Privacy Notice for California Residents

This Privacy Notice for California Residents (referred to as "Privacy Notice") informs why and how Aiven collects, uses, shares and protects personal information of California residents in compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

What rights do you have as a California resident?

Under the CCPA and CPRA, you have the following rights regarding your personal information:

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, used, and shared about you in the past 12 months.
• Right to Delete: You have the right to request the deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out: You have the right to opt-out of the sale of your personal information.
• Right to Non-Discrimination: Aiven will not discriminate against you for exercising your privacy rights.
• Right to Correct: You have the right to correct inaccurate personal information.
• Right to Limit: You have the right to limit the use and disclosure of sensitive personal information.

How to exercise your rights?

To exercise your rights or to ask any questions about this Privacy Notice, please contact us using the information provided below.

California residents have the right to opt out of selling their personal information. This right can be exercised by sending an opt out request through the “Do not sell or share my information”.

The definition of ‘selling’ in California Consumer Privacy Act (CCPA) is broad and includes sharing of information in exchange for anything of value - even when no actual money is related to the matter.

In other words, Aiven never sells your personal data but Aiven may share it as described in section “What personal data do we disclose?”. Some of these disclosures occurred in the last 12 months might be considered ‘selling’ under the CCPA.

In addition to the “Do not sell or share my information”-form, Californian Users can exercise their rights by sending a request to privacy@aiven.io.

We may need to verify your identity before processing your request, which may require you to provide additional information.

What information we collect?

We may collect the following categories of personal information:

• Identifiers: information of the users of the services provided by us, such as full name, email address, company name, address, phone number, user’s IP address;
• Internet or Other Network Information: type and device ID, browser type and version, service access times, statistics on page view and time spent on pages and any other automatically collectible information;
• Geolocation data: geographical location based on the IP address;
• Professional and Employment Information: such as prospects’ job title and company name;
• Commercial Information: customer relationship details, such as the contract between Aiven and the customer, start and end date of customer relationship and services ordered; billing information, such as credit card details, bank account information, payments made, outstanding invoices, and invoices delivered; customer interaction, such as customer contracts, feedback and complaints; interaction in the Aiven Community forum, such as messages sent in the Community forum; marketing communications;
• Personal Records: signatures from customer contracts;
• Sensory Information: certain customer calls; and
• Inferences: certain data collected with cookies.

Aiven collects this information directly from you when you use Aiven services or interact in the Aiven Community forum, Aiven staff at events, or automatically through our website.

For what purpose we process personal information?

We use personal information for the following purposes:

• Performing business transactions by providing our services;
• Providing a requested service such as customer support or other requests;
• Protecting security and functionality by detecting and preventing fraudulent or illegal activities;
• Improving our products and services by analyzing usage patterns and obtaining customer feedback;
• Personalizing user experience by using the User’s preferences and interactions with our services such as personalized content or advertisements; and
• Complying with legal obligations and other regulatory requirements such as accounting, record keeping and reporting obligations.

To whom we share your information with?

We may share personal information with the following categories of third parties for business purposes:

• Affiliates: to our subsidiaries to the extent necessary to provide our services and to manage and organize customer service, marketing as well as information security measures within the group in an appropriate and practical way and use shared IT systems within the group;
• Service Providers: to our third party service providers, including but not limited to hosting service providers, technology service providers, payment service providers and marketing providers;
• Legal and Compliance: as required or permitted to comply with legal obligations, requests by competent authorities and courts and related legal proceedings and as required to establish, exercise or defend or to protect against legal claims; and
• Business Partners: to prospective sellers or buyers if we are involved in a merger, acquisition, or sale of all or a portion of our assets.

What security measures have we taken?

We have carried out reasonable technical and organizational measures to secure the personal information processed against unauthorized access, against accidental or unlawful destruction, manipulation, disclosure and transfer and against other unlawful processing. For instance, any physical data is stored in locked facilities and access to automatically processed data is limited by user rights and passwords within our organization.

Please be aware that, although we endeavor to provide reasonable security measures for personal data, no security system can prevent all potential security breaches.

How long will we retain personal data?

We will only retain personal data for as long as necessary to fulfill the purposes defined in this Privacy Notice. The main retention periods are as follows:

• We retain personal data for the duration of customer relationship and after that as required by legal obligations (e.g. accounting laws) or our contractual rights or obligations (e.g. for invoicing purposes).
• If a dispute arises or a customer fails to make payment for our services, we may retain relevant information until such dispute is resolved or until such payment is made.
• Where we process personal data for marketing purposes, we will delete or anonymise the data after one (1) year has lapsed from last contact between us to the User or when the User asks us to stop marketing and for a short period after this (to allow us to implement the request).