Directly Logo

Privacy Policy

Directly Terms & Policies

Privacy Policy

Effective Date: Last Updated as of March 3, 2020.

Download as PDF  

 

Update Summary

This Privacy Policy describes how Directly collects, uses and shares information or data, including your personal data, and what choices you have with respect to the data. Updates in this version of the Privacy Policy reflect recent changes in our Services.

Expert DPA Exhibit
1. Introduction

1.1. Directly Service. Welcome to directly.com and the related platform software and services (collectively the “Services”) operated by Directly, Inc. (“Directly”, “we”, “our”, “us”). Directly provides the Services to deliver a better customer experience for our corporate enterprise customers (“Customer(s)”). Our Services allow our company Customers to build networks of expert contributors (“Expert(s)”) to provide best in class support to their end users (“Customer End User(s)”). Experts earn rewards for answering questions submitted by Customer End Users, providing context or performing tasks that could include training AI systems and updating knowledge database systems to support Customer End Users (collectively “Expert Content”).

1.2. Purpose & Scope. Privacy and security are important to Directly. The purpose of this privacy policy notice (“Privacy Policy”) is to help you understand our privacy practices by describing how we collect, use, and share different types of data, including personal data and the choices you have with respect to your personal data. By “Personal Data” we mean any type of information or data that identifies, or reasonably could be used to identify, you as an individual. Certain legal jurisdiction(s) (for example, the European Economic Area countries or “EEA”) apply different definitions of personal data. Where this is the case, we will apply that specific definition of personal data or similar term. We refer to data that falls outside any applicable legal definition of personal data as “Other Data”. Personal Data and Other Data are referred to collectively as “Data”. All capitalized terms not defined in this Privacy Policy are defined in our Terms. Please remember that your use of the Services is also subject to our Terms of Service. By accessing directly.com or submitting Personal Data through the Services, you consent to the processing of your Personal Data in accordance with this Privacy Policy.

If you do not agree with our Privacy Policy or Terms, do not access or use directly.com, the Services or any other aspect of Directly’s business, and in such case, you should (a) take the necessary steps to remove cookies from your computer after leaving our website and/or Services (see Section 2.3 below), and (b) discontinue any future access or use.

Our Services (including directly.com) are intended for adults and not for children: Anyone under the age of 18 is not permitted to access or use directly.com or the Services. If you are under the age of 18 you are prohibited from registering for or using a Directly Account (as described below) or submitting any Data to us.

1.3. Scope of Application. The Privacy Policy applies to your access to and use of the Services, as either a visitor to directly.com or as an Expert. This Privacy Policy does not apply to the following circumstances:

First, the Privacy Policy does not apply to our Customers, whose license and access to the Services is governed by a separate legal agreement with Directly (each a “Customer Agreement”). Second, the Privacy Policy does not apply to End Users who post customer service questions through independent websites, helpdesk systems and customer service channels managed by each Customer. Third, the Privacy Policy does not apply to any third-party websites or other digital properties, applications, services, products or software (“Third-Party Services”) even if they link to or from directly.com or the Services, or any other third-party products, services or businesses such as our Customers. Accordingly, in each of these circumstances you should review carefully the privacy policies and practices of those independent third parties.

2. Data Collected

2.1. Experts and Registration for a Directly Account. We collect Personal Data in different ways depending on the circumstances of your use of our Services and the choices you make about the Data you submit to us. You can visit directly.com and certain subdomains without registering, but to become an authorized Expert eligible to submit Expert Content, you will need to create an account with Directly (“Directly Account”) and submit the following types of Personal Data: legal name, email address and/or mobile phone number, a personal headshot photo, physical mailing address, birthdate, verification phone number and government identification (“Expert Registration Information”). As an Expert, you must also select your username, sometimes referred to on our platform as your “alter ego”. The default setting for the username is your first name and last initial, unless that username is already taken. You also have the option to change your username. Please read our current guidelines on the Expert User Hub as there are rules and privacy consequences for your username selection. Generally, we recommend that Experts do not use their full legal name, which could be used to identify them, or use a fanciful, misleading or inappropriate username. Experts also have the option to create user profiles describing why they should be considered Experts, as well as their top skills and language abilities. We use elements of the Expert Registration Information to verify your identity, combat fraud and keep our Services, Experts, Customers and partners secure. By registering for a Directly account, you authorize us and/or our Third-Party Providers (as described below) to verify Expert Registration Information, including your identity.

