Avantage Entertainment USA Privacy and Data Protection Policy
Version 1.4.1, September 17, 2019
Avantage® Entertainment USA, LLC (Avantage) is a US-based entity under Delaware registration number 4634638. Avantage is a marketing and entertainment company that develops and operates online and mobile platforms for data sharing and community interaction services. Avantage collects specific types of customer data to enable these services and to create and optimize the Customer Experience (CX) across our platforms. Avantage considers personal data to be anything that can or could be used to identify an individual or individual's online activity either directly or indirectly. As outlined in this policy, Avantage is committed to a consent-based strategy of collecting only that data which is necessary and securing all processed and stored data to safeguard our customers' privacy and sensitive data.
All Avantage staff (i.e. Ownership, Executive Leadership, and personnel in every department) are responsible for executing this policy and immediately reporting any actual or suspected violations to the Data Protection Officer (DPO). This policy explains what data Avantage collects, how the data is used (processed, stored, and shared), how the data is protected, and customers' rights relating to their personal data. This policy describes the lawful basis for processing and sharing data and provides relevant contact details.
Avantage collects, processes, displays, and/or stores the following data types:
- full name,
- postal addresses,
- email address,
- electronic or Internet Protocol (IP) address,
- telephone numbers,
- on-line usernames/personas/identifiers,
- device identifiers (e.g. MAC Address), and
- performance and behavioral analytics
This policy is designed to meet the legal obligations under the European Union (EU)'s General Data Protection Regulation (GDPR), the Privacy Shield Framework, the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulation (PECR).
2.1 GDPR and Privacy Shield Compliance
2.2 Avantage Commitment to Privacy Shield Principles
In compliance with the Privacy Shield Principles, Avantage commits to resolve complaints about our collection or use of your personal information. Individuals with inquiries or complaints regarding our Privacy and Data Protection Policy, processes, and associated procedures should first contact Avantage via the Help Center Link on our web pages and within our applications or via email at: firstname.lastname@example.org.
- Avantage is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC),
- Under certain conditions, individuals may invoke binding arbitration, and
- Avantage is liable in cases of onward transfers to third parties.
3.0 Why We Collect and How We Use Customer Data
Avantage's goal is to be a premier entertainment provider and to deliver a world-class CX to each user every time they use one of our products or services. Achieving this level of service requires an in-depth understanding of our users' preferences, what they like about the products and services, and what can be improved upon. Accordingly, Avantage collects data that provides our marketing and development teams with the insight needed to customize the users' experience. It is Avantage's intention to only collect the minimum data required to meet legal and regulatory requirements (e.g. Know Your Customer (KYC) and Customer Due Diligence (CDD)), and to enable an optimal CX for each customer. Elements of personal data described in Section 4.0 will be exported outside the European Economic Area (EEA) to other countries, including the US, for processing and analysis.
4.0 The Personal and Sensitive Data We Collect
Avantage will securely collect, process, use, store, and transfer the following categories of personal and engagement data to enable optimal operations, meet regulatory requirements, and continuously improve our products, services, and customers' experiences:
- Personal Data - this data will include proof of who a customer/potential customer is, account information (i.e. User ID and Password), preferences and trends, and associated account data (i.e. social media accounts that the customer chooses to link to their profile) to help ensure the customer's identity for use of Avantage's products and services.
- Contact, Marketing, and Communication (CMC) Data - this data includes the customer's telephone number, communications preferences, email address, and records of consent to marketing communications from Avantage (e.g. special offers, promotions, and newsletters). With Personal Data, we use CMC data to ensure that only age-appropriate and legal marketing strategies are used.
- Technical and Behavioral Data - customer location, login data, browser info, time zone, device ID, operating system/platform, other technologies on the device, and IP address will all be collected when accessing Avantage products and services. This information will help build the customer's profile, will be used to expedite user authentication, and will be anonymized for correlation with and trend analysis of other users' data.
5.0 Data Collection Methods
Avantage uses three methods to collect data: direct collection of data that customers provide, indirect system-to-system collection, and third-party collection.
Direct Collection - a customer uses Avantage's websites and mobile applications to manually enter data or upload artifacts and content during activities such as:
- creating an account or updating a profile,
- signing up for a newsletter, service, or membership program, and/or
- communicating with Avantage via the website, mobile application, or phone.
