Privacy Policy

1. 1. This page contains Applause App Quality, Inc.'s Privacy Policy.

2. 2. Data Protection information for business partners of Applause App Quality UK Ltd, is set forth here: https://www.applause.com/data-protection-information

3. 3. Data Protection information for (i) users of Applause GmbH and (ii) business partners of Applause GmbH, see here: https://www.applause.com/de/datenschutzerklaerung

4. 4. Data Protection information for (i) users of Applause's French website (provided by Applause GmbH) and (ii) business partners of Applause GmbH are found here: https://www.applause.com/fr/politique-de-confidentialite

Applause App Quality, Inc. Privacy Policy (“Applause”). In context with the website and the services provided on the website, we process personal data. The protection of personal data is important to us. We process personal data only in accordance with the applicable data protection requirements, in particular the General Data Protection Regulation (GDPR) as well as the EU-US Privacy Shield and the Swiss-US Privacy Shield Program to best protect the personal data from European Economic Area, Switzerland and the UK to the US and other third countries. As a general business practice, we enter into Data Protection Agreements and other terms and conditions that incorporate by reference the Standard Contractual Clauses adopted by the European Commission as between Applause and our vendors and subprocessors.

Prior to July 16, 2020, Applause relied on its EU-U.S. and Swiss-U.S. Privacy Shield certifications as the legal mechanism to enable data transfers from the European Union (EU) and Switzerland to the U.S. Since July 16, 2020, we use Standard Contractual Clauses to enable data transfers from the EU, UK, and Switzerland. Although Applause no longer relies on the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as valid legal bases for such international transfers, we continue to participate in and will maintain its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.

In Section A of this Data Protection Information you find information on the controller of your personal data, their representative and the data protection officer of the controller.

In Section B you find information about the processing of your personal data.

In Section C you find more detailed information on the use of cookies or similar technologies.

In Section D you further find information on your rights regarding the processing of your personal data.

The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation. You find more detailed information about this in Section E.

In Section F you will find information about Applause's participation in the EU-U.S. Privacy Shield and the Swiss-US Privacy Shield Program

In Section G you will find information specific to the rights of consumers and Applause Personnel who reside in California

In Section H you will find information specific to the rights of consumers who reside in Nevada.

In Section I you will find information specific to the rights of consumers who reside in Virginia

In Section J, you will be informed of the effective date of, and changes, to this Data Protection Information

TABLE OF CONTENTS

A. Information on the controller

I. Identity and contact details of the controller

II. Identity and contact details of the controller’s representative.

III. Contact details of the controller’s data protection officer.

B. Information on the processing of personal data.

I. Informational use of the website.

II. Use of online contact forms.

III. Use of online job application forms.

IV. Use of web analysis technologies.

V. Use of web tracking technologies.

C. Information on the use of cookies.

D. Information on the rights of data subjects.

I. Right of access.

II. Right to rectification.

III. Right to erasure (“right to be forgotten”).

IV. Right to restriction of processing.

V. Right to data portability.

VI. Right to object.

VII. Right to withdraw consent.

VIII. Right to lodge a complaint with a supervisory authority.

E. Information about the General Data Protection Regulation terminology used in this information.

F. EU-U.S. Privacy Shield and Swiss-US Privacy Shield Program

G. Rights of Consumers in California

H. Rights of Consumers in Nevada

I. Rights of Consumers in Virginia

J. Effective date of and changes to this Data Protection Information.

Section A. Information about the data controller

I. Name and contact details of the data controller

Applause App Quality, Inc
100 Pennsylvania Ave., Framingham, MA 01701, United States
PrivacyDPO@applause.com
+1-844-300-2777

II. Identity and contact details of the controller’s representative

Applause GmbH
Obentrautstr. 72, 10963 Berlin, Germany
+49 (0)30 57700400
PrivacyDPO@applause.com

III. Contact details of the controller’s data protection officer

Applause Data Protection Officer
c/o Applause App Quality, Inc., 100 Pennsylvania Ave., Framingham, MA 01701, United States
PrivacyDPO@applause.com +1-844-300-2777

Section B. Information on the processing of personal data

I. Informational use of the website

When the use of the website is purely informational, certain information, for example your IP address, is sent to our server by the browser used on your device for technical reasons. We process this information in order to provide the website content requested by you. To ensure the security of the IT infrastructure used to provide the website, this information is also stored temporarily in what is referred to as a so-called “web server log file”.

