Data Processor Agreement

Last Updated: August 28, 2020

This Data Processing Agreement (the “DPA”), entered into by the Optmyzr Customer identified on the applicable Optmyzr ordering document for Optmyzr services (“Customer”) and Optmyzr, Inc. (“Optmyzr”), governs the processing of personal data that Customer uploads or otherwise provides Optmyzr in connection with the services, the processing of data by Optmyzr on behalf of Customer in connection with the services, and the processing of any personal data that Optmyzr uploads or otherwise provides to Customer in connection with the services.

Optmyzr offers online services and software (the “Services”) through the URL: optmyzr.com which allows Customer to create and build marketing campaigns, optimize campaigns, and share automated reports. Customer has already signed up for the Service and agreed to Optmyzr’s Terms of Use and Privacy Policy (collectively, the “Agreement”). This DPA is incorporated into the Agreement by reference. Collectively, the DPA (including the SCCs, as defined herein), the Agreement, and any applicable ordering documents are referred to in this DPA as the “Optmyzr Agreement.” In the event of any conflict or inconsistency between any of the terms of the Optmyzr Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs; (b) this DPA; (c) the Agreement; and (d) the applicable ordering document to the Optmyzr Agreement. Except as specifically amended in this DPA, the Optmyzr Agreement and applicable ordering document remain unchanged and in full force and effect.

1. Definitions.

1.1 The following definitions and rules of interpretation apply in this DPA. “Alternative Transfer Solution” means a solution, other than the SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law. “Authorized Persons” means the persons or categories of persons that the Customer authorizes to give Optmyzr Personal Data processing instructions. “Business Purpose” means the services described in the Master Agreement or any other purpose specifically identified in Appendix A. “Controller-to-Controller SCCs” means the Standard Contractual Clauses (Controller to Controller Transfers – Set II) in the Annex to the European Commission Decision of December 27, 2004, as may be amended or replaced from time to time by the European Commission. “Controller-to-Processor SCCs” means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010, as may be amended or replaced from time to time by the European Commission. “Customer Personal Data” means (a) Personal Data that Customer uploads or otherwise provides Optmyzr in connection with Customer’s use of Optmyzr’s Services or for which Customer is otherwise a data controller or (b) the relevant Privacy and Data Protection Requirements otherwise defined as protected personal data. “Data Exporter” means the controller who transfers the Personal Data. “Data Importer” means the processor who agrees to receive from the Data Exporter Personal Data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95.46.EC. “Data Protection Requirements” means the General Data Protection Regulation, Local Data Protection Laws, and any applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data. “Data Subject” means an individual who is the subject of Personal Data. “European Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the General Data Protection Regulation or Local Data Protection Laws. “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council. “Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual, including data that Customer chooses to provide to Optmyzr from services such as customer-relationships management (CRM) services; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “Personal Data” by applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual. “Processing,” “processes,” or “process” means any activity that involves the use of Personal Data or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties. “Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Data or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Data is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements

“SCCs” means all Controller-to-Processor SCCs and Controller-to-Controller SCCs entered into between the parties under the Optmyzr Agreement.
“Sub-processor” means any entity which provides processing services to Optmyzr in furtherance of Optmyzr’s processing on Customer’s behalf.
“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation; or (ii) the public authority governing data protection, which has Supervisory Authority and jurisdiction over Customer.
1.2 This DPA is subject to the terms of the Optmyzr Agreement and is incorporated into the Optmyzr Agreement. Interpretations and defined terms set forth in the Optmyzr Agreement apply to the interpretation of this DPA.
1.3 The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendices.
1.4 1.5
A reference to writing or written includes faxes and email. In the case of conflict or ambiguity between:
any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail;
the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail;
any of the provisions of this DPA and the provisions of the Optmyzr Agreement, the provisions of this DPA will prevail; and
any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.
Personal Data Types and Processing Purposes.
2.

