Privacy Policy

Additional Disclosures for U.S. States Privacy Law Compliance.

The following section includes provisions that comply with the privacy laws of these states (California, Colorado, Delaware, Florida, Virginia, and Utah) and is applicable only to the residents of those states. Specific references to a particular state (in a heading or in the text) are only a reference to that state's law and applies only to that state's residents. Non-state specific language applies to all of the states listed above.

Do Not Track

Some browsers have a "Do Not Track" feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser "Do Not Track" signals.

We adhere to the standards outlined in this privacy policy, ensuring we collect and process personal information lawfully, fairly, transparently, and with legitimate, legal reasons for doing so.

California Privacy Laws - CPPA

Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organizations for their marketing purposes. In accordance with your right to non-discrimination, we may offer you certain financial incentives permitted by the California Consumer Privacy Act, and the California Privacy Rights Act (collectively, CCPA) that can result in different prices, rates, or quality levels for the goods or services we provide. Any CCPA-permitted financial incentive we offer will reasonably relate to the value of your personal information, and we will provide written terms that describe clearly the nature of such an offer. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organizations for their marketing purposes. To make such a request, please contact us using the details provided in this privacy policy with “Request for California privacy information” in the subject line. You may make this type of request once every calendar year. We will email you a list of categories of personal information we revealed to other organisations for their marketing purposes in the last calendar year, along with their names and addresses. Not all personal information shared in this way is covered by Section 1798.83 of the California Civil Code.

California Notice of Collection

In the past 12 months, we have collected the following categories of personal information enumerated in the CCPA:

For more information on information we collect, including the sources we receive information from, review the “Information We Collect” section. We collect and use these categories of personal information for the business purposes described in the “Collection and Use of Information” section, including to provide and manage our Service.

Right to Know and Delete

You have rights to delete your personal information we collected and know certain information about our data practices in the preceding 12 months. In particular, you have the right to request the following from us:

• The categories of personal information we have collected about you;
• The categories of sources from which the personal information was collected;
• The categories of personal information about you we disclosed for a business purpose or sold;
• The categories of third parties to whom the personal information was disclosed for a business purpose or sold;
• The business or commercial purpose for collecting or selling the personal information; and
• The specific pieces of personal information we have collected about you;

To exercise any of these rights, please contact us using the details provided in this privacy policy.

Shine the Light

In addition to the rights discussed above, you have the right to request information from us regarding the manner in which we share certain personal information as defined by applicable statute with third parties and affiliates for their own direct marketing purposes.

To receive this information, send us a request using the contact details provided in this privacy policy. Requests must include “Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code.

Additional Disclosures for General Data Protection Regulation (GDPR) Compliance (EU)

Data Controller / Data Processor

The GDPR distinguishes between organizations that process personal information for their own purposes (known as "data controllers") and organizations that process personal information on behalf of other organizations (known as "data processors"). We, ANAHCIG, located at the address provided in our Contact Us section, are a Data Controller with respect to the personal information you provide to us.

Legal Bases for Processing Your Personal Information

We will only collect and use your personal information when we have a legal right to do so. In which case, we will collect and use your personal information lawfully, fairly, and in a transparent manner. If we seek your consent to process your personal information, and you are under 16 years of age, we will seek your parent or legal guardian's consent to process your personal information for that specific purpose.

Our lawful bases depend on the services you use and how you use them. This means we only collect and use your information on the following grounds:

Consent From You

Where you give us consent to collect and use your personal information for a specific purpose. You may withdraw your consent at any time using the facilities we provide; however this will not affect any use of your information that has already taken place. When you contact us, you may consent to your name and email address being used so we can respond to your enquiry. While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

Performance of a Contract or Transaction

Where you have entered into a contract or transaction with us, or in order to take preparatory steps prior to our entering into a contract or transaction with you. For example, if you contact us with an enquiry, we may require personal information such as your name and contact details in order to respond.

Our Legitimate Interests

Where we assess it is necessary for our legitimate interests, such as for us to provide, operate, improve and communicate our services. We consider our legitimate interests to include research and development, understanding our audience, marketing and promoting our services, measures taken to operate our services efficiently, marketing analysis, and measures taken to protect our legal rights and interests.

Compliance With the Law

In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include (but are not limited to) court orders, criminal investigations, government requests, and regulatory obligations. If you have any further enquiries about how we retain personal information in order to comply with the law, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

International Transfers Outside of the European Economic Area (EEA)

We will ensure that any transfer of personal information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, for example by using standard data protection clauses approved by the European Commission, or the use of binding corporate rules or other legally accepted means.

