Last updated: September 5, 2023

WALNUT PRIVACY POLICY

This privacy policy (“Privacy Policy”) describes how Walnut Ltd. and its affiliates (collectively “Walnut”, “we”, “us”, or “our”) collect, use and disclose certain information, including your personal information and the choices you can make about that information.

Walnut is the developer and owner of a cloud-based SaaS platform enables customers to create and manage interactive sales demos (“Services”).This Privacy Policy governs the processing and transfer of data collected directly or indirectly when using the Services (“Customer”) or merely when interacting with our website, available at: www.walnut.io (“website“ and “Visitor” respectively) (“Visitors” and “Customers” shall be collectively referred to as “you”). This Privacy Policy is hereby incorporated into our Terms of Service (“Terms”). Hence, any capitalized terms used herein but not defined herein, shall have the meaning ascribed to it under the Terms of Service.

POLICY AMENDMENTS:

We reserve the right to amend this Privacy Policy from time to time, at our sole discretion. The most recent version of the Privacy Policy will always be posted on the website. The updated date of the Privacy Policy will be reflected in the “Last Modified” heading. We will provide notice to you if these changes are material, and, where required by applicable law, we will obtain your consent. Otherwise, any amendments to the Privacy Policy will become effective immediately upon the display of the modified Privacy Policy. We recommend you review this Privacy Policy periodically to ensure that you understand our most updated privacy practices.

CONTACT INFORMATION AND DATA CONTROLLER INFORMATION:

Walnut Ltd is the controller entity, incorporated under the laws of Israel, its address: Dubnov 10 St. Tel Aviv, Israel. You may contact us and our privacy team as follows:

DPO Contact Information: privacy@walnut.io

Representative for data subjects in the EU and UK: We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: https://prighter.com/q/15054779509.

DATA SETS WE COLLECT AND FOR WHAT PURPOSE:

We may collect two types of information from you, depending on your interaction with us.

The first type of information is non-identifiable and anonymous information (“Non-Personal Data”). We are not aware of the identity of the individual from who we have collected the Non-Personal Data. Non-Personal Data which is being gathered consists of technical information, and may contain, among other things, the type of operating system and type of browser, type of device, your action in the website or Services (such as session duration).

The second type of information is individually identifiable information, namely information that identifies an individual or may with reasonable effort identify an individual (“Personal Data”).

For the avoidance of doubt, any Non-Personal Data connected or linked to Personal Data shall be deemed as Personal Data as long as such connection or linkage exists.

The table below details the types of Personal Data we process, the purpose, lawful basis, and our processing operations:

