCIPLES
Plume commits to applying the DPF Principles to all Personal Information received by Plume in the U.S. from the EEA, UK and Switzerland in reliance on the DPF Program.  Plume’s adherence to this DPF Policy may be limited to the extent required to meet Plume’s legal, regulatory, governmental or national security obligations.

The DPF Principles
The DPF Principles are: 1. Notice; 2. Choice; 3. Accountability for Onward Transfer; 4. Security; 5. Data Integrity and Purpose Limitation; 6. Access; and 7. Recourse, Enforcement and Liability.

1. Notice Principle

Plume provides notice to Data Subjects about its Processing practices for Personal Information received by Plume in the U.S. from the EEA, UK and Switzerland in reliance on the DPF Program through the Plume Privacy Policy and this DPF Policy, including: 

  • the types of Personal Information it collects about them
  • the purposes for which it Processes the Personal Information (see also 5. below)
  • the types of Agents and other third parties to which Plume discloses Personal Information and the purposes for doing so (see also 3. below)
  • the rights of Data Subjects to access their Personal Information (see 6. below)
  • the choices that Plume offers Data Subjects for limiting use and disclosure of their Personal Information (see also 2. below)
  • how Plume’s obligations under the DPF Program are enforced, including Plume’s designated independent dispute resolution mechanism to address complaints and provide appropriate recourse free of charge, the possibility, under certain conditions, to invoke binding arbitration (see also 7. below)
  • Plume’s liability in cases of onward transfers to third parties (see also section 3. below)
  • how Data Subjects can contact Plume with questions or complaints.

Plume is not required to apply the Notice Principle or the Choice or Accountability for Onward Transfer Principles (see 2. and 3. below) to public record information (i.e., records kept by government agencies or entities at any level that are open to consultation by the public in general) or information that is already publicly available to the public at large if this information is not combined with non-public record information and, for public record information, any conditions for consultation established by the relevant jurisdiction are respected.


2. Choice Principle

Plume provides Data Subjects with choices about their Personal Information before Plume uses Personal Information covered by this DPF Policy for a new purpose that is materially different from the purpose for which the Personal Information was originally collected or subsequently authorized or before disclosure to a non-Agent third party that was not already authorized. 

Plume will obtain affirmative consent (i.e., opt-in) from Data Subjects before Sensitive Personal Information is disclosed to a third party.  

Plume will obtain the Data Subject’s affirmative express consent (i.e., opt in) before Sensitive Personal Information covered by this DPF Policy is (i) disclosed to a third party or (ii) used for a new purpose that is different from that for which the Personal Information was originally collected or subsequently authorized by the Data Subject (subject to some limitations set forth here).  Under the DPF Principles, Plume is not required to provide choice when disclosure is made to a third party that is acting as an Agent if Plume enters into a written contract with the Agent (see 3. below). 

To opt out of these uses or disclosures of Personal Information or Sensitive Personal Information, please contact Plume as follows:

Plume may engage with a Data Subject to request sufficient information to allow Plume to confirm the identity of the Data Subject making an opt-out request.  Plume may use Personal Information for certain direct marketing purposes when it is impracticable for Plume to provide a Data Subject with an opportunity to opt out before using the Personal Information. Plume will promptly offer the Data Subject the opportunity at the same time (and upon request at any time) to decline (at no cost) to receive any further direct marketing communications and Plume complies with the individual’s wishes.


3. Accountability for Onward Transfer Principle

Plume offers Data Subjects the opportunity to choose (i.e., opt out) whether their Personal Information is (i) disclosed to a third party or (ii) used for a purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized.  

Transfers to Controllers: Plume will transfer Personal Information covered by this DPF Policy to a third party acting as a Controller consistent with the relevant Plume Privacy Policies provided to each affected Data Subject and the Data Subject’s consent given to Plume.  

Plume will make these transfers only if the Controller has agreed in a written contract that it will (i) Process the Personal Information for limited and specified purposes consistent with the consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease Processing of the Personal Information or take other reasonable and appropriate steps to remediate the Processing if it makes such a determination. 

Plume will take reasonable and appropriate steps to prevent, stop or remediate the Processing if Plume becomes aware that a Controller is Processing Personal Information covered by this DPF Policy contrary to the DPF Principles. 

Transfers to Agents: Plume will transfer to each Agent only the Personal Information needed for the Agent to provide the services or products as Plume has instructed.  

Plume will require that each Agent:

  • Process the Personal Information only for limited and specified purposes as instructed by Plume; 
  • Provide at least the same level of privacy protection as is required by the DPF Principles; 
  • Take reasonable and appropriate steps to ensure that the Agent effectively Processes the Personal Information transferred in a manner compliant with Plume’s obligations under the DPF Principles; and 
  • Notify Plume if the Agent determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles. 