Your Rights and Controlling Your Personal Information

Restrict: You have the right to request that we restrict the processing of your personal information if:

• you are concerned about the accuracy of your personal information;
• you believe your personal information has been unlawfully processed;
• you need us to maintain the personal information solely for the purpose of a legal claim; or
• we are in the process of considering your objection in relation to processing on the basis of legitimate interests.

Objecting to processing: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights, and freedoms, in order to proceed with the processing of your personal information.

Data portability: You may have the right to request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine format. You may also have the right to request that we transfer this personal information to a third party.

Additional Disclosures for Australian Privacy Act Compliance (AU)

International Transfers of Personal Information

Where the disclosure of your personal information is solely subject to Australian privacy laws, you acknowledge that some third parties may not be regulated by the Privacy Act and the Australian Privacy Principles in the Privacy Act. You acknowledge that if any such third party engages in any act or practice that contravenes the Australian Privacy Principles, it would not be accountable under the Privacy Act, and you will not be able to seek redress under the Privacy Act.

Additional Disclosures for Personal Information Protection and Electronic Documents Act (PIPEDA) Compliance (Canada)

Additional Scope of Personal Information

In accordance with PIPEDA, we broaden our definition of personal information to include any information about an individual, such as financial information, information about your appearance, your views and opinion (such as those expressed online or through a survey), opinions held about you by others, and any personal correspondences you may have with us. While this information may not directly identify you, be aware that it may be combined with other information to do so.

As PIPEDA refers to personal information using the term Personally Identifying Information (PII), any references to personal information and PII in this privacy policy, and in official communications from ANAHCIG, are intended as equivalent to one another in every way, shape and form.

Valid Consent

Where you give us consent to collect and use your personal information for a specific purpose. You may withdraw your consent at any time using the facilities we provide; however this will not affect any use of your information that has already taken place. When you contact us, we assume your consent based on your positive action of contact, therefore you consent to your name and email address being used so we can respond to your enquiry. Under PIPEDA, consent is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.

Where you agree to receive marketing communications from us, we will do so based solely on your indication of consent or until you instruct us not to, which you can do at any time.

While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

International Transfers of Information

While ANAHCIG endeavors to keep, store and handle customer data within locations in Canada, it may use agents or service providers located in the United States (U.S.), European Economic Area (EEA) or United Kingdom (UK) to collect, use, retain and process personal information as part of providing services to you. While we use all reasonable efforts to ensure that personal information receives the same level of security in any other jurisdiction as it would in Canada, please be aware that privacy protections under U.S. laws may not be the same adequacy.

Customer Data Rights

Although PIPEDA does not contain an extensive set of consumer rights, it does grant consumers the right to:

• Access the personal information organizations hold about them;
• Correct any inaccurate or outdated personal information the organization hold about them (or, if this is not possible, delete the inaccurate personal information)
• Withdraw consent for any activities for which they have consented (e.g. direct marketing or cookies)

Right to Withdraw Consent

Where you give us consent to collect and use your personal information for a specific purpose. Subject to some restrictions, you can, at any time, refuse to consent, or continue to consent to the collection, use or disclosure of their personal information by notifying us using the email address below in the "Contact Us" section. Withdrawal of consent may impact our ability to provide or continue to provide services.

Customers cannot refuse collection, use and disclosure of their personal information if such information is required to:

• be collected, used or disclosed as required by any law;
• fulfill the terms of any contractual agreement; and
• be collected, used or disclosed as required by any regulators including self regulatory organizations

While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

Right of Access Under PIPEDA

PIPEDA gives you a general right to access the PII held by businesses subject to this law. Under PIPEDA, you need to make your access request in writing and pay a minimal fee of $30.00.

If any organizational fees seem unjust, you have the right to complain about this. We retain the right to decide how we disclose the copies of your PII to you. We will take all necessary measures to fulfill your request in 30 days from receipt, otherwise we must inform you of our inability to do so before the 30-day timeframe if:

• meeting the time limit would unreasonably interfere with our business activities; or
• the time required to undertake consultations necessary to respond to the request would make it impractical to meet the time limit.

We can also extend the time limit for the length of time required to convert the personal information into an alternative format. In these circumstances, we will advise you of the delay within the first 30 days and explain the reason for it.

Right of rectification under PIPEDA

You may request a correction to any factual errors or omissions within your PII. We would ask you to provide some evidence to back up your claim. Under PIPEDA, an organization must amend the information, as required, if you successfully demonstrate that it's incomplete or inaccurate.

You may contact us at any time, using the information provided in the Contact Us section of this privacy policy if you believe your PII on our systems is incorrect or incomplete.

If we cannot agree on changing the information, you have the right to have your concerns recorded with the Office of the Privacy Commission of Canada.

