This website is operated by Cardinal Path, LLC (Cardinal Path, we, us), a digital performance marketing agency and part of the Dentsu Aegis Network Group. We believe that the responsible use of data supports businesses growth and builds strong relationships between brand and consumer. We are committed to being transparent in our handling and processing of personal data at all times in accordance with applicable privacy and data protection laws. This Privacy Notice explains in detail the types of personal data we may collect about you, or when applicable your authorized representative (herein collectively “you”), when you interact with us. Cardinal Path is the data controller of any personal data you provide to us, including in relation to this website (www.cardinalpath.com). The California Consumer Privacy Act of 2018 (“CCPA”) provides California residents with rights with respect to their personal information.
Those rights are explained below in the Supplemental Information section below (Your California Rights).
This Privacy Notice explains the following:
- Information we may collect
- How we use this information
- How long we will keep your information
- How we secure your personal data
- Information sharing and disclosure
- International and group company transfers
- Your rights in relation to your personal data
- Our responsibility for website links
- How to contact us
- Disclosures required under CCPA
- Policies regarding Information Collection Specific to Individual Google Platforms or Tools
In the Supplementary Information section of this Privacy Notice, we explain what is meant by “personal data” and other terms used in this notice.
1. Information we may collect
The type of information we collect will depend on the circumstances and the service you are using. Generally speaking, we will collect information relating to you and/or your use of the services we provide on our website, in the following ways:
Information relating to your use of the website
We collect information about how you use our website. This includes information relating to the pages you visit on our website and the links and content you choose to access. The information we collect is limited to the details we need to provide the specific service you have asked for, and will not be used for any other purpose.
We collect information about the device(s) you use to access our site. This includes collecting unique mobile device ID or the interest protocol (IP) address online identifiers, which are numbers that can uniquely identify a specific computer or other network device on the internet. This information is linked to a cookie ID, which we receive and process. You may find more information on the cookies we use and the purpose for which we use them on our separate Cookies Notice.
We collect contact details when you send us a query or ask for information about our services.
We do not actively seek to collect information about children aged 16 or under, or create interest segments specifically designed for the purpose of targeting children. If you have any concerns about your child’s privacy in relation to our services or if you believe that your child may have entered personal data onto our website, please contact us at Contact.PrivacyUS@cardinalpath.com.
2. How we use this information
Under certain data protection laws we are required to advise you on the legal basis for processing your personal data. For the most part, where applicable, the processing of your personal data is based either on a) our legitimate interests related to us providing you services you have requested or otherwise your customer relationship with us, or b) your consent, where requested.
In the table below we set out further information about the purposes for which we use your personal data and the legal basis we rely on for its use. Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.
|Purpose/Activity||Types of personal data that may be processed||Lawful basis for processing, including basis of legitimate interest|
|To send you information which you have requested about our services||Where you have requested information from us, we will send such communications based on your consent.|
To improve and develop our website:
We conduct statistical analysis on the usage of the website e.g. to enable us to improve our website, offer new features and material etc.
|Necessary for our legitimate interest (to keep our website updated and to develop our business).|
|To share information with our service providers||It is in our legitimate business interest to share your data with trusted third parties who provide us with services relevant to the provision of our website.|
|To share information within the Dentsu Aegis Network group||As Dentsu Aegis Network operates as a global operating media company, it is our legitimate business interest to share your data within the Dentsu Aegis Network group in order to manage our business effectively and provide our products and services.|
|To share information with other third parties, such as regulator and law enforcement agencies||We share your data as necessary for compliance with any legal obligation to which we are subject or in order to satisfy our legitimate business interests.|
|To update you with any changes to our terms and conditions /other policies||It is in our legitimate interest to respond to communications that you send to us, inform you of relevant information in relation to the services that we provide and utilise your information to improve our business.|
The categories of personal data we collect under CCPA are: personal information; geolocation data, professional or employment related information; and internet or other similar network activity. For more information about the CCPA categories of personal information, see Your California Rights.
