RevPAR Collective Inc. dba Stash Hotel Rewards  ("RPC", "we" or "us") owns and operates the STASH HOTEL REWARDS® ("Stash" or "SHR") program. This privacy policy ("Policy") explains our policies and practices regarding the Personal Information we collect (1) on the Stash Site, www.stashrewards.com, and (2) in connection with our Members' participation in the Stash program, including the types of information collected and how it is used and shared.  Certain provisions in the Policy are only applicable to Members who reside outside the United States.  Those provisions appear in the section entitled “Terms Applicable to Data from E.U. Member Countries,” as well as in separate paragraphs, each of which will bear the notation “For non-U.S. Residents”.

For non-U.S. Residents:  RPC operates in the United States and uses external service providers that operate both in and outside the United States.  By providing us with your information, including personal information that identifies you, you are agreeing to its transmission, processing and storage in the U.S. Information sent to RPC will be subject to U.S. laws, and may be disclosed to the U.S. (including a State) Government, a Government agency, law enforcement agency, courts or others, in response to a lawful order made under U.S. law.

EU-U.S. Privacy Shield

RevPAR Collective Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  RevPAR Collective Inc. is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles.  To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.

RevPAR Collective Inc. is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf.  RevPAR Collective Inc. complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Framework, RevPAR Collective Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.  In certain situations, RevPAR Collective Inc. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Truste
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

 

Scope

This Policy applies only to Personal Information, i.e. information that could be used to identify you such as your name and contact information, including physical and mailing address, postal code, email address, occupation, employment information, telephone number, and payment information. It does not cover data we collect that cannot be used to identify an individual or to pseudonymous data, nor does it include encoded or anonymized information or aggregated data which we collect or create about a group or category of services, features or users which does not contain personally identifying information.

Collection of Information

Stash Site Visitors

We collect information from visitors to the Stash Site, both Members and non-Members, when they voluntarily provide it to us on the Stash Site. The information we collect may vary based on your use of the Stash Site.  For example, we may request your name, street address, phone number and/or email address when you request information relating to RPC, a "Participating Hotel", the Stash Site or Stash program, or when you respond to one of our online surveys.

If you send us an email from the Stash Site, we may retain your email (including the email address from which it was sent), our response(s), and any follow up communications that you send. This information may be used to assess the extent to which your questions or concerns were addressed and to improve our Stash program and Stash Site.  For more information on our retention policy, please refer to the section on “Data Retention” below.

Technologies such as cookies or similar technologies are used by RPC and our marketing partners, affiliates, and analytics providers. These technologies are used in analyzing trends, administering the site, tracking users’ movements around the site, and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual, as well as, aggregated basis.

We use cookies for authentication, to remember users’ settings, to keep track of user activity during a visit to our site, to conduct usability tests, to improve site performance, and to implement certain features of our site. Users can control the use of cookies at the individual browser level. You are asked to consent to the placement of cookies and, if you do, you can later withdraw your consent by changing your preferences on our Site or through your browser.  If you reject cookies, you may still use our site, but your ability to use some features or areas of our site may be limited.

As is true of most websites, we gather certain information automatically and store it in log files.  This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data.

We may combine this automatically collected log information with other information we collect about you. We do this to improve services we offer you and to improve marketing (where permitted), analytics, and site functionality. The collected information is not used for any other purpose.

We partner with third-party providers to either display advertising on our website or to manage our advertising on other sites. Our third-party providers may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you advertising based upon your browsing activities and interests. The cookies generated from the advertisements do not contain Personal Information and may remain on your hard drive three or more years unless you delete them. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union click here).  Please note this does not opt you out of being served ads; you will continue to receive generic ads.  Where we use third parties to provide advertising, email marketing or similar services, each such third party will have its own opt-out process, which it will manage and control.  You will need to follow those procedures to opt out of the services they provide.

For non-U.S. Residents: For clarity, we may collect personal information about you through the operation of the technologies mentioned above. We may do so to fulfill our obligation to you, in furtherance of our legitimate business interests, or with your consent.  If we rely on consent, we will ask you before we collect the information and, by giving your consent, you are agreeing to the collection and use of your information, including your personal information, for the purposes described above.  You may withdraw your consent at any time by contacting us as provided below.   

Stash Members

We collect certain information from Members when they enroll in the Stash program. Members are required to provide their name, address and email address, and phone number. The email address you provide at the time of enrollment will serve as your Stash Member ID. In addition, you will create a password at the time of enrollment or account activation which you will need to access your Member account ("Account") information and preferences.

