Login

Book a Demo

Privacy Policy

[Last Modified: October 11, 2023]

This privacy policy (“Privacy Policy” or “Policy”) describes how Carambola Media Ltd. and its
affiliated companies and subsidiaries (collectively shall be referred to as “Carambola”, “we”, “us”, or
“our”) collect, use and disclose certain information, and the choices you can make about that
information.
Carambola is the developer and owner of the technology and platform (“Platform”) that enables
publishers, operating websites, applications or other digital assets (“Digital Assets” and “Publishers”
respectively) to embed and share within the Digital Assets interactive units including, but not
limited, online quizzes, questionnaires, surveys, feedback applications or other features
(“Interactive Unit”) for the purpose of creating end user engagement. The Interactive Units can
further include advertisements and other promotional content (“Ads”) provided by third party
advertisers (“Advertisers”) (all together shall be referred to as “Services”).
We collect and process certain information when visitors browse our website:
https://carambola.com/ (“Visitors” and “website”), we collect and use certain information about
the Publishers using our Platform and Services or on behalf of the Advertiser or Publisher, such as
information on the end users, the individuals watching the ads or interacting with the Interactive
Units (as applicable the “end users”, “Visitors” and “Publishers” collectively shall be referred to as
“you”).
This Privacy Policy applies to all information about you that we collect in connection with the
Services throughout the world, and explains what data we may collect from you, how such data may
be used or shared with others, how we safeguard it, and how you may exercise your rights related
to your Personal Data (as defined below) under the applicable privacy laws such as the EU General
Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) and other
US states as further detailed below.
Carambola participates in the IAB Transparency & Consent Framework and complies with its
Specifications and policies. Carambola’s Vendor number within the framework is 1240.

CONTENTS
1. POLICY AMENDMENTS: 3
2. CONTACT INFORMATION AND DATA CONTROLLER INFORMATION: 3
3. DATA SETS WE COLLECT AND FOR WHAT PURPOSE: 3
4. HOW WE COLLECT YOUR INFORMATION: 6
5. COOKIES AND SIMILAR TECHNOLOGIES: 6
6. DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH: 6
7. USER RIGHTS AND OPT-OUT OPTIONS: 8
8. DATA RETENTION: 8
9. SECURITY MEASURES: 9
10. INTERNATIONAL DATA TRANSFER: 9
11. ELIGIBILITY AND CHILDREN PRIVACY: 9
12. JURISDICTION SPECIFIC NOTICES: 10
A. ADDITIONAL NOTICE TO CALIFORNIA RESIDENTS 10
B. ADDITIONAL NOTICE TO COLORADO RESIDENTS 10
YOUR RIGHTS UNDER CPA: 10
HOW TO SUBMIT A REQUEST UNDER CPA? 13
C. ADDITIONAL NOTICE TO VIRGINIA RESIDENTS 13
HOW TO SUBMIT A REQUEST UNDER VCDPA? 14
D. ADDITIONAL NOTICE TO CONNECTICUT RESIDENTS 14
HOW TO SUBMIT A REQUEST UNDER CDPA? 14
E. ADDITIONAL NOTICE TO UTAH RESIDENTS (effective January 2024) 15
F. NOTICE TO NEVADA RESIDENTS 15

1. POLICY AMENDMENTS:
We reserve the right to amend this Privacy Policy from time to time, at our sole discretion. The most
recent version of the Privacy Policy will always be posted on the website and the update date will be
reflected in the “Last Modified” heading. We will provide notice to you if these changes are
material, and, where required by applicable law, we will obtain your consent. Any amendments to
the Privacy Policy will become effective within 30 days upon the display of the modified Privacy
Policy. We recommend you review this Privacy Policy periodically to ensure that you understand our
most updated privacy practices.