2.1
compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Optmyzr.
2.2 Appendix A contains the categories of Personal Data processed and the categories of Data Subjects subject to this DPA.
Customer retains control of its Personal Data and remains responsible for its

3 Compliance with Laws.
The parties shall each comply with their respective obligations under all
applicable Data Protection Requirements. 4 Optmyzr’s Obligations.
4.1 Optmyzr will Process Customer Personal Data (i) only for the purpose of providing, supporting and improving Optmyzr’s services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Customer. Optmyzr will not use or process the Customer Personal Data for any other purpose. Optmyzr will promptly inform Customer in writing if it cannot comply with the requirements under Clauses 9-11, 13-16 of this DPA, in which case Customer may terminate the Optmyzr Agreement or take any other reasonable action, including suspending data processing operations. Optmyzr will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. Optmyzr must promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements.
4.2 Optmyzr will promptly comply with any Customer request or instruction from Authorized Persons requiring Optmyzr to amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized Processing.
4.3 Optmyzr will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires Optmyzr to Process or disclose Personal Data, Optmyzr must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
4.4 Optmyzr will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of Optmyzr’s Processing and the information available to Optmyzr.
4.5 Optmyzr will inform Customer promptly if, in Optmyzr’s opinion, an instruction from Customer violates applicable Data Protection Requirements.
4.6 If Optmyzr is collecting Customer Personal Data from individuals on behalf of Customer, follow Customer’s instructions regarding such Customer Personal Data collection (including with regard to the provision of notice and exercise of choice.
4.7 Optmyzr will promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect Optmyzr’s performance of the Optmyzr Agreement.

4.8 The Customer acknowledges that Optmyzr is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Data other than as required under the Privacy and Data Protection Requirements.
4.9 Optmyzr will only collect Personal Data for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer’s identity, the purpose or purposes for which their Personal Data will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements. Optmyzr will not modify or alter the notice in any way without the Customer’s prior written consent.
4.10 Upon request, Optmyzr will provide Customer with a summary of Optmyzr’s privacy and security policies.
5 Optmyzr’s Employees.
5.1 Optmyzr will limit Personal Data access to:
(a) those employees who require Personal Data access to meet Optmyzr’s obligations under this DPA and the Optmyzr Agreement; and
(b) the part or parts of the Personal Data that those employees strictly require for the performance of duties.
5.2 Sub-processors:
Optmyzr will take commercially reasonable steps to ensure that employees and
(a) are informed of the Personal Data’s confidential nature and use restrictions;
(b) have received training on the Privacy and Data Protection Requirements relating to handling Personal Data and how it applies to their particular duties; and
(c) are aware both of Optmyzr’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.
5.3
integrity, and trustworthiness of all of Optmyzr’s employees and Sub-processors with access to the Personal Data.
Optmyzr will take commercially reasonable steps to ensure the reliability,
6 Customer Obligations.
6.1
Customer agrees to:
(a) determine the purposes and general means of Optmyzr’s processing of Customer’s Personal Data in accordance with the Optmyzr Agreement; and

(b) comply with its protection, security and other obligations with respect to Customer Personal Data prescribed by Data Protection Requirements for data controllers.
6.2 Customer agrees to, at Optmyzr’s request, designate to Optmyzr a single point of contact (the “Authorized Agent”) responsible for (i) receiving and responding to Data Subject requests Optmyzr receives from Customer Data Subjects relating to Customer Personal Data; and (ii) notifying Optmyzr of Customer’s intended response to a Data Subjects request relating to the access to or the rectification, erasure, restriction, portability, blocking or deletion of Customer Personal Data that Optmyzr processes for Customer, and authorizing Optmyzr to fulfill such responses on behalf of Customer.
7 Controller-To-Controller Scenarios.
Each party will, to the extent that it, along with the other party, acts as data
controller, as the term is defined in applicable Data Protection Requirements, with respect to Personal Data, reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the General Data Protection
Regulation and in other Data Protection Requirements.
Where both parties each act as data controller with respect to Personal Data, and the transfer of data between the parties results in a transfer of European Personal Data to a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission- approved countries providing ‘adequate’ data protection, each party agrees it will (a) provide at least the same level of privacy protection for European Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the Controller-to-Controller SCCs, which are incorporated herein by reference. If data transfers under this DPA rely on Controller-to-Controller SCCs to enable the lawful transfer of Personal Data, as set forth in the preceding sentence, the parties agree that the following terms apply: (i) Data Subjects for whom a Customer processes European Personal Data are third-party beneficiaries under the Controller-to-Controller SCCs; (ii) Appendix A to this DPA shall apply as Annex B of the Controller-to-Controller SCCs; and (iii) for purpose of Clause II(h), the Data Importer will process the European Personal Data, at its option, in accordance with “the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the Data Importer complies with the relevant provisions of such an authorization or decision and is based in a country to which such an authorization or decision pertains, but is not covered by such authorization or decision for the purposes of the transfer(s) of the personal data.” The parties acknowledge and agree that each is acting independently as Data Controller with respect of Personal Data and the parties are not joint controllers as defined in the General Data Protection Regulation.
8 Third Party Data Processors.
Customer acknowledges that in the provision of some services (such as CRMs), Optmyzr, on receipt of instructions from Customer, may transfer Customer Personal Data to and otherwise interact with third party data processors. Customer agrees that if and to the extent such transfers occur, Customer is responsible for entering into separate contractual arrangements with such

