Privacy Shield Policy

Privacy Shield Policy

Effective: September 27, 2021

Defiant, Inc. (“Defiant,” “our,” “we” or “us”) complies with the EU-US Privacy Shield Framework and Swiss-U.S. Privacy Shield Frameworks administered by the US Department of Commerce (together “Privacy Shield”) regarding the collection, use and retention of EU Personal Data (as defined below). This means that Defiant certified that it adheres to the principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability as defined in the Privacy Shield (“Privacy Shield Principles”). If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

For purposes of enforcing compliance with the Privacy Shield, Defiant is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov.

1. Definitions

In this Privacy Shield Policy:

“Customer” means any individual or entity that purchases Services from Defiant.

“EU Personal Data” means any information relating to a User that identifies or can be used to identify that User, either separately or in combination with other readily available data that is received by Defiant in the U.S. from the EEA or Switzerland in connection with the Services.

“Sensitive Personal Data” means EU Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.

“Services” means a Defiant website, mobile application, and related support services.

“Standard Contractual Clauses” means the standard data protection clauses for the transfer of EU Personal Data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.

“User” means an individual authorized by a Customer to access and use the Services.

2. Scope

Defiant commits to comply with the Privacy Shield Principles with respect to the EU Personal Data received from Customers and Users in connection with the use of the Services. This Privacy Shield Policy does not apply to EU Personal Data transferred under Standard Contractual Clauses or any approved derogation under EU data protection law.

3. Privacy Shield Principles

Defiant commits to processing EU Personal Data in accordance with the Privacy Shield Principles as follows:

3.1. Notice. Defiant’ Privacy Policy (the “Privacy Policy”) notifies Customers and Users covered by this Privacy Shield Policy about the categories of EU Personal Data that Defiant collects and the purposes for collection and use of their EU Personal Data. Defiant will only process EU Personal Data in ways that are compatible with the purpose for which Defiant collected it or for purposes later authorized.

3.2. Choice. The EU Personal Data that Defiant collects from Users depends on how the User uses the Services. Please see the Privacy Policy for more information on the EU Personal Data we collect and how we collect the EU Personal Data.

All EU Personal Data is collected to for the purposes described in Section 4 of the Privacy Policy – How We Use Your Personal Information. Before Defiant uses EU Personal Data for a purpose that is materially different from the purpose for which Defiant collected it or that was later authorized, Defiant will provide Users with the opportunity to opt out.

Defiant shares EU Personal Data collected through the Services in accordance with Section 5 of the Privacy Policy – Our Information Sharing Practices.

When Defiant collects Sensitive Personal Data, Defiant will obtain opt-in consent if Privacy Shield requires, including before Sensitive Personal Data is used for a different purpose than that purpose for which it was collected or later authorized.

Please send requests to opt out of uses or disclosures of EU Personal Data to privacy@defiant.com

3.3. Accountability for Onward Transfer. If Defiant transfers EU Personal Data covered by this Privacy Shield Policy to a third party, Defiant takes reasonable and appropriate steps to ensure that each third party transferee processes EU Personal Data transferred in a manner consistent with Defiant’ obligations under the Privacy Shield Principles. Defiant will ensure that each transfer is consistent with any notice provided to Customers and Users and any consent they have given. Defiant requires a written contract with any third party receiving EU Personal Data that ensures that the third party (i) processes the EU Personal Data for limited and specified purposes consistent with any consent provided by Customers and Users, (ii) provides at least the same level of protection as is required by the Privacy Shield Principles, (iii) notifies Defiant if it cannot comply with Privacy Shield; and (iv) ceases processing EU Personal Data or takes other reasonable and appropriate steps to remediate.

Under certain circumstances, Defiant may be required to disclose EU Personal Data in response to valid requests by public authorities, including for national security or law enforcement requirements.

Defiant remains liable under the Privacy Shield Principles if an agent processes EU Personal Data covered by this Privacy Shield Policy in a manner inconsistent with the Privacy Shield Principles unless Defiant is not responsible for the event giving rise to the damage.

3.4. Security. Defiant takes reasonable and appropriate measures to protect EU Personal Data covered by this Privacy Shield Policy from loss, misuse and unauthorized access, disclosure, alteration and destruction. In determining these measures, Defiant takes into account the risks involved in the processing and the nature of the EU Personal Data. For more information regarding Defiant’ information security practices please see Section 8 of our Privacy Policy – Safety and Information Security Measures.

3.5. Data Integrity and Purpose Limitation. Defiant takes reasonable steps to ensure that such EU Personal Data is reliable for its intended use, accurate, complete and current. Defiant adheres to the Privacy Shield Principles for as long as it retains EU Personal Data in identifiable form. Defiant takes reasonable and appropriate measures to comply with the requirement under the Privacy Shield to retain EU Personal Data in identifiable form only for as long as it serves a purpose of processing.

Defiant limits the collection of EU Personal Data covered by this Privacy Shield Policy to information that is relevant for the purposes of processing. Defiant does not process EU Personal Data in a way that is incompatible with the purpose for which it was collected or subsequently authorized by a Customer or User.

3.6. Access. A User whose EU Personal Data is covered by this Privacy Shield Policy has the right to access his or her EU Personal Data and to correct, amend or delete the EU Personal Data if the EU Personal Data is inaccurate or processed in violation of the Privacy Shield Principles. Defiant is not required to grant the rights to access, correct, amend and delete EU Personal Data if the burden or expense of providing access, correction, amendment or deletion is disproportionate to the risks to the User’s privacy or if the rights of persons other than the User are or could be violated.

Please send requests for access, correction, amendment or deletion to privacy@defiant.com

3.7. Recourse, Enforcement, and Liability. In compliance with the Privacy Shield Principles, Defiant commits to resolve complaints about your privacy and our collection or use of your EU Personal Data. Please first contact Defiant with inquiries or complaints regarding this Privacy Shield Policy at privacy@defiant.com

Defiant has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to the International Centre for Dispute Resolution, an independent dispute resolution mechanism operated by the American Arbitration Association. If your complaint is not satisfactorily addressed, please visit http://go.adr.org/privacyshield.html for more information and to file a complaint. Please contact us at privacy@defiant.com to be directed to the relevant Data Protection Authority contacts.

Under certain conditions detailed in the Privacy Shield, a User may be able to invoke binding arbitration before the Privacy Shield Panel created by the U.S. Department of Commerce and the European Commission. To learn more, please see Privacy Shield Framework Annex I (Binding Arbitration) at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Defiant commits to periodically review and verify its compliance with the Privacy Shield Principles and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. Defiant acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.

4. Changes to this Privacy Shield Policy

Defiant may amend this Privacy Shield Policy consistent with the requirements of the Privacy Shield, including notice about any amendment.

5. How to Contact Defiant

If you have any questions about this Privacy Shield Policy or would like to request access to your EU Personal Data, please contact us as follows:

E-mail: privacy@defiant.com
Address: Defiant, Inc., 1700 Westlake Ave N Ste 200, Seattle, WA 98109