We maintain personal profiles for Members containing hotel stay preferences and other information that they voluntarily provide to us. Examples of the types of voluntary information we may seek in the Member profile include (i) preferred amenities and (ii) whether the Member participates in other travel rewards programs. Creating and completing a member profile allows you to make reservations and redeem Stash Points more easily and also allows us and our Participating Hotels to enhance your membership and hotel stay experiences. We may share a Member's preference profile with a Participating Hotel when the Member books a stay at that Participating Hotel through a Stash Site and/or when we otherwise learn of a Member's upcoming stay at a Participating Hotel.

We may also collect non-Personal Information relating to Members, such as aggregated Participating Hotel stay data, responses to surveys and/or promotional offers, communication preferences, travel patterns (e.g., frequency of travel, frequent destinations, etc.) or use of the Stash Site.

Following a Member's check-out from a Participating Hotel, the Participating Hotel will provide us with information relating to the stay, including the Member's email address, check in and check out date, reservation number, room type, rate code and folio amount (total room charges for the Member at the Participating Hotel). This stay information is used to credit the appropriate number of Stash Points (if any) to the Member's Account and may also be used to identify and send targeted promotional offers to the Member. We may also extrapolate certain information from such stay data, such as a Member's frequency of travel and/or frequency of stays in Participating Hotels, and share such information with a Participating Hotel when we learn of a Member's upcoming stay at that Participating Hotel.

For non-U.S. Residents: You may opt-out of receiving promotional offers by contacting us as indicated at the bottom of this Policy.

Children

The Stash Site is intended for users over the age of majority. We do not target or direct the Stash Site towards children under the age of 13, and children under 13 should not provide Personal Information to the Stash Site.

Consent

When you enroll in the Stash Hotel Rewards Program or use the Stash Site you have the opportunity to create a profile.  You don't need to create a profile, but if you do, you must consent to our collection and use of any Personal Information you provide to us, the terms of this Policy, and our Terms.  You can later withdraw your consent, but by creating a profile, you affirmatively consent to our collection and use of the information you provide as described herein.

In addition, when you register on the Stash Site you may be given a choice to receive email messages and/or newsletters about product updates, improvements, special offers, or content.  We use third-party service providers to send our marketing email.  There are no cookies in the email; however, they contain e-tags which permit you to share the email via social sites to which you subscribe. In addition, when you click on a link to the Stash Site included in the email, a persistent cookie is placed on your computer.  This cookie is used to measure the effectiveness of our email marketing efforts, better understand how our users navigate through the Stash Site, and enhance the user experience.  To that end, we collect a variety of information about how you interact with our marketing efforts, including how many times the email is opened and/or clicked, the browser type used, operating system, user email program, etc.  The cookie sent by our service providers will remain on your hard drive for 30 days after the last time you clicked on the coded link in the email or until you delete it.

In addition, the third-party providers that assist with our marketing emails may use pixel tags that help us send the email in a format you can read, to allow us to know which emails you act upon and to better target the content of future emails.  We also use these tags to track the aggregate number of emails read and whether any of the links in the email were accessed.

At any time, you can choose to no longer receive commercial or promotional emails or newsletters from us by using the email address associated with your account to send an email to Member Support with the word “Unsubscribe” in the subject line or by following the opt-out process below. You also will be given the opportunity, in any commercial email that we send to you, to opt out of receiving such messages in the future. It may take up to ten (10) days for us to process an opt-out request. We may send you other types of transactional and relationship email communications, such as service announcements, administrative notices, and surveys, without offering you the opportunity to opt out of receiving them. Please note that changing information in your account or otherwise opting out of receipt of promotional email communications will only affect future activities or communications from us. If we have already provided your information to a third party (such as a credit card processing partner) before you have changed your preferences or updated your information, you may have to change your preferences directly with that third party.

Payment Card Information

The Stash Site will require your credit card information to process purchases and reservations. Credit card data is transferred over a Secured Sockets Layer (SSL) line if you are using an SSL-enabled browser such as Microsoft Internet Explorer, Firefox, Safari or Google Chrome.  We also use SSL on other select pages where you enter Personal Information. This ensures that your Personal Information is encrypted as it travels over the Internet. This secure mode is enabled before any such information is transmitted from your computer. You will know you are in a secure mode when the padlock or key icon in the lower right-hand or left-hand corner of the computer screen appears in the locked position. In addition, when accessing a secure server, the first characters of the site address will change from http to https. After information reaches us, it is stored on a secure server that resides behind firewalls designed to block unauthorized access from outside Stash.