third party data processors binding them to comply with obligations in accordance with Data Protection Requirements. Such third party data processors are not Sub- processors.
9 Security.
9.1 Optmyzr will at all times implement appropriate technical and organizational measures designed to safeguard Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage, including, but not limited to, measures with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption of Customer Personal Data while in transit and at rest, as set forth in further detail in Appendix B. Optmyzr will document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete.
9.2 Optmyzr will notify Customer without undue delay, and in any event within 48 hours of becoming aware of any breach of Personal Data.
9.3 Optmyzr will take commercially reasonable precautions to preserve the integrity of any Personal Data it processes and to prevent any corruption or loss of the Personal Data, including but not limited to establishing effective back-up and data restoration procedures.
10 Security Breaches and Personal Data Loss.
10.1 Optmyzr will promptly notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Optmyzr will restore such Personal Data at its own expense.
10.2 Optmyzr will notify the other party if it becomes aware of:
(a) any unauthorized or unlawful processing of Customer’s Personal Data; or
(b) any Security Breach.
10.3 Immediately following any unauthorized or unlawful Personal Data processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. Optmyzr will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:
(a) assisting with any investigation;
(b) providing Customer with physical access to any facilities and operations affected; and

(c) making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.
10.4 Optmyzr will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when law or regulation requires it.
10.5 Optmyzr agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
10.6 Optmyzr will cover all reasonable expenses associated with the performance of the obligations under Clause 10.2 and Clause 10.3, unless the matter arose from the Customer’s specific instructions, negligence, willful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses.
6.7 Optmyzr will also reimburse Customer for actual reasonable expenses Customer incurs when responding to and mitigating damages, to the extent that Optmyzr caused a Security Breach, including all costs of notice and any remedy as set out in Clause 10.5.
11 Cross-Border Transfers of Personal Data.
11.1 If any Personal Data transfer between Optmyzr and Customer involves a transfer from the EEA, Switzerland or the UK to the US or any third country that does not ensure an adequate level of protection under European Data Protection Law, and European Data Protection Law applies to those transfers the parties will complete all relevant Data Protection Requirements, and execute, the SCCs as referenced herein above, and take all other actions required to legitimize the transfer, including:
(a) co-operating to register the SCCs with any Supervisory Authority in any European Economic Area country; and
(b) ensuring compliance with all SSCs in respect of the those transfers;
(c) procuring approval from any such Supervisory Authority; or
(d) providing additional information about the transfer to such Supervisory Authority.
11.2 If Customer has entered into the Standard Contract Clauses but reasonably determines subsequently that they do not provide an adequate level of protection, then:

(a) if Alternative Transfer Solution is made available by Optmyzr, Customer may notify Optmyzr in accordance with Section 12 and terminate any SCCs applicable under Section 11.1, such that Section 11.2 will apply; or
(b) if Optmyzr does not make an Alternative Transfer Solution available to Customer, then Customer may terminate the Agreement pursuant to Section 12.

11.3 Optmyzr will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements and SCCs.
12 Term and Termination.
12.1 This DPA will remain in full force and effect so long as:
(a) the Master Agreement remains in effect; or
(b) Optmyzr retains any Personal Information related to the Master Agreement in its
possession or control (the “Term”).
12.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Optmyzr Agreement in order to protect Personal Data will remain in full force and effect.
12.3 Optmyzr’s failure to comply with the terms of this DPA is a material breach of the Optmyzr Agreement. In such event, Customer may terminate any part of the Optmyzr Agreement authorizing the processing of Personal Information effective immediately upon written notice to Optmyzr without further liability or obligation.
12.4 If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Privacy and Data Protection Requirement within thirty (30) business days, they may terminate the Optmyzr Agreement upon written notice to the other party.
13 Data Return and Destruction.
13.1 The parties agree that on the termination of the data processing services or upon Customer’s reasonable request, Optmyzr will, and will cause any Sub-processors to, at the request of Customer, return all of Customer’s Personal Data and copies of such data to Customer in its possession or control in the format and on the media reasonably specified by the Customer or securely destroy such Personal Data and demonstrate to the satisfaction of Customer that it has taken such measures, unless Data Protection Requirements prevent Optmyzr from returning or destroying all or part of the Customer Personal Data disclosed. In such case, Optmyzr agrees to preserve the confidentiality of the Customer Personal Data retained by it and that it will only actively process such Customer Personal Data after such date in order to comply with applicable laws.
13.2 If any law, regulation, or government or regulatory body requires Optmyzr to retain any documents or materials that Optmyzr would otherwise be required to return or destroy, it will notify Customer in writing of that retention requirement, giving details of the documents or

materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. Optmyzr may only use this retained Personal Information for the required retention reason or audit purposes.
13.3 Optmyzr may continue to process Customer Personal Data that has been aggregated in a manner that does not identify individuals or customers to improve Optmyzr’s systems and services.
14 Notice to Customer. Optmyzr will inform Customer if Optmyzr becomes aware of:
(a) Any non-compliance by Optmyzr or its employees with Clauses 9-11, 13-16 of this DPA or the Data Protection Requirements relating to the protection of Customer Personal Data processed under this DPA;
(b) Any legally binding request for disclosure of Customer Personal Data by a law enforcement authority, unless Optmyzr is otherwise forbidden by law to inform Customer, for example to preserve the confidentiality of an investigation by law enforcement authorities;
(c) Any notice, inquiry or investigation by a Supervisory Authority with respect to Customer Personal Data; or
(d) Any complaint or request (in particular, requests for access to rectification, erasure, restriction, portability, blocking or deletion of Customer Personal Data) received directly from Data Subjects of Customer. Optmyzr will not respond to any such request without Customer’s prior written authorization.
15 Records.
15.1 Optmyzr will keep accurate and up-to-date records regarding any processing of Personal Data it carries out for the Customer, including but not limited to, the access, control, and security of the Persona Data, approved Sub-processors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
15.2 Optmyzr will ensure that the Records are sufficient to enable the Customer to verify Optmyzr’s compliance with its obligations under this DPA.
16 Audit, Certification.
16.1 Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which Optmyzr processes Customer Personal Data in order to ascertain or monitor Customer’s compliance with Data Protection Requirements, Optmyzr will cooperate with such audit. Customer is responsible for all costs and fees related to such audit, including all

reasonable costs and fees for any and all time Optmyzr expends for any such audit, in addition to the rates for services performed by Optmyzr.
16.2 Audits. Optmyzr will provide to Customer each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the services under the Optmyzr Agreement (each such report, a “Report”). If a Report does not provide, in Customer’s reasonable judgment, sufficient information to confirm Optmyzr’s compliance with the terms of this DPA, then Customer or an accredited third-party audit firm agreed to by both Customer and Optmyzr may audit Optmyzr’s compliance with the terms of this DPA during regular business hours, with reasonable advance notice to Optmyzr and subject to reasonable confidentiality procedures. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Optmyzr expends for any such audit, in addition to the rates for services performed by Optmyzr. Before the commencement of any such audit, Customer and Optmyzr shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Optmyzr with information regarding any non- compliance discovered during the course of an audit. Customer may not audit Optmyzr more than once annually.
17 Warranties.
17.1 Optmyzr warrants and represents that:
(a) its employees, Sub-processors, agents, and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Data; an
(b) it and anyone operating on its behalf will process the Personal Data in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and
(c) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Optmyzr Agreement’s contracted services; and
(d) considering the current technology environment and implementation costs, it will take reasonable appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:
(i) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and

(ii) the nature of the Personal Data protected; and
(iii) comply with all applicable Privacy and Data Protection Requirement and its information and security policies, including the security measures required in Clause 10.1.
17.2 The Customer warrants and represents that Optmyzr’s expected use of the Personal Data for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.
18 Indemnification.
18.1 Optmyzr agrees to indemnify, keep indemnified, and defend at its own expense the Customer against all costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to any failure by Optmyzr or its employees,
Sub-processors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
18.2 Any limitation of liability set forth in the Optmyzr Agreement will not apply to this DPA’s indemnity or reimbursement obligations.
19 Mediation and Jurisdiction.
19.1 Customer agrees that if the Data Subject invokes against it claims for compensation of damages under the Clauses, Optmyzr will accept the decision of the Data Subject:
(i) to refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority;
(ii) to refer the dispute to the courts in the Member State in which the Customer is established.
19.2 The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national and international law.
20 Governing Law, Jurisdiction, and Venue.
The Clauses shall be governed by the law of the Member State in which Customer is
established.
21. Variation of Contract.

The parties undertake not to vary or modify the Clauses. This does not prejudice the parties form adding clauses on business related issues where required as long as they do not contradict the Clause.