2. CONTACT INFORMATION AND DATA CONTROLLER INFORMATION:
Carambola Media Ltd. is incorporated under the laws of Israel, and is the Controller (as such term is
defined under the GDPR or equivalent privacy legislation) of your Personal Data.
For any question, inquiry or concern related to this Privacy Policy or the processing of your Personal
Data, you may contact as follows:

DPO CONTACT INFORMATION:
Carambola Media Ltd.
10 Aba Even Blvd. Building C, Herzliya, 4672528, Israel.
By Email: DPO@Carambola.com

3. DATA SETS WE COLLECT AND FOR WHAT PURPOSE:
You can find here information regarding the data sets we collect, purposes for which we process
your data as well as our lawful basis for processing, and how the data is technically processed. In
general, we may collect two types of information from you, depending on your interaction with us:

Non-Personal Data
During your interaction with our Services, we may collect aggregated, non-personal non-identifiable
information, which may be made available or gathered via your access to and use of the Services
(“Non-Personal Data “). We are not aware of the identity of the user from which the Non-Personal
Data is collected. The Non-Personal Data being collected may include your aggregated usage
information and technical information transmitted by your device, such as: the type of browser or
device you use, operating system type and version, language preference, time and date stamp,
country location, etc.
Personal Data
We may also collect from you, during your access or interaction with the Services, individually
identifiable information, namely information that identifies an individual or may, with reasonable
effort, be used to identify an individual (“Personal Data” or “Personal Information”). The types of
Personal Data that we collect as well as the purpose for processing such data are specified in the
table below.

For the avoidance of doubt, any Non-Personal Data connected or linked to any Personal Data shall
be deemed as Personal Data as long as such connection or linkage exists.

The table below details the processing of Personal Data we collect, the purpose, lawful basis, and
processing operations:

DATA SET PURPOSE AND OPERATIONS LAWFUL BASIS

WEBSITE

Online Identifiers:
When you access and interact
with our website, we collect
certain online identifiers, such
as Cookie ID, agent ID, internet
protocol (IP) address or similar
unique online identifiers
generated (“Online
Identifiers”).

We process such data through
our first party cookies to
enable the operation of the
website, security and for fraud
prevention purposes. The first
party cookies are strictly
necessary.

First party cookies are strictly
necessary and processing of
Online Identifiers is subject to
our legitimate interest.

Contact Information:
If you voluntarily contact us,
you may be required to provide
us with certain information
such as your full name, phone
number, company name, email
address (“Contact
Information”), and any
additional information you
decide to share with us.

We process such data to
respond to your inquiry.

We process such Contact
Information subject to our
legitimate interest.
We may keep such
correspondence if we are
legally required to.

PUBLISHERS AND END USERS

Account Information:
Publishers are designated with
an account, or are able to
register and create an account
through the website, the
account registration
information includes your full
name, email address and
possibly you phone number.
Additionally, during the
registration process you will be
required to create a username
and password.
This information will be
processed when you login as

We process such data to create
you an account, provide you
with account management,
support and to provide you the
Services as well as to send you
needed information related to
our business engagement (e.g.,
send you a welcome message,
notify you regarding any
updates to our Services, send
applicable invoices, etc.) and
additional occasional
communications and updates
related to the Services, as well
as to communicate with you,
updates, send you updates on

We process such data for the
purpose of performing our
contract with you, meaning,
to provide the Services and
to designate your account.
Direct Marketing is
processed subject to our
legitimate interest. You can
opt-out at any time by using
the “unsubscribe” option.

well.
You represent and warrant that
you will not provide us with
inaccurate, misleading or false
information.

new capabilities and features,
and to send you invoices
promotional and marketing
emails (“Direct Marketing”).

We may also use the
information in order to verify
your identity.

Usage Data:
We collect certain usage data,
meaning analytic and statistics
on how the Publishers use our
Services and the dashboard
available through the Platform
(“Usage Data”).

We process such aggregated
Usage Data with respect to the
Platform and Services in order
to operate, provide, maintain,
protect, manage and improve
Carambola Platform tools and
Services.

We process such data
subject to our legitimate
interest.

End User Data:
End users, are individuals
browsing publishers’ Digital
Assets and views advertisers’
ads (“End User”), we process
certain information on End
Users (“End User Data”):
identifiers, unique identifier, IP
address, Privacy or Preference
String, TCF sting, the URL the
End User is browsing, the
interaction with the ads or the
publisher assets (viewed,
clicked, etc.), country level
location extracted from the IP,
type of browser, language, type
of device and other technical
data.