Use of Collected Information

Stash Site Visitors

We will use Personal Information provided by visitors to the Stash Site for the purpose it was provided and as otherwise disclosed at the time the information is provided or otherwise in accordance with this policy.

We may share non-Personal Information, such as aggregate user statistics, demographic information, and Stash Site usage information with third parties.  We may use our third-party service providers and contractors to perform certain services on our behalf, such as processing, storing, maintaining and transmitting data, processing and web analytics, and data analysis. With respect to Stash Site analysis, we may use Google Analytics, or another analytics provider, to record and process information as to how your browser navigates the Stash Site, to identify keywords that drove traffic to the Stash Site, to help us count visitors and to evaluate the Stash Site’s technical capacity. For those analytics providers that use cookies or Web beacons, any opt-out functionality is controlled by them, and subject to their opt-out policies and practices. For information on how Google Analytics collects and processes data, visit the link to the site “How Google uses data when you use our partners' sites or apps”, (http://www.google.com/policies/privacy/partners, or any other URL Google may provide from time to time).

Stash Members

We may use Members' Personal Information to: (a) provide services, such as processing a reservation transaction for a stay at a Participating Hotel, (b) improve our services and better understand your needs and requests, for example by analyzing Member travel and hotel stay activities and patterns, (c) send Members electronic communications from us, including monthly Account balance statements, other notices regarding your Account and Member surveys, (d) send Members offers and other promotional communications, which may include promotions or offers from Participating Hotels, provided that the Member has not opted out of receiving such promotional communications by writing us at the address provided at the bottom of this Policy, or (e) establish and maintain Member accounts and other business records and comply with accounting and legal requirements. We may also use lists of Stash Members and their Personal Information in the ordinary course of business in accordance with applicable law.

Sharing of Personal Information

We will share your Personal Information with third parties, including Participating Hotels, only in the ways that are described in this Policy unless otherwise required by law. If you do not want us to share your Personal Information with these companies, you may delete your membership account via the Delete Account section in the My Account section of the Stash Site.  If you delete your account, you will no longer be able to use certain features of our site or services or accrue or redeem Stash Points.

As noted above, we may share Members' Personal Information with our Participating Hotels. For example, we may share a Member's personal preference profile and point balance with a Participating Hotel when we are aware that the Member has booked a stay at that hotel. We will also match a Member's Stash Member ID against guest stay information provided to us by the Participating Hotels to ensure that Stash Points are credited to the Member's account in connection with Eligible Stays. We will also provide Members' Personal Information to Participating Hotels in connection with hotel transactions they book through the Stash Site. Information that Members directly provide to a Participating Hotel (for example, when booking a stay on their website or at check in or check out) is subject to that Participating Hotel's own privacy practices and policies.

We may also share Members’ Personal Information with third parties who facilitate bookings.  For example, if you book accommodations with a property that is not a Participating Hotel, that booking may be handled by a third party such as Booking.com.  In that case, we share the Members’ Personal Information with Booking.com so that it can complete your booking and provide you booking confirmations and related services.  These third parties have their own privacy practices and policies that you can review at their sites. To review the privacy policy for Booking.com, visit: http://www.booking.com/content/privacy.html.

We may share Members’ Personal Information with Synchrony Financial, our financial services partner, so that Stash may offer Members the opportunity to apply for the co-branded Stash Hotel Rewards® Visa® Card. Specifically, we may share Members’ names, mailing addresses, email addresses, and telephone numbers with Synchrony so that we can identify Members who may be interested in learning about and applying for the Stash Hotel Rewards Visa credit card.  If you do not want this information shared, and do not consent to being contacted by Synchrony Financial, you may delete your membership account via the Delete Account section in the My Account section of the Stash Site.

For non-U.S. Residents: We do not share personal information of non-U.S. Members with Synchrony Financial.

In addition to the above, we may share your Personal Information: (a) with RevPAR subsidiaries and affiliates for purposes consistent with this Privacy Policy; (b) when you consent to disclosure; and (c) as needed to comply with the law or in the good-faith belief that such action is necessary to (i) comply with a legal obligation, including to comply with a judicial proceeding, court order, or legal process served on the Stash Site, (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the personal safety of our users or the public, or (iv) protect against legal liability.

