ONLINE PRIVACY POLICY AGREEMENT 

SPS/GZ Consumer Privacy Policy

Introduction

Protecting consumer privacy is important to SPS/GZ. This privacy policy outlines our standard policy and practices for implementing the Website Privacy Principles (set out below). This includes the types of information we gather, how we use it, and the notice and choice affected individuals have regarding our use of that information and their ability to correct it. This privacy policy applies to all personal information received by SPS/GZ through this website domain. This Privacy Policy does not govern information you might provide through a channel other than the Website. This Privacy Policy applies to all visitors to the Website.

Definitions

“Personal Information” or “Information” means information that (1) is recorded in any form; (2) is about, or pertains to a specific individual; and (3) can be linked to that individual; (4) can directly or indirectly identify an individual.

“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health. SPS/GZ’s website domain forms do not include the collection of Sensitive Personal Information.

Website Privacy Principles

SPS/GZ collects data from the public via the SPS/GZ web site. This data may include information volunteered by an individual who wants to obtain more information about SPS/GZ’s services or data which indicates who accessed SPS/GZ’s web site and which pages they accessed. The latter type of data may or may not include Personal Information. This data is used for SPS/GZ’s marketing purposes and is not passed to third parties for any purpose other than assisting SPS/GZ in its marketing efforts. SPS/GZ does not sell this data to third parties. Third parties who do receive this type of data are obligated to use the data only for the contracted purpose and to maintain the confidentiality of the data.

Choice

Individuals who have provided information to SPS/GZ via its web site may contact SPS/GZ to have their names and information removed from SPS/GZ’s marketing databases by contacting us at spsgzsupport@greenzapato.com. SPS/GZ complies with applicable law that requires all marketing emails to include the means to opt out of such email.

SPS/GZ does not currently collect Sensitive Personal Information. In the event that SPS/GZ does receive Sensitive Personal Information, SPS/GZ shall treat Sensitive Personal Information received from an individual the same as the individual would treat and identify it as Sensitive Personal Information.

Use of Cookies

As you browse spsgz.com, advertising cookies will be placed on your computer so that we can understand what you are interested in. These cookies are used to show relevant ads to you and to measure the performance of our advertising campaigns.

The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number.

Data Security

SPS/GZ has put in place appropriate physical, electronic and procedural controls to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Although information sent to and from SPS/GZ is secured according to industry best practices, SPS/GZ cannot guarantee the security of Information on or transmitted via the Internet.

Data Integrity

SPS/GZ shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, SPS/GZ shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.

Access

SPS/GZ shall allow an individual to access their Personal Information and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Where the information the individual seeks to edit was provided by an SPS/GZ customer, SPS/GZ will need to contact the customer and will only change the information after the customer has verified that the original information was inaccurate. Access can be initiated via email to spsgzsupport@greenzapato.com.

Dispute Resolution

SPS/GZ is committed to resolving complaints about your privacy and our collection or use of your Personal Information. Individuals with inquiries or complaints regarding this privacy policy should first contact SPS/GZ at spsgzsupport@spsgz.com.

We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal data within 45 days of receiving your complaint.

Privacy Notice for California Residents

Data Protection for California Consumers under the California Consumer Privacy Act

If you are a visitor, user, or other individual who resides in the State of California (“consumer”), you have the right to: (a) request that SPS/GZ disclose what personal information it collects, uses, discloses and sells about you, (b) request deletion of the personal information you have provided to SPS/GZ, and (c) be free from discrimination by SPS/GZ as a result of you exercising your rights under the California Consumer Privacy Act of 2018 (“CCPA”).

We note that the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication from some of its requirements, such that the rights to access and delete your personal information do not apply with respect to such information.

In addition, under the CCPA, none of the rights set forth in this Notice apply to, and “personal information” does not include, certain categories of information, such as (i) publicly available information from government records, (ii) deidentified or aggregated consumer information, (iii) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data, and (iv) information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

If you wish to exercise any of these rights, you must submit a Verifiable Consumer Request by emailing spsgzsupport@greenzapato.com.

California Consumers’ Rights

If you are a natural person who is resident in the state of California, you may have the following rights in relation to personal information that we collect about you.

