BoardEffect Privacy Policy

1. The personal information we use
   • 1.1 Information we collect directly from you
   • 1.2 Information we collect from other sources
   • 1.3 Other information we use about you
   • 1.4 Special categories of personal data
2. How we use your personal information and the basis on which we use it
3. Your rights over your personal information
4. Information Sharing
5. Information Security and Storage
6. International Data Transfer
7. EU-U.S. Privacy Shield
8. Links to Other Sites
9. Contact Us
10. Changes to the Policy

This Privacy Policy applies to our websites and online board management and corporate governance services, including:

• Diligent Boards - diligent.com
• BoardDocs® - boarddocs.com
• BoardEffect - boardeffect.com
• BoardPad - boardpad.com
• Blueprint OneWorld - blueprintoneworld.com

(together, the "Services" and the "websites", respectively). The websites and the Services are owned and operated by Diligent Corporation and its group companies as listed here (collectively, "We", "Us", or "Our"). This Privacy Policy describes how we collect, use, share and secure the personal information you provide via the websites or the Services. It also describes your choices regarding use, access and correction of your personal information. Personal information is information, or a combination of different types of information, that could reasonably allow you to be identified. For the avoidance of doubt, this Privacy Policy does not supersede or replace any additional or supplementary requirements that may be present in our customer contracts.

1. Personal information we use

You can generally visit our websites without actively entering any personal information about yourself. However, in certain areas of this site, we may ask you to contact us with questions or comments, or request more information about our services. In these cases, we will collect personal information from you directly as described below. We may be required to collect certain personal information about you either by law or as a consequence of any contractual relationship we have with you. Failure to provide this information may prevent or delay the fulfillment of these obligations.  We will inform you at the time your information is collected whether certain data is compulsory and the consequences of the failure to provide such data.

1.1 Information we collect directly from you
The categories of information that we collect directly from you are:

• Personal details (e.g. name, title, employer or organization)
• Contact details (e.g. phone number, email address, postal address or phone number)
• Additional information about your organization (e.g. annual operating budget, number of board members, number of committee members)
• Demographic information (e.g. age, education status, etc.)
• Information we collect automatically from you, including data collected using cookies and other device identifying technologies ('Cookies and Tracking Technologies'). Further information about our use of Cookies and Tracking Technologies is available in our Cookies Policy.
• Other information provided in use of the Services.

1.2 Information we collect from other sources:
We collect information about you from your employer or organization or our business partners. The categories of information we collect from other sources include:

• Personal details (e.g. name, title, employer or organization)
• Contact details (e.g. phone number, email address, postal address or phone number)
• Additional information about your organization (e.g. annual operating budget, number of board members, number of committee members)
• Demographic information (e.g. age, education status, etc.)

1.3 Other information we use about you
We may also collect information in the course of your on-going relationship with our Services and this website.  The categories of information we collect in this context include:

• Account information (such as user ID, contact details or answers to security questions); and
• Information about your usage of our Services or the websites (such as support requests or information provided to us to resolve such support requests).

1.4 Special categories of personal data
Some of the categories of information that we process solely as a processor in connection with provision of our Services may constitute special categories of personal data (also known as sensitive personal information). In particular, we may process personal data revealing racial or ethnic origin, religious or philosophical beliefs, or trade union membership, or data concerning health if such information is uploaded to our Services. We will not process such information for any other purpose other than as a provider of the Services in accordance with the terms of use for the Service.  

2. How we use your personal information and the basis on which we use it

We use your personal information to:

• Identify and authenticate you: We use your identification information to verify your identity when you access and use our services and to ensure the security of your personal information. We do this to comply with our contractual obligations to you or your organization.
• Provide you with services: We process your personal information to provide the services you or your organization have requested. We do this to comply with our contractual obligations to you or your organization.
• Improve our services: We analyze information about how you use our services to provide an improved experience for our customers of all our services, including product testing and site analytics. It is in our legitimate interest to use the information provided to us for this purpose, so we can understand any issues with our services and improve them.
• Communicate with you: We may use your personal information when we communicate with you, for example if we are providing information about changes to the terms and conditions or if you contact us with questions. It is in our legitimate interest to provide you with appropriate responses and provide you with notices about our services.
• Market our services: We may use your personal information to build a profile about you and place you into particular marketing segments in order to understand your preferences better and to appropriately personalize the marketing messages we send to you. It is in our legitimate interest to provide more relevant and interesting advertising messages. Where necessary, we will obtain your consent before sending such marketing messages.
• Exercise our rights: We may use your personal information to exercise our legal rights where it is necessary to do so, for example to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law or our applicable contract terms and conditions.
• Comply with our obligations: We may process your personal information to, for example, carry out fraud prevention checks or comply with other legal or regulatory requirements, where this is explicitly required by law.
• Customize your experience: When you use the services, we may use your personal information to improve your experience of the services, such as by providing interactive or personalized elements on the services and providing you with content based on your interests.