As described in our Terms, Directly or Customers may impose additional terms and duties for your eligibility (“Supplemental Terms”). You will be given an opportunity to review and consent to such Supplemental Terms. For example, where a Customer or applicable data protection law requires special expert certification measures, and subject to your consent, Experts may be asked to provide additional Personal Data relating to professional background, location of access or residence.

2.2. Log and Usage Information. We also collect other types of Data, which may be construed as Personal Data in certain jurisdictions, including the following: website usage information such as how you have used our Services, IP address and other technical data such as browser type, unique device identifiers and information, language preference, referring site and the date and time of access, operating system and mobile network information; approximate location data (from IP address); information regarding interactions with directly.com, such as votes on Expert Content, feedback, comments, poll responses and other information you may provide such as contact form submissions or other information you provide us.

2.3. Cookies. A cookie is a small text file that is stored on a user’s computer for record-keeping purposes such as site visitation. We use first party and third-party cookies for several different purposes. Some cookies are required for technical reasons to operate our Services. Other cookies enable us to track and target the interests of our users to enhance the experience of our Services. For example, Directly uses first-party cookies to keep track of the specific directly.com webpages or Services you visit to determine which are the most popular or most used. Third parties serve third-party cookies through our website for advertising, analytics and other purposes. These third parties may use information about your visits to directly.com and other websites to provide relevant advertisements about goods and services that may be of interest to you. They may also employ technology that is used to measure the effectiveness of advertisements. Information about cookies is available at https://www.aboutcookies.org. Many web browsers allow you to manage your preferences. You can set your browser to refuse cookies or delete certain cookies. You may be able to manage other technologies in the same way that you manage cookies using your browser’s preferences. Please note that if you choose to block cookies, doing so may impair the Services or prevent certain elements of them from functioning. On your mobile device, you may also have a “Limit Ad Tracking” setting (on iOS devices) or a setting to “Opt Out of Interest-Based Ads” (on Android), which allows you to limit the use of information about your use of apps for purposes of serving ads targeted to your interests. For detailed information about the use of cookies and other tracking technologies on our website, please read and review our Cookie Policy found here.

2.4. Data Collected by Third Parties. We also may process Data and Personal Data that certain third-party providers (each a “Third-Party Provider”) collect from you to update or supplement the Data and Personal Data you provide, or we collect automatically. Third party services provide us with information needed for core aspects of the Services. If you access our Services from a Third-Party Provider in connection with services such as the Apple App Store, Google Play, Salesforce App Store or another third-party app platform, you are subject to the privacy policies of the respective provider. Our Services and associated technology also enable one or more Third-Party Providers of analytic services (e.g., Google Analytics) to collect this type of information (such as device identifiers) so we can analyze how our Services are used. (We may also link with certain Third-Party Providers, such as Jumio, who link from our Service and collect personal data subject to its separate terms and privacy policy.) All Data and Personal Data collected by Third-Party Providers are governed by the respective provider’s terms of service and privacy policy.

3. Use and Retention

3.1. Personal Data Use. We and our Third-Party Providers use Personal Data to: (i) provide our Services; (ii) promote, analyze and improve our Services; (iii) comply with applicable law and (iv) detect and prevent fraud, harmful or abusive conduct, or other harm to Experts, Customers, Directly and third parties. Some examples of how we may use Personal Data include:

  • Creating your Directly Account;
  • Identifying you on our system, and verifying your actual identity and Registration Information, to ensure the security of our Services and enable you to send or respond to certain routed Tasks;
  • Responding to your inquiries to administer and improve our website and Services;
  • Informing the applicable Customer of your relevant activity on the Services;
  • Providing technical support and respond to inquiries by Experts and Customers;
  • Soliciting input and feedback to improve and customize your Expert experience;
  • Informing you about new features, services and programs on the Services;
  • Customizing your use of the Services and/or content, or other material that we may send to you from time to time;
  • Conducting aggregate analysis and develop business intelligence that enable us to operate, protect, make informed decisions and improve and report on the performance of our Services and business;
  • For audits, regulatory purposes or compliance with industry standards;
  • Preventing or taking action against activities that are, or may be, in breach of our Terms, Privacy Policy or applicable law, including combating fraud; and
  • For any other purpose, provided we disclose this to you at the relevant time, and provided that you agree to the proposed use of your Personal Data.