  • Disclosure: You have the right to request that we disclose to you, free of charge, the categories and specifics of the personal information we collect about you and/or, if applicable, disclose about you to a third party for business purposes (unless otherwise restricted). You may request the personal information up to 12 months preceding your request. Be advised that we are not required to disclose such information more than twice in a 12-month period.
  • Deletion: You have the right to request that we delete the personal information we have collected from you that is in our possession or in the possession of our service providers, unless otherwise restricted by law or regulation.
  • Verifiable Request: We require a verifiable request from you to ensure that it is, in fact, you who is requesting such a disclosure or deletion. Once we verify the request, we will provide that information to you or delete the information.
  • Non-Discrimination: We follow the requirements of California Civil Code §1798.125 and will not discriminate against any consumer who exercises the rights set forth in this privacy notice.
  • Limit the Use or Disclosure of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes that would require us to offer consumers the right to limit such use under the CCPA.

Currently the Site does not recognize and respond to “do not track” signals. Should this change in the future, we will inform you through an updated version of this privacy notice.

SPS/GZ has not sold the personal information of any California consumer to third parties in the preceding 12 months. SPS/GZ does not sell the personal information of minors under 16 years of age without affirmative authorization.

Data Protection for Individuals in the European Union (EU)

In addition to the above information, as SPS/GZ is a global business we may collect data from citizens within the EU.

Through this section of the Privacy Policy, we aim to inform you about the types of personal data we may collect from European individuals, the purposes for which we use the data and the ways in which the data is handled. We also aim to satisfy the obligation of transparency under the EU General Data Protection Regulation 2016/679 (“GDPR”) and national laws implementing GDPR.

Transfer of Information Outside the EEA

Your personal information will be hosted in the U.S. and will therefore be transferred and stored outside of the European Economic Area (“EEA”). For the purpose of applicable EU laws, such third countries (including the U.S.) may not offer the same level of data protection as your country of residence. Such transfers will be made in accordance with applicable EU data privacy laws. For further information about the safeguards used, please contact spsgzsupport@greenzapato.com.

Your EU Rights

If you are located in the EEA or Switzerland, subject to applicable law, you may have the following rights in relation to personal information that we hold about you. To exercise these rights and controls, please contact spsgzsupport@greenzapato.com.

  • Access: You have the right to ask for a copy of the personal information that we hold about you free of charge; however, we may charge a reasonable fee, if we think that your request is excessive, to help us cover the costs of locating the information you have requested.
  • Correction: You may notify us of changes to your personal information if it is inaccurate or it is necessary to update it.
  • Deletion: If you think that we should not be holding or processing your personal information anymore, you may request that we delete it. Please note that this may not always be possible due to legal obligations.
  • Restrictions on use: You may request that we stop processing your personal information (other than storing it), if: (i) you contest the accuracy of it (until the accuracy is verified); (ii) you believe the processing is against the law; (iii) you believe that we no longer need your data for the purposes for which it was collected, but you still need your data to establish or defend a legal claim; or (iv) you object to the processing, and we are verifying whether our legitimate grounds to process your personal information override your own rights.
  • Object: You have the right to object to processing, including: (i) for direct marketing; (ii) for research or statistical purposes; or (iii) where processing is based on legitimate interests.
  • Withdrawal of consent: If you previously gave us your consent (by a clear affirmative action) to allow us to process your personal information for a particular purpose, but you no longer wish to consent to us doing so, you can contact us to let us know that you withdraw that consent.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

If you believe that we have processed your personal information in violation of applicable law and failed to remedy such violation to your reasonable satisfaction, you may also lodge a complaint with the data protection supervisory authority in your country. You can find details for your relevant EU national data protection authority at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

information is provided to third parties outside the EEA, or who will access the information from outside the EEA, we take steps to ensure that approved safeguards are in place.

Trusted Third Parties

We will only share your personal information with trusted third parties where we have retained them to provide services that you have requested or for our legitimate business purposes, such as IT or professional support services.

The Legal Basis for Processing your Personal Information

SPS/GZ’s website

The SPS/GZ website gathers and processes your personal data only if you actively give it to us. Under the GDPR, the legal basis for processing your personal information is Consent, respectively “legitimate interest”, which can mean you have asked us to provide a service or to contact you using the details you have submitted.

To withdraw your consent, please contact spsgzsupport@greenzapato.com.