You receive more detailed information on this below:

1. Details on the personal data that are processed

Categories of personal data that are processed	Personal data included in the categories	Data source(s)	Obligation to provide the data	Storage duration
HTTP Data.	Protocol data which accrue when visiting the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons. These include IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), date and time of visit.	User of the website.	Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data. If the data is not provided, we cannot provide the requested website content.	Data are stored in server log files in a form allowing the identification of data subject for a maximum period of 7 days, unless any security related event occurs (e.g. a DDoS attack). If there is a security related event, server log files are stored until the security relevant event has been eliminated and resolved in full.

2. Details on the processing of personal data

Purpose of processing the personal data	Categories of personal data that are processed	Automated decision-making	Legal basis, and, if applicable, legitimate interests	Recipient
Provision of the website content requested by the user: For this purpose, data are temporarily processed on our web server.	HTTP Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is the provision of the website content requested by the user.	Hosting provider.
Ensuring the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks): For this purpose, Data are temporarily stored and evaluated in log files on our web server.	HTTP Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is ensuring the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks).	Hosting provider.

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organizations

Recipient	Recipient’s role	Recipient’s location	Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organizations
Hosting provider:Amazon Web Services, Inc.410 Terry Avenue NorthSeattle WA 98109United States	Processor	United States	There is no adequacy decision of the European Commission for the third countries in question. Transfers to the third countries in question take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries. You can obtain the European Commission's decision on standard contractual clauses here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32010D0087 A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.III.).

II. Use of online contact forms
We offer you the possibility on the website to contact us using contact forms. We process the information provided by you in the contact forms to process your request. Where applicable, we also store the information for evidence purposes for any assertion, exercise or defence of legal claims or in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

When the contact forms on our website are used certain information, for example your IP address, is for technical reasons sent to our server by the browser used on your device. We process this information in order to provide the contact forms on our website and to ensure the security of the IT infrastructure used to provide the contact form.

You receive more detailed information on this below:

1. Details on the personal data that is processed

Categories of personal data that are processed	Personal data included in the categories	Data source(s)	Obligation to provide the data	Storage duration
Contact Form HTTP Data.	Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the contact forms on our website are accessed. These include IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), date and time of the visit.	User of the website.	Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data. Not providing this data means that we cannot provide the requested Website content.	Data are stored in server log files in a form allowing the identification of data subject for a maximum period of 7 days, unless any security related event occurs (e.g. a DDoS attack). If there is a security related event, server log files are stored until the security relevant event has been eliminated and resolved in full.
Contact Form Data.	Data you provide us with in website contact forms. These include title, first name, last name, street, house number, postal code, city, country, e-mail address, your request, your message (mandatory), telephone number, order number (voluntary).	User of the website.	Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data. If the mandatory data is not provided, we cannot process your request.	Data are stored until your request has been dealt with. We store these data for evidence purposes for the assertion, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. We also store this data to the extent that statutory obligations require us to do so, in particular commercial and tax law document retention obligations.

2. Details on the processing of the personal data

Purpose of processing the personal data	Categories of personal data that are processed	Automated decision-making	Legal basis, and, if applicable, legitimate interests	Recipient
Provision of the contact forms on the website. For this purpose data are processed temporarily on our web server.	Contact Form HTTP Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (f) of the General Data Protection Regulation) (balancing of interests). Our legitimate interest is the provision of the website content requested by the user.	Hosting Provider.
Ensuring the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of disruptions (e.g. DDoS attacks): For this purpose, data are temporarily stored and evaluated in log files on our web server.	Contact Form HTTP Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (f) of the General Data Protection Regulation) (balancing of interests). Our legitimate interest is ensuring the security of the IT infrastructure used to provide the website, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).	Hosting Provider.
Processing of your request. If your request concerns other companies of the Applause group, this may include forwarding your request to the relevant Applause entity.	Contact Form Data.	No automated decision-making takes place.	If your request concerns a contract to which you are party or the performance of pre-contractual measures: Article 6 paragraph 1 point (b) of the General Data Protection Regulation (performance of a contract to which the data subject is party or steps at the request of the data subject prior to entering into a contract). Otherwise: Article 6 paragraph 1 point (f) of the General Data Protection Regulation. (balancing of interests). In this case, our legitimate interest is the processing of your request.	Customer database provider,Applause companies.
Storage and processing for evidence purposes for any assertion, exercise or defence of legal claims.	Contact Form Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (f) of the General Data Protection Regulation. (balancing of interests). Our legitimate interest is assertion, exercise or defence of legal claims.	Customer database provider.
Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.	Contact Form Data.	No automated decision-making takes place.	If storage is required to comply with EU law or EU Member State law, the legal basis is point (c) of Article 6 paragraph 1 of the General Data Protection Regulation (compliance with a legal obligation) If storage is required to comply with other laws and/or regulations, the legal basis is point (f) of Article 6 paragraph 1 of the General Data Protection Regulation (balancing of interests). Our legitimate interest is the compliance with the relevant laws and/or regulations.	Customer database provider.