Visitors

Data Set	Purpose and Operation	Lawful Basis
Contact Information: ‍If you voluntarily contact us through any form available on the website or by email, you may be required to provide us with certain information such as your full name, email address, and any additional information you decide to share with us (“Contact Information”).	We will process the Contact Information to provide you with a response to your inquiry. The correspondence with you may be processed and stored by us in order to improve our customer service and in the event, we believe it is required to continue to store it, for example, in the event of any claims or in order to provide you with any further assistance (if applicable).	We will process Contact Information subject to our legitimate interest.
Website Interaction and Marketing: ‍When you interact with our website, we may collect your online identifiers, such as Internet Protocol (IP) address and Cookie ID, unique identifiers (“Online Identifiers”). ‍ Further, we will collect your behavior information, which is collected indirectly by our external marketing tools, or analytic tools. This information includes the referring URL (that is, the webpage directing you to our website, and other websites you visited in the session), your interests in our competitors, the web page you visited when you tapped/clicked on our ad, how you interact with our webpage, time, duration of use, pages you have viewed on our website (“Usage Data”).	Online Identifiers and Usage Data are used to enable the operation and proper functionality of the Services, for security and fraud prevention purposes, debugging purposes and to resolve technical problems. For example, in order to automatically recognize you by the next time you enter your account or to confirm you are a real person. Online Identifiers and the Usage Data are indirectly processed by third-parties marketing and analytic tools, for analytic and marketing purposes. We process this data to understand how users use our website and to measure effectiveness of some ads we use for user acquisition, in order to track conversions, build targeted audience, and market our Services to people who have taken some action on the website.	Online Identifiers which are collected through cookies we implement, which are strictly necessary for the proper and basic operation of the Services will be processed in our legitimate interest. Your Usage Data which are collected through third-party cookies, including any targeting and marketing cookies, will be processed based on your consent which we will obtain through our cookie notice and consent management. You may withdraw consent at any time by using the cookie preference settings as available in our website footer, or as otherwise detailed under Section 11 herein “User Rights”.
Career: ‍When you apply for a position offered by Walnut, we will process the CV your provided including any information associated therewith, such as your name, email address, phone number, your education and skills, employment history, and your photo (to the extent provided by you). Further, where required by law, we may process diversity and inclusion data regarding your candidacy, such as ethnicity, gender, or any disability. In addition, we may collect further information from public and online sources, referees, and former employers and combine such data with your other data. (collectively “Recruitment Information”).	We will collect Recruitment Information in order to process your application, for recruitment management purposes, for further recruitment steps (e.g., interview), and to enable us to comply with corporate governance and legal and regulatory requirements. If you are hired, your Recruitment Information may be stored with HR as part of your employee file, and subject to our corporate management. We use third party service provider for the purpose of managing job applications, currently we are using Greenhouse. Such vendors are contractually obligated to keep your information confidential and secure and they will not use the Recruitment Information for any other purpose other than detailed herein.	We process Recruitment Information subject to our legitimate interest. In some cases, for example, where we will ask you to provide health related information or diversity and inclusion data, we will process your such data based upon your consent. You may always withdraw consent at any time. We will retain your Recruitment Information for records keeping and future defense from legal claims under our legitimate interest, or if you have provided consent to contact you in the future.
Newsletter Registration: In the event you sign up to receive our newsletter or other marketing materials, you will be requested to provide your contact details, such as your email address.	We will use your email in order to send you our newsletter and other marketing materials.	We process such contact information subject to your consent. You may withdraw consent at any time through the “unsubscribe” link within the email or by contacting us directly.

Customers

Data Set	Purpose and Operation	Lawful Basis
Direct Marketing: If and to the extant available through the Services, when creating an account or other similar forums, we will send you service communications and marketing promotions, such as new features, additional offerings, special opportunities or any other information we think you will find valuable (“Direct Marketing”).	We will use your information in order to keep you updated with offers and content such as service updates, new capabilities and features, surveys, etc.	We process your information subject to our legitimate interest. You can opt-out at any time through the “unsubscribe” link within the email. In addition, we will further maintain a suppression file – meaning lists of applicable email addresses that have requested to opt-out, under our legitimate interest and to ensure we comply with such preference and choice.
Registration Information: When creating an account to use the Services or any other evaluation or free trial services, you will provide us with certain information such as full name, company name, email address, etc., and designate, or otherwise be provided with, credentials.	We use this information to create your account, authentication, provide account management (including billing and invoices), support and to provide the Services as well as perform and execute our service agreement with you and to grant you the license to use the Services. In addition, we use this information for Direct Marketing purposes, meaning, as a Customer we may send you marketing related communications (by email or other contact details you have provided), materials and content regarding the Services you are currently using or any services we may offer in the future to keep you up to date, and for example, offers and content such as software updates, new capabilities and features, surveys, etc.	We process such data as part of performance of our contract with you.
Customer Content: You may upload creative content, images, graphics, videos, text, information, etc. (“Customer Content”) for the purpose of creating demos and presentations (“Demo”) through our Services. Although we recommend not to do so, the Customer Content you upload may include Personal Data. We will keep the original Customer Content and edited Demo for as long as you are using the Service or unless otherwise instructed by you. Please note, Walnut allows you to share your Demos with third-parties. In order to do so, you will upload the recipients’ contact information (name, email and job title) as well as insights on such recipients’ use and view of the Demo and enriched data provided by Walnut or Walnut’s service providers which includes professional information on such prospect title, or company (“Recipients Information”).	Walnut will process the Customer Content Data on behalf of the Customer for the purpose of providing the Services as set forth in the Agreement between you and Walnut. We process such data solely subject to your instructions during the use of the Services	Our Customers are the controller of such data, hence are subject to the Data Processing Agreement.
Usage Data: ‍During your use the Services, information regarding your use is automatically generated and collected. Such information may include the click stream within the Services, the use of the Services (i.e., accessed or used by Customer) and the time spent on different pages or features, crash data, analytics, etc. We record how you interact with our Service. We log crashes, interaction with the Services, how often you use the Service, how long you are on the Service, etc.	We will use this data in order to operate, provide, maintain, protect and manage our Services.	We process such information subject to our legitimate interest.
Payment Information: In order to use the Services, you may be requested to provide customary billing information, such as name, and billing address. We will collect the transaction information, however we do not collect any payment method information (i.e., credit card) as we use the following third-party payment processors: Stripe and BlueSnap, any transactions that are processed by these third-party payment processors will be governed by their privacy policies and terms which are linked by name above.	will process this information to be able to provide our Services and process your payment.	We process this information for the purpose of performing our contract with you.

Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above may differ. Such processing operation usually includes a set of operations made by automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction. The transfer of Personal Data to third-party countries, as further detailed in the “INTERNATION DATA TRANSFER” Section 10 below, is based on the same lawful basis as stipulated in the table above.

In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts, and any other misuse of the Services and to enforce the Terms, as well as to protect the security or integrity of our databases and the Services, and to take precautions against legal liability. Such processing is based on our legitimate interests.

We may collect different categories of Personal Data and Non-Personal Data from you, depending on the nature of your interaction with the Services provided through the website and Services, as detailed above.

HOW WE COLLECT YOUR INFORMATION:

Depending on the nature of your interaction with us, we may collect the above detailed information from you, as follows:

Information you provide us directly – for example, when you register and create an account, apply for a job or correspond with us.
Information we receive from third parties – for example, through data enrichment partners or if you access the Services through a third-party connection or log-in, such as Google account, such third party may pass certain information about your use of their service to us. This information could include, but is not limited to, the user ID associated with your account, an access token necessary to access that service, any information that you have permitted the third party to share with us, and any information you have made public in connection with that service. You should always review, and if necessary, adjust your privacy settings on third-party websites and services before linking or connecting them to the Services.
Information we receive automatically – we will collect your Online Identifiers and Behavior Data including analytics data (or use third-party measurement and marketing tools). For more information on the cookies we use and how to opt out of third-party collection of this information, please see our Section 5 below “Cookies & Similar Tracking Technologies”.

COOKIES AND SIMILAR TECHNOLOGIES:

We use “cookies” (or similar tracking technologies) when you access our website. The use of cookies is a standard industry-wide practice. A “cookie” is a small piece of information that a website assigns and stores on your computer while you are viewing a website.

Cookies may be used for different purposes such as: (i) allowing you to navigate between pages efficiently; (ii) enabling automatic activation of certain features; (iii) remembering your preferences; and (iv) making the interaction between you and our Services quicker and easier. Cookies are also used to help customize your experience and for advertising purposes (including personalized advertising).

The cookies and similar tracking technologies we use are available here. If you wish to change your cookie preferences – withdraw your consent, opt-out from certain types of cookies please use the cookies settings available through our website footer.

You can find more information about cookies at http://www.allaboutcookies.org/.

We share your data with third parties, including our service providers that help us provide our Services. You can find here information about the categories of such third-party recipients.

Catergory of Recipient	Data that will be Shared	Purpose of Sharing
Walnut Tech Inc.	Contact Information, and any information needed for Customer Success and sales.	We may share certain information with our affiliated company, Walnut Tech Inc., for sales and marketing purposes as well as customer success and support.
Service Providers	All data	We employ other companies and individuals to perform functions on our behalf, such as sending communications, processing payments, analyzing data, providing marketing and sales assistance (including advertising and event management), identifying errors and crashes, conducting customer relationship management, and providing training. These third-party service providers have access to Personal Data needed to perform their functions, but they are prohibited from using your Personal Data for any purposes other than providing us with requested services.
Any acquirer of our business	All data	We may share Personal Data, in the event of a corporate transaction (e.g., sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our affiliated companies or acquiring company will assume the rights and obligations as described in this Policy.
Enforcement of our rights and security detections.	All types of Personal Data	We may disclose Personal Data to enforce our policies and agreements, as well as defend our rights, including the investigation of potential violations thereof, alleged illegal activity or any other activity that may expose us, you, or other users to legal liability, and solely to the extent required. In addition, we may disclose Personal Data to detect, prevent, or otherwise address fraud, security, or technical issues, solely to the extent required.
Legal and law enforcement	Subject to law enforcement authority request.	We may share certain data when we believe it is appropriate to do so in order to comply with the law enforcement, governmental agencies or authorized third parties, or protect the rights, property, or security of Walnut, our Customers, or others.