We may obtain your consent to collect and use certain types of personal information when we are required to do so by law (for example, in relation to our direct marketing activities, Cookies and Tracking Technologies or when we process sensitive personal information). If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this Privacy Policy. Customer Testimonials We may post customer testimonials on our websites which might contain personal information. We obtain the customer’s consent via email prior to posting the testimonial to post their name, title, and organization name along with their testimonial.  If you wish to update or delete your testimonial, you can contact us at marketing@diligent.com.  

3. Your rights over your personal information

You have certain rights regarding your personal information, subject to local law. These include the following rights to:

• access your personal information
• rectify the information we hold about you
• erase your personal information
• restrict our use of your personal information
• object to our use of your personal information
• receive your personal information in a usable electronic format and transmit it to a third party (right to data portability)
• lodge a complaint with your local data protection authority.

If you would like to discuss or exercise these rights, please contact us at the details below. We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate. We will contact you if we need additional information from you in order to honor your requests.  

4. Information Sharing

We may share your personal information with third parties under the following circumstances:

• Service providers and business partners. We may share your personal information with our service providers and business partners that perform marketing services and other business operations for us. For example, we may partner with other companies to ship your order or offer customer service. These companies are authorized to use your personal information only as necessary to provide these services to us.
• Diligent group companies. Diligent Corporation works closely with other businesses and companies that fall under within the Diligent group of companies. We may share certain information about your personal details and contact information, cookie information, service usage information, or use of our website) with other Diligent group companies for provision of customer support services pursuant to a contract, marketing purposes, internal reporting and customer insights and service optimization. A list of companies within the Diligent group with which your personal information may be shared can be found here.
• Law enforcement agency, court, regulator, government authority or other third party. We may share your personal information with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party. Where permitted by law or regulation and reasonably practicable, we will attempt to notify you of such requirements.
• The company or organization that has made you an authorized user of the services.
• Asset purchasers. We may share your personal information with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal information uses it in a manner that is consistent with this Privacy Policy. You will be notified via email and/or a prominent notice on our websites of any change in ownership or uses of your personal information.

Because we operate as part of a global business, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we provide the services). See the section on "International Data Transfer" below for more information.  

5. Information Security and Storage

We implement technical and organizational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the ongoing integrity and confidentiality of personal information. We evaluate these measures on a regular basis to ensure the security of the processing. We will keep your personal information for as long as we have a relationship with you. Once our relationship with you has come to an end, we will retain your personal information for a period of time that enables us to:

• Maintain business records for analysis and/or audit purposes
• Comply with record retention requirements under the law
• Defend or bring any existing or potential legal claims
• Deal with any complaints regarding the services
• Enforce our commercial agreements.

We will delete your personal information when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the data.  

6. International Data Transfer

Your personal information may be transferred to, stored and processed in various countries, including those that are not regarded as ensuring an adequate level of protection for personal information under European Union law or by the European Commission. We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details below.  

7. EU–U.S. Privacy Shield

Diligent Corporation (“Diligent”) and BoardEffect LLC (“BoardEffect”) participate in and have certified their compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Diligent and BoardEffect are committed to subjecting all personal data received from European Union (EU) Member States and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework and to view our certification, visit the US Department of Commerce’s Privacy Shield List: https://www.privacyshield.gov/list. Diligent and BoardEffect are responsible for the processing of personal data they receive, under each Privacy Shield Framework, and subsequently transfer to a third party acting as an agent on their behalf. Diligent and Board Effect comply with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions. With respect to personal data received or transferred under the Privacy Shield Frameworks, Diligent and BoardEffect are subject to the regulatory enforcement powers of the US Federal Trade Commission. In certain situations, Diligent and BoardEffect may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. If you have an unresolved privacy or data use concern that we have not addressed to your satisfaction, please contact our US-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, described in more detail on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.  

8. Links to Other Sites

Our site includes links to other websites whose privacy practices may differ from our practices. If you submit personally identifiable information to any of those sites, your information is governed by their privacy policies. We are not responsible for the privacy practices or the content of any sites to which our sites provide links. We encourage you to carefully read the privacy statement of any website you visit. Social Media Widgets Our websites includes Social Media Features, such as the Facebook Like button, and Widgets, such as the Share this button or interactive mini-programs that run on our websites (the "Features"). These Features may collect your Internet protocol address, which page you are visiting on our website, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our website. Your interactions with these Features are governed by the privacy statement of the company providing it.  

9. Contact Us

Diligent Corporation and, with respect to individual service specific inquiries or relationships, the relevant group companies available here, are the controllers responsible for the personal information we collect and process. Our European Union representative is Diligent Boardbooks Limited, whose registered office is located at 1 Strand, Grand Buildings, First Floor, London, WC2N 5HR United Kingdom. Our Data Protection Officer can be contacted at: privacy@diligent.com. If you have questions or concerns regarding the way in which your personal information has been used, please contact privacy@diligent.com. If you have inquiries related a data subject access requests, please contact subjectdatarequest@diligent.com. We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the data protection authority.  

10. Changes to the Policy

You may request a copy of this Privacy Policy from us using the contact details set out above. We may modify or update this Privacy Policy from time to time. If we change this Privacy Policy, we will notify you of the changes. Where changes to this Privacy Policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights (e.g. to object to the processing).   Last Updated: The 25^th Day of May, 2018