3.2. Retention. Where Directly is processing and using your Personal Data, as permitted by law or under your consent, we will store your Personal Data (i) only for as long as is required to fulfil the purposes set out below; (ii) until you object to Directly’s use of your Personal Data (where Directly has a legitimate interest in using your Personal Data): or (iii) until you withdraw your consent (where you consented to Directly using your Personal Data). However, where Directly is required by law to retain your Personal Data longer, or where your Personal Data is required for Directly to assert its legal rights or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. Please note that we have a variety of obligations to retain Personal Data and Other Data you provide to us, including to ensure that rewards and associated payments can be appropriately processed consistent with applicable law and our legal obligations. Accordingly, even if you close your Directly Account, we may retain certain data to meet our obligations.

4. Sharing and Disclosure

4.1. General. Directly does not sell or rent your Personal Data. We share Personal Data collected by Directly with Third-Party Providers only in limited circumstances, including: (i) with your consent; (ii) to an authorized Third-Party Provider who meets our data protection standards; or (iii) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other legal process, or to enforce our Terms.

4.2. Third-Party Providers. We share data with certain Third-Party Providers who help us provide the Services. For example, certain Third-Party Providers help us with such activities as web hosting and data analysis. Currently, we use Amazon for hardware, software, networking and storage services which are necessary to operate our website and Services. We also reserve the right to share Personal Data with Third-Party Providers, such as merchants (e.g., PayPal), application providers (e.g., Lessonly), and identity verification providers (e.g. Jumio) as necessary to process payments, qualify Experts and provide Services. Except as otherwise stated in this Privacy Policy, such Third-Party Providers are prohibited from using Personal Data other than to provide the services specified under written contract by Directly and for no other purposes. Subject to the foregoing, you expressly consent to the sharing of your Personal Data and Other Data with these Third-Party Providers for these limited purposes.

4.3. Third Party Acquirer. If we merge with another company such that your Personal Data and Other Data will become subject to a materially different privacy policy, we will notify you before the transfer. You can opt out of any new policy by deleting your account during the notice period.

4.4. Experts. We disclose certain limited content of each request for Answers (e.g., non-personally identifiable usernames or first names of Experts). We also share Other Data with Experts about their responses to Answers and the generation of Expert Content.

4.5. Customers and Customer End Users. We disclose the content of the responses to Answers (including the first name of the Expert who responded) to the Customer who generated the request for Answers (and to any subsequent Customer End User that pose similar requests). When an Expert responds to requests for Answers by Customer End Users posted via the Services, certain limited and filtered Data contained in the Answer, such as your username, the text of the response to the Answer and other Personal Data (such as an Expert’s headshot or picture) will be accessible to Customers and Customer End Users. You understand and agree to the sharing of Data.

4.6. Usage Data. Directly will not use or disclose (except as expressly provided herein) the personal data of Experts, except to provide the Services as specified herein, but, except where prohibited by applicable law or legal duty, may use and disclose data about usage of the Services that does not identify or reasonably could be anticipated to be used to identify any individual user of the Services or otherwise constitute Personal Data (“Usage Data”). We share Usage Data about our Website and Services with our business partners. We reserve the right to use and disclose Usage Data for any purpose and to any third parties subject to the terms herein.

4.7. Future Affiliates. Although we currently do not have a parent company, any subsidiaries, joint ventures or other companies under a common control (collectively, “Affiliates”), we may in the future. We may share some or all of your Personal Data with these Affiliates, in which case we will require our Affiliates to honor this Privacy Policy. If another company acquires our company or our assets, including pursuant to a bankruptcy or similar proceeding, that company will possess the Personal Data collected and stored by us and will assume the rights and obligations regarding your Personal Data as described in this Privacy Policy.

4.8. Legal Disclosures. We reserve the right to disclose your Other Data and Personal Data as required by law, in connection with any legal investigation, when we believe that disclosure is necessary to protect our rights (or those of other Users or third parties) and/or to comply with a judicial proceeding, court order, warrant, subpoena or legal process served on us.