APPENDIX A
PERSONAL DATA PROCESSING PURPOSES AND DETAILS
1. Business Purposes. To facilitate Customer’s use of the Optmyzr Services.
2. Data Subjects. The Personal Data transferred concerns the following
categories of Data Subjects:
Depending on the services used by the Data Exporter:
3.
- Google Ads, Bing Ads, Facebook Ads, Amazon Ads, sales and marketing leads of the Data Exporter; and
- Third parties that have, or may have, a commercial relationship with the Data Exporter (e.g. advertisers, customers, corporate subscribers and contractors).
Purposes of the Transfer. The transfer is made for the following purposes:
The transfer is intended to enable the Data Exporter to determine the purposes and means of the processing of personal data obtained through Data Importer’s products to support the sales, marketing, or other business practices of the Data Exporter.
4. Categories of Data. The Personal Data transferred concerns the following categories of data:
The data transferred is the Personal Data provided by the Data Exporter to the Data Importer in connection with its use of Optmyzr’s services, referred to as Customer Personal Data in the Agreement. Such Personal Data may include first name, last name, email address, contact information, CRM data concerning sales leads and customer lists, purchase history, prospective customers and clients, employees, and any notes provided by the Data Exporter regarding the foregoing.
5. Recipients. The Personal Data transferred may be disclosed only to the following recipients or categories of recipients:
Employees and other representatives of the Data Importer who have a legitimate business purpose for the processing of such personal data.
6. Sensitive Data (if appropriate). The personal data transferred concern the following categories of sensitive data:
None.
7. Data Protection Registration Information of Data Exporter (where applicable).

None.
8. Sub-processors.
Data Exporter consents to sub-processing by the following subcontractors:
9.
- Techvitt Consultants LLP
- Optmyzr Tech APS
- Techfruit Technologies Private Limited
- Asesorias EAP SpA
Additional Useful Information (storage limits and other relevant information).
The personal data transferred between the parties may only be retained for the period of time permitted under the Optmyzr Agreement. The parties agree that each party will, to the extent that it, along with the other party, acts as a data controller with respect to Personal Data, reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the Data Protection Requirements.
10. Privacy Shield as a Basis for Receiving Personal Data with Cross-Border Restrictions
Optmyzr does not rely on Privacy Shield as a legal basis to transfer Personal Data in light of the judgment of the Court of Justice of the European Union in Case C- 311/18, for so long as Optmyzr is self-certified to the Privacy Shield it shall continue to process European Data in compliance with the Privacy Shield Principles and notify Customer if it makes a determination that it can no longer meet its obligation to provide the level of protection as is required by the Privacy Shield Principles.
Contact Information. Contact points for data protection enquiries: compliance@optmyzr.com
Data Importer: Signatory to the DPA between the parties
Data Exporter: Signatory to the DPA between the parties

APPENDIX B SECURITY MEASURES
REQUIRED TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES, SUCH AS:
● PHYSICAL ACCESS CONTROLS
○ Access to the premises where Optmyzr employees work is secured by
at least one of the following: electronic key cards, video cameras, guard
or alarms
● SYSTEM ACCESS CONTROLS.
○ Strong passwords are required for employees to access Optmyzr’s business systems
○ Mobile devices used to access data are managed by Google’s device policy and can be remotely disabled in case of loss
● DATA ACCESS CONTROLS.
○ Private data is restricted to employees who are working with a customer. ○ Access to accounts is logged.
● INTERNAL PROTOCOL & EDUCATION
○ Annual data protection training for all employees and periodic review and update of data privacy processes to comply with the Data Protection Requirements.
● ADDITIONAL SAFEGUARDS
○ Data is encrypted in transit
○ Transmissions of private data are exclusively over HTTPS
○ Data in the cloud is inside VPC (virtual private cloud)

Optmyzr | Contact Us

Optmyzr Guest Post Guidelines

Hey there,

We’ve paused our guest post program for the foreseeable future.

Optmyzr Privacy Policy for Microsoft Teams

If your organization signed a Service Agreement with Optmyzr, that Agreement may have modified the privacy policy below. Please contact your Optmyzr account rep for details.

Optmyzr Privacy Policy For Microsoft Teams
Last Updated August 27, 2020

Thanks for using Optmyzr! We are committed to protecting your privacy and making you more efficient and successful at managing your online advertising. Our Privacy Policy below covers how we collect, use, disclose, transfer, and store your Personal Data when you use our websites, software, and services (collectively, “Services”. Please take a moment to familiarize yourself with our privacy practices and contact us if you have any questions.

