OVERVIEW OF US RIGHTS REQUESTS
Stratus responds to valid privacy requests in accordance with U.S. data privacy laws as follows:
- Request Intake: Requests may be submitted by data subjects or a third party authorized agent.
- California Requirement: An authorized agent may submit a request on behalf of an individual provided that the authorized agent is registered to do business in California and provides the written permission authorizing the agent to submit the request.
- Exemptions: The Company will deny requests that fall within exemptions under U.S. state privacy laws.
For example, the request may denied if it exceeds two requests in a 12-month period from the same individual.
- Request Acknowledgement: The Company will acknowledge privacy requests without undue delay, and no later than ten calendar days from receiving the request.
- Request Validation: The Company will review its files to confirm if the Company holds any information about the individual. If there is no information, the Company will reach out to the individual confirming that the request cannot be verified due to a lack of personal information about the individual.
- Request Identity Verification: The Company verifies identity when fulfilling all privacy requests except for requests to opt out of the sale of personal information.
- As part of the verification process, the Company will take the following steps:
- Match at least three pieces of personal information provided by the individual with information held by the Company (i.e., name, mailing address, and email address).
- Confirm the individual’s email address by sending an email to the account and requiring that the individual click on a link or reply to the email.
- If not enough information is available in the Company’s records to verify the request, the Company may optionally request a copy of the individual’s government-issued identification.
- If the Company receives a request through an authorized agent, the Company should still verify the individual’s identity directly with the individual as described above.
- Request Fulfillment: After verification of the request (if required), the Company proceeds to request fulfillment within 45 days (with an option to extend the response timeframe on a case-by-case basis depending on the laws of the specific U.S. state). Request fulfillment varies based on the specific right requested by the individual, as follows:
- Right of Access: The individual may request access to their personal data or information about the types of personal data that the Company collects, the sources of the data, and the uses of the data. To fulfill these requests, the Company provides the information to the individual directly in a secure manner (i.e., password protected file).
The Company will not provide sensitive personal data to the individual, such as government issued identification numbers, financial account numbers, passwords, security questions, or other information.
- Right of Deletion: The individual may request deletion of their personal data, subject to specific statutory exceptions, including to provide a good or service requested by the individual, perform a contractual obligation, or comply with a legal obligation. To fulfill the request, the Company will confirm that the personal data was deleted, and describe any exceptions pursuant to which the Company retained data. Data that was retained will not be used except in accordance with the applicable exception.
- Right to Correct: The individual has the authority to make a request to rectify his or her personal data when it is inaccurate or incomplete, by providing proof indicating the change that should be made. If the proof offered by the individual is reliable (including from a government source), the Company will update its records where warranted. If the proof offered by the individual appears unreliable or outdated, the Company will request additional information from the individual to validate the accuracy and reliability of the information, or use third data validation services. The Company will retain a copy of the proof offered by the individual for recordkeeping purposes.
To fulfill the request, the Company will confirm that the individual’s records were updated.
- Right to Opt-Out: U.S. state privacy laws provide for various rights to opt-out. To the extent that Stratus “sells” or “shares” personal data, including by engaging marketing vendors that participate in targeted advertising activities, lead generation, or profiling of individuals, Stratus is required to provide an opportunity to opt out.
- Right to Limit Processing of Sensitive Personal Data: Individuals have the right to limit processing of Sensitive Personal Data to specific business purposes defined in the law. If applicable, Stratus will limit use and disclosure of Sensitive Personal Data when requested.
- Right to Appeal: Stratus will provide a right to appeal whereby an individual may appeal a denial of a request to exercise rights under specific U.S. state laws. For example, if a request is denied because the individual did not provide supporting documentation to verify the individual’s identity, the individual may appeal and provide additional verification information. If the appeal is denied, the individual will be informed about redress available under applicable laws, including contacting authorities with jurisdiction over Stratus.