4.9. Communications. Services/Services-related Announcements. We will send you services-related announcements when it is necessary to do so. For instance, if our Services are temporarily suspended for maintenance, we might send you an email or other communications. App Notifications. We may send you notifications on your mobile device. You may disable these notifications in the settings of your device. Customer Service. Based upon the Personal Data you provide us, we will send you a welcoming email to verify your username and password. We will also communicate with you in response to your inquiries, to provide the services you request, and to manage your Directly Account. We will communicate with you by email or telephone, in accordance with your indicated preferences.

5. Choices and Rights

5.1. Opt-Out Choices. You have choices and access rights regarding our use and disclosure of your Personal Data. If you no longer want to receive marketing-related emails from us going forward, you may opt-out via the unsubscribe link included in such emails. If you wish to access, amend or delete any Personal Data we hold about you, or if you have any objection to the processing of any Personal Data that we hold about you, please complete our secure data request web form. If you ask us to delete your account (either via the Directly Account Settings page or by email), we will do so within a reasonable period of time, but we may need to retain some of your Personal Data in order to satisfy our legal obligations, or where we have a legitimate reason for doing so. If your Personal Data changes, or if you no longer desire our Services, you may update it or deactivate your Directly Account by making the change in your account page, or by completing our secure data request web form. We may be required to keep your Data and not delete your Data (or to keep your information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). When we delete any Data, it will be deleted from the active database, but may remain in our archives. After deactivation of your Directly Account and deletion of Data from the active database, we may continue to use and disclose your Personal Data in accordance with this Privacy Policy. If you decide that you do not want us to use your Data in the manner described in the Privacy Policy, you may not use the website or the Services. If you have already registered an account, you can cancel your account, or correct or delete your Data by completing a secure data request web form.

5.2. Access Rights. Individuals located in certain countries, such as the European Union or EEA, have certain statutory rights in relation to their Personal Data. Please read Section 7.5 below carefully so you understand all of your rights and how to exercise all of your rights.

6. Security

The security of your Personal Data is important to us. We follow generally accepted industry standards to protect the Data submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while we strive to use commercially acceptable means to protect your Data, we cannot guarantee its absolute security.

We urge you to take steps to keep your Personal Data safe (including your account password), and to log out of your account after use. If your Directly Account is hacked, this may lead to unauthorized access, so be careful to keep your account data secure. You use our Website and Services at your own risk, and you are responsible for taking reasonable measures to secure your account (like using a strong password).

7. Important Information for European Users

7.1. Data Export and Processing. Our Services (including directly.com) are accessible globally. We store and process Personal Data on servers located in the United States and we may transfer Personal Data (as defined under applicable law) to countries outside of your country of residence, which may have data protection laws that are different from those of the country where you reside. However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that your Personal Data remains protected to the standards described in this Privacy Policy. By using our Services, you consent to the transfer, storage and processing of your Personal Data in the United States in accordance with this Privacy Policy and applicable law.

7.2. Safeguards for Exports from EEA. If you are located in the EEA or Switzerland, we comply with applicable laws to provide an adequate level of data protection for the transfer of Personal Data. Directly is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework. For more, see Directly’s Privacy Shield Policy. You agree that Directly may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards when Directly transfers Personal Data originating from the European Union or Switzerland to other countries not deemed adequate under applicable data protection law:

  • EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. To comply with European Union and Swiss data protection laws, Directly self-certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to enable companies to comply with data protection requirements when transferring Personal Data from the European Union and Switzerland to the United States. To learn more about the Privacy Shield Program, please see http://www.privacyshield.gov/welcome.
  • European Union Model Clauses. Directly offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union and other international transfers of Personal Data. A copy of our standard data processing addendum, incorporating the Model Clauses, is available upon request.

7.3. Legal Basis for Processing. If you are an individual residing in the EEA, we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the specific aspects of the Services you use and how you use those Services. This means we collect and use your information only where:

  • We need it to provide you with or operate the Services, including to provide customer support and personalized features and to protect the safety and security of the Services;
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for anti-fraud protection or to protect our legal rights and interests;
  • You give us consent to do so for a specific purpose; or
  • We need to process your data to comply with a legal obligation.

If you have consented to our use of your Personal Data for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your Personal Data because we or a third party have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services or associated services.