Compliance with PIPEDA's Ten Principles of Privacy

This privacy policy complies with the PIPEDA's requirements and ten principles of privacy, which are as follows:

1. Accountability. ANAHCIG is responsible for the PII under its control and will designate one or more persons to ensure organizational accountability for compliance with the ten principles of privacy under PIPEDA, whose details are included below. All personnel are accountable for the protection of customers' personal information.
2. Identifying purposes. ANAHCIG identifies the purposes for which personal information is collected at or before the time the information is collected.
3. Consent. Consent is required for ANAHCIG's collection, use or disclosure of personal information, except where required or permitted by PIPEDA or other law. In addition, when customers access a product or service offered by us, consent is deemed to be granted. Express consent may be obtained verbally, in writing or through electronic means. Alternatively, consent may be implied through the actions of customers or continued use of a product or service following ANAHCIG's notification of changes.
4. Limiting collection. Personal information collected will be limited to that which is necessary for the purposes identified by ANAHCIG.
5. Limiting use, disclosure and retention. We will not use or disclose personal information for purposes other than those for which the information was collected, except with your consent or as required by law. We will retain personal information only for as long as is necessary to fulfill the purposes for collecting such information and compliance with any legal requirements.
6. Accuracy. Personal information will be maintained by ANAHCIG in an accurate, complete and up-to-date format as is necessary for the purpose(s) for which the personal information was collected.
7. Safeguards. We will protect personal information with security safeguards appropriate to the sensitivity of such information.
8. Openness. We will make our policies and practices relating to the collection and management of personal information readily available upon request, including our brochures or other information that explain our policies, standards, or codes.
9. Customer access. We will inform customers of the existence, use and disclosure of their personal information and will provide access to their personal information, subject to any legal restrictions. We may require written requests for access to personal information and in most cases, will respond within 30 days of receipt of such requests. Customers may verify the accuracy and completeness of their personal information, and may request the personal information be corrected or updated, if appropriate.
10. Challenging compliance. Customers are welcome to direct any questions or inquiries concerning our compliance with this privacy policy and PIPEDA requirements using the contact information provided in the Contact Us section of this privacy policy.

Anti-Spam Legislation

Our email interactions with our customers are compliant with Canadian Anti-Spam Legislation. The Company does not send unsolicited email to persons with whom we have no relationship. We will not sell personal information, such as email addresses, to unrelated third-parties. On occasion, your personal information may be provided to our third-party partners to administer the products and services you request from us.

When you leave our product by linking to another website, you are subject to the privacy and security policies of the new website. We encourage you to read the privacy policies of all websites you visit, especially if you share any personal information with them.

Enquiries, Reports and Escalation

To enquire about ANAHCIG's privacy policy, or to report violations of user privacy, you may contact us using the details in the Contact us section of this privacy policy.

If we fail to resolve your concern to your satisfaction, you may also contact the Office of the Privacy Commissioner of Canada:

30 Victoria Street
Gatineau, QC K1A 1H3
Toll Free: 1.800.282.1376
www.priv.gc.ca

Additional Disclosures for UK General Data Protection Regulation (UK GDPR) Compliance (UK)

Data Controller / Data Processor

The GDPR distinguishes between organizations that process personal information for their own purposes (known as "data controllers") and organizations that process personal information on behalf of other organizations (known as "data processors"). We, ANAHCIG, located at the address provided in our Contact Us section, are a Data Controller with respect to the personal information you provide to us.

Third-Party Provided Content

We may indirectly collect personal information about you from third-parties who have your permission to share it. For example, if you purchase a product or service from a business working with us, and give your permission for us to use your details in order to complete the transaction.

We may also collect publicly available information about you, such as from any social media and messaging platforms you may use. The availability of this information will depend on both the privacy policies and your own privacy settings on such platforms.

Additional Disclosure for Collection and Use of Personal Information

In addition to the aforementioned purposes warranting the collection and use of personal information, we may also conduct marketing and market research activities, including how visitors use our site, website improvement opportunities and user experience.

Personal Information No Longer Required for Our Purposes

If your personal information is no longer required for our stated purposes, or if you instruct us under your Data Subject Rights, we will delete it or make it anonymous by removing all details that identify you ("Anonymisation"). However, if necessary, we may retain your personal information for our compliance with a legal, accounting, or reporting obligation or for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes.

Legal Bases for Processing Your Personal Information

Data Protection and Privacy Laws permit us to collect and use your personal data on a limited number of grounds. In which case, we will collect and use your personal information lawfully, fairly and in a transparent manner. We never directly market to any person(s) under 18 years of age.