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organizations

Recipient	Recipient’s role	Recipient’s location	Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organizations
Hosting provider: Amazon Web Services, Inc.410 Terry Avenue NorthSeattle WA 98109United States	Processor	United States	There is no adequacy decision of the European Commission for the third countries in question. Transfers to the third countries in question take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries. You can obtain the European Commission's decision on standard contractual clauses here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32010D0087 A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.III.).
Customer database provider: Salesforce.com, Inc.The Landmark @ One Market. Suite 300, San Francisco, CA 94105, United States Marketo, Inc.901 Mariners Island Boulevard, Suite #500 (Reception), San Mateo, CA 94404United States	Processor	United States	There is no adequacy decision of the European Commission for the third countries in question. Transfers to the third countries in question take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries. You can obtain the European Commission's decision on standard contractual clauses here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32010D0087 A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.III.).
Applause companies: Applause GmbHObentrautstr. 7210963 Berlin Germany Applause App Quality UK Ltd.3rd Floor 12 Gough Square, London, England, EC4A 3DWUnited Kingdom	Controller	EU	-

III. Use of online application forms
We offer you the possibility on the website to contact us using online job application forms. We process the information provided by you in the job application forms to process your application. Where applicable, we also store the information for evidence purposes for any establishment, exercise or defense of legal claims or in order to meet statutory document retention obligations.

When the application forms on our website are used certain information, for example your IP address, is for technical reasons sent to our server by the browser used on your device. We process this information in order to provide the application forms on our website and to ensure the security of the IT infrastructure used to provide the application form.

Applicants: We disclose your personal information to our private equity sponsor, Vista Equity Partners, and its affiliates, including Vista Consulting Group (collectively, “Vista”), for administration, research, database development, workforce analytics and business operation purposes, in line with the terms of this Privacy Policy. Vista processes and shares your personal information with its affiliates, including other Vista portfolio companies, on the basis of its legitimate interests in managing, administering and improving its business and overseeing the recruitment process and, if applicable, your employment relationship with Applause. If you have consented to us doing so, we also share your personal information with other Vista portfolio companies for the purpose of being considered for other job opportunities in the pooling system, both inside and outside the European Economic Area (EEA). Please find a full list of all Vista portfolio companies at: https://www.vistaequitypartners.com/companies/ and Vista’s privacy policy at https://www.vistaequitypartners.com/privacy. Where this requires us to transfer your personal information outside of the EEA, please refer to Section B of the Privacy Policy for further details on cross-border transfers. In connection with the recruitment process, your personal data may be transferred outside of the EEA to Hirebridge, LLC and Criteria Corp., which provide applicant tracking and evaluation services. Hirebridge, LLC and Criteria Corp. have agreed to comply with the EU Standard Contractual Clauses to ensure that your personal information is adequately protected whilst outside of the EEA.

You receive more detailed information on this below:

1. Details on the personal data that is processed

Categories of personal data that are processed	Personal data included in the categories	Data source(s)	Obligation to provide the data	Storage duration
Application Form HTTP Data.	Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the application forms on our website are accessed. These include IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), date and time of visit.	User of the website.	Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data. If the data is not provided, we cannot provide the requested website content.	24 months.
Application Form Data.	Data that you provide us with in the job application forms on the website. These include the information you provide in the relevant application on the website. This can above all include the following data: first and last name, e-mail address, telephone number, covering letter, additional information, links to your profiles in social networks (e.g. LinkedIn, Facebook).	User of the website.	Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data. If the data is not provided, we may not be able to process your application.	At least for the duration of the application process. After completion of the application process for a maximum of 3 months, unless the applicant has consented to longer storage in order to be informed about future potential vacancies.

