1. Purpose and Scope
1.1 Purpose
Eisen Inc (“Eisen” or the “Company”) must ensure we have policies and procedures in place to achieve compliance with applicable laws, rules and regulations that govern the treatment of personally identifiable information (“Personally Identifiable Information” or “PII”).
1.2 Scope
This Internal Privacy Policy (“Policy”) applies to all Eisen entities and to each entity’s employees, both full-time and part-time. Eisen will seek to obtain contractual assurances that any contractors or third-party service providers with access to PII in connection with their relationship with or services provided to Eisen have and exercise commensurate policies and procedures regarding PII. Eisen will conduct regular audits of such contractors and third-party service providers in accordance with its Vendor Management Policy.
This Policy describes the requirements with respect to the identification, handling, and disposal of PII and applies to current and former users. Further, this Policy, in conjunction with cross-functional procedures, will provide administrative, technical, and physical safeguards, which assist employees in ensuring the confidentiality of PII collected from consumers and users. All nonpublic information, whether relating to current or former users, is subject to this Policy. Any doubts about the confidentiality of user information must be resolved in favor of confidentiality.
Certain Eisen entities may be subject to additional or specific regulatory requirements. In such cases, an entity-level policy will describe those requirements and the process for adherence.
2. Policy Standards
Eisen is subject to a number of federal and state laws, rules and regulations (“Laws”) which govern how user information is obtained, handled, shared and disposed of. These Laws require Eisen to explain its information-sharing practices to its users, limit how we share PII with nonaffiliated third parties as well as affiliates, and inform users of their right to “opt out” of having their data sold. Additionally, Eisen is required to maintain policies and procedures to safeguard sensitive user information.
For example, under the California Consumer Privacy Act (“CCPA”), the definition of PII means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. PII includes, but is not limited to:
• Name
• Address
• Social Security Number
• Birth Date
• Account Number
• Income
Regardless of whether any or all of this information is publicly available, it is treated as PII and is subject to the requirements of this Policy. In addition, PII is classified as Restricted Data in Eisen’s Data Classification Policy and is subject to the handling, sharing, storage and disposal policies contained in the Acceptable Use Policy and the Information and Cyber Security Program.
2.1 Sharing PII with Eisen Affiliates and Third Parties
Laws govern the types of PII that may be shared, and the conditions that apply, when sharing PII internally among Eisen affiliates and with third parties such as vendors, other service providers, and government authorities. These Laws require, among other things, disclosures to users about:
• What PII is shared;
• How PII is used; and
• How users can opt out of the sale of PII.
Eisen makes its disclosures in a Privacy Policy. The Privacy Policy for Eisen is available on the Eisen website for user and prospective user access at all times. If, at any time, Eisen adopts material changes to its Privacy Policy, Eisen will post the updated Privacy Policy on its website.
Eisen may, at some point in the future, become subject to the CCPA should Eisen meet any one of the following thresholds (“CCPA Thresholds”):
• Gross annual revenue of over $25 million;
• Buys, receives, or sells the PII of 50,000 or more California residents, households, or devices; or
• Derives 50% or more of its annual revenue from selling California residents’ PII.
Should Eisen meet, or come close to meeting, any of the CCPA Thresholds, Eisen will need to update its Privacy Policy to reflect the requirements of the CCPA and implement further internal processes to ensure ongoing compliance, including: creating at least two designated methods for submitting requests to exercise a consumer’s rights under the CCPA, and creating a “Do Not Sell My Personal Information” webpage.
2.2 Employee Access and Handling of PII
Eisen restricts employee access to users’ PII to those employees and third-party service providers who need to know such information in order to carry out their job functions or provision of services. Employees must therefore consider whether information they share internally or with third-party service providers is necessary to perform a function or complete a task. Any conversations involving any PII, if appropriate at all, must be conducted by employees with care to avoid any unauthorized persons overhearing or intercepting such conversations. Where there is room for doubt, employees should refrain from sharing information and consult with their manager or the Compliance Officer. The prohibition on disclosing users’ PII continues even after termination of employment with Eisen.
Any hard-copy PII must be secured in a locked compartment or receptacle at the close of business each day. All electronic or computer files containing such information are classified as Restricted Data and are secured and protected from access by unauthorized persons in accordance with Eisen’s Information and Cyber Security Program.
2.3 Retention of PII
Eisen stores PII securely throughout the life of the user account. PII will be retained for up to 5 years or as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting obligations or to resolve disputes.
All PII in Eisen’s possession shall be disposed of in a secure manner pursuant to records retention policies and consistent with Eisen’s Information and Cyber Security Program.
2.4 Handling/Disposal of PII of Children Under the Age of 16
Eisen’s products are not directed or marketed to children under the age of sixteen (16). If Eisen obtains actual knowledge the Company has collected PII from a child under the age of sixteen (16), Eisen shall promptly delete it, unless legally obligated to retain such data. Verifiable parent or guardian consent need not be obtained where information about children is provided by their parents or guardians.