3. How long we will keep your information
We will keep your personal data for as long as is necessary for the relevant service, in accordance with our legal obligations. After this time, your personal data will either be securely deleted or anonymized/de-identified so that it can be used for analytical purposes. You may request further information via the contact details given in this Privacy Notice.
4. How we secure your personal data
We maintain appropriate organizational and technological safeguards to help protect against unauthorized use, access to or accidental loss, alteration or destruction of personal data. We also seek to ensure our service providers do the same.
5. Information sharing and disclosure
We may disclose a user’s personal data to third parties when we are obligated to do so by applicable law or regulation, and in order to investigate, prevent, or take action regarding suspected or actual prohibited activities.
From time to time we may use a third party to help us manage our information technology systems and to process personal data on our behalf. We will only disclose the information necessary to enable these third parties to perform their services. Our service providers are contracted to comply with our instructions and we require that they do not use your personal data for their own business purpose. All of the categories of personal information under CCPA listed above may be shared within our group of companies. We do not sell or rent any personal data about you to any third party, and have not done so within the past 12 months.
6. International and group company transfers
Cardinal Path is part of the Dentsu Aegis Network, which is a global media group consisting of multiple companies. Therefore, we may from time to time disclose your personal data within our group of companies. Access will always be controlled on a need-to-know basis, and only provided where it is necessary to provide you with requested services or to allow us to perform any necessary or legitimate functions. With regard to personal data that is subject to EU data protection law, some of our group companies are located outside the European Union, but we always ensure the security of such disclosures and transfers in accordance with the applicable privacy and data protection laws.
We will only transfer your personal data outside the EU, where we are satisfied that adequate levels of protection are in place to protect the integrity and security of any information being processed and compliance with applicable privacy and data protection laws. These measures may include the use of standard contractual/data protection clauses adopted by the European Commission and where transfers are to the United States of America, the EU-US Privacy Shield, Swiss-US Privacy Shield or your consent. Where we transfer personal data between our group companies, we have covered these transfers by entering into standard contractual clauses adopted by the European Commission.
You may request further information on the measures used for such transfers via the contact details given in this Privacy Notice.
7. Your EU data protection law rights in relation to your personal data
- Object to our processing of your personal data where we are relying on legitimate interest (or those of a third-party), and you want to object to processing on this ground, as you feel it impacts on your fundamental rights and freedoms. You can object at any time and we shall stop processing the information you have objected to, unless we can show compelling legitimate grounds to continue that processing.
- Access your personal data. If you make this kind of request and we hold personal data about you. We are required to provide you with information on it, including a description and copy of the personal data and why we are processing it. We will require you to prove your identity before granting access to your personal data. We will process your request within the timeframe required under the relevant law.
- Request the transfer of your personal data. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note, this right applies to the personal data you have provided to us; and if we use your personal data on the basis of consent or where we used the information to perform a contract with you.
- Request erasure (deletion) of your personal data. You have a right to ask us to delete or remove your data where you have successfully exercised your right to object (see above), or where we are required to erase your personal data to comply with local law. Please note, we may be required to retain certain information by law and/or for our own legitimate business purpose. But when we do so, we will inform you
- Request correction or updating of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place.
- Withdraw your consent. Where you have provided your consent to our processing of your personal data you can withdraw your consent at any time. If you do withdraw consent, that will not affect the lawfulness of what we have done with your personal data before you withdrew consent.
- Make a Complaint. We will do our best to resolve any complaint. However, if you feel we have not resolved your complaint, you have a right to make a complaint to your local data protection authority. For example, in the UK, the local data protection authority is the UK Information Commissioner’s Office.
If you exercise the rights above and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity.
8. Our responsibility for website links
We may provide links within this site to other websites from time to time. If you follow these links, you should use these sites in conjunction with their applicable user and privacy policies as their data practices fall outside the scope of this Privacy Notice. Further, we have no responsibility for or control over the information collected by any third-party website and we are not responsible for the protection and privacy of any information which you may provide on such websites.
This Privacy Notice may be updated from time to time to reflect changes in law, best practice or a change in our practices regarding the treatment of personal data. The date of the most recent revision will appear at the top of this page. If you do not agree to the changes, please do not continue to use our website. You should check this notice frequently for updates.