7.4. Identifying Data Controller and Data Processor and Different GDPR Roles. Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of data. It is important to note that Directly acts as both as a Data Controller and as a Data Processor within the realm of GDPR (as described below) compliance: (a) As a Data Controller, Directly is responsible for safeguarding the data of our registered expert users as they interact directly with our marketplace platform and our visitors to directly.com; and (b) As a Data Processor, Directly is responsible for safeguarding the data of Customer End Users as it flows through our marketplace platform.

Each of Directly’s Customers is the controller of its Customer End Users’ personal data. In this context, Directly serves as the processor of such personal data under instructions from each controller. Each Customer is also responsible for making sure that their respective Customer end user’s privacy rights are protected, including responding to data subject requests. Directly will respond to such data subject requests from Customers and Customer End Users as a Data Processor; this means with respect to Personal Data of Customer End Users we must respond as a matter of law and contract through our Customer. On the other hand, with respect to Experts, Directly serves as the controller of Expert Personal Data and will directly respond to data subject request rights from Experts.

7.5. Access Rights. Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, such individuals may have the right to request access to their Personal Data, as well as to seek to update, delete or correct this information. They also have a right to restrict or object to processing and to data portability, where applicable. We may be legally required or permitted to deny or part of your request and, if we do deny your request, we will endeavor to explain the reasons underlying our decision.

7.6. Data Protection Authority and Representative. Subject to applicable law, you may also have the right to (i) restrict Directly’s use of certain data elements that constitute your Personal Data; and (ii) lodge a complaint with your local data protection authority or the Irish Data Protection Commissioner, which is Directly’s lead supervisory authority in the European Union. If you are a resident of the European Economic Area and believe we maintain your Personal Data within the scope of the General Data Protection Regulation (“GDPR”), you may direct questions or complaints to our European GDPR representative. To find the data protection authority in your country, please refer to this contact list. Our GDPR Data Protection Representative is DPR group and can be contacted by sending an email to datainquiry@dpr.eu.com quoting “Directly, Inc.” in the subject line.

8. California Users

As there is no accepted standard on how to respond to "Do Not Track Signals,” we respond to such signals. With respect to the California Consumer Privacy Act or "CCPA", Directly currently does not meet the statutory thresholds for a "Covered Business" and therefore is exempted; however, Directly intends to follow the general principles embodied in the CCPA and respond to requests by California consumers and households. Please refer to Section 10 of this Privacy Policy below for requests.

9. Changes

We may periodically update this Privacy Policy. If we make any substantial changes, we may notify you by sending you an email to the last email address you provided to us (if any) and/or by prominently posting notice of the changes on the website and via Services, so it is visible when you visit and/or log on to the website or Services for the first time after the change is posted. Your continued use of the website or the Services after the changes have been posted shall constitute your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must cease your access and use of the websites and Services.

10. Contact Us

How do I contact Directly about questions or issues about my privacy? Any questions about this Privacy Policy or our practices with respect to your Data can be submitted via our secure data request web form.

11. Data FAQs

How does Directly and its Services Operate? As detailed in our Terms, Directly has entered into separate agreements with each Customer to govern the delivery, access and use of the Services including instructions for the processing of the personal data of their respective Customer End Users. Each Customer licenses Directly technology and configures their help desks to enable its Customer End Users to post Tasks to the Services for routing to Experts.

It is important to note that Directly acts as both as a Data Controller and as a Data Processor within the realm of GDPR compliance: As a Data Controller, Directly is responsible for safeguarding the data of our Experts as they interact directly with our marketplace platform and our visitors to directly.com. As a Data Processor, Directly is responsible for safeguarding the data of our Customers Users as it flows through our marketplace platform.

If you are a Customer User. If you are a visitor to directly.com or an Expert of the Services your Data Controller is Directly, Inc. If you are Customer User (i.e., an individual that posted a support Request via a Customer’s website or digital property), then the Data Controller of your personal data is your respective Customer and you should direct all questions about your Personal Data to that Customer.

What does Directly collect and do with my Personal Data? Directly will process your Personal Data as set out in this Privacy Policy. The Data we collect depends on how you use our website and Services. Sometimes, we receive Data directly from you, such as when you create a Directly Account to register as Expert, complete a form or send us an email. Other times, we collect Data by recording interactions with our website or Services. The collection and use of Data from a variety of sources is essential to our ability to provide the Services, and to help keep it trustworthy and secure. Further information about our use of your Data and Personal Data can be found in Section 2.

