This dayX External Privacy Policy (the "Policy") sets forth our policies and procedures for protecting the privacy of Data, as defined below.
“Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by or under common control of dayX, where control means the ownership of a majority share of the stock, equity or voting interests of such entity.
"Customer Data" means any data, information or material originated by Customer that Customer submits to dayX, collects through its use of the Subscription Services or provides to dayX in the course of using the Subscription Services.
"Data Controllers" are those people that determine how and whether Personal Information is processed. dayX and our Affiliates are Data Controllers for purposes of these procedures."Data Processors" are those people that process Personal Information on behalf of a Data Controller.
"Data Subjects" are the people to whom the Data relates.
"Data" means any Customer Data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Properly anonymized and de-identified or aggregate data is not Data.
"Process" is used very broadly to indicate performing any action on Data, such as collecting, recording, organizing, storing, transferring, modifying, using, retaining, or deleting.
Privacy protection is integral to dayX' processing of Data. We collect and process Data in a number of ways, including from the following:
When customers or prospects request information about our products and services or sign up to receive information from us, they may enter their email address, name, or contact information, in which case their information will be used in order to contact them about our products and services.
When customers or prospects purchase services from us, we will collect the Data that they submitted in order to administer or improve our services to them; to administer our rewards and promotional programs; to improve our Website and services to them; to solicit their feedback; and to inform them about our products and services.
When customers or prospects otherwise send their personal information to us by email, by submitting an online form on our website, or by contacting us using other means, we use that Data in order to respond to them.
We collect Other Information from Website visitors that is publicly transmitted by devices and web browsers in order to understand basic information about the categories and frequency of visitors that come to our website.
dayX's policy is to minimize the unnecessary collection or use of Data and use of anonymized and de-identified or aggregate data wherever possible.
Prior to the collection and processing of Data, dayX must obtain consent from the Data Subject in a manner appropriate to the context. Most of the time, consent is implied from the circumstances. For instance, if a Data Subject signs up for email updates regarding dayX news, they expect the information to be used to send newsletters and to communicate with them about product releases, but they would not expect that information to be sold to a third-party for re-targeting purposes. When Data is used in ways that are not reasonably implied from the apparent circumstances, dayX will seek consent on an opt-in or opt-out basis.
To provide notice and receive informed consent, dayX will disclose the following before collecting Data when it is not otherwise clear from the circumstances:
The identity of the person or entity that is collecting the Data (i.e., the Data Controller);
The purpose(s) for which the Data is to be processed or used;
The methods by which the Data is to be collected;
The scope of Data that may be collected (e.g., types, over what time period, etc.); and
The identity of anyone to whom the Data may be disclosed or transferred.
dayX does not need to obtain consent from the Data Subject in the following limited circumstances:
i) when the Data is available and collected from a public source;
ii) when the processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
iii) when the processing is necessary for compliance with dayX' legal compliance obligations, such as to investigate and protect its legal interests;
iv) when the processing is necessary in order to protect the vital interests of the Data Subject, narrowly construed;
v) in certain circumstances, when processing is necessary for the performance of a task carried out in the public interest;
vi) when processing is necessary for dayX' legitimate business interests, as disclosed to the Data Subject, consistent with the fundamental rights and freedoms of the Data Subject; or where the intended collection, use, processing, and/or disclosure is otherwise permitted or not precluded by applicable law.
Consent to the collection and use of Data may be withdrawn, subject to contractual and legal restrictions and reasonable notice.
Withdrawal of consent may have consequences, such as no longer being able to provide certain services or communicate in certain ways. In certain circumstances, consent may not be withdrawn with respect to certain necessary uses and disclosures of Data, such as with respect to certain legal and contractual obligations.
Our Data systems are designed to allow for the effective withdrawal of consent. Communications are made subject to opt-out lists maintained by dayX.
Purpose Specification and Use Limitation.
