LAST UPDATED: AUGUST 2022

We know that you care about your personal data and how it is used, and we want you to trust that Surgically Clean Air uses your personal data carefully. This Privacy Notice will help you understand what personal data we collect, why we collect it, what we do with it, and what choices you have. In using our services, making a purchase or by otherwise choosing to submit your personal data, you consent to all of the terms of this Privacy Notice. If you do not agree with any terms of this Privacy Notice, please do not use our services, or submit any personal information to Surgically Clean Air.

As you read our Notice, please keep in mind that it applies to Surgically Clean Air as defined below.

Please take a moment to familiarise yourself with our privacy practices and let us know if you have any questions by sending us an email or submitting a request through the contact form.

We have tried to keep this Notice as simple as possible, but if you’re not familiar with terms, such as cookies, IP addresses, and browsers, then please read about these key terms first.

You have the right to object to certain uses of your personal data including the use of your personal data for direct marketing.

Privacy Policy Summary:

1. What Personal Information do we collect?
2. What we do with the Personal Information we collect?
3. When we Disclose Personal Information.
4. Your choices.

Who is collecting it?

This Privacy Notice applies to personal data collected by Surgically Clean Air in connection with the services and products we offer.

Any personal data provided to or collected by Surgically Clean Air is controlled by Surgically Clean Air, 1A-6300 Viscount Road, Toronto, Ontario, Canada L4V 1H3 (the data controller).

This Privacy Notice applies to personal data collected by Surgically Clean Air in connection with the services and products we offer. References to “Surgically Clean Air ” in this Notice means Surgically Clean Air and any company directly or indirectly owned and/or controlled by them that you are interacting with or have a business relationship with.

This Privacy Notice also applies to Surgically Clean Air’s marketing content, including offers and advertisements for Surgically Clean Air products and services, which we (or a service provider acting on our behalf) send to you on third-party websites, platforms and applications based on your site usage information. These third-party websites generally have their own Privacy Notice and Terms and Conditions. We encourage you to read them before using those websites.

What personal data is being collected?

Personal data means any information that can be used to identify directly or indirectly a specific individual and may include your contact information (i.e. name, address, telephone number, email address, etc.), professional or social media information, commercial information, and inferences and preferences related to your behaviour. This definition includes personal data collected offline through our Consumer Engagement Centres, direct marketing campaigns, sweepstakes and competitions and online through our websites, applications and branded pages on third-party platforms and applications accessed or used through third-party platforms.

You are not required to provide Surgically Clean Air the personal data that we request, but if you choose not to do so, we may not be able to provide you with our products or services, or with a high quality of service or respond to any queries you may have.

We may collect personal data from a variety of sources. This includes:

• Personal data you give us directly,
• Personal data we collect automatically, and
• Personal data we collect from other sources.

We collect, process and disclose your personal data only for specific and limited purposes. For example, to process your payments, to assess and handle any complaints, to develop and improve our products, services, communication methods and the functionality of our websites, to provide personalised products, communications and targeted advertising as well as product recommendations to you.

We also create profiles by analysing the information about your online surfing, searching and buying behaviour on our sites and your interactions with our brand communications by building segments (creating groups that have certain common characteristics) and by placing your personal data in one or more segments.

We collect, process and disclose your personal data for the following purposes:

• To process your payments, if you purchase our products, to provide you with your order status, deal with your enquiries and requests, and assess and handle any complaints;
• To process and answer your inquiries or to contact you to answer your questions and/or requests;
• To develop and improve our products, services, communication methods and the functionality of our websites;
• For the purposes of competitions or promotions that you have entered;
• To communicate information to you and to manage your registration and/or subscription to our newsletter or other communications;
• To manage our everyday business needs regarding your participation in our contests, sweepstakes or promotional activities or request;
• To authenticate the identity of individuals contacting us by telephone, electronic means or otherwise;
• For internal training and quality assurance purposes;
• To understand and assess the interests, wants, and changing needs of consumers, to improve our website, our current products and services, and/or developing new products and services; and
• To provide personalised products, communications and targeted advertising as well as product recommendations to you.

When we collect and use your personal data for purposes mentioned above or for other purposes, we will inform you before or at the time of collection.

Where appropriate or required under applicable law, we will ask for your consent to process the personal data. Where you have given consent for processing activities, you have the right to withdraw your consent at any time.

In some cases and to the fullest extent permitted by applicable law, we rely on legitimate interest for processing your personal data. A legitimate interest could exist for example, when you sign up for a loyalty plan with one of our brands and we use the personal data collected to conduct data analytics to improve our products or services. This ground will only be used where it is necessary to achieve a legitimate interest, for example to assist in the performance of a contract, or to optimise a service, and does not outweigh your rights as an individual. This legal basis will only be relied upon where there is no less intrusive way to process your personal data. We can assure you that if legitimate interest is used as a ground for processing your personal data, we will keep a record of this and you have the right to ask for this information.