Deliver and display contextual
content and advertising,
reporting and measurements:
We use the End User Data to
place contextual content, which
is not advertisement.
We share the End User Data
with the advertisers so that they
are able to display relevant
advertisement to you.
We use the aggregated End
User Data to provide our
publishers with insights and
reports regarding their
campaigns, meaning
aggregated measurements and
reporting.

We process the End User Data
upon consent provided
through the consent string,
TCF string.
Otherwise, the aggregated
data is used in our legitimate
interest in providing the
Service, and conducting
research for improving the
Service, all as detailed in the
Legitimate Interest Claim
below.
In certain aspects of our
Service, we act as the “data
processor” or “service
provider”, in which we will
rely on our publishers to
obtain the necessary lawful
basis for processing the end
user personal data.

Please note that the actual processing operation per each purpose of use and lawful basis detailed
in the table above may differ. Such processing operation usually includes a set of operations made
by automated means, such as collection, storage, use, disclosure by transmission, erasure, or
destruction. The transfer of Personal Data to third-party countries, as further detailed in the
“International Data Transfer” Section below, is based on the same lawful basis as stipulated in the
table above.
In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities,
fraud, misappropriation, infringements, identity thefts, and any other misuse of the Services and to

enforce the Terms, as well as to protect the security or integrity of our databases and the Services,
and to take precautions against legal liability. Such processing is based on our legitimate interests.
We may collect different categories of Personal Data and Non-Personal Data from you, depending
on the nature of your interaction with the Services provided through the website and Platform, as
detailed above. If we combine Personal Data with Non-Personal Data, the combined information will
be treated as Personal Data or for as long as it remains combined.
Please further be advised that, as an end user interacting with the Interactive Unit, you might be
subject to additional data collection directly on behalf of Publishers (meaning the Publishers
operating the Digital Assets in which our Interactive Unit are implemented, as well as Advertisers
providing the ads displayed in the Interactive Unit). We are not responsible, nor do we monitor such
data collection, that shall be governed by such Publishers’ privacy policies.

4. HOW WE COLLECT YOUR INFORMATION:
Depending on the nature of your interaction with us, we may collect the above detailed information
from you, as follows:
● Automatically, when you visit our website, interact with our Platform or use our Services,
including through the use of Cookies (as detailed below) and similar tracking technologies.
● When you voluntarily choose to provide us with information, such as when you contact us, all as
detailed in this Policy.
● Provided by our partners and Cookie Management Platforms implemented in our partners'
assets.

5. COOKIES AND SIMILAR TECHNOLOGIES:
We use “cookies” (or similar tracking technologies) when you access our website. The use of cookies
is a standard industry-wide practice. A “cookie” is a small piece of information that a website assigns
and stores on your computer while you are viewing a website. Cookies can be used for various
purposes, including allowing you to navigate between pages efficiently, as well as for statistical
purposes, analytic purposes and marketing.
The specific cookies we currently use on our website, are detailed in the table below:
COOKIE NAME PURPOSE EXPIRY
Google Analytic Performance Cookies (Analytics) 1 Year
Mixpanel
Hotjar

6. DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH:
We share your data with third parties, including the Publishers or service providers that help us
provide our Services. You can find here information about the categories of such third-party
recipients.
CATEGORY OF
RECIPIENT

DATA THAT WILL BE
SHARED

PURPOSE OF SHARING

Advertisers End User Data We provide such information to our Advertisers, so
they will be able to bid for content that best suits
such a web-page, as a part of our Services. We will
further present aggregated data about end users’
interaction with the ads, to provide reports to our
Publishers.
The Advertisers is required to secure the data and to
use the data for pre-agreed purposes only, while
ensuring compliance with all applicable data
protection regulations. Carambola and the Advertiser
has engaged in the Module II of the Standard
Contractual Clauses.
The transferred data shall be encrypted when
transferred.