2. Details on the processing of the personal data

Purpose of processing the personal data	Categories of personal data that are processed	Automated decision-making	Legal basis, and, if applicable, legitimate interests	Recipient
Provision of the job application forms on the website. For this we use the recruiting tool Hirebridge offered by Hirebridge.	Application Form HTTP Data.	No automated decision-making takes place.	Point (f) of Article 6 paragraph 1 of the General Data Protection Regulation (balancing of interests). Our legitimate interest is providing the website content requested by the user.	Application management provider.
Ensuring the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of disruptions (e.g. DDoS attacks): For this purpose, data are temporarily stored and evaluated in log files on our web server.	Application Form HTTP Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (f) of the General Data Protection Regulation) (balancing of interests). Our legitimate interest is ensuring the security of the IT infrastructure used to provide the website, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).	Application management provider.
Processing your application. If your application concerns other companies of the Applause group, this may include forwarding your application to the relevant Applause entity.	Application Form Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (b) of the General Data Protection Regulation (steps at the request of the data subject prior to entering into a contract).	Application management provider, Applause companies.
Storage and processing for evidence purposes for any assertion, exercise or defence of legal claims	Application Form Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (f) of the General Data Protection Regulation. (balancing of interests). Our legitimate interest is assertion, exercise or defence of legal claims.	Application management provider.
Storage of data in order to meet statutory document retention requirements.	Application Form Data.	Application Form Data. No automated decision-making.	If storage is required to comply with EU law or EU Member State law, the legal basis is point (c) of Article 6 paragraph 1 of the General Data Protection Regulation (compliance with a legal obligation). If storage is required to comply with other laws and/or regulations, the legal basis is point (f) of Article 6 paragraph 1 of the General Data Protection Regulation (balancing of interests). Our legitimate interest is the compliance with the relevant laws and/or regulations.	Application management provider.

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organizations

Recipient	Recipient’s role	Recipient’s location	Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organizations
Application management provider: Hirebridge, LLC3200 N University Dr #214 Coral Springs, FL 33065United States	Processor	United States	There is no adequacy decision of the European Commission for the third countries in question. Transfers to the third countries in question take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries. You can obtain the European Commission's decision on standard contractual clauses here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32010D0087 A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.III.).
Applause companies: Applause GmbHObentrautstr. 7210963 Berlin Germany Applause App Quality UK Ltd.3rd Floor 12 Gough Square, London, England, EC4A 3DWUnited Kingdom	Controller	EU	_
Applause companies: Applause GmbHObentrautstr. 7210963 Berlin Germany Applause App Quality UK Ltd.3rd Floor 12 Gough Square, London, England, EC4A 3DWUnited Kingdom	Controller	UK	-

IV. Use of web analysis technologies

If you have given your consent to this, we use web analysis technologies on the website in order to record and analyze the usage behavior on our website to improve the website and better achieve the objectives of the website (e.g. frequency of visits, increase in number of page visits).

You will find more detailed information on this in the following:

1. Details on the personal data that is processed

Categories of personal data processed	Personal data included in the categories	Sources of data	Obligation to provide the data	Storage duration
Google Analytics HTTP Data.	Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web analysis tool Google Analytics is used. These include IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), date and time of the visit.	User of the website.	Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data. If the data is not provided, we cannot carry out a web analysis by means of Google Analytics.	IP anonymisation is used on this website for the use of the web analysis tool Google Analytics. This means that the IP address transmitted via the browser for technical reasons is anonymised before being stored by shortening the IP address (by deleting the last octet of the IP address). Other HTTP Data are stored for 26 months.
Google Analytics Profile Data.	Data generated by the web analysis tool Google Analytics and stored in pseudonym usage profiles.These include a unique visitor ID for recognising returning visitors, data about the use of the website, in particular page visits, frequency of visits and time spent on the pages visited.	Generated autonomously.	-	26 months

2. Details on the processing of personal data

Purpose of the processing of personal data	Categories of personal data processed	Automated decision-making	Legal basis and, where applicable, legitimate interests	Recipient
Improvement of the website and further achievement of the objectives of the website (e.g. increase in number of page visits). For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised again on the website. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to examine where users come from, which areas of the website they visit and how often and how long which subpages and categories are looked at. For these purposes we use the web analysis tool Google Analytics provided by Google.	Google Analytics HTTP Data, Google Analytics Profile Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (a) of the General Data Protection Regulation (Consent).	Web analysis provider.