Profiling

Surgically Clean Air uses your personal data to build profiles. We create profiles by analysing the information about your online surfing, searching and buying behaviour on our sites and your interactions with our brand communications by building segments (creating groups that have certain common characteristics) and by placing your personal data in one or more segments. These segments are used by Surgically Clean Air  to personalise the website and our communications to you (such as showing relevant content to you when you visit our site or in a newsletter to you), and to display relevant offers and advertisements from the Surgically Clean Air brand on the Surgically Clean Air site, and via third-party websites. The segments can also be used for third-party campaigns on the Surgically Clean Air site. Surgically Clean Air profiles your data where you have provided consent for us to do so; for example, accepting the setting of cookies on your browser online or signing up for email newsletters from one of our brands.

You can withdraw your consent to prevent your personal data being used this way at any time using the manage cookies section of our Cookie Notice or unsubscribing to the use of your email address if you have logged into one of our websites or signed up to any marketing newsletters.

By way of example –

• Surgically Clean Air collects data, with your consent, from:
  – Our websites about what you view and the way you interact with our content;
  – Our digital display advertising that we serve to you on social platforms and other publisher’s websites; and
  – Forms you fill in online and send to us about what your interests are.
• We also track the products you buy when you click on one of our display adverts and go on to purchase something from a selection of our retail partners.
• If you have asked to receive emails or SMS communications from us, we track whether you open, read or click on the content to see what you are interested in so that we can give you more content that we think you are more likely to enjoy.
• We use this data to profile your likes and dislikes. For instance, if we see that you are regularly viewing air filters on our website, and you have opted in to receiving emails from us, we might give you an update on the new air filters that have just hit the site for your interest, or we may tailor our web content when you visit towards things we think you’ll be most interested in.
• Based on this profile information, we may also give you advertising that we think you will like and want to see as you view content from us or from our network of publishers that we advertise with. Sometimes, with your consent, we may use your current location to serve advertising to you that is to do with promotions or events that are happening nearby that we think you might be interested in.
• We may also use information you have provided to selected third-parties and consented to be shared, like your age, gender, life stage, lifestyle and wider interests to identify people who we think will have similar interests to you and who we believe will be interested in similar advertising.

Who will it be shared with?

As a global business, Surgically Clean Air shares your personal data internally and with selected third-parties. For example, we share your personal data with third-party service providers, other third-parties, as well as in case of business transfers or legal disclosure.

As a global business, Surgically Clean Air shares your personal data internally and with selected third-parties in the following circumstances:

• Third-party service providers. In order to carry out your requests, respond to your inquiries, fulfil your orders, honour coupons, provide you with samples, enable you to participate in sweepstakes or make various other features, services and materials available to you through our websites, or otherwise process your personal data as described in this Privacy Notice, we share your personal data with third-party service providers that perform functions on our behalf, such as companies that: host or operate Surgically Clean Air’s websites, process payments, analyse data, provide customer service, postal or delivery services, and sponsors or other third-parties that participate in or administer our promotions. They have access to personal data needed to perform their functions but may not use it for other purposes. Further, they must process this personal data in accordance with this Privacy Notice and as permitted by applicable data protection laws and regulations.
• Business transfers. Your personal data will be used by us or shared with the joint data controllers for internal reasons, primarily for business and operational purposes. As we continue to develop our business, we may sell or purchase assets, subsidiaries or business units. In such transactions, your personal data generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, you consent otherwise). If another entity acquires us, our businesses or substantially all or part of our assets, or assets related to Surgically Clean Air’s website, your personal data will be disclosed to such entity as part of the due diligence process and will be transferred to such entity as one of the transferred assets. Also, if any bankruptcy or reorganization proceeding is brought by or against us, all such personal data will be considered an asset of ours and as such it is possible they will be sold or transferred to third-parties.
• Legal disclosure. We may transfer and disclose your personal data to third-parties:
  – To comply with a legal obligation;
  – When we believe in good faith that an applicable law requires it;
  – At the request of governmental authorities conducting an investigation;
  – To verify or enforce our “Terms of Use” or other applicable policies or agreements;
  – To detect and protect against fraud, or any technical or security vulnerabilities;
  – To respond to an emergency; or otherwise
  – To protect the rights, property, safety, or security of third-parties, visitors to Surgically Clean Air’s website, Surgically Clean Air or the public.

International data transfers

Surgically Clean Air shares personal data internally or with third-parties for purposes described in this Privacy Notice.