What Personal Data We Collect and Why
“Personal Data” is data that can be used to identify or contact a single person. You may be asked to provide your Personal Data anytime you are in contact with Optmyzr or an Optmyzr affiliate. Optmyzr and its affiliates may share this Personal Data with each other and use it solely in a manner consistent with this Privacy Policy. We may also combine your Personal Data with other information to provide and improve our products, services, content, and advertising. You are not required to provide the Personal Data that we have requested, but, if you chose not to do so, in many cases we will not be able to provide you with our products or services or respond to any queries you may have.

Here are some types of Personal Data we may collect and how we may use it:
Account information.
We collect, and associate with your account, the information you provide to us when you do things such as sign up for your account, upgrade to a paid plan, and set up two-factor authentication (like your name, email address, phone number, payment info, and physical address). Some of our Services let you access your accounts and your information via other service providers.

Your Content.
Our Services are designed to make it simple for you to store your online advertising data, goals, targets, contacts, etc. (“Your Content), collaborate with others, and work across multiple devices. To make that possible, we store, process, and transmit Your Content as well as information related to it. This related information includes your profile information that makes it easier to collaborate and share Your Content with others, as well as things like the performance of ads, schedules for automations, recipients of reports, and usage activity. Our Services provide you with different options for sharing Your Content .

Contacts.
You may choose to give us details about your contacts to make it easy for you to do things like share and collaborate Your Content , send messages, and invite others to use the Services. If you do, we’ll store those contacts on our servers for you to use.

Bases for processing your Personal Data.
We collect and use the Personal Data described above in order to provide you with the Services in a reliable and secure manner. We also collect and use Personal Data for our legitimate business needs, such as sending you important notices about your account and facilitating your requests. To the extent we process your Personal Data for other purposes, we expressly ask for your consent in advance or require that our partners obtain such consent. For more information on the lawful bases for processing your data, please see our FAQ.

**Collection of Non-Personal Data
**We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

Usage information.
We collect information related to how you use the Services, often including actions you take in your account (like viewing insights, running optimizations, scheduling automations, etc.). We use this information to improve our Services, develop new services and features, and protect Optmyzr users.

Device information.
We also collect information from and about the devices you use to access the Services. This includes things like IP addresses, the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices. Your devices (depending on their settings) may also transmit location information to the Services.

**Cookies and Other Technologies
**Cookies and other technologies.
We use technologies like cookies and pixel tags to provide, improve, protect, and promote our Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Services, and improving them based on that information. We treat information collected by cookies and other technologies as non-personal information. However, to the extent that IP addresses or similar identifiers are considered Personal Data by local law, we also treat these identifiers as Personal Data. Similarly, to the extent that non-personal information is combined with Personal Data, we treat the combined information as Personal Data for the purposes of this Privacy Policy. You can set your browser to not accept cookies, but this may limit your ability to use the Services. If our systems receive a DNT:1 signal from your browser, we’ll respond to that signal as outlined here.

Please note that certain features of our Services may not be available once cookies are disabled. We gather some information automatically and store it in log files. This information includes IP addresses, browser type and language, Internet service provider (ISP), referring and exit websites and applications, operating system, date/time stamp, and clickstream data. We use this information to understand and analyze trends, to administer the site, to learn about user behavior on the site, to improve our product and services, and to gather demographic information about our user base as a whole.

Optmyzr may use this information in our marketing and advertising services. In some of our email messages, we may use a “click-through URL” linked to content on our Services. When users click one of these URLs, they pass through a separate web server before arriving at the destination page on our Services. We track this click-through data to help us determine the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages.

Pixel tags enable us to send email messages in a format customers can read, and they tell us whether mail has been opened. We may use this information to reduce or eliminate messages sent to customers.

We sometimes contact people who do not have an Optmyzr account. For recipients in the EU, we or a third party will obtain consent before contacting you. If you receive an email and no longer wish to be contacted by Optmyzr, you can unsubscribe and remove yourself from our contact list via the message itself.

Marketing.
We give users the option to use some of our Services free of charge. These free Services are made possible by the fact that some users upgrade to one of our paid Services. If you register for our free Services, we will, from time to time, send you information about upgrades when permissible. Users who receive these marketing materials can opt out at any time. If you do not want to receive marketing materials from us, simply click the ‘unsubscribe’ link in any email, or update your preferences in the Preferences section of your personal account.