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organizations

Recipient	Recipient’s role	Recipient’s location	Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organizations
Web analysis provider: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.	Processor.	USA	There is no adequacy decision of the European Commission for the third countries in question. Transfers to the third countries in question take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries. You can obtain the European Commission's decision on standard contractual clauses here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32010D0087 A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.III.).

V. Use of web tracking technologies

If you have granted your consent to this, we use web tracking technologies on the website in order to record and analyze usage behavior on our website for the purposes of (conversion) tracking and (re-)targeting.

You will find more detailed information on this in the following:

1. Details on the personal data that is processed

Categories of personal data processed	Personal data included in the categories	Sources of data	Obligation to provide the data	Storage duration
Google AdWords HTTP Data.	Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web tracking tool Google AdWords is used. These include IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), date and time of the visit.	User of the website.	Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.If the data is not provided, we cannot carry out any web tracking by means of Google AdWords.	30 days.
Google AdWords Profile Data.	Data collected by the web tracking tool AdWords and stored in pseudonymised usage profiles. These include a unique visitor ID for recognising returning visitors, data about the use of the website, in particular page visits, frequency of visits and time spent on the pages visited.	Generated autonomously.	-	30 days.

2. Details on the processing of personal data

Purpose of the processing of personal data	Categories of personal data processed	Automated decision-making	Legal basis and, where applicable, legitimate interests	Recipient
Conversion tracking: For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised again on the website. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to measure the effectiveness with which an addressed target group is prompted to carry out the desired actions. For these purposes we use the web tracking tool Google AdWords provided by Google.	Google AdWords HTTP Data, Google AdWords Profile Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (a) of the General Data Protection Regulation (Consent).	Web tracking provider.
(Re-)targeting users of the website through advertisements. For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised on the website or another website. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to draw the attention of a user who has already shown interest in a website or a product to this website or product again to increase the advertising relevance and therefore the click rate and conversion rate (e.g. order rate). For these purposes we use the web tracking tool Google AdWords provided by Google.	Google AdWords HTTP Data, Google AdWords Profile Data.	No automated decision-making takes place.	Article 6 paragraph 1 point (a) of the General Data Protection Regulation (Consent).	Google.

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organizations

Recipient	Recipient’s role	Recipient’s location	Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organizations
Web tracking provider: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.	Processor.	USA	There is no adequacy decision of the European Commission for the third countries in question. Transfers to the third countries in question take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries. You can obtain the European Commission's decision on standard contractual clauses here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32010D0087 A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.III.).

Section C. Information on the use of cookies

Section D. Information on the rights of data subjects

As a data subject, you have the following rights with regard to the processing of your personal data:

• Right of access (Article 15 of the General Data Protection Regulation)
• Right of access (Principle 8 of the Privacy Shield Framework)
• Right to rectification (Article 16 of the General Data Protection Regulation)
• Right to erasure (“right to be forgotten”) (Article 17 of the General Data Protection Regulation)
• Right to restriction of processing (Article 18 of the General Data Protection Regulation)
• Right to data portability (Article 20 of the General Data Protection Regulation)
• Right to object (Article 21 of the General Data Protection Regulation)
• Right to withdraw consent (Article 7 paragraph 3 of the General Data Protection Regulation)
• Right to lodge a complaint with a supervisory authority (Article 77 of the General Data Protection Regulation)

You may contact us for the purpose of exercising your rights using the contact information in Section A

Where applicable, you find information on any specific modalities and mechanisms which facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, in the information on the processing of personal data in Section B of this Data Protection Information.

Below you find more detailed information on your rights with regard to the processing of your personal data:

[For a multi-layer presentation of the information (“layered information”), the following information may be hidden at the first layer]

I. Right of access

As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 of the General Data Protection Regulation.