DATA RETENTION:

In general, we retain the Personal Data we collect for as long as it remains necessary for the purposes set forth above, all under the applicable regulation, or until you express your preference to optout, where applicable.

Other circumstances in which we will retain your Personal Data for longer periods of time include: (i) where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements, or (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges, or (iii) if we reasonably believe there is a prospect of litigation relating to your Personal Data. Please note that except as required by applicable law, we will not be obligated to retain your data for any particular period, and we may delete it for any reason and at any time, without providing you with prior notice if our intention to do so.

SECURITY MEASURES:

We work hard to protect the Personal Data we process from unauthorized access, alteration, disclosure, or destruction. We have implemented physical, technical, and administrative security measures for the Services that comply with applicable laws and industry, such as encryption using SSL, we minimize the amount of data that we store on our servers, restricting access to Personal Data to Walnut employees, contractors, and agents, etc. Note that we cannot be held responsible for unauthorized or unintended access beyond our control, and we make no warranty, express, implied, or otherwise, that we will always be able to prevent such access.

Please contact us at: privacy@walnut.io, if you feel that your privacy was not dealt with properly, in a way that was in breach of our Privacy Policy, or if you become aware of a third party’s attempt to gain unauthorized access to any of your Personal Data. We will make a reasonable effort to notify you and the appropriate authorities (if required by applicable law) in the event that we discover a security incident related to your Personal Data.

INTERNATIONAL DATA TRANSFER:

Our data servers in which we host and store the information are located in the US and EU. The Company’s HQ are based in Israel in which we may access the information stored on such servers or other systems such as the Company’s ERP, CRM and other systems. In the event that we need to transfer your Personal Data out of your jurisdiction, we will take appropriate measures to ensure that your Personal Data receives an adequate level of protection as required under applicable law. Furthermore, when Personal Data that is collected within the European Economic Area (“EEA“) is transferred outside of the EEA to a country that has not received an adequacy decision from the European Commission, we will take necessary steps in order to ensure that sufficient safeguards are provided during the transferring of such Personal Data, in accordance with the provision of the standard contractual clauses approved by the European Union. Thus, we will obtain contractual commitments or assurances from the data importer to protect your Personal Information, using contractual protections that EEA and UK regulators have pre-approved to ensure your data is protected (known as standard contract clauses), or rely on adequacy decisions issued by the European Commission. Some of these assurances are well-recognized certification schemes.

We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your information. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed.

In the table below you can review your rights depending on your interaction with us, how you can exercise them, and appeal a decision we take in this regard, any specification per geo-location or territory are available below the table:

RIGHT TO BE INFORMED, RIGHT TO KNOW	You have the right to confirm whether we collect Personal Data about you, if you wish to know if we collect Personal Data about you, please review this Privacy Policy.
ACCESS RIGHTS	You further have the right to know which Personal Data we specifically hold about you, and receive a copy of such or access it, if you wish to receive a copy of the Personal Data or Personal Information, please submit a Data Subject Request form (“DSR”) as available here.
RIGHT TO CORRECTION	You have the right to correct inaccuracies in your Personal Data, taking into account the nature and purposes of each processing activity. Please submit a DSR as available here.
RIGHT TO BE FORGOTTEN, RIGHT TO DELETION	In certain circumstances, you have the right to delete the Personal Data we hold about you. Please submit a DSR as available here.
RIGHT TO PORTABILITY	You have the right to obtain the Personal Data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance. We will select the format in which we provide your copy. If you wish to exercise this right, please submit our DSR as available here.
RIGHT TO OPT OUT UNDER THE EU, AND SPECIFICALLY IN THE US THE RIGHT TO OPT OUT FROM: (I) SELLING PERSONAL DATA; (II) RIGHT TO OPT OUT FROM TARGETED ADVERTISING; AND (III) RIGHT TO OPT OUT FROM PROFILING AND AUTOMATED DECISION MAKING	Direct Marketing: You have the right to opt-out from Direct Marketing, by unsubscribing through the email received. Newsletter: You have the right to withdraw consent when you no longer wish to be in our newsletter list. Cookies: When you no longer wish for cookies to track your behavior for analytic and marketing purpose, change your preferences through the cookie settings available on our website footer. Sale of Personal Data for targeted advertising, monetary gain or profiling, or Share or Sale of Personal Information for analytic or marketing: If and to the extent applicable, you have the right to opt out of the sale of your Personal Data, for the purposes of targeted advertising, sale to a third party for monetary gain, analytic, etc. as detailed under the DSR or through the cookie settings available on our website footer. Last, you are able to install privacy-controls in the browser’s settings to automatically signal the opt-out preference to all websites you visit (like the “Global Privacy Control”). We honor the Global Privacy Control, where applicable, subject to your jurisdiction, as a valid request to opt-out of the sharing of information linked to your browser. Note you may have the right to authorize another person acting on your behalf to opt out (including by technical tools and opt out signals).
RIGHT TO APPEAL OR COMPLAINT	If we decline to take action on your request, we shall so inform you without undue delay as required under applicable laws. The notification will include a justification for declining to take action and instructions on how you may appeal, if applicable. Under the EU you have the right to lodge a complaint with the supervisor authority or the Information Commissioner in the UK.
NON-DISCRIMINATION	Such discrimination may include denying a service, providing a different level or quality of service, or charging different prices. We do not discriminate our customers or users.