Publisher End User Data Providing reports and analytic to the Publisher.
The Publisher is required to secure the data and to
use the data for pre-agreed purposes only, while
ensuring compliance with all applicable data
protection regulations. Carambola and the Publisher
has engaged in the Module II of the Standard
Contractual Clauses.
The transferred data shall be encrypted when
transferred

Service
Providers

All data We may disclose Personal Data to our trusted agents
(such as legal counsel) and service providers
(including, but not limited to, our Cloud Service
Provider, Analytics Service Provider, CRM provider,
etc.) so that they can perform the requested services
on our behalf. Thus, we share your data with third
party entities, for the purpose of storing such
information on our behalf, or for other processing
needs. These entities are prohibited from using your
Personal Data for any purposes other than providing
us with requested services.

Any acquirer of
our business

All data We may share Personal Data, in the event of a
corporate transaction (e.g., sale of a substantial part
of our business, merger, consolidation or asset sale).
In the event of the above, our affiliated companies or
acquiring company will assume the rights and
obligations as described in this Policy.

Affiliated
Companies

All Data We may share aggregate or Non-Personal Data with
our affiliated companies and additional third parties
in accordance with the terms of this Policy. We may
store any type of information on our servers or cloud
servers, use or share Non-Personal Data in any of the

above circumstances, as well as for the purpose of
providing and improving our Services, aggregate
statistics, marketing and conduct business and
marketing analysis, and to enhance your experience.

Legal and law
enforcement

Subject to law
enforcement
authority request.

We may disclose certain data to law enforcement,
governmental agencies, or authorized third parties, in
response to a verified request relating to terror acts,
criminal investigations or alleged illegal activity or
any other activity that may expose us, you, or any
other user to legal liability, and solely to the extent
necessary to comply with such purpose.

When we share information with services providers and Publishers, we ensure they only have access
to such information that is strictly necessary for us to provide the Services. These parties are
required to secure the data they receive and to use the data for pre-agreed purposes only while
ensuring compliance with all applicable data protection regulations (such service providers may use
other non-personal data for their own benefit).

7. USER RIGHTS AND OPT-OUT OPTIONS:
We acknowledge that different people have different privacy concerns and preferences. Our goal is
to be clear about what information we collect so that you can make meaningful choices about how
it is used. We allow you to exercise certain choices, rights, and controls in connection with your
information. Depending on your relationship with us, your jurisdiction and the applicable data
protection laws that apply to you, you have the right to control and request certain limitations or
rights to be executed. Please note, if you are an individual who interacts with a Publisher and you
contact us regarding your rights, you will be directed to contact the applicable Publisher as the
“controller” of the Personal Data.
For additional rights under various jurisdictions, please refer to Section ‎12 “JURISDICTION-SPECIFIC
NOTICES” herein below. For detailed information on your rights and how to exercise your rights,
please see the Data Subject Request Form (“DSR”) available HERE or send it to:
DPO@Carambola.com.
Further, you may execute certain rights without the need to fill out the DSR Form, such as: You can
correct or delete the Contact Information or Account information at any time, through the account
settings, You can you can opt-out from receiving our emails by clicking “unsubscribe” link, You can
withdraw consent for processing End User Data for analytics or marketing purposes, at any time be
using the cookie settings on the website, Use the “Do Not Sell or Share My Information” through the
first-party business, i.e., through the cookie consent manager presented on the Publisher's website,
etc.
To opt out from cross contextual ads you can further use these links: the Network Advertising
Initiative’s (“NAI”) website: NAI consumer opt-out and the Digital Advertising Alliance’s (“DAA”)
website: DAA opt-out page. Or the European Interactive Digital Advertising Alliance (“EDAA”)
website: Your Online Choices page.

8. DATA RETENTION:

We retain Personal Data we collect as long as it remains necessary for the purposes set forth above,
all in accordance with applicable laws, or until an individual expresses a preference to opt-out.
Other circumstances in which we will retain your Personal Data for longer periods of time include: (i)
where we are required to do so in accordance with legal, regulatory, tax, or
accounting requirements; (ii) for us to have an accurate record of your dealings with us in the event
of any complaints or challenges; or (iii) if we reasonably believe there is a prospect of litigation
relating to your Personal Data. Please note that except as required by applicable law, we may at our
sole discretion, delete or amend information from our systems, without notice to you, once we
deem it is no longer necessary for such purposes.