Service Providers

We may use third party service providers to provide specific business support services to us which may involve limited access to your Personal Information. We require these companies to use the information only to provide the contracted services and prohibit them from using the information for any other purpose or transferring the information to another party, except as needed to provide the contracted services. Examples of such services include sending emails, conducting and administering promotions, executing surveys, providing customer service, performing business analysis, and processing payments. When we employ another company to perform a function for us, we only provide them with the information that they need to perform their specific function. We are not responsible for the actions of service providers or other third parties, nor are we responsible for any additional information you provide directly to any third, parties.

For non-U.S. Residents: As mentioned above, our third-party service providers may operate outside of the United States.

We reserve the right to disclose your Personal Information to other parties (a) when the Member or visitor consents to the disclosure, (b) when we believe that it is necessary to protect our rights, protect your safety or the security of our Stash Site or Members, (c) as required by law, or (d) when we believe that it is necessary to comply with a judicial proceeding, court order or legal process served on our Stash Site.

We also may disclose your Personal Information to other third parties in conjunction with entering into an agreement for the sale of our stock or assets or if we are involved in bankruptcy proceedings, including for the purpose of the due diligence required to determine whether a transaction will proceed. The recipient of Personal Information following such actions may have privacy policies that differ from those in this Policy.  You will be notified via email and/or a prominent notice on the Stash Site of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.

Any third parties to whom we may disclose Personal Information may have their own privacy policies that describe how they use and disclose Personal Information. Those policies will govern use, handling, and disclosure of your Personal Information once we have shared it with those third parties as described in this Policy. If you want to learn more about their privacy practices, we encourage you to visit the websites of those third parties. These entities or their servers may be located either inside or outside the United States.

Security and Integrity

We will take reasonable steps to protect the Personal Information we collect from loss, misuse and unauthorized access, disclosure, alteration and destruction. When you enter Personal Information on our registration forms or within your Account, we encrypt that information using SSL. We, and the service providers maintaining or otherwise handling such Personal Information on our behalf, have put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Personal Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. For example, electronically stored Personal Information is stored on a network with firewall protection, and access to our electronic information systems requires user authentication via password or similar means. We also employ access restrictions, limiting the scope of employees who have access to Personal Information.  Nevertheless, any information transmitted over the Internet may be subject to breaches of security and we cannot guarantee the security of information you send to or receive from us. Any electronic transmissions that you submit or accept are at your own risk. If you have any questions about security on our Stash Site, you can email us at security@stashrewards.com.

Links

For your convenience, we may provide links from the Stash Site to other websites, including those of our Participating Hotels. The privacy policies on these third-party websites may be different from this Policy and we are not responsible for the information collection practices or the content of the third party sites to which we link, including any Participating Hotel sites. You access such linked sites at your own risk and should read the privacy policy of any linked site before sharing your Personal Information on such site.

Social Media Features

The Stash Site includes Social Media Features, such as the Facebook Like button and Widgets, such as the Share this button or interactive mini-programs that run on our site. These Social Media Features and Widgets may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on the Stash Site. In both cases, your interactions with these Social Media Features and Widgets are governed by the privacy policy of the company providing them.

For non-U.S. Residents: It is your responsibility to read the policies applicable to any Social Media Features prior to using them.  Their inclusion on the Stash Site is not an endorsement of any Social Media Features.

Blog

The Stash Site offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, used, and disclosed by others who access them. By contributing to a blog or community forum, you are consenting to such collection, use and disclosure. To request removal of your Personal Information from our blog or community forum, contact us at member support.  In some cases, we may not be able to remove your Personal Information, in which case we will let you know if we are unable to do so and why.  Alternatively, if you used a third party application to post such information, you will need to remove it, either by logging into the application and removing the information, where permitted, or by contacting the appropriate third-party application.

Testimonial

We display personal testimonials of satisfied customers on our site in addition to other endorsements.  With your consent we may post your testimonial along with your name.  If you wish to update or delete your testimonial, you can contact us at member support.

For non-U.S. Residents: Your consent to our posting your testimonial and name must be express.  Please contact us at member support if you would like to share a testimonial about our program.

Choice

Members have the choice not to complete and submit a personal profile to us and/or to opt out of receiving promotional electronic communications from us. Members can opt out of promotional electronic communications by following the directions contained in such communications or by changing their communications preferences at the My Account portion of the Stash Site here. Members will need their Stash Member ID and password to access this portion of the Stash Site.

