PRIVACY NOTICE FOR CALIFORNIA RESIDENTS

Last updated: April 1, 2025     

This Privacy Notice applies to Consumers residing in California (hereinafter the “California Privacy Notice” or “Notice”), who have some additional rights with respect to their Personal Information under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020  (collectively, the “CCPA”).  The terms “personal information”, “business purpose”, “commercial purpose”, “sale” and “service provider” as used in this Notice have the meanings ascribed to them in the CCPA. Capitalized terms used but not defined in this Privacy Notice will have the meanings set out in the XM’s Privacy Policy (the “Privacy Policy”) and/or XM’s Terms of Use (“Terms”). If there is any conflict or inconsistency between the terms of this Notice and the Privacy Policy and/or the Terms, the terms of this Notice will govern.

 

1. Categories of Personal Information We Collect

In the preceding 12 months, we have collected the following categories and types of personal information:

  • Identifiers, such as name, email addresses, and billing and shipping addresses for online purchases.
  • Customer characteristics, such as Categories of personal information described in the California Customer Records statute (California Civil Code Section 1798.80) for employment candidates, education and employment history, only as provided by you, as further describes in Section 12 to the Privacy Policy .
  • Commercial information, including purchasing habits, such as the products you have ordered or considered, as well as your purchasing history.
  • Technical Identifies, such as internet and other similar network activity, such as browsing history and cookie history.
  • Geolocation data.
  • Audio and visual information, such as pictures you may have uploaded to our site and recorded customer services calls.
  • Inferences, which are drawn from the above information to create consumer profiles reflecting certain preferences and behaviors and customize content.

In addition to the categories listed above, we may collect additional types of Sensitive Personal Information, such as government ID numbers, account log-in credentials, financial data, and health-related data where necessary and permitted by law.     

For more information about the types of personal information we collect, please see the “What Information do we collect?” section in our Privacy Policy.

 

2. Business or Commercial Purpose for Collecting, Sharing, and Selling Information; Third Party Contracts; Retention of Personal Information     

We collect and share personal information for the following business and commercial purposes: authenticating you when you use our Website, providing customer support, auditing our products and services, detecting security incidents, debugging and fixing errors, research, activities to maintain the quality of our products and services, encouraging and enabling purchases such as through providing personalized marketing offers, subscriptions to newsletters, and other commercial transactions.

We also enter into written agreements with our service providers and contractors that contractually obligate them to use personal information solely for the specific business purposes outlined in our agreement, to implement appropriate security measures, and to prohibit them from retaining, using, or disclosing the personal information for any purpose other than providing the contracted services or as otherwise permitted under applicable law.     

We retain each category of personal information for as long as necessary to fulfill the purposes described in this Notice, including to comply with our legal, regulatory, accounting, or reporting obligations, resolve disputes, enforce our agreements, or protect our legitimate business interests. Where applicable, we may retain information for longer periods if required or permitted by law or in accordance with our internal data retention policies and procedures.

We do not put your data on the open market, act as data brokers or otherwise trade in your data. However, certain standard generally accepted business practices maybe deemed as “Sale” of data under the CCPA, such as when we utilize third party service providers that provide us with services, while they retain certain ability to use your data for their own business needs (e.g. Google Analytics, HubSpot etc.).

If you are a California customer, you have a right under the new definition of “sale”, to request to opt-out of certain data transfers and sharing of personal activities which we operate. Please refer to section 3, “Your California Consumer Rights”, below for information on how you can exercise your rights.

     

For more details on how and to whom we share your data please refer to “TO WHOM WE SHARE PERSONAL INFORMATION,” “DIRECT MARKETING” and “COOKIE POLICY” in our main Privacy Policy.

      

3. Your California Consumer Rights     

California consumers have the right to request access to the specific pieces of personal information we have collected about them in the last 12 months. You may make this request up to two times in a 12-month period.     

You may also request additional details about our information practices, including the:

  •      categories of personal information we have collected about you, 
  •      categories of sources of such collection, 
  •      business or commercial purpose for collecting or selling personal information, 
  •      categories of third parties with whom we share and sell your personal information, 
  •      categories of personal information we have disclosed and “sold” about you in the preceding 12 months, and

     the categories of third parties to whom we sold personal information in the preceding 12 months,          

If you are a California consumer, you also have the rights to:

  •  request deletion of your personal information (subject to certain exceptions),      
  • opt out of sales of personal information and to receive equal service and price      
  • not be discriminated against even if you exercise any of your CCPA rights (unless permitted by applicable law, such as if the differences are reasonably related to your information),      
  • request correction of inaccurate personal information, 
  • obtain information about automated decision-making, including profiling, 
  • and request to limit the use and disclosure of Sensitive Personal Information solely to that information that is necessary to perform the services or provide the goods reasonably expected.     

Your Privacy Choices

You may limit the use of your sensitive personal information to only what is necessary to perform the services or provide the goods you have requested by emailing us at [email protected]. Additionally, you may opt out of the “sale” or “sharing” of your personal information—such as for cross-context behavioral advertising—by sending an email with the subject line “Do Not Sell My Personal Information” to [email protected].

XM Cyber may use automated tools to tailor your experience on our website, such as recommending content or customizing ads based on your interactions. These tools do not make decisions that produce legal or similarly significant effects. You may request more information about our use of automated decision-making technologies, including how they function and your ability to opt out, by emailing [email protected] with the subject line: “Automated Decision-Making Request”.     

Global Privacy Control (GPC) Signals

We recognize and honor browser-based opt-out signals sent via the Global Privacy Control (GPC). If your browser or device is configured to send a GPC signal, we will treat it as a valid request to opt out of the “sale” or “sharing” of your personal information under the California Consumer Privacy Act, as amended by the CPRA.