9. SECURITY MEASURES:
We work hard to protect the Personal Data we process from unauthorized access, alteration,
disclosure, or destruction. We have implemented physical, technical, and administrative security
measures for the Services that comply with applicable laws and industry, such as encryption using
SSL, we minimize the amount of data that we store on our servers, restricting access to Personal
Data to Carambola employees, contractors, and agents, etc. Note that we cannot be held
responsible for unauthorized or unintended access beyond our control, and we make no warranty,
express, implied, or otherwise, that we will always be able to prevent such access.
Please contact us at: DPO@Carambola.com if you feel that your privacy was not dealt with properly,
in a way that was in breach of our Privacy Policy, or if you become aware of a third party's attempt
to gain unauthorized access to any of your Personal Data. We will make a reasonable effort to notify
you and the appropriate authorities (if required by applicable law) in the event that we discover a
security incident related to your Personal Data.

10. INTERNATIONAL DATA TRANSFER:
Our data servers in which we host and store the information are located in the Israel. The
Company’s HQ are based in Israel in which we may access the information stored on such servers or
other systems such as the Company’s ERP, CRM, Salesforce, and other systems. In the event that we
need to transfer your Personal Data out of your jurisdiction, we will take appropriate measures to
ensure that your Personal Data receives an adequate level of protection as required under
applicable law. Furthermore, when Personal Data that is collected within the European Economic
Area ("EEA") is transferred outside of the EEA to a country that has not received an adequacy
decision from the European Commission, we will take necessary steps in order to ensure that
sufficient safeguards are provided during the transferring of such Personal Data, in accordance with
the provision of the standard contractual clauses approved by the European Union. Thus, we will
obtain contractual commitments or assurances from the data importer to protect your Personal
Information, using contractual protections that EEA and UK regulators have pre-approved to ensure
your data is protected (known as standard contract clauses), or rely on adequacy decisions issued by
the European Commission. Some of these assurances are well-recognized certification schemes.

11. ELIGIBILITY AND CHILDREN PRIVACY:
The Services are not intended for use by children (the phrase "child" shall mean an individual that is
under the age defined by applicable law, which concerning the EEA is under the age of 16, and with
respect to the US, under the age of 13), and we do not knowingly process children's information. We

will discard any information we receive from a user that is considered a "child" immediately upon
discovering that such a user shared information with us. Please contact us at: DPO@Carambola.com
if you have reason to believe that a child has shared any information with us.

12. JURISDICTION SPECIFIC NOTICES:
A. ADDITIONAL NOTICE TO CALIFORNIA RESIDENTS
This section applies only to California residents. Pursuant to the California Consumer Privacy Act of
2018 (“CCPA”) effective November 2020, and as amended by the CPRA, effective January 1, 2023.
Please see the CCPA Privacy Notice which discloses the categories of personal information collected,
purpose of processing, source, categories of recipients with whom the personal information is
shared for a business purpose, whether the personal information is sole or shared, the retention
period, and how to exercise your rights as a California resident.