Third-Party Collection - when a customer uses a social media profile (e.g. Facebook or LinkedIn) to expedite the account creation or login process, Avantage will use the data provided in the associated profile to build profiles and customize marketing. If a customer chooses to participate in customer research efforts managed by third-party collection and analysis agencies, Avantage will also gain access to the feedback and the data that customers voluntarily and consensually provide.
6.0 Data and Privacy Protection Methods
In accordance with GDPR and DPA guidelines, Avantage is committed to protecting customer personal data through encryption, anonymization, and pseudonymization of sensitive and privacy data or Personally Identifiable Information (PII).
6.1 GDPR Requirements
GDPR (Article 5) requires that personal data be:
- Processed fairly, lawfully, transparently, and with express consent;
- Collected for a specified, explicit, and legitimate purpose, and not be used outside of those purposes it has been collected for;
- Adequate, relevant, and limited to only what is needed for the expressed purposes;
- Stored in a secure form which limits identification of data subjects for no longer than necessary for the expressed purposes;
- Provided to the data subject or data subject-approved third party;
- Forgotten or deleted at the data subject's request; and
- Processed in a technically secure manner to protect against unauthorized/unlawful use, accidental loss, destruction, damage, or compromise.
6.2 DPA Requirements
The DPA of 2018 requires that personal data:
- Be processed fairly and lawfully;
- Be obtained only for specific, lawful purposes;
- Be adequate, relevant and not excessive;
- Be accurate and kept up to date;
- Not be held for any longer than necessary;
- Be processed in accordance with the rights of data subjects;
- Be protected in appropriate ways; and
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
6.3 Avantage Privacy and Data Protection Safeguards
In accordance with the processes and procedures outlined in Avantage's Information Security Management Plan (ISMP) and Information Security Policy (ISP), Avantage proactively enables and continuously monitors a robust system of layered security controls specifically designed to limit and protect the collection, processing, storage and use of personal data. The following safeguards are designed to educate Avantage users about personal data collection, use, sharing and protection.
- Upon first collection and at any point when the data use changes, Avantage informs the user of what data types are being collected, for what purpose(s), how long it will be stored, and requests the data subject's consent.
- Avantage has defined a lean data scheme that minimizes data collection to that which is lawful and needed for expressed purposes.
- Through direct and indirect collection, Avantage will verify data accuracy and encrypt stored data to promote the integrity of the data.
- Prior to sharing any personal data with outside parties, Avantage will obtain informed, active consent from data subjects for the data sharing.
- Avantage's Data Protection Officer (DPO) oversees staff training, data protection standards implementation, updates to applicable processes, policies and procedures, data-related question response, and complaint and potential compromise investigation. The Avantage DPO can be reached via email: email@example.com.
6.4 Alternative Dispute Resolution (ADR)/Independent Recourse Mechanism (IRM)
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
7.0 Data Sharing
Avantage's data sharing policy is to only share personal data when informed consent has been given by the data subject, it has been requested by the data subject, or it is required by law. Personal data will be protected from access by persons within Avantage unless expressly required for job-related functions as outlined in the user consent.
7.1 Lawful Data Processing
To optimize users' CX, collected data may be exported out of the EEA/EU and shared with the following groups for the expressed purposes:
- Avantage Entertainment Marketing (US) - Personal contact information will be shared to enable distribution of consented-to marketing promotions and informational updates. CMC and behavioral data will be anonymized and used to assess capability use, functionality of features, and user preferences to help optimize the CX.
- Instapage (US and EEA), Google Analytics (US), Upfluence (US and France), and Bucket.io (US) - CMC and behavioral data will be anonymized and shared with these companies to enable product and service performance and user preference analytics and identification of potential improvements for Avantage offerings.
- TypeForm (US) - Is used to enable user profile development and personalization, and data is encrypted for storage and transmission for continuous protection.
- ActiveCampaign (US) - Personal contact information is shared with ActiveCampaign to enable encrypted communication of promotional materials to consenting users.
- Survey Monkey (US) and HotJar (Malta) - Personal and behavioral data will be collected by and shared with Survey Monkey and HotJar to enable user identification, capture preferences, and enable customization of SG functionality.
- Facebook (US) - Personal and behavioral data will be collected, processed, and shared via Facebook Messenger and ManyChat to enable customized, direct marketing to and communications with users and to optimize CX. Users will also have the ability to voluntarily share personal information using the services provided by these products.