Data Provided to SPS/GZ by its customers to fulfill SPS/GZ’s contractual obligation

Under our customer contracts, SPS/GZ gathers and processes customers’ customers’ personal data only if provided to SPS/GZ in order to fulfill its contractual obligations. Under the GDPR, the legal basis for processing your customers’ personal information is contractual obligation.

How Long We Will Hold Your Information

We will retain your personal information only for the time necessary to provide the Services we perform for you, or stated by the purposes outlined in this Privacy Policy. In particular, we will store certain categories of your personal information for the following periods of time:

| Category of Personal Data | Storage Time Period |
| --- | --- |
| Contact details for sales enquiries | Until you unsubscribe |
| Email address for blog | Until you unsubscribe |
| Job applications & CVs Outside EU | Indefinitely |
| Job applications & CVs – EU Citizens | 1 year (or until consent withdrawn, whichever is earlier) |

Complaints from European Individuals

If you are unhappy about our use of your personal information, you can contact us using the contact details below.

You may prefer to, and are entitled to, lodge a complaint with a different supervisory authority in a country of your choice. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

Categories of Personal Information We Collect

Spsgz.com has collected the following types of personal information about consumers in the preceding 12 months:

| Categories | Examples | Collected |
| --- | --- | --- |
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | NO |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | NO |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | NO |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | NO |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |

Sources of Personal Information Collected

SPS/GZ obtains the categories of personal information listed above from the following categories of sources: (a) directly from you, for example, if you contact us via our website; and (b) indirectly from you, for example, via Internet cookies.

Disclosure of personal data

We may disclose personal information to third parties, including independent contractors or subcontractors (such as consultants who are engaged by SPSGZ), agents (recruitment agents) and service providers (such as legal and consultancy providers) who need to process your information in the course of providing services for SPSGZ or on behalf of SPSGZ for the purposes specified in this policy.

SPSGZ also uses service providers that perform business functions on our behalf, such as third-party IT service and software providers, to host, store, and process data. When using these processors, SPSGZ will enter into a data processing agreement to safeguard your privacy, and we will make sure that the information is only transferred where reasonably necessary to enable us to fulfil the purposes set out in this Policy. If our processors are located outside of the EU/EEA, SPSGZ will ensure legal grounds for such international transfers on your behalf, for example by using the EU Model Clauses.

SPSGZ may disclose your personal information: (a) as required or permitted by, or to comply with, applicable law, regulation, court or tribunal processes or other statutory requirements; (b) to respond to requests from or disclosures required by any court, tribunal, authority, regulator or supervisory or governmental body; or (c) to comply with Know Your Customer and anti-money laundering requirements and references, background and other similar checks on or conducted by SPSGZ.

SPSGZ sometimes provides personal information to third parties to perform services on our behalf. If SPSGZ transfers personal information received under the Data Privacy Framework to a third party, except for disclosures to government agencies, the third party’s access, use and disclosure of the personal information must also be in compliance with our Data Privacy Framework obligations and SPSGZ will remain liable under the Data Privacy Framework, unless SPSGZ proves that it is not responsible for the event giving rise to the damage. We may be required to disclose personal information that we handle under the Data Privacy Framework in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Disclosures for a Business or Commercial Purpose

In the preceding 12 months, SPS/GZ has disclosed the following types of personal information to its service providers and affiliates for business purposes: A. Identifiers; D. Commercial information; F. Internet or other similar network activity.

Further Information on Data Protection and Personal Privacy

If you have any enquiries or if you would like to contact us about our processing of your personal information, including to exercise your rights as outlined above, please contact us by one of the methods listed below.

EU-US Data Privacy Framework

Commitment to DPF

SPSGZ complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. SPSGZ has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Alternate Dispute Resolution

In compliance with the EU-U.S. DPF, SPSGZ commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF to Data Privacy Framework Services, operated by International Centre for Dispute Resolution (ICDR), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit here for more information or to file a complaint. The services of Data Privacy Framework Services are provided at no cost to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. For information visit DPF here.

Federal Trade Commission

SPSGZ will cooperate with the United States Federal Trade Commission and any data protection authorities of the EU Member States (“DPAs”) in the investigation and resolution of complaints that cannot be resolved between SPSGZ and the complainant that are brought to a relevant DPA.

Stock Plan Solutions/Green Zapato
444 North Wells, Suite 203
Chicago, IL 60654
(888) 375-3049
spsgzsupport@greenzapato.com