This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in Article 15 paragraph 1 of the General Data Protection Regulation. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (Article 15 paragraph 1 points (a), (b) and (c) of the General Data Protection Regulation).

You can find the full extent of your right to access and information in Article 15 of the General Data Protection Regulation, which can be accessed using the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

In compliance with the EU-US and Swiss-US Privacy Shield Principles, citizens in the European Union, Switzerland, and United Kingdom have the right of access to, or correction, amendment or deletion of, Personal Data transferred to the United States pursuant to this Policy by contacting us at privacydpo@applause.com or via . Data subjects have the right to opt out of (a) disclosures of their Personal Data to third parties not identified at the time of collection or subsequently authorized, and (b) uses of Personal Data for purposes materially different from those disclosed at the time of collection or subsequently authorized.

European Union, Swiss, and United Kingdom individuals with Privacy Shield access requests can contact Applause’s Data Protection Officer by emailing us at privacydpo@applause.com or Data Privacy Officer, Applause App Quality, Inc, 100 Pennsylvania Ave., Framingham, MA 01701

II. Right to rectification

As a data subject, you have the right to rectification under the conditions provided in Article 16 of the General Data Protection Regulation.

This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.

You can find the full extent of your right to rectification in Article 16 of the General Data Protection Regulation, which can be accessed using the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

III. Right to erasure (“right to be forgotten”)

As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 of the General Data Protection Regulation.

This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Article 17 paragraph 1 point (a) of the General Data Protection Regulation).

If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Article 17 paragraph 2 of the General Data Protection Regulation) .

The right to erasure (“right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in Article 17 paragraph 3 of the General Data Protection Regulation. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Article 17 paragraph 3 points (b) and (e) of the General Data Protection Regulation).

You can find the full extent of your right to erasure (“right to be forgotten”) in Article 17 of the General Data Protection Regulation, which can be accessed using the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

IV. Right to restriction of processing

As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 of the General Data Protection Regulation.

This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Article 18 paragraph 1 point (a) of the General Data Protection Regulation).

Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4 paragraph 3 of the General Data Protection Regulation).

You can find the full extent of your right to restriction of processing in Article 18 of the General Data Protection Regulation, which can be accessed using the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

V. Right to data portability

As a data subject, you have a right to data portability under the conditions provided in Article 20 of the General Data Protection Regulation.

This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation or on a contract pursuant to Article 6 paragraph 1 point (b) of the General Data Protection Regulation and the processing is carried out by automated means (Article 20 paragraph 1 of the General Data Protection Regulation).

You can find information as to whether an instance of processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation or on a contract pursuant to point (b) of Article 6 paragraph 1 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section C of this Data Protection Information.

In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (Article 20 paragraph 2 of the General Data Protection Regulation).

You can find the full extent of your right to data portability in Article 20 of the General Data Protection Regulation, which can be accessed using the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VI. Right to object

As a data subject, you have a right to object under the conditions provided in Article 21 of the General Data Protection Regulation.

At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object .

More detailed information on this is given below:

1. Right to object on grounds relating to the particular situation of the data subject

As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6 paragraph 1, including profiling based on those provisions.

You can find information as to whether an instance of processing is based on point (e) or (f) of Article 6 paragraph 1 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section C of this Data Protection Information.

In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

2. Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You can find information as to whether and to what extent personal data are processed for direct marketing purposes in the information regarding the legal basis of processing in Section C of this Data Protection Information.

If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VII. Right to withdraw consent

Where an instance of processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation, as a data subject, you have the right, pursuant to Article 7 paragraph 3 of the General Data Protection Regulation, to withdraw your consent at any time. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.

You can find information as to whether an instance of processing is based on Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation in the information regarding the legal basis of processing in Section C of this Data Protection Information.

VIII. Right to lodge a complaint with a supervisory authority

As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 of the General Data Protection Regulation.

Section E. Information about the General Data Protection Regulation terminology used in this information

The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation.