**Who We Share Your Information With
**At times Optmyzr may make certain Personal Data available to the limited extent discussed below. Personal Data will only be shared by Optmyzr at your request or to provide or improve our products, services and advertising; it will not be shared with third parties for their marketing purposes.

Others working for and with Optmyzr.
Optmyzr uses certain trusted third parties (for example, providers of customer support, payment processing, and IT services) to help us provide, improve, protect, and promote our Services. These third parties will access your information only to perform tasks on our behalf in compliance with this Privacy Policy, and we’ll remain responsible for their handling of your information per our instructions. For a list of trusted third parties that we use to process your Personal Data, please see our FAQ.

Other users.
Our Services display information like your name, profile picture, device, and email address to other users in places like your user profile and sharing notifications. You can also share Your Stuff with other users if you choose. When you register your Optmyzr account with an email address on a domain owned by your employer or organization, we may help collaborators and administrators find you and your team by making some of your basic information—like your name, team name, profile picture, and email address—visible to other users on the same domain. This helps you sync up with others on your team and helps other users collaborate with you.

Certain features let you make additional information available to others. Please be aware that when you share your Personal Content with others through our Services that information has become public information. Optmyzr has no control over how your Personal Data will be used or disseminated by those with whom you share your Personal Content. To the extent you share Personal Content in any publicly viewed area of our Services such Personal Content may be widely disseminated, including via search engines and other tools to locate information online (e.g., internet archive).

Other applications.
You can also give third-party providers access to your information and account—for example, via Optmyzr APIs. Just remember that their use of your information will be governed by their privacy policies and terms.

Disclosure of your Personal Data.
Whether by law, administrative process, litigation, and/or requests from public or governmental authorities within or outside your country of residence, it may become necessary for Optmyzr to disclose your Personal Data. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.

We may also disclose information about you if we determine that disclosure is reasonably necessary to enforce our terms of service or protect our operations or users. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all Personal Data we collect to the relevant third party.

**Protection of Personal Data
**Security.
Optmyzr takes the security of your Personal Data seriously. We protect your Personal Data by using a two-factor authentication system and use encryption to protect your Personal Data during transit and while files are at rest. We further continue to work on features to keep your information safe in additional to alerts when new devices and apps are linked to your account. We deploy automated technologies to detect abusive behavior and content that may harm our Services, you, or other users.

User Controls.
You can access information by logging into your Optmyzr account and going to your account settings page. You can select what emails you receive from Optmyzr.

Retention.
We make it easy for you to keep your Personal Data accurate, complete, and up to date. We retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy and our service specific privacy summaries. When assessing these periods we carefully examine our need to collect Personal Data at all and if we establish a relevant need we only retain it for the shortest possible period to realize the purpose of collection unless a longer retention period is required by law. If you delete your account, all information on your account may be deleted after 30 days, subject to exceptions below. You can also request us to delete your information by sending us a request through the official support channels. Should you decide to subsequently reactivate your account, please note that after 30 days your information may be unrecoverable from our servers and backup storage.

We may retain your information after a deletion request under the following circumstances: (1) there might be some latency in deleting this information from our servers and backup storage; and (2) if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.

Where
Around the world.
To provide you with the Services, we may store, process, and transmit information in the United States and locations around the world—including those outside your country. Information may also be stored locally on the devices you use to access the Services.
If you are a resident of the European Union (“EU”), you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data or the Data Protection Act of 2018 if a resident of the United Kingdom (“UK”), as outlined in this Privacy Policy. For the purposes of this Privacy Policy, references to the EU also include the European Economic Area countries Iceland, Liechtenstein, and Norway.
When transferring data from the EU, the UK, and/or Switzerland, Optmyzr relies upon a variety of legal mechanisms to protect the integrity and security of your information when transferring it the U.S., including requiring our data service providers to agree to Standard Contractual Clauses approved by the European Commission.
You have the ability to access, modify, download or delete your personal data through the website. You may also email us at privacy@optmyzr.com.
If you consider that our processing of your Personal Data infringes applicable data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state or UK where you reside, where your place of work is located, or the place of the alleged infringement.
Cross-Border Information TransfersYou should note that our servers are located in the United States, which is deemed by the EU to have inadequate data protection. Accordingly, when you provide information to us through the Services, you are providing that information to us in the United States. You should also note that, if you are in a country outside the United States (including but not limited to in the EU or UK), your Personal Data may be transferred to and/or collected, stored, processed, and/or used outside of your country, including in the United States. When you sign up to use our Services we will request your consent to transfer to and/or store, process, distribute and use your Personal Data in the United States. When we transfer your information outside of the EU or UK in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy.