ELIGIBILITY AND CHILDREN PRIVACY:

The Services are not intended for use by children (the phrase “child” shall mean an individual that is under the age defined by applicable law, which concerning the EEA is under the age of 16, and with respect to the US, under the age of 13), and we do not knowingly process children’s information. We will discard any information we receive from a user that is considered a “child” immediately upon discovering that such a user shared information with us. Please contact us at privacy@walnut.io, if you have reason to believe that a child has shared any information with us.

JURISDICTION-SPECIFIC NOTICES:

ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

This section applies only to California residents. Pursuant to the California Consumer Privacy Act of 2018 effective November 2020, and as amended by the CPRA, effective January 1, 2023 (collectively “CCPA”). Please see the CCPA Privacy Notice, available here, which discloses the categories of personal information collected, purpose of processing, source, categories of recipients with whom we share the personal information for a business purpose, whether the personal information is sole or shared, the retention period, and how to exercise your rights as a California resident.

ADDITIONAL INFORMATION FOR COLORADO RESIDENTS

This section applies to Colorado residents acting only as an individual or household context (and not in a commercial or employment context, as a job applicant or as a beneficiary of someone acting in an employment context). Pursuant to the Colorado Privacy Act (“CPA”) please see below the disclosure of the categories of Personal Data that are collected or processed, the purposes, how consumers can exercise their rights, and appeal such decision, categories of third-parties the controller shares or sells the personal data, or sells the personal data for advertising and how to opt-out.

“Personal Data” as defined in the CPA means information that is linked or reasonably linkable to an identified or identifiable individual and does not include publicly available information that is lawfully made available from government records, or that a consumer has otherwise made available to the public; de-identified or aggregated consumer information; or information excluded from the CPA scope, such as: Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPPA) or 42 CFR Part 2- “Confidentiality Of Substance Use Disorder Patient Records”, Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or and the Driver’s Privacy Protection Act of 1994, Children’s Online Policy Protection Act of 1998 (COPPA), Family Educational Rights and Privacy Act of 1974, national Security Exchange Act of 1934, higher education data and employment data.

“Sensitive Data” include (i) racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation; (ii) genetic or biometric data that can be processed to uniquely identify an individual; or (iii) child data.

Under CPA, Walnut is required to provide a privacy notice that identifies the categories of Personal Data that are collected or processed, the purposes, how consumers can exercise their rights, and appeal such decision, categories of third-parties the controller shares or sells the personal data, or sells the personal data for advertising and how to opt-out.

In Section 3 to the Privacy Policy, we describe our collection and processing of Personal Data, the categories of Personal Data that are collected or processed, and the purposes for which Personal Data is processed, stored or used. We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without obtaining your consent. Additionally, Section 6 to this Privacy Policy details and discloses the categories of third-parties we share for business purposes. Section 10 to this Privacy Policy details and discloses your rights and Personal Data shared or sold for targeted advertising.