B. ADDITIONAL NOTICE TO COLORADO RESIDENTS
Under the Colorado Privacy Act (“CPA”) if you are a resident of Colorado, acting only as an individual
or household context (and not in a commercial or employment context, as a job applicant or as a
beneficiary of someone acting in an employment context), your rights with respect to your personal
data are described below.
“Personal Data” as defined in the CPA means: “information that is linked or reasonably linkable to
an identified or identifiable individual” and does not include any of the following: publicly available
information, de-identified or aggregated consumer, and information excluded from the CPA scope,
such as: Health or medical information covered by the Health Insurance Portability and
Accountability Act of 1996 (HIPPA) or 42 CFR Part 2- “Confidentiality Of Substance Use Disorder
Patient Records”, Personal information covered by certain sector-specific privacy laws, including the
Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or and the Driver’s Privacy
Protection Act of 1994, Children’s Online Policy Protection Act of 1998 (COPPA), Family Educational
Rights and Privacy Act of 1974, national Security Exchange Act of 1934, higher education data and
employment data.
Sensitive Data includes (i) racial or ethnic origin, religious beliefs, mental or physical health
condition or diagnosis, sex life or sexual orientation; (ii) Genetic or biometric data that can be
processed to uniquely identify an individual; or (iii) child data. We do not process or collect any
sensitive data.
Section 3 “Data Sets we Collect and for What Purposes” of the Privacy Policy, we describe our
collection and processing of personal data, the categories of personal data that are collected or
processed, and the purposes. Additionally, in Section 6 “Data Sharing – Categories of Recipients we
Share Personal Data With” details the categories of third-parties the controller shares for business
purposes.
YOUR RIGHTS UNDER CPA:
Herein below, we will detail how consumers can exercise their rights, and appeal such decision, or if
Carambola sells the personal data, or sells the personal data for advertising and how to opt-out.
Right to Access/
Right to Know

You have the right to confirm whether
and know the Personal Data we
collected on you

You can exercise your right by
reviewing this Privacy Policy, in
case you would like to receive

the Personal Data please fill in
this form to receive a copy of
your data

Right to
Correction

You have the right to correct
inaccuracies in your Personal Data,
taking into account the nature of the
Personal Data and the purposes of the
processing of your Personal Data.

You can exercise this right
directly through your account
or by filling in this form

Right to Deletion You have the right to delete the
Personal Data, this right is not absolute
and in certain circumstances we may
deny such request. We may deny your
deletion request, in full or in part, if
retaining the information is necessary
for us or our service provider(s) for any
of the following reasons: (1) Complete
the transaction for which we collected
the Personal Data, provide a good or
service that you requested, take actions
reasonably anticipated within the
context of our ongoing business
relationship with you, fulfill the terms of
a written warranty or product recall
conducted in accordance with federal
law, or otherwise perform our contract
with you; (2) Detect security incidents,
protect against malicious, deceptive,
fraudulent, or illegal activity, or
prosecute those responsible for such
activities; (3) Debug products to
identify and repair errors that impair
existing intended functionality; (4)
Exercise free speech, ensure the right of
another consumer to exercise their free
speech rights, or exercise another right
provided for by law; (5) Comply with
the law or legal obligation; (6) Engage in
public or peer-reviewed scientific,
historical, or statistical research in the
public interest that adheres to all other
applicable ethics and privacy laws, when
the information’s deletion may likely
render impossible or seriously impair
the research’s achievement, if you
previously provided informed consent;
(7) Enable solely internal uses that are
reasonably aligned with consumer
expectations based on your relationship

If you would like to delete your
Personal Data please fill in this
form
You do not need to create an
account with us to submit a
request to know or delete.

with us; (8) Make other internal and
lawful uses of that information that are
compatible with the context in which
you provided it.
We will delete or de-identify personal
information not subject to one of these
exceptions from our records and will
direct our processors to take similar
action.
Right to
Portability

You have the right to obtain the
personal data in a portable, and to the
extent technically feasible, readily
usable format that allows you to
transmit the data to another entity
without hindrance.

If you would like to receive the
Personal Data please fill in this
form to receive a copy of your
data we will select a format to
provide your Personal Data
that is readily usable and
should allow you to transmit
the information from one
entity to another entity
without hindrance.

Right to opt out
from selling
Personal Data

You have the right to opt out of the sale
of your Personal Data for the purposes
of targeted advertising, sale to a third
party for monetary gain, or for profiling
in furtherance of decisions that produce
legal or similarly significant effects
concerning you or any other consumer.
You may authorize another person
acting on your behalf to opt out,
including by broad technical tools, such
as DAA, NAI, etc.

Carambola does not sell your
personal information, so we do
not offer an opt out.
Carambola may “share”
personal information with third
parties for personalized
advertising purposes. You may
indicate your choice to opt-out
of the sharing of your personal
data with third parties for
personalized advertising on
third party sites as detailed in
Section 7 "Users Rights and Opt
Out Options".
To opt out from the use of
cookies on our website, please
click the “do not sell or share
my personal information” in
the footer of the website which
will enable you to customize
the use of cookies on our
website.