The full scope of the definitions of the General Data Protection Regulation can be found in Article 4 of the General Data Protection Regulation, which can be downloaded from the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

You will find more detailed information on the most important technical terms of the General Data Protection Regulation used in this Data Protection Information below:

[For a multi-layer presentation of the information (“layered information”), the following information may be hidden at the first layer]

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data Subject” means the respective identified or identifiable natural person, to which the personal Data refers to;

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“International organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

“Third country” means a country which is not a member state of the European Union (“EU”) or the European Economic Area (“EEA”);

“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Section F. EU-U.S. Privacy Shield and Swiss-US Privacy Shield Program

Applause complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. Applause has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/. With respect to personal data transferred pursuant to the EU-US and Swiss-US Privacy Shield Framework, Applause is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Prior to July 16, 2020, Applause relied on its EU-U.S. and Swiss-U.S. Privacy Shield certifications as the legal mechanism to enable data transfers from the European Union (EU) and Switzerland to the U.S. Since July 16, 2020, we use Standard Contractual Clauses to enable data transfers from the EU, UK, and Switzerland. Although Applause no longer relies on the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as valid legal bases for such international transfers, we continue to participate in and will maintain its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.

Applause commits to resolve complaints about your privacy and our collection or use of your personal information. Where you have a complaint regarding our collection, storage, or use of your personal information, you may make a complaint to Applause via email to PrivacyDPO@applause.com or via mail to Data Privacy Officer, Applause App Quality, Inc, 100 Pennsylvania Ave., Framingham, MA 01701.We will respond to you within 45 days of receiving your request.

Applause has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.Under the EU-US and Swiss-US Privacy Shield Principles, Applause will promptly respond to your rights of access to, or correction, amendment or deletion of, Personal Data as set forth in Section D of this Policy.

Applause commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

Third parties, as documented in previous sections, may have access to some of your Personal Information to perform specific tasks on our behalf and are under written obligation not to disclose or use your Personal Information for any purpose other than those disclosed in this Privacy Policy. Notwithstanding such legal and contractual obligations between us and such service providers, we remain potentially liable for any misuse of your Personal Information. We will only disclose Personal Information when we are required to do so in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

We’ll regularly review our continued adherence to these privacy obligations. Further, we acknowledge our potential liability for misuse of your Personal Information by us or our third-party service providers, as further set forth in this Privacy Policy.

Section G. Rights of Consumers in California

California Consumer Privacy Act (CCPA) requires that we disclose certain information regarding the categories of Personal Information” (PI) we collect. For purposes of this CA Notice, PI has the meaning provided by the CCPA, as amended, and does not include information that is publicly available, that is deidentified or aggregated such that it is not capable of being associated with us, or that is excluded from the CCPA’s scope, such as PI covered by certain sector-specific privacy laws, such as the HIPAA, the FCRA, GLBA or the Driver's Privacy Protection Act of 1994. This CA Notice does not apply to information relating to our employees, contractors, or other personnel.

I. Collection and use of PI

A. We collect PI from and about CA consumers for a variety of purposes as set forth in Section G.1.B.

B. For California residents, the type of PI we collect will depend on how you engage with us (for example, as a customer or potential customer, or as a website visitor to www.applause.com). In the last 12 months, we have collected the following categories of PI generally:

• Identifiers, such as your name, address, phone number, email address, or other similar identifiers
• California customer records, such as payment information
• Professional and educational information, and sensitive personal information (such as geolocation) if you apply for a job with us through our website
• Commercial information, such as a history of our services purchased, obtained or considered
• Internet/Network information, such as device information, logs and analytics data;
• Inferences about your interests and preferences, generated from your site use

C. We collect this information directly from you, from our business partners and affiliates, from your browser or device when you visit our website, www.applause.com, or from third parties that you permit to share information with us.

D. We retain personal information for as long as it is needed for business, record-keeping, financial, tax, audit, or legal purposes. We do not use personal information for automated decision making. For more detailed information on how we process personal data, see https://www.applause.com/privacy-policy, Section B: Information on the processing of personal data.

II. Disclosure of PI.

A. We share PI with third parties for business purposes. The categories of third parties to whom we disclose your PI may include:

• our service providers and advisors
• vendors who assist us with marketing and advertising our services
• analytics providers such as Google

B. When we disclose your PI to our service providers, vendors or other third parties that process the information on our behalf, we have entered into a written contract that includes terms substantially similar to this notice and we will remain liable for any breach of this notice that is caused by the acts or omissions of our service providers.