Upon receiving notification from an Agent that the Agent can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, Plume will take reasonable and appropriate steps to stop and remediate the unauthorized Processing.  Plume also provides summaries of the relevant privacy provisions of its contracts with Agents to the Department of Commerce upon request.

In certain situations, Plume may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 

Plume remains liable under the DPF Principles if an Agent Processes Personal Information covered by this DPF Policy in a manner inconsistent with the DPF Principles unless Plume proves that Plume is not responsible for the event giving rise to the damages.


4. Security Principle

Plume takes reasonable and appropriate measures to protect Personal Information covered by this DPF Policy from loss, misuse and unauthorized access, disclosure, alteration, and destruction, considering the risks involved in the Processing and the nature of the Personal Information.


5. Data Integrity and Purpose Limitation Principle

Plume limits its collection of Personal Information to information that is relevant for the purposes of Processing. Plume does not Process Personal Information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the Data Subject.

Plume takes reasonable steps to ensure that such Personal Information is reliable for its intended use, accurate, complete, and current. Plume takes reasonable and appropriate measures to comply with the requirement under the DPF Program to retain Personal Information in identifiable form only for as long as it serves a purpose of Processing. Specifically, Plume will retain Personal Information in accordance with Plume’s legitimate business purposes and legal obligations, unless a longer retention period is required or permitted by law.  

Plume will adhere to the DPF Principles for as long as it retains Personal Information covered by this DPF Policy.


6. Access Principle

Data Subjects whose Personal Information is covered by this DPF Policy have the right (i) to obtain from Plume confirmation of whether or not Plume is Processing Personal Information relating to them and to access that Personal Information and (ii) to correct, amend, or delete their Personal Information if it is inaccurate or if Plume Processes it in violation of the DPF Principles - except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, when the rights of persons other than the Data Subject would be violated or when disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security, national defense or public security.  

Plume will make good-faith, reasonable and practical efforts to comply with requests, so long as our doing so would be consistent with applicable law and/or Plume’s contractual requirements.   

Plume may engage with a Data Subject to request sufficient information to allow Plume to confirm the Data Subject’s identity or if an access request is vague or broad in scope or to better understand the motivation for the request and to locate responsive information.  Plume also may inquire about how the Data Subject interacted with Plume or about the nature of the Personal Information or its use that is the subject of the request. Plume may deny or limit access to the extent that granting full access would reveal Plume’s own proprietary or confidential commercial information, such as the confidential commercial information of another that is subject to a contractual obligation of confidentiality.  Plume may set reasonable limits on the number of times within a given period that access requests from a particular Data Subject will be met.  

To make a data access request, Data Subjects may contact Plume by:

Plume will respond to access requests within a reasonable time.


7. Recourse, Enforcement, and Liability

The Federal Trade Commission (FTC) has jurisdiction over Plume’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Plume commits to resolve complaints about our collection or use of Personal Information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.   

EU, UK and Swiss individuals with inquiries or complaints should first contact Plume by email to [email protected].

Plume has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. The service of BBB NATIONAL PROGRAMS is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms. 

See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for information. (Note that Paragraph C of Annex I of the DPF Principles explains the Pre-Arbitration Requirements.)

* * * * *

Plume agrees to periodically review and verify its compliance with the DPF Principles and to remedy any issues arising out of Plume’s failure to comply with the DPF Principles. Plume acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of DPF participants.

All Plume personnel who have access in the U.S. to Personal Information covered by this DPF Policy are responsible for ensuring that Personal Information Processing complies with this DPF Policy. Plume personnel are also responsible for ensuring that Agents or other unaffiliated third parties that Process Personal Information subject to this DPF Policy comply with this DPF Policy and Process Personal Information in accordance with the DPF Principles, including contracts required by the DPF Program.

CHANGES TO THIS DATA PRIVACY FRAMEWORK POLICY
This DPF Policy may be amended from time to time consistent with the requirements of the DPF. When we make changes to this DPF Policy, we will revise the “Last Updated” date at the beginning of this DPF Policy. We will also take appropriate measures to inform you in advance of changes we feel are significant so that you have an opportunity to review the revised DPF Policy before it is effective. If your consent is required by the DPF Principles, we will obtain your consent. We encourage you to regularly check this DPF Policy to ensure you are aware of the updated version.

QUESTIONS?
Plume is committed to protecting the privacy of your Personal Information. If you have any questions or comments about this DPF Policy, please contact [email protected].