Our lawful bases depend on the services you use and how you use them. This is a non-exhaustive list of the lawful bases we use:

Consent From You

Where you give us consent to collect and use your personal information for a specific purpose. You may withdraw your consent at any time using the facilities we provide; however this will not affect any use of your information that has already taken place. When you contact us, we assume your consent based on your positive action of contact, therefore you consent to your name and email address being used so we can respond to your enquiry.

Where you agree to receive marketing communications from us, we will do so based solely on your indication of consent or until you instruct us not to, which you can do at any time.

While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

Performance of a Contract or Transaction

Where you have entered into a contract or transaction with us, or in order to take preparatory steps prior to our entering into a contract or transaction with you. For example, if you contact us with an enquiry, we may require personal information such as your name and contact details in order to respond.

Our Legitimate Interests

Where we assess it is necessary for our legitimate interests, such as for us to provide, operate, improve and communicate our services. We consider our legitimate interests to include research and development, understanding our audience, marketing and promoting our services, measures taken to operate our services efficiently, marketing analysis, and measures taken to protect our legal rights and interests.

Compliance With the Law

In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include (but are not limited to) court orders, criminal investigations, government requests, and regulatory obligations. If you have any further enquiries about how we retain personal information in order to comply with the law, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

International Transfers of Personal Information

The personal information we collect is stored and/or processed in the United Kingdom by us. Following an adequacy decision by the EU Commission, the UK has been granted an essentially equivalent level of protection to that guaranteed under UK GDPR.

On some occasions, where we share your data with third parties, they may be based outside of the UK, or the European Economic Area ("EEA"). These countries to which we store, process, or transfer your personal information may not have the same data protection laws as the country in which you initially provided the information.

If we transfer your personal information to third parties in other countries:

• we will perform those transfers in accordance with the requirements of the UK GDPR (Article 45) and Data Protection Act 2018;
• we will adopt appropriate safeguards for protecting the transferred data, including in transit, such as standard contractual clauses ("SCCs") or binding corporate rules.

Your Data Subject Rights

Right to Restrict Processing: You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.

Right to Object: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights, and freedoms, in order to proceed with the processing of your personal information.

Right to be Informed: You have the right to be informed with how your data is collected, processed, shared and stored.

Right of Access: You may request a copy of the personal information that we hold about you at any time by submitting a Data Subject Access Request (DSAR). The statutory deadline for fulfilling a DSAR request is 30 calendar days from our receipt of your request.

Right to Erasure: In certain circumstances, you can ask for your personal data to be erased from the records held by organizations. However this is a qualified right; it is not absolute, and may only apply in certain circumstances.

When may the right to erasure apply?

• When the personal data is no longer necessary for the purpose for which it was originally collected or processed for.
• If consent was the lawful basis for processing personal data and that consent has been withdrawn. ANAHCIG relies on consent to process personal data in very few circumstances.
• The Company is relying on legitimate interests as a legal basis for processing personal data and an individual has exercised the right to object and it has been determined that the Company has no overriding legitimate grounds to refuse that request.
• Personal data are being processed for direct marketing purposes e.g. a person's name and email address, and the individual objects to that processing.
• There is legislation that requires that personal data are to be destroyed.

Right to Portability: Individuals have the right to get some of their personal data from an organisation in a way that is accessible and machine-readable, for example as a csv file. Associated with this, individuals also have the right to ask an organisation to transfer their personal data to another organisation.

However, the right to portability:

• only applies to personal data which a person has directly given to ANAHCIG in electronic form; and
• onward transfer will only be available where this is "technically feasible".

Right to Rectification: If personal data is inaccurate, out of date, or incomplete, individuals have the right to correct, update or complete that data. Collectively this is referred to as the right to rectification. Rectification may involve filling the gaps i.e. to have to have incomplete personal data completed - although this will depend on the purposes for the processing. This may involve adding a supplementary statement to the incomplete data to highlight any inaccuracy or claim thereof.

This right only applies to an individual's own personal data; a person cannot seek the rectification of another person's information.

Notification of data breaches: Upon discovery of a data breach, we will investigate the incident and report it to the UK's data protection regulator and yourself, if we deem it appropriate to do so.

Complaints: You have the right, at any time, to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance using the details below. Please provide us with as much information as you can about the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint.

Enquiries, Reports and Escalation

To enquire about ANAHCIG's privacy policy, or to report violations of user privacy, you may contact our Data Protection Officer using the details in the Contact us section of this privacy policy.

If we fail to resolve your concern to your satisfaction, you may also contact the Information Commissioner's Office (ICO), the UK Data Protection regulator:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate)
Website: www.ico.org.uk