Surgically Clean Air will only send personal data collected within the European Economic Area (EEA) to foreign countries in circumstances such as:

• To follow your instructions;
• To comply with a legal duty; or
• To work with our agents and advisers who we use to help run our business and services.

If we do transfer personal data to outside of the EEA, Surgically Clean Air will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of the following safeguards:

• Transfer to a non-EEA Country whose privacy legislation ensures an adequate level of protection of personal data to the EEA one or other applicable privacy legislation;
• Put in place a contract with the foreign third-party that means they must protect personal data to the same standards as the EEA or other applicable privacy legislation; or
• Transfer personal data to organisations that are part of specific agreements on cross-border data transfers with the European Union (e.g., Privacy Shield, a framework that sets privacy standards for data sent between the United States, Canada, and the European countries).

How do we protect your personal data?

Surgically Clean Air takes the security of your personal data very seriously. We make efforts to protect your personal data from misuse, interference, loss, unauthorised access, modification or disclosure.

Our measures include implementing access controls, investing in Information Security Capabilities to protect the IT environments we leverage, and ensuring we encrypt, pseudonymise and anonymise personal data where we deem it appropriate based on the nature of the information.

We have technical, organizational, and physical safeguards in place to help protect your personal data. However, no method of storage or transmission is 100% secure, and is subject to possible loss, interception or alteration while in transit. We do not assume any liability for any damage you may experience or costs you may incur as a result of any electronic transmissions over the internet or other networks.

Access to your personal data is only permitted among our employees and agents on a need-to-know basis or for such other purposes as may be permitted or required by the applicable law, and subject to strict contractual confidentiality obligations when processed by third-parties.

By using our services and providing us with personal data, you acknowledge and agree that your personal data may be stored and processed in [Canada, USA, or UK], and in any other country where we or our affiliates, subsidiaries, or third-party service providers maintain facilities or personnel. When you provide personal data to us, we may process and transfer your data within the EEA and around the world. The privacy protections and legal requirements, including the rights of authorities to access your personal information, in some of these countries may not be equivalent to those in your country. As a result, this information may be subject to access requests from governments, courts, law enforcement or national security authorities in those jurisdictions according to laws in those jurisdictions. If you do not agree to the transfer of your personal data outside of your jurisdiction of residence, please do not provide us with personal data. Personal Data we collect is managed from our offices at Toronto, Ontario, Canada.

How long do we keep your personal data for?

We will keep your personal data for as long as we need it for the purpose it is being processed for. For example, where you make a purchase online with us, we will keep the data related to your purchase, so we can perform the specific contract you have entered and after that, we will keep the personal data for a period which enables us to handle or respond to any complaints, queries or concerns relating to the purchase.

Your data may also be retained so that we can continue to improve your experience with us and to ensure that you receive any loyalty rewards which are due to you.

We retain the identifiable data we collect directly for targeting purposes for as little time as possible, after which we employ measures to permanently delete it.

We will actively review the personal data we hold and delete it securely, or in some cases anonymise it, when there is no longer a legal, business or consumer need for it to be retained.

What are your rights?

You have rights in relation to your personal data and how it is processed. You can exercise these rights at any point. We have provided an overview of these rights below together with what this entails for you. You can exercise your rights by sending an email or submitting a request through the contact us form.

• The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights. Therefore, we’re providing you with the information in this Notice.
• The right to access and rectification. You have the right to access, correct or update your personal data at any time. We understand the importance of this and should you want to exercise your rights, please contact us. We will use reasonable efforts to comply with your access or correction request; however, in some cases we may not be able to allow you to access certain personal information in certain circumstances, for example if it contains personal information of other persons, or for legal reasons. In such cases, we will provide you with a reasonable explanation of why it is not possible to grant access to your personal information. To protect against fraudulent access to your information, we may require you to verify your identity when you request access to your personal data.
• The right to data portability. The personal data you have provided us with is portable. This means it can be moved, copied or transmitted electronically under certain circumstances.
• The right to be forgotten. Under certain circumstances, you have right to request that we delete your data. If you wish to delete the personal data we hold about you, please let us know and we will take reasonable steps to respond to your request in accordance with legal requirements. If the personal data we collect is no longer needed for any purposes and we are not required by law to retain it, we will do what we can to delete, destroy or permanently de-identify it.
• The right to restrict processing. Under certain circumstances, you have the right to restrict the processing of your personal data.
• The right to object. Under certain circumstances, you have the right to object or unsubscribe to certain types of processing, including processing for direct marketing (i.e., receiving emails from us notifying you or being contacted with varying potential opportunities).
• The right to lodge a complaint with a Supervisory Authority. You have the right to lodge a complaint directly with any local Supervisory Authority about how we process your personal data.
• The right to withdraw consent. If you have given your consent to anything we do with your personal data (i.e., we rely on consent as a legal basis for processing your personal data), you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). You can withdraw your consent to the processing of your personal data at any time by contacting us with the details provided below.
• Rights related to automated decision-making. You have the right not to be subject to a decision which is based solely on automated processing and which produces legal or other significant effects on you. In particular, you have the right:
  – to obtain human intervention;
  – to express your point of view;
  – to obtain an explanation of the decision reached after an assessment; and
  – to challenge such a decision.