Right to opt out
from Targeted
Advertising

Right to opt out
from Profiling

We do not profile you, thus we
do not need to provide an opt-
out.
Right to Appeal If we decline to take action on your
request, we shall so inform you without
undue delay, within 45 days of receipt

Not more than 60 days after
receipt of an appeal we will
inform you in writing of any

of your request. The notification will
include a justification for declining to
take action and instructions on how you
may appeal.
If we deny the appeal, you may contact
the Colorado Attorney General using
this link: https://coag.gov/office-
sections/consumer-protection/ or (720)
508-6000.

action taken or not taken in
response to the appeal,
including a written explanation
of the reason for the decisions.

Duty not to
violet the
existing laws
against
discrimination or
non-
discrimination

Such discrimination may include
denying a good or service, providing a
different level or quality of service, or
charging different prices.

We do not discriminate our
users.

HOW TO SUBMIT A REQUEST UNDER CPA?
Only you, or someone legally authorized to act on your behalf, may make a request to know or
delete related to your Personal Data. If the DSR is submitted by someone other than the consumer
about whom information is being requested, proof of authorization (such as power of attorney or
probate documents) will be required.
We will respond to your request within 45 days after receipt of a verifiable Consumer Request and
for no more than twice in a twelve-month period. We reserve the right to extend the response time
by an additional 45 days when reasonably necessary and provided consumer notification of the
extension is made within the first 45 days. If we refuse to take action on a request, you may appeal
our decision within a reasonable period time by contacting us at: DPO@Carambola.com and
specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in
writing of any action taken or not taken in response to the appeal, including a written explanation of
the reasons for the decisions. If the appeal is denied, you may submit a complaint as follows:
Colorado AG at https://coag.gov/file-complaint/
If you have an account with us, we may deliver our written response to that account or via email at
our sole discretion. If you do not have an account with us, we will deliver our written response by
mail or electronically, at your option. You do not need to create an account for submitting a request.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your
request. The response we provide will also explain the reasons we cannot comply with a request, if
applicable.

C. ADDITIONAL NOTICE TO VIRGINIA RESIDENTS
Under the Virginia Consumer Data Protection Act, as amended (“VCDPA”) if you are a resident of
Virginia acting in an individual or household context (and not in an employment or commercial
context), you have the following rights with respect to your Personal Data.
"Personal data" means any information that is linked or reasonably linkable to an identified or
identifiable natural person. "Personal data" does not include de-identified data or publicly available

information. Personal Data does not include de-identified data or publicly available data, and
information excluded from the scope such as: HIPAA, GBPA, non-profit entities, higher education,
employment data and FCRA, Driver's Privacy Protection Act of 1994, Family Educational Rights and
Privacy Act, Farm Credit Act.
The VCDPA requires Carambola discloses the Categories of data processing and the purpose of each
category, as detailed
in Section 3 “Data Sets we Collect and for What Purposes” of the Privacy Policy, the categories of
data shared and the third parties with whom it is shared, as detailed in Section 6 “Data Sharing –
Categories of Recipients we Share Personal Data With”. Disclosure of sale of data or targeted
advertising are detailed in Section 7 "Users Rights and Opt Out Options" above, and in the DSR
Form. Further, the table above under Section B “Additional Notice to Colorado Residents” details
the rights you have under VCDPA and how you may exercise your rights.
HOW TO SUBMIT A REQUEST UNDER VCDPA?
We shall respond to your request within 45 days of receipt. We reserve the right to extend the
response time by an additional 45 days when reasonably necessary and provided consumer
notification of the extension is made within the first 45 days. If we refuse to take action on a
request, you may appeal our decision within a reasonable period time by contacting us at:
DPO@Carambola.com and specifying you wish to appeal. Within 60 days of our receipt of your
appeal, we will inform you in writing of any action taken or not taken in response to the appeal,
including a written explanation of the reasons for the decisions. If the appeal is denied, you may
submit a complaint as follows: Virginia Attorney General at
https://www.oag.state.va.us/consumercomplaintform
We shall provide information in response to your request free of charge, up to twice annually,
unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate
your request using commercially reasonable efforts, we may request additional information
reasonably necessary to authenticate you and your request. If we cannot authenticate you and your
request we will not be able to grant your request.
D. ADDITIONAL NOTICE TO CONNECTICUT RESIDENTS
Under the Connecticut Data Privacy Act, Public Act. No. 22-14 (the “CDPA”) if you are a resident of
Connecticut, acting in an individual or household context (and not in a commercial or employment
context or as a representative of business, non-profit or governmental entity), your rights with
respect to your personal data are described below.
"Personal data" means any information that is linked or reasonably linkable to an identified or
identifiable individual. It does not include de-identified data or publicly available information. If
further does not include information excluded from the scope such as: HIPAA, GBPA, non-profit
entities, higher education, employment data and FCRA, Driver's Privacy Protection Act of 1994,
Family Educational Rights and Privacy Act, Farm Credit Act.
The categories of personal data processed, purpose of processing, are detailed in Section 3 “Data
Sets we Collect and for What Purposes”, categories of personal data shared with third parties,
categories of third parties with whom data is shared, are detailed in Section 6 “Data Sharing –
Categories of Recipients we Share Personal Data With”. Disclosure of sale of data or targeted
advertising are detailed in Section 7 "Users Rights and Opt Out Options" above, and in the DSR
Form.

