Privacy Policy
Your Trust, Our Priority: WisdomBread™’s Privacy Framework
[Effective Date: January 1, 2025]
- Introduction
Welcome to WisdomBread™ (“WisdomBread™,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (https://www.WisdomBread.com) and services. We are committed to protecting your privacy and personal data in compliance with applicable laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Personal Information Protection and Electronic Documents Act (PIPEDA).
- Definitions
- “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
- “Sensitive data” includes information revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship status, genetic or biometric data, and precise geolocation.
- “Processing” means any operation performed on personal data.
- “Controller” means the entity that determines the purposes and means of processing personal data.
- “Processor” means the entity that processes personal data on behalf of the controller.
- PIPEDA Compliance for Canadian Users
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and adhere to the following 10 Fair Information Principles:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
- Information We Collect
We collect the following categories of personal data:
- Identifiers (e.g., name, email address, phone number)
- Commercial information (e.g., products or services purchased)
- Internet activity (e.g., browsing history, search history)
- Geolocation data
- Inferences drawn from other personal information
- How We Collect Information
We collect information:
- Directly from you when you provide it to us
- Automatically, as you navigate through our website
- From third-party sources with your consent
- Legal Bases for Processing Personal Data (GDPR)
Under the GDPR, we process your personal data based on one or more of the following legal bases:
- Consent: You have given clear consent for us to process your personal data for a specific purpose.
- Contract: The processing is necessary for a contract we have with you or because you have asked us to take specific steps before entering into a contract.
- Legal obligation: The processing is necessary for us to comply with the law.
- Legitimate interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.
- Use of Information
We use your personal data for the following purposes:
- To provide and maintain our services
- To process transactions
- To send promotional communications
- To improve our website and services
- To comply with legal obligations
We will not process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to you for which such personal data is processed, unless we have obtained your consent.
- Sharing of Personal Data
We may share your personal data with:
- Service providers and processors who perform services on our behalf
- Legal and regulatory authorities
- Potential buyers in the event of a sale or merger
We do not sell personal data to third parties.
- Your Rights
Depending on your location, you may have the following rights:
For all users:
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to delete your personal data
- Right to object to the processing of your personal data
- Right to restrict processing of your personal data
- Right to data portability
- Right to withdraw consent at any time
Additional rights for EU/EEA users (GDPR):
- Right to lodge a complaint with a supervisory authority
- Right not to be subject to a decision based solely on automated processing
Additional rights for California residents (CCPA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information held by businesses
- Right to opt out of sale of personal information
- Right to non-discrimination when exercising CCPA rights
To exercise these rights, please contact us using the information provided in the “Contact Us” section.
- Data Retention
We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. Specific retention periods are as follows:
- Account information: Retained for the duration of your account plus 2 years after account closure
- Transaction data: Retained for 7 years for tax and accounting purposes
- Communication preferences: Retained until you unsubscribe or ask us to delete this information
- Usage data: Retained for 2 years from the date of collection
- Children’s Privacy
Our services are not directed to children under 13. We do not knowingly collect personal data from children under 13 without parental consent. If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete such information.
For activities that may involve children under 13:
- We will obtain verifiable parental consent before collecting any personal information
- We will limit the information collected to what is reasonably necessary for participation
- We provide parents with the ability to review, delete, and control the use of information collected from their children
- We have procedures in place to protect the confidentiality and security of children’s information
If you believe we have collected information from your child in error, please contact us to have it removed.
- Data Security
We implement reasonable security measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication procedures
- Employee training on data protection and security
However, no security system is impenetrable, and we cannot guarantee the security of our databases.
- Data Breach Notification Procedures
In the event of a data breach that may compromise your personal information, we will:
- Investigate the breach and take necessary steps to contain and mitigate the impact
- Notify affected individuals without undue delay, typically within 72 hours of becoming aware of the breach
- Provide information about the nature of the breach, likely consequences, and measures taken or proposed to address the breach
- Notify relevant supervisory authorities as required by applicable laws
- International Data Transfers
When we transfer personal data outside your jurisdiction (e.g., to countries outside the EU/EEA or Canada), we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Binding Corporate Rules for transfers within a corporate group
- Compliance with codes of conduct or certification mechanisms
- For transfers to the US, ensuring recipients are Privacy Shield certified (where applicable)
- California Residents
In addition to the rights mentioned earlier, California residents have the right to:
- Request disclosure of the categories and specific pieces of personal information collected
- Know the categories of sources from which personal information is collected
- Know the business or commercial purpose for collecting or selling personal information
- Know the categories of third parties with whom personal information is shared
- Request deletion of personal information collected
- Opt-out of the sale of personal information
We will not discriminate against you for exercising your CCPA rights.
- Automated Decision-Making and Profiling
We may use automated decision-making and profiling in the following circumstances:
- For fraud prevention and detection
- To personalize your experience on our website
- For marketing purposes, to tailor our communications to your preferences
You have the right to object to automated decision-making and profiling and to request human intervention in any automated decisions that significantly affect you.
- Cookie Policy
We use cookies and similar tracking technologies to collect and store information about your interactions with our website. Types of cookies we use include:
- Essential cookies: Necessary for the website to function properly
- Performance cookies: To analyze how visitors use our website
- Functionality cookies: To remember your preferences and settings
- Targeting/Advertising cookies: To deliver personalized advertisements
You can control cookies through your browser settings and other tools. For more detailed information, please refer to our full Cookie Policy [link to Cookie Policy].
- Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Effective Date” at the top of this Privacy Policy.
- Contact Us
If you have any questions about this Privacy Policy, please contact us at:
WisdomBread™ Data Protection Officer
Legal Department – legal@WisdomBread.com
The WisdomBread™ privacy policy [Effective Date: January 1, 2025] aims to comply with the requirements of the new state privacy laws taking effect in January 2025, including those in Iowa, Delaware, New Jersey, Nebraska, and New Hampshire, as well as Canadian (PIPEDA) and European (GDPR) privacy law requirements.
As laws continue to evolve, we will regularly review and update this policy to ensure ongoing compliance.