2.5 Handling Disputes and Data Subject Requests
The Compliance Officer, in conjunction with Legal, is responsible for handling any disputes related to a user’s PII as well as any data subject requests. There should be a dedicated email address or communications portal for receiving data subject requests and disputes, such as an online form. All requests and disputes should be responded to within forty-five (45) calendar days. This deadline may be extended by another forty-five (45) days as long as the Compliance Officer notifies the data subject prior to the first deadline.
3. Policy Governance
The Compliance Officer is responsible for the content and maintenance of this Policy (“Policy Owner”). The Chief Executive Officer is responsible for reviewing and approving this Policy, and this Policy becomes effective on its approval date by the Chief Executive Officer.
This Policy must be reviewed on an annual basis or more frequently when material changes occur in the organization, its business practices, or a related policy that impacts this Policy. The Chief Executive Officer empowers the Policy Owner to make non-material updates to this Policy, such as correction of typographical errors; however, all material changes are submitted to the Chief Executive Officer for review and approval.
4. Roles and Responsibilities
The following process owners are responsible for implementing and maintaining processes, procedures, and internal controls to provide reasonable assurance Eisen is in compliance with this Policy.
Chief Executive Officer. The Chief Executive Officer is responsible for reviewing and approving this Policy at minimum on an annual basis.
Legal. Legal, in conjunction with Compliance, is responsible for:
• Ensuring all Privacy Policies, and written disclosures are clear, accurate and sensitive to the level of sophistication of the target audience for Eisen’s products and services.
• Evaluating and addressing any privacy concerns raised by the business to determine appropriate actions to address the concern.
• Ensuring user agreements and disclosures adequately cover the privacy concerns of the product or service being offered.
Compliance Officer. The Compliance Officer is responsible for:
• Coordinating version control, including:
  • distribution of this Policy to the appropriate employees and making it available internally;
  • distribution of the Privacy Policy to users at the time of account opening; and
  • ensuring required privacy disclosures are published and maintained on the Eisen website for user access.
• Coordinating the evaluation of the risks of new or changed products and services or new operating jurisdictions to ensure any privacy risks are appropriately identified and mitigated, including local regulations.
• Responding to requests for privacy information from any Eisen partners related to any reviews, audits, and exams related to Eisen’s practices.
• Coordinating maintenance of the learning management system program to provide required compliance training to employees based on roles and responsibilities.
• Coordinating review and approval of all consumer-facing materials, marketing scripts, new products, and new product features to ensure that they adequately cover the privacy concerns of the product or service being offered, including any related or optional products or services.
• Responding to and evaluating, in a timely manner:
  • data subject requests; and
  • disputes and complaints from users around the handling of PII.
• Monitoring company revenues and user statistics to determine whether Eisen is subject to the CCPA, and preparing corresponding updates to the Privacy Policy and internal processes when required.
Partnership Operations. Partnership Operations is responsible for coordination of governance and oversight of third-party vendors who have access to PII pursuant to Eisen’s Vendor Management Policy. Oversight activities may vary, depending on the scope and complexity of the outsourced activities and the information shared, but will be sufficient to validate that each such vendor has and exercises sufficient policies and procedures regarding PII.
Chief Information Security Officer. The Chief Information Security Officer is responsible for coordinating the secure maintenance of PII through the maintenance of Eisen’s systems, as well as implementing controls to monitor and limit access to PII. Should the Chief Information Security Officer become aware of any actual or suspected non-compliance with this Policy, they shall escalate the information to Legal and Compliance through Eisen’s incident management process.
Employees. It is the responsibility of all Eisen employees to read, understand and adhere to the requirements of this Policy and any relevant supporting procedures. Specifically, employees shall safeguard PII and ensure that the information is used for the stated purpose for which it was collected. Employees are prohibited from sharing PII with anyone not authorized to possess such information, including forwarding PII to a non-authorized party.
All employees shall ensure the security of PII on any device (desktop computer, laptop, etc.), whether issued by Eisen or an employee’s own personal device, in accordance with Eisen’s Information and Cyber Security Program.
In addition, all employees will be required to send and receive PII electronically in accordance with Eisen’s Information and Cyber Security Program.
If an employee believes the security of any PII has been compromised in any way, the employee shall immediately notify the Chief Information Security Officer.
5. Record and Retention
Eisen will maintain a record of each Regulatory Change Management Report and Privacy in accordance with the retention periods prescribed in Eisen’s Information and Cyber Security Program.
Eisen will maintain documents accessible to all persons who are legally entitled to access them for the period required by law in a form capable of being accurately reproduced for later reference.
6. Training
Eisen will require all employees, and affiliates’ employees, whose jobs involve handling PII to receive training appropriate to their roles and responsibilities at least annually.
7. Employee Compliance Statement
Failure to comply with this Policy may subject an employee to a range of disciplinary actions, up to and including termination.
8. Exceptions
There are no exceptions to this Policy. Any questions related to this Policy must be directed to the Compliance Officer.
9. Marketing Website
When you visit our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or home address. We (or service providers on our behalf) may then send communications and marketing to these email or home addresses. You may opt out of receiving this advertising by visiting https://app.retention.com/optout.