10. Contact us
If you have any questions about this Privacy Notice, our approach to privacy or would like to exercise any of the rights mentioned in this Privacy Notice you can contact our Data Protection Officer in any of the following ways:
Address: Cardinal Path LLC
515 N. State Street, 22nd Floor
Chicago, IL 60654 U.S.
In this Supplementary Information section, we explain some of terminology used in this Privacy Notice.
“Data Controller” – the person or company that controls the purpose and means of processing personal data
“European Economic Area” – the 28 countries in the European Union plus Iceland, Liechtenstein and Norway.
“personal data” or “personal information” – any information that relates to you or your household (or from which you or your household can be identified).
“processing” – doing anything with personal data. For example, collecting it, storing it, disclosing it and deleting it.
“transfer” – sending personal data outside the European Economic Area (e.g. by storing it on equipment located outside the European Economic Area), or allowing someone from outside the European Economic Area to access the personal data.
11. Your California Rights
This section describes the rights that residents of California have and in other jurisdictions as provided by local law, and how to exercise such rights.
1. Right to Know about Personal Information Collected, Disclosed or Sold
You have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), and subject to certain limitations that we describe below, we will disclose such information. You have the right to request any or all of the following:
- The categories of personal information we collected about you.
- The categories of sources from which the personal information is collected.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
2. Right to Request Deletion
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records. However, we may retain personal information that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) in order to perform certain actions set forth under CCPA, such as detecting security incidents and protecting against fraudulent or illegal activity.
3. Exercising Access and Deletion Rights
To exercise the access and deletion rights described above, please submit a request to us by emailing us at Contact.PrivacyUS@cardinalpath.com or via the following toll-free number: 877-570-5939
Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child.
The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide adequate information that we can reasonably verify that you are the person about whom we collected the personal information (including information that enables us to verify the identifying information we possibly maintain about you).
We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing. In order to protect the security of your personal information, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. The method used to verify your identity will depend on the type, sensitivity and value of the information, including the risk of harm to you posed by any authorized access or deletion. Generally speaking, verification will be performed by matching the identifying information provided by you to the personal information that we already have.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request (and will not be made more than twice in a 12-month period). If we cannot comply with a request, or cannot fully comply with a request, the response we provide will also explain the reasons we cannot comply.
We will not discriminate against you for exercising any of your CCPA rights, including, but not limited to, by:
- Denying you goods or services.
- Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Providing you a different level or quality of goods or services.
- Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
12. Policies regarding Information Collection Specific to Individual Google Platforms or Tools
Google Analytics is a web-based service which assists website owners and operators in learning about and understanding the usage patterns of visitors who use their websites by collecting information about which individual webpages were visited, how long users visited the website, which websites referred the most visitors, general geographic location of visitors and other similar anonymous statistics. In order to distinguish one visit from another, Google Analytics may create several tracking cookies on a visitor’s computer which will expire after two years have passed since the initial visit. Google explicitly and expressly forbids the collection of Personally Identifiable Information in the Terms of Service for Google Analytics, and as such Cardinal Path has not attempted to make, has not made, and will never make modifications that would enable Google Analytics or any of the Cardinal Path Online Properties to collect any such information. Google Analytics does not collect any Personally Identifiable Information by default. Google Analytics collects the Internet Protocol (“IP”) addresses of computers or Internet connections used by visitors to websites on which Google Analytics has been installed. Google Analytics does not reveal or expose the Internet Protocol addresses of visitors to the owners of the website on which Google Analytics is installed. If you prefer to remain anonymous and untracked, Cardinal Path will respect your rights in this regard, and you may choose to opt-out of tracking here: https://tools.google.com/dlpage/gaoptout
Registration Forms on the Website provide a means for visitors to register for an event or content download. Information submitted by a visitor using the Registration Form will only be used for the following:
- To register the visitor for an event or content download;
- Archived and/or processed for statistical purposes, in which case the information will be stripped of any traceable Personally Identifiable Information or Confidential Information before any statistical or other analysis is undertaken;
- To send visitors relevant marketing communications and/or relevant communications about the event.