Duration of processing of Personal Data. Where Directly is processing and using your Personal Data as permitted by law or under your consent, we will store your Personal Data (i) only for as long as is required to fulfill the purposes set out below; (ii) until you object to Directly’s use of your Personal Data (where Directly has a legitimate interest in using your Personal Data); or (iii) until you withdraw your consent (where you consented to Directly using your Personal Data). However, where Directly is required by mandatory law to retain your Personal Data longer or where your Personal Data is required for Directly to assert or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. See Section 3.2, “Retention Period,” for details.

Why am I required to provide Personal Data? As a general principle, your granting of any consent and your provision of any Personal Data hereunder is entirely voluntary; there are generally no detrimental effects on you if you choose not to consent or to provide Personal Data. However, there are circumstances in which we cannot take action without certain Personal Data, for example, because this Personal Data is required to process your registration or provide you with access to our Services. In these cases, we cannot provide you with what you request without the relevant Personal Data.

Where will my Personal Data be processed? Directly is based and operates out of the United States. As a consequence, whenever Directly is using or otherwise processing your Personal Data for the purposes set out in this Privacy Policy, we may transfer your Personal Data to countries outside of the EEA, such as the United States, where such countries in which a statutory level of data protection applies that is not comparable to the level of data protection within the EEA. See Section 7, “European Users,” above.

Data subjects’ rights. Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of data. Each Customer is the controller of its Customer end user’s Personal Data and in this context Directly serves as the processor of such personal data under instructions from each controller. Each Customer is also responsible for making sure that their respective customers or end user’s privacy rights are protected, including responding to data subject requests. Directly will respond to such data subject requests from Customer End Users as a processor which means that it will contact and follow the advice of the controller Customer with respect to such requests. With respect to Personal Data of Experts, Directly serves as the controller of such data and will respond to data subject request rights. Please refer to Section 5, “Choices and Rights,” above, for additional information on your rights. Experts can request information about the Personal Data Directly stores about you, and the correction or deletion of such Personal Data. Please note, however, that we can delete your Personal Data only if there is no statutory obligation or prevailing right of Directly to retain your Personal Data. If you request that Directly delete your Personal Data, you will not be able to continue to use the Services that requires Directly’s use of your Personal Data. See Section 5, “Choices and Rights,” above.

Right to lodge a complaint. If you believe that Directly is not processing your Personal Data in accordance with the requirements set out herein or applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country in which you live or our GDPR Data Protection Representative. See Section 11 for details.

12. Supplement to Directly Privacy Policy: EU-U.S. and Swiss-U.S. Privacy Shield Policy-

Effective April 12, 2018. Directly, Inc. (“Directly”, “we”, “our” or “us”) has subscribed to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, “Privacy Shield”). Directly adheres to the Privacy Shield Principles including the Supplemental Principles, (collectively, the “Privacy Shield Principles”) for Personal Data received from entities in the European Economic Area (the “EEA”) and Switzerland.

This Privacy Shield Policy (“Privacy Shield Policy”) describes our privacy practices for Personal Data received from the EEA or Switzerland in reliance on the Privacy Shield. This Privacy Shield Policy uses terms which are defined in our Privacy Policy. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles as concerns the Personal Data received under the Privacy Shield, the Privacy Shield Principles shall govern to the extent of the conflict. To learn more about the Privacy Shield program visit www.privacyshield.gov, and to view our certification, please visit https://www.privacyshield.gov/list.

Privacy Shield Principles

1. Notice and Choice. Our Privacy Policy describes how we use Personal Data we receive from different sources. This Privacy Shield Policy describes how we process Personal Data covered by the Privacy Shield. If you are a Customer, Directly may act as an agent for you in relation to the Personal Data that you provide or make available to Directly. Directly usually does not have a relationship with any users or customers of our Customers, and each Customer is responsible for ensuring that their users are provided with appropriate notice and choice with respect to their Personal Data.