Further information and advice about your rights can be obtained from the data protection Regulator in your Country.

How do you contact Surgically Clean Air ?

If you have any questions or concerns about Surgically Clean Air’s Privacy Notice or data processing or if you would like to make a complaint about a possible breach of local privacy laws, please do so by sending an email to inquiries@surgicallycleanair.com or submitting a request through the contact us form.

When a privacy question or access request is received we have a dedicated team which triages the contacts and seeks to address the specific concern or query which you are seeking to raise. Where your issue may be more substantive in nature, more information may be sought from you. All such substantive contacts receive a response. If you are unsatisfied with the reply received, you may refer your complaint to the relevant Supervisory Authority in your Country. If you ask us, we will endeavour to provide you with information about relevant complaint avenues which may be applicable to your circumstances.

How do we keep this notice up to date?

We will update this Privacy Notice when necessary to reflect customer feedback and changes in our products and services. When we post changes to this statement, we will revise the “last updated” date at the top of this Notice. If the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Notice changes). We will also keep prior versions of this Privacy Notice in an archive for your review. You should consult this Privacy Notice regularly for any changes.

We will not reduce your rights under this Privacy Notice without your consent.

Additional Privacy Terms or Notices

In addition to this Privacy Notice, there may be specific campaigns or promotions which will be governed by additional privacy terms or notices. We encourage you to read these additional terms or notices before participating in any such campaigns or promotions as you will be required to comply with them if you participate. Any additional privacy terms or notices will be made prominently available to you.

Privacy key terms

Anonymisation – The process of either encrypting or removing personal data from a database, so that the individuals whom the data describe remain anonymous. This is done for the purpose of protecting individuals’ private activities while maintaining the integrity of the data gathered and shared.

Behavioural Advertising – The act of tracking users’ online activities and then delivering ads or recommendations based upon the tracked activities.

Binding Corporate Rules (BCRs) – Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

Biometric Data – Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.

Consent – Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Cookies – A small text file stored on a user machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session.

Data Controller – An entity that has the authority over the processing of personal data. It controls the use of personal data by determining the purposes for its use and the way personal data will be processed.

Data Enrichment – A process used to enhance, refine or otherwise improve existing data.

Data Processing – Any operation or set of operations which is performed on personal data, such as collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making the data available, aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means.

Data Protection Officer – The individual appointed by Surgically Clean Air locally to carry out certain responsibilities and functions in respect of privacy and data protection.

Data Retention – The policies and processes used within Surgically Clean Air for determining the time period for archiving and storing of personal data.

Data Subject – The natural person that the personal data refers to.

Direct Marketing – A form of advertising in which companies provide physical marketing materials to consumers to communicate information about a product or service.

EEA – European Economic Area.

Encryption – The method by which plaintext or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key.

GDPR – General Data Protection Regulation.

Genetic Data – Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Health Data – Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

International Organisation – An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

IP Address – A unique address that identifies a device on the Internet or a local network and which allows a system to be recognized by other systems connected via the Internet protocol.

Online Behavioural Advertising – Websites or online advertising services that engage in the tracking or analysis of, e.g., search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, and offer advertising based on that tracking.

Personal Data – Any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Personal Data Breach – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Privacy and Data Protection – The collection of laws and regulation that applies to the collection, usage, storage, protection and other processing of personal data. This includes data protection, privacy, banking secrecy, electronic communications and confidentiality laws and regulations, and any other applicable laws or regulations to the extent they relate to privacy of personal data.

Privacy Champion – An internal employee who serves as the privacy practice sponsor and acts as an advocate to further foster privacy as a core organization concept.

Processor – Processor A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Profiling – Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymization – Pseudonymization The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Recipient – A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third-party or not. However, public authorities which may receive personal data in the framework of a inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Representative – Natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor regarding their respective obligations under this Regulation.

Restriction of Processing – The marking of stored personal data with the aim of limiting their processing in the future.

Special Categories of Personal Data – Special categories of personal data, include: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data (for uniquely identifying an individual) and of data concerning health, sex life or sexual orientation.

Supervisory Authority – Independent Authority or division associated with an Authority in any relevant jurisdiction, whose primary purpose and function is to regulate matters related to personal data.

Third-Party – Third-Party A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.