- FreshWorks360 (US and EEA) and Shadow Solutions (Philippines) - To facilitate customer relationship management and customer service, some personal, CMC and behavioral data will be shared with the FreshWorks360 platform. This limited subset of data will be accessed by Avantage employees and customer service agents at Shadow Solutions. Customer service agents will only be able to view a limited subset of data required to verify a user's identity and to support individuals on a case-by-case basis.
- HelloBar (US) and Netlify (US) - Using cookies and other analytics, HelloBar and Netlify help customize the CX by enabling analysis of CMC and behavioral data of users to Avantage's social platforms.
- iOvation (US) and Onfido (UK) - Personal and CMC data will be shared with iOvation and Onfido to enable identity verification for KYC and CDD, as necessary.
- Proficio (US) - Limited personal and behavioral data will be shared with Proficio to enable real-time monitoring of Avantage platforms, products, and services.
7.2 Incident Response Support
To effectively and efficiently investigate, respond to and resolve suspected or actual data breaches and/or security incidents, Avantage maintains communication with and contacts for local, state, and federal authorities, Internet Service Providers (ISPs), utilities, and applicable Supervisory Authorities including, but not limited to:
- UK Information Commissioner's Office (ICO) for General Data Protection Regulation (GDPR)/Data Protection Act (DPA) breaches - https://ico.org.uk/for-organisations/report-a-breach/
- Carlsbad Police Department - +1 (760) 931-2197 (non-emergency contact number)
- California Cyber Crime Center (C4) - C4@doj.ca.gov
- US Computer Emergency Readiness Team (CERT) - https://www.us-cert.gov/forms/report
- Internet Crime Complaint Center (IC3) - https://www.ic3.gov/complaint/default.aspx/
- Amazon Web Services (AWS) Support - https://aws.amazon.com/premiumsupport/
- Continent 8 Hosting Support - firstname.lastname@example.org
- San Diego Gas and Electric (SDGE) - http://webarchive.sdge.com/safety/report-an-outage
To stay abreast of current threats and vulnerabilities, Avantage subscribes to the US CERT National Cyber Awareness System Mailing Lists. Prior to reporting suspected or actual security incidents, Avantage personnel collect the appropriate information in accordance with our Incident Response Plan (IRP). This information is shared to foster a prompt response to and containment of risks to information, associated Avantage operations, the safety of Avantage customers and their PII/privacy data, and to facilitate widespread awareness of the threats and/or vulnerabilities associated with the incident. As deemed appropriate by the DPO and based on the nature and extent of the security incident, data subjects will be informed of suspected and/or actual breaches that have potentially compromised their PII/privacy data within 72 hours of identification and reporting of the concern.
8.0 Data Retention
Avantage will only retain personal data for as long as necessary to fulfill the purposes it was collected for, including compliance with any applicable legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, Avantage will take into account its legal and regulatory obligations, the amount, nature and sensitivity of the personal data, and the potential risk from unauthorized use or disclosure of personal data. Electronically stored data will be backed up and protected in accordance with processes and procedures outlined in the ISMP and ISP. Avantage will continually assess the purposes for which the data is collected and processed to determine whether those aims might be achieved through other means. Customer data may be anonymized, such that it can no longer be associated with a specific user, for research or statistical purposes. In these cases, we may use this information indefinitely without further notice to customers or data subjects. Unless otherwise required by law, personal data will be deleted after five years or upon request of the user.
9.0 Customer Rights and Responsibilities
Avantage has a legal obligation to protect customer data as a controller of personal data. For the customers' part, data should be kept up-to-date, accurate, and secure from public disclosure or easy unauthorized access. Customers will have access and the ability to update their personal data via the websites and mobile applications. Customers should never share accounts, user IDs, or passwords, and passwords should be complex.
Customers have the right to:
- Know and have access to what personal data Avantage collects and uses,
- Request correction of any incomplete or inaccurate data,
- Request erasure of personal data (subject to legal obligations that Avantage has in relation to data retention, of which the customer will be notified, if applicable, at the time of the request),
- Object to automated decision making or profiling,
- Request to suspend the processing of personal data,
- Request to transfer personal data to a third party,
- Withdraw consent to the processing of their personal data (where a customer withdraws consent, Avantage may not be able to provide products or services to that customer), and
- Close their account.
Data subject access requests should be sent to (email@example.com). All requests will be responded to within one month, unless a request is particularly complex, or a significant number of requests have been made. Avantage may refuse to comply with a customer request in certain circumstances such as clearly unfounded, repetitive or excessive requests. As part of its handling of the requests, Avantage may need to contact the customer to confirm their identity to process the request.