International Visitors

The Stash Site is hosted in the United States. If you choose to use the Stash Site from the E.U. or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your Personal Information outside of those regions to the United States for storage and processing. The United States does not have the same data protection laws as the E.U., Canada, and some other regions.  Also, the Stash Site may transfer your data from the U.S. to other countries or regions in connection with storage and processing of data, fulfilling your requests, and operating the Stash service. By providing any information, including Personal Information, to RevPAR Collective, you consent to such transfer, storage, and processing.

Your California Privacy Rights

Effective January 1, 2005, under California Civil Code Section 1798.83, if an individual who is a California resident has provided Personal Information to a business in connection with a business relationship that is primarily for personal, family, or household purposes, and if that business has within the immediately preceding calendar year disclosed such an individual’s Personal Information to a third party and knows or should have known that such third party used the information for its own direct marketing purposes, then that business is obligated to disclose in writing to such individual upon request, what Personal Information was shared and with whom it was shared.

Any request for a disclosure required under this California law should be sent to us via email at security@stashrewards.com or via regular mail at:

RevPAR Collective Inc, dba Stash Hotel Rewards 

ATTN: Legal Department

2225 E. Bayshore Road, Suite 200

Palo Alto, CA 94303

Please note that under this law, we are not required to respond to your request more than once in a calendar year, nor are we required to respond to any request that is not sent to the email or mailing address designated above.

Do Not Track

Section 22575 of the California Business & Professions Code requires website and online service operators to disclose whether they honor web browser “Do Not Track” settings.  RPC supports and honors “Do Not Track” web browser settings.  If you enable Do Not Track settings in the browser you are using, RPC will not collect, store, or use Personal Information about websites you visit using that browser other than the Stash Site.  Other parties, however, may not honor Do Not Track signals.  These parties may collect Personal Information about your online activities over time and across different websites when you visit the Stash Site, for example by using cookies on the Stash Site.  We have no access to or control over other parties’ Personal Information collection practices, even those with which RPC may have an affiliation.  You should carefully review the privacy policy and terms of any website you visit.  For more information about Do Not Track, please visit www.allaboutdnt.org.

Changes to this Policy

We may modify this Policy from time to time. If we decide to change our privacy policy we will notify you of any material changes by email or by means of a notice on the home page of the Stash Site, prior to the changes becoming effective so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. The date on which the Policy was last amended is provided at the bottom of the Policy for your ease of reference in determining whether it has been amended since the last time you visited.

Assignment

If there is a change of ownership or control in RevPAR Collective’s business (whether by merger, sale, or otherwise) or if there is an asset sale, then visitor information, including your Personal Information, could be disclosed as part of such a process and / or sold as part of that transaction and your Personal Information potentially could be used by the purchaser. However, if that business materially changes this Policy or the information-handling practices as described in this Policy, you will be notified by email and/or through a notice posted on the Stash Site, and you may opt-out of the use of your existing information in a new manner. This Policy inures to the benefit of any successors or assigns of RevPAR Collective or the assets of RevPAR Collective.

Other Terms and Conditions

Your access to and use of the Stash Site and services are also subject to our Terms.

Contact Us

If you have any questions about this Policy or our privacy practices, or if you want to review, correct, delete inaccuracies or change Personal Information about you, you may do so by making the change within the My Account section of the Stash Site or by contacting us via member support or at the following address: RevPAR Collective, Inc. dba Stash Hotel Rewards, 2225 E. Bayshore Road, Suite 200, Palo Alto, CA 94303. We will respond to your request as soon as we are able, or in relation to a request for access to or the correction of your Personal Information with us, within 30 days.

Upon request, RPC will provide you with information about whether we hold, or process on behalf of a third party, any of your Personal Information.  To request this information please contact us via member support.

Please note that in an effort to prevent the unauthorized disclosure of Personal Information, you may be required to provide proof of identity in order to access your Personal Information. If, upon review, you wish to deactivate your Member profile or update your Personal Information, you may do so by making the change on your My Account page or by emailing member support.  In some instances, however, information that you request to be removed may be retained in certain files for a period of time in order to troubleshoot problems. In addition, some types of information may be stored indefinitely on backup systems or within log files due to technical constraints or financial or legal requirements. Therefore, you should not always expect that all of your Personal Information will be completely removed from our databases in response to your request.