**Changes to Our Privacy Policy
**If we are involved in a reorganization, merger, acquisition, or sale of our assets, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event. We may revise this Privacy Policy from time to time, and will post the most current version on our website. If a revision meaningfully reduces your rights, we will notify you by sending an email to the address you provided; therefore, it is important to keep your account information up to date.

**Third Party Services
**Our Services may contain links to third-party websites, products, and services. Information collected by third parties, which may include such things as location data or contact details. Your browsing and interaction on any third-party website, including those that have a link on our website, are subject to that third party’s own rules and policies. We recommend that you consult the privacy statements of all third-party websites you visit by clicking on the “Privacy Policy” link typically located at the bottom of the webpage you are visiting.

**Your Right to Control and Access Your Information
**Under the GDPR and Data Protection Act 2018, you have control over your Personal Data and how it is collected, used, and shared. For example, you have a right to:

Erase or delete all or some of Your Content in your Optmyzr account.
You can learn more about how to remove your ads accounts from Optmyzr here.

Change or correct Personal Data.
You can manage your account and the content contained in it, as well as edit some of your Personal Data, through your profile page.

Restrict use. You can restrict our use of your data, however, restricting our use may prevent your access to features of our Service that require us to make use of your Personal Data as described in this Privacy Policy.

Transfer.
To the extent your Personal Content is processed by automated means, you may request your Personal Content be provided to you in a format, if technically feasible, that can be transferred to another provider.

Information.
You may request more information about how we process your information and obtain disclosure regarding certain aspects of the processing.
Access. You may access your data that we process at any time.
Withdraw consent. You may withdraw your consent for use of your data at any time; however, withdrawal of consent may affect the functionality and features of the Services provided to you.
Object to automated processing. When we rely on automated processing or profiling of your Personal Data you have the right to object to such use.
Object to use of your data. You may withdraw your consent for use of your data at any time; however, withdrawal of consent may affect the functionality and features of the Services provided to you. You further have the right to object to how we use your Personal Data, for example, using your data for direct marketing purposes. If you do this we will stop using it for those purposes.
Objection based on legitimate interest. If you disagree with us relying on the legitimate interest grounds for using your Personal Data (see section 2 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
For more information on your right to control and access your Personal Data, please see our FAQ.

**Children
**We understand the importance of taking extra precautions to protect the privacy and safety of children. We do not permit any person under the age of 18 to access or use our Services or provide information about any person under the age of 13. If we learn that we have collected the Personal Data of a child under 13, or equivalent minimum age depending on jurisdiction, we will take steps to delete the information as soon as possible.

**Canadian Disclosures
**We comply with the requirements of the Personal Data Protection and Electronic Document Act (“PIPEDA”) to ensure your privacy is protected if you are a resident of Canada. Access.You may request, in writing, access to your data, including how we use your data, who we share your data with, and that we provide you a copy of your data in an accessible format. We may not be required or permitted to provide you the data requested if it would breach attorney-client privilege; reveal confidential commercial information; threaten life or security; if data was collected in the context of an investigation of a contract breach or contravention of the laws of Canada or a province; generated as part of a dispute resolution process; or created for the purposes of the Public Servants Disclosure Protection act (“whistleblowing law”).
Withdraw consent. You may withdraw your consent for use of your data at any time; however, withdrawal of consent may affect the functionality and features of the Services provided to you. In some cases you may not be able to withdraw consent if required by law or a contractual obligation. In such cases we will inform you if your consent cannot be withdrawn.
Right to correct or delete information._You can manage your account and the content contained in it, as well as edit some of your Personal Data, through your profile page.
_Compliance. To make requests about your Personal Data that we maintain or to ask questions about our compliance with PIPEDA, you may email our compliance officer at pipeda@optmyzr.com.

**Privacy Questions
**When a privacy question or question about Personal Data received in response to your use of our Services is received we have a dedicated team to address the specific concern. Please contact us at privacy@optmyzr.com with your questions or concerns. Where your issue may be more substantive in nature, more information may be sought from you. All such substantive contacts receive a response. If you are unsatisfied with the reply received, you may refer your complaint to the relevant regulator in your jurisdiction. If you ask us, we will endeavor to provide you with information about relevant complaint avenues which may be applicable to your circumstances.

Privacy Policy

If your organization signed a Service Agreement with Optmyzr, that Agreement may have modified the privacy policy below. Please contact your Optmyzr account rep for details.

Optmyzr Privacy Policy
Last Updated August 27, 2020