C. Our use of cookies and other similar technologies may be considered a sale of personal information under applicable law. Please see below for information on exercising your rights and choices.

III. Rights and Choices.

A. Rights of Applause Personnel who rise in California

If you work for Applause as an employee or contractor, you have additional rights under the CPRA as of January 1, 2023. These rights include:

Applause will not discriminate against an individual because the individual exercised any of their rights, including the right to opt-out, under the CPRA. Specifically, this prohibition includes retaliating against an employee, applicant or independent contractor for exercising their rights under the CPRA.

B. As a California resident, you may exercise the following rights:

• The Right to Know any or all of the following information relating to your PI we have collected and disclosed in the last 12 months, upon verification of your identity
  • º specific pieces of PI we have collected about you
  • º categories of PI we have collected about you
  • º categories of sources of the PI
  • º categories of PI we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed
  • º categories of PI we have sold and the categories of third parties to whom the information was sold (if applicable); and
• The business or commercial purposes for collecting or selling the PI
• Right to Request Deletion of PI we have collected, subject to certain exceptions
• Right to Opt Out of PI Sales to third parties
• Right to be free of discrimination for exercising these rights
• Right to Limit the Use of Sensitive Personal Information
• Right to Correct PI

C. However, please note that if the exercise of these rights limits our ability to process PI, such as in the case of a deletion request, we may no longer be able to provide you our services or engage with you in the same manner

IV. To Submit your California Consumer Rights Requests

A. You may submit a request to exercise your California Consumer Rights through one of the mechanisms described here in Section IV. E.

B. We will need to verify your identity before processing your request, which may require us to request additional PI from you or require you to log into your account, if you have one

C. In certain circumstances, we may decline or limit your request, particularly where we are unable to verify your identity or locate your information in our systems, or as permitted by law

D. You may exercise all of the above rights at all times and we will not unlawfully discriminate against you for exercising your rights under the CCPA

To exercise your rights, please contact us at privacydpo@applause.com, or +1-844-300-2777

Section H. NEVADA RESIDENTS: YOUR NEVADA PRIVACY RIGHTS

If you are a resident of Nevada, under Nevada law (S 220) as of January 1, 2023, you can opt-out of the sale of certain information website operators may collect about you. Our use of cookies and other similar technologies may be considered a sale of personal information under applicable law as defined in Nevada law, You have the opportunity to opt-out of such sale by contacting us at PrivacyDPO@applause.com or +1-844-300-2777.

Section I. VIRGINIA RESIDENTS: YOUR VIRGINIA PRIVACY RIGHTS

Under Virginia’s Consumer Data Protection Act (“CDPA”), which goes into effect January 1, 2023, Virginia residents have certain rights around Applause’s collection, use, and sharing of their personal data.
Our use of cookies and other similar technologies may be considered a sale of personal information under applicable law. As of January 1, 2023 you have the right to opt-out of targeted advertising by emailing PrivacyDPO@applause.com.

Applause collects various categories of personal data when you use the service, including identifiers, commercial information, internet or other electronic network or device activity information, geolocation data, and professional information. A more detailed description of the information Applause collects and how we use it is provided above in Section 1 (Information We Collect and How We Use It). Section 3 (Third Parties) describes the categories of third parties with whom we share personal data, and what information may be shared under different circumstances.
If you are a resident of Virginia, starting January 1, 2023 you have the right to (1) request to know what personal data has been collected about you, and to access that information; (2) request to correct inaccuracies in your personal data; (3) request deletion of your personal data, though exceptions under the CDPA and other laws may allow Applause to retain and use certain personal data notwithstanding your deletion request; and (4) obtain a copy of your personal data. You can learn more about how to submit a data rights request, or appeal denial of a request to PrivacyDPO@applause.com or +1-844-300-2777.

Section J. Effective date of and changes to this Data Protection Information

The effective date of this Data Protection Information is January 31, 2019. Version 2 was dated November 05, 2021. Version 3 is dated as of February 14, 2023.

It may be necessary to modify this Data Protection Information due to technical developments and/or amendment of statutory or official requirements.

An up-to-date version of this Data Protection Information can be retrieved at any time at https://www.applause.com/privacy-policy