2. Data Integrity and Purpose Limitation. We only collect Personal Data that is relevant to providing our website and associated Services. We process Personal Data in a way that is compatible with us providing the Services to you, or in other ways, for which we will provide you notification. We take reasonable steps to ensure that the Personal Data received under the Privacy Shield is needed for Directly to provide its Services, and to ensure data is accurate, complete and current.

3. Accountability for Onward Transfers. Directly may disclose Personal Data to trusted third parties as indicated in the Privacy Policy. Directly requires that its agents and service providers that have access to Personal Data within the scope of this Privacy Shield Policy provide the same level of protection as required by the Privacy Shield Principles. We ensure that our agents process Personal Data received under the Privacy Shield in a manner consistent with our obligations under the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage. We may need to disclose Personal Data in response to lawful requests by public authorities, for law enforcement or national security reasons, or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.

4. Data Security. We use reasonable and appropriate physical, electronic and administrative safeguards to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and the risks involved in processing that information.

5. Access to Personal Data. Our Privacy Policy explains how you may access and/or submit requests to review, correct, update, suppress or delete Personal Data. You can ask to review and correct Personal Data that we maintain about you by completing and submitting a secure data request web form. We may limit or deny access to Personal Data where providing such access is unreasonably burdensome, expensive under the circumstances or as otherwise permitted by the Privacy Shield Principles.

When Directly acts on behalf of its Customers, Directly will assist Users in responding to individuals exercising their rights under the Privacy Shield Principles.

If you are a user or customer of any Directly Customer, please contact the Customer directly with your request to access or limit the use or disclosure of your Personal Data. If you contact us with the name of the Customer to which you provided your Personal Data, we will refer your request to that Customer and support them in responding to your access request.

6. Recourse, Enforcement and Dispute Resolution. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the Privacy Shield Principles.

In compliance with the Privacy Shield Principles, Directly, Inc. commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Directly, Inc. using our secure data request web form here.

Directly has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit JAMS Privacy Shield Dispute Resolution webpage for more information to file a complaint. The services of JAMS are provided at no cost to you.

7. Contact Information. If you have any questions regarding this Privacy Shield Policy, please contact us by submitting a secure data request web form.

8. Changes to this Privacy Shield Policy. This Privacy Shield Policy may be changed from time to time, consistent with the requirements of the Privacy Shield and in accordance with the process described in the Privacy Policy. You can determine when this Privacy Shield Policy was last revised by referring to the “LAST REVISED & UPDATED” date at the top of this page.

13. Expert Data Protection Addendum

This Directly Data Processing Addendum (the “DPA”) supplements, and is incorporated into, the Terms of Service (the “Terms”) between Directly and you as an Expert. The parties agree as follows:

1. Purpose and Scope.

1.1 Except as modified below, the Terms shall remain in full force and effect; if there is any conflict between this DPA and the Terms or any other agreement between the parties, the provisions of this DPA shall take precedence.

1.2 The European Union General Data Protection Regulation 2016/679 (“GDPR”) requires all Experts to contractually undertake certain data protection commitments with respect to Personal Data (as described below) they may Process on Directly’s behalf. To ensure compliance with the GDPR, Experts must agree to the terms of this DPA.

2. Definitions.

All capitalized terms used but not defined in this DPA shall have the meaning given to them in the Terms.

2.1 “Confidential Information” means the definition ascribed in the Terms (see Terms, Section 7, Confidential Information).

2.2 “Data Protection Laws” means (a) any applicable law with respect to any Personal Data to which Directly is subject and (b) European Data Protection Laws.

2.3 “Data Subject Request” means a data subject’s request to exercise that person’s rights under Data Protection Laws in respect of that person’s Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the Processing of, restrict the Processing of or delete such Personal Data.

2.4 “European Data Protection Laws” means the GDPR, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, any applicable legislation of European Union Member States passed to implement the foregoing and any other applicable data protection, privacy or data security laws or regulations in the European Economic Area, United Kingdom, Switzerland or any other applicable European jurisdiction, in each case, as they may be amended, replaced or supplemented from time to time.

2.5 “Expert” means a natural person who is a party to this DPA.

2.6 “Personal Data” means any information about an identified or identifiable natural person and any other “personal data” governed by applicable Data Protection Laws that Expert Processes in connection with the Expert’s performance of the Services.

2.7 “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks established respectively by the European Commission and the United States Department of Commerce and the Swiss Administration and the United States Department of Commerce.