Note your rights are not absolute, and we may, depending on the applicable right you wish to exercise, deny your exercise request, in full or in part, in certain limited events, as described under the DSR available here.

We will respond to your request within 45 days after receipt of a verifiable Consumer Request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at privacy@walnut.io and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint as follows: Colorado AG at https://coag.gov/file-complaint/

If you have an account with us, we may deliver our written response to that account or via email at our sole discretion. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. You do not need to create an account for submitting a request.

Any disclosures we provide will only cover the 12-months period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

ADDITIONAL INFORMATION FOR CONNECTICUT RESIDENTS

Under the Connecticut Data Privacy Act, Public Act. No. 22-14 (“CDPA”) if you are a resident of Connecticut, acting in an individual or household context (and not in a commercial or employment context or as a representative of business, non-profit or governmental entity), your rights with respect to your personal data are described below.

“Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include publicly available information that is lawfully made available from government records, or that a consumer has otherwise made available to the public; de-identified or aggregated consumer information; or information excluded from the CDPA scope, such as: HIPAA, GBPA, non-profit entities, higher education, employment data and FCRA, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.

“Sensitive Data” means data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status; The processing of genetic or biometric data for the purpose of uniquely identifying an individual; Personal data collected from a known child; Precise geolocation data.

Under CDPA, Walnut is required to provide you with a clear and accessible privacy notice that includes: categories of Personal Data processed, purpose of processing, instructions for exercising consumer rights and appealing decisions, categories of Personal Data shared with third parties, categories of third parties with whom data is shared, and any sale of data or targeted advertising.

We shall respond to your request within 45 days of receipt. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of requests and we inform you of such extension within the initial 45 days response period, together with the reason for the extension.

If we decline to take action on your request, we shall so inform you without undue delay, within 45 days of receipt of your request. The notification will include a justification for declining to take action and instructions on how you may appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Connecticut Attorney General at link: https://www.dir.ct.gov/ag/complaint/ or (860) 808-5318.

We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request, we will not be able to grant your request.

ADDITIONAL INFORMATION FOR VIRGINIA RESIDENTS

Under the Virginia Consumer Data Protection Act, as amended (“VCDPA”) if you are a resident of Virginia acting in an individual or household context (and not in an employment or commercial context), you have the following rights with respect to your Personal Data.

“Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable natural person, and does not include publicly available information that is lawfully made available from government records, that a consumer has otherwise made available to the public; de-identified or aggregated consumer information; Information excluded from the VCDPA scope, such as: HIPAA, GBPA, non-profit entities, higher education, employment data and FCRA, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.

“Sensitive Data” means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; Personal Data collected from a known child; or precise geolocation data.

The VCDPA requires Walnut to disclose the categories of Personal Data processed, purpose of processing, how you can exercise your rights, including how a you may appeal our decision with regard to the consumer request, the categories of Personal Data shared with third parties and with whom, and if Walnut sells Personal Data to third parties or processes Personal Data for targeted advertising.

We will respond to your request within 45 days after receipt of a verifiable Consumer Request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at privacy@walnut.io and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Virginia Attorney General at https://www.oag.state.va.us/consumercomplaintform.

ADDITIONAL INFORMATION FOR UTAH RESIDENTS

*Effective January 2024

Under the Utah Consumer Privacy Act (“UCPA”) if you are a resident of Utah, acting in an individual or household context (and not in a commercial or employment context) your rights with respect to your personal data are described below.

“Personal Data” means data which is linked or reasonably linkable to an identifiable individual, and does not include de-identified data and publicly available data or data that is processed not within the scope of UCPA.

“Sensitive Data” means Personal Data that reveals an individual’s racial or ethnic origin; religious beliefs; sexual orientation; citizenship or immigration status; information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or specific geolocation data.

The UCPA requires Walnut to disclose the categories of Personal Data processed, purpose of processing, how you can exercise your rights, including your opt-out rights from the sale of Personal Data or processing for targeted advertising, the categories of Personal Data shared with third parties and with whom, and if Walnut sells Personal Data to third parties or processes Personal Data for targeted advertising. Note, under the UCPA, Walnut does not “sell” your Personal Data.

We will respond to your request within 45 days after receipt of your request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, we will provide with the reasoning for our refusal.