Data Retention

We will retain your information for as long as your account is active or as needed to provide you services. If you wish that we no longer use your information to provide you services, contact us at security@stashrewards.com. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Terms Applicable to Data from E.U. Member Countries

If we collect Personal Information from E.U. residents in a manner subject to the General Data Protection Regulation then, in addition to the above, the following terms shall also apply to our collection, use and retention of that information:

Compliance with Privacy Shield Principles: When handling information from residents of the E.U. member countries, we strive to comply with the E.U.-U.S. Privacy Shield Framework principles (Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability) regarding the collection, use and retention of Personal Information from European Union member countries.  However, our compliance with these principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements or (b) by statute, governmental regulation, or case law.  If there is a conflict between the policies set forth below and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.

Basis for Collection:  As set out above, we collect and process Personal Information for which you have given your express consent at the time of collection.  For example, we collect Personal Information when you elect to participate in one of our promotions.  We also collect and process Personal Information to improve our services, to deliver services and perform obligations under contracts we have with you, and to comply with our own legal obligations.

Sensitive Data:  We do not collect sensitive data, for example biometric data, health data, or data revealing racial or ethnic origin, from visitors to the Stash Site.

Onward Transfer:  Except as otherwise provided in this Privacy Policy, we only disclose Personal Information to third parties who reasonably need to have access to it for the purpose of the transaction or activity for which it was originally collected or to provide services to or perform tasks or our behalf or under our instruction. All such third parties must agree to use such the Personal Information we provide to them only the purposes for which we have engaged them and they must either: (a) comply with the E.U.-U.S. Privacy Shield Principles or another mechanism permitted by the applicable E.U. & Swiss data protection law(s) for transfers and processing of Personal Information or (b) agree to provide adequate protections for the Personal Information that are no less protective than those set out in this Privacy Policy.  Where we have knowledge that an entity to whom we have provided Personal Information is using or disclosing Personal Information in a manner contrary to this Privacy Policy, we will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure.

Authorized Transfer:  We also may disclose Personal Information for other purposes or to other third parties when you have consented to or requested such disclosure. Please be aware that we will disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We are not liable for appropriate onward transfers of personal data to third parties.

Data Processors:  We may retain third parties to process or analyze personal Information we collect from the Stash Site.  For example, the Stash Site may be maintained or hosted by a third party service provider, a promotion may be administered by a sales promotion agency, and/or products may be fulfilled by a wholesaler.  These suppliers and other third parties that provide services for us are contractually obligated not to use Personal Information about you except as we authorize.   

Profiling:  We may analyze Personal Information we have collected about you to create a profile of your interests and preferences so that we can contact you with information that is relevant to you.  We may make use of additional information about you when it is available from external sources to help us do this effectively.  We may also use Personal Information about you to detect and reduce fraud and credit risk. 

Your Rights:  Your rights include: (a) the right to withdraw your consent to the processing of Personal Information about you to which you have previously given consent; (b) the right to object to processing of Personal Information about you for the purpose of direct marketing and other purposes based on our legitimate interest; (c) the right to request information about the Personal Information we collect, how we process it and with whom we share it; (d) the right, in some cases, to require erasure of the Personal Data about you stored with us; and (e) the right to have incorrect Personal Information about you corrected or removed. If you wish to exercise any of these rights, contact us at member support.

If you request to have incorrect Personal Information removed, we may retain some of your Personal Information as necessary for the purposes of our legitimate business interests or in furtherance of public interests in accordance with the Privacy Shield Principles.  Any Personal Information you have shared publicly with others may continue to be publicly visible on the Stash Site.

You also have the right to obtain a copy of the Personal Information we have about you, although we reserve the right to charge a fee for this depending on the nature and frequency of your request(s) and our cost to provide the information.   

Questions and Complaints:  If you have questions or complaints regarding this Policy or our handing of your Personal Information, please contact security@stashrewards.com.  We will promptly investigate and attempt to resolve complaints and disputes in a manner that complies with the principles described in this Privacy Policy. 

Enforcement and Disputes:  In compliance with the E.U.-U.S. Privacy Shield, we commit to resolve complaints about your privacy and our collection or use of your Personal Information.  If you do not receive timely acknowledgement of your request or have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. 

In addition to the above, you may complain to your home data protection authority and can invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  Contact details for the E.U. data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

The Federal Trade Commission has jurisdiction over our compliance with this Privacy Policy and the E.U.-U.S. Privacy Shield Framework. As a last resort, privacy complaints that remain unresolved after pursuing these and other channels may be subject to binding arbitration before the Privacy Shield Panel to be created jointly by the U.S. Department of Commerce and the European Commission.

Effective July 9, 2018