2.8 “Process” means any operation or set of operations which is performed on Restricted Information (as described below) or sets of Restricted Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.9 “Restricted Information” refers collectively to “Confidential Information” and “Personal Data” of any source and includes any information Processed by Expert in connection with the Expert’s performance of the Services.

2.10 “Security Incident” means a reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

2.11 “Services” means Expert’s authorized participation, activity and content on and through the platform Directly provides to its customers, including but not limited to, responses relating to tasks and questions about specific products and services for which the Expert is approved.

3. Your Data Protection Duties.

You acknowledge and agree to the following:

3.1 You will Process Personal Data only in accordance with the Terms, Data Protection Laws and Directly’s written instructions communicated by Directly to you from time to time in writing.

3.2 Without limiting the generality of sub-section 3.1, you agree as follows:

3.2.1 You will keep all Restricted Information in strictest confidence and will not copy, use, store, disclose or otherwise Process any Restricted Information except to perform the Services;

3.2.2 You will take appropriate technical and organizational measures (including but not limited to the Expert Standards (which are incorporated herein and may be updated by Directly from time to time)) to ensure the confidentiality, integrity and availability of any computers or other systems that you use to perform the Services and protect against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Restricted Information transmitted, stored or otherwise Processed;

3.2.3 You will only subcontract, delegate or engage any other individual or entity to assist with performance of the Services with the prior written approval of Directly, and pursuant to the completion of a prior data protection and security audit, the implementation of additional data protection and security safeguards and other such measures as Directly reasonably determines is necessary under applicable law.

3.2.4 You will only subcontract, delegate or engage any other individual or entity to assist with performance of the Services with the prior written approval of Directly, and pursuant to the completion of a prior data protection and security audit, the implementation of additional data protection and security safeguards and other such measures as Directly reasonably determines is necessary under applicable law.

3.2.5 You will make available to Directly all information necessary to demonstrate compliance with the obligations set forth in this DPA and the Data Protection Laws and to allow Directly to conduct audits, including inspections, of your compliance with the obligations set forth in this DPA;

3.2.6 If instructed by Directly, you agree to promptly notify Directly and cooperate to provide the circumstances underlying any receipt or access of Personal Data and to confirm you have promptly and permanently deleted any such Personal Data in your possession, together with any existing copies, unless directed otherwise;

3.2.7 If you receive any request, demand or inquiry regarding Personal Data (“Personal Data Request”) other than from Directly, including, without limitation, any Data Subject Request or other request received from a regulator or other governmental body, you agree to NOT respond to any such Personal Data Request except in accordance with Directly’s written instructions or as otherwise required by the Data Protection Laws;

3.2.8 You will promptly and without undue delay cooperate, assist and take such action as Directly may reasonably request to allow Directly to fulfil its obligations to Customers and their Data Subjects or under Data Protection Laws in respect of such a Personal Data Request, including, without limitation, meeting any deadlines imposed by such obligations; you will notify Directly without undue delay and in no event later than 48 hours upon your becoming aware of a Security Incident, and provide Directly with sufficient information to allow it to meet any legal or contractual obligations to report the Security Incident;

3.2.9 You will cooperate with Directly and its authorized agents and representatives to take such reasonable steps as are directed by Directly to assist in the investigation, mitigation and remediation of any Security Incident;

3.2.10 You will provide reasonable assistance to Directly and its Customers with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Directly or its Customer reasonably considers to be required by the Data Protection Laws;

3.2.11 You will immediately inform Directly, in writing, if in your opinion, an instruction violates Data Protection Laws;

3.2.12 You agree to comply with the Privacy Shield principles set forth at www.privacyshield.gov and incorporated into our Privacy Policy and to take such actions and sign such documents (such as “Standard Contractual Clauses”) as Directly may request to ensure that a valid cross-border data transfer mechanism recognized by European Data Protection Laws covers the Processing of Personal Data contemplated by this DPA if required by European Data Protection Laws.

4. General Terms.

4.1 The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims however arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.

4.2 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in Terms, or if different, the laws required to govern under European Data Protection Laws.

4.3 Directly may amend this DPA from time to time as is reasonably necessary to comply with Data Protection Laws, and such amendments shall become binding upon giving Expert notice of such changes.