Instructions on how to exercise your rights are detailed in the table above under Section B
“Additional Notice to Colorado Residents” details the rights you have under CDPA and how you may
exercise your rights.
HOW TO SUBMIT A REQUEST UNDER CDPA?
We shall respond to your request within 45 days of receipt. The response period may be extended
once by 45 additional days when reasonably necessary, taking into account the complexity and
number of requests and we inform you of such extension within the initial 45 days response period,
together with the reason for the extension.
If we decline to take action on your request, we shall so inform you without undue delay, within 45
days of receipt of your request. The notification will include a justification for declining to take
action and instructions on how you may appeal. Within 60 days of our receipt of your appeal, we
will inform you in writing of any action taken or not taken in response to the appeal, including a
written explanation of the reasons for the decisions. If the appeal is denied, you may submit a
complaint to the Connecticut Attorney General at link: https://www.dir.ct.gov/ag/complaint/ or
(860) 808-5318.
We shall provide information in response to your request free of charge, up to twice annually,
unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate
your request using commercially reasonable efforts, we may request additional information
reasonably necessary to authenticate you and your request. If we cannot authenticate you and your
request, we will not be able to grant your request.

E. ADDITIONAL NOTICE TO UTAH RESIDENTS (effective January 2024)
Under the Utah Consumer Privacy Act (the “UCPA”) if you are a resident of Utah, acting in an
individual or household context (and not in a commercial or employment context) your rights with
respect to your personal data are described below. “Personal Data" refers that is linked or
reasonably linkable to an identifiable individual, and does not include de-identified data and publicly
available data.
The categories of personal data processed, purpose of processing, are detailed in Section 3 “Data
Sets we Collect and for What Purposes”, categories of personal data shared with third parties,
categories of third parties with whom data is shared, are detailed in Section 6 “Data Sharing –
Categories of Recipients we Share Personal Data With”. Disclosure of sale of data or targeted
advertising are detailed in Section 7 "Users Rights and Opt Out Options" above, and in the DSR
Form.
Further, the table above under Section B “Additional Notice to Colorado Residents” details the rights
you have under CDPA and how you may exercise your rights.

F. NOTICE TO NEVADA RESIDENTS
Nevada law allows Nevada residents to opt out of the sale of certain types of personal information.
Subject to several exceptions, Nevada law defines “sale” to mean the exchange of certain types of
personal information for monetary consideration to another person. We currently do not sell
personal information as defined in the Nevada law. However, if you are a Nevada resident, you still
may submit a verified request to opt out of sales and will record your instructions and incorporate
them in the future if our policy changes. You may send opt-out requests to DPO@Carambola.com