When Data is used, dayX uses the Data in a way that is compatible with the purposes for which it was collected, or for a reasonably related purpose. If Data needs to be used for another purpose or handled in a way that the Data Subject has not provided consent, dayX obtains the consent of the Data Subject for the new or different use.
Only dayX personnel or third parties working on behalf of dayX with a legitimate business purpose may access or use Data, and even those individuals may access such Data only for legitimate purposes required by their positions.
dayX has posted a Privacy Policy (https://dayx.ai/privacy) so that Data Subjects can contact the appropriate person with inquiries or complaints regarding the use of their Data. dayX makes reasonable efforts to grant Data Subjects’ requests to access their Data. In accordance with these procedures, Data Subjects may ask dayX whether it maintains Data about them, and the contents, if any, of that data. If dayX denies access, dayX will provide the Data Subject the reasons for such denial and allow the Data Subject to challenge the denial.
dayX uses its best efforts to process accurate Data. To this end, Data Subjects may make reasonable requests for the correction of any incorrect or misleading Data about them. To the extent reasonably feasible, dayX will, as appropriate, correct or destroy Data that is inaccurate, misleading, or out-of-date. If dayX does not make a requested correction, the request should be noted in the Data Subject’s file to the extent feasible and explained to the Data Subject.
dayX does not keep Data longer than necessary for the purpose for which it was collected. dayX securely destroys Data from its systems when it is no longer required to accomplish the purpose for which it was collected. dayX may, however, retain some Data in order to comply with applicable laws, regulations, rules, and court orders.
If the Data Subject is a customer, upon termination or expiration of their agreement, dayX shall, in accordance with the terms of the Agreement, delete or make available to customer for retrieval all relevant Data (including copies) in dayX’ possession, save to the extent that dayX is required by any applicable law to retain some or all of the Data. In such an event, dayX shall extend the protections of the agreement to such Data and limit any further Processing of such Data to only those limited purposes that require the retention, for so long as dayX maintains the Data.
dayX takes reasonable administrative, technical, and physical measures to safeguard against unauthorized processing or use of Data, and against the accidental loss of, or damage to, Data. These measures include:
i) Making available written plans to identify, prevent, detect, respond to, and recover from cybersecurity threats and incidents;
ii) Developing security authentication procedures for accessing all systems that store Data;
iii) Maintaining patched, up-to-date anti-virus software, firewalls, and other computer security safeguards, and appointing appropriate personnel to be responsible for keeping such safeguards up-to-date;
iv) Requiring that third-party data processors, vendors and other service providers who will be processing Data on behalf of dayX maintain appropriate security measures;
v) Maintaining appropriate records of access to and processing of Data;
vi) Auditing Data security and recording the results of such audits;
vii) Using appropriate protections, such as encryption, to protect Data in transit and when stored on portable computer media as necessary or appropriate;
viii) Utilizing appropriate and secure destruction methods of Data as legally required.
Sharing Data With Third Parties.
dayX may share the Data with Affiliates and third parties that provide services to our customers to the extent such third parties are contractually required to follow the procedures set forth herein, or substantially equivalent standards, and to protect Data in accordance with all relevant laws, regulations and rules, and subject to any appropriate security measures and directions from dayX. Data may not be sold, transferred, or disclosed to other third parties except as authorized in writing.
dayX may engage dayX Affiliates and third party sub-processors (collectively, “Sub-processors”) to Process the Data on dayX’s behalf. The Sub-processors currently engaged by dayX are listed at dayX’s Sub-processor web page: (the “Sub-processor List”). The Sub-processor List shall include a mechanism to subscribe to notifications of any new Sub-processors or changes to the Sub-processor List. dayX shall impose on such Sub-processors data protection terms that protect the Data to the same standards as our agreements and shall remain liable for any breach caused by a Sub-processor.
dayX may, by giving no less than thirty (30) days’ notice to the customer, add or make changes to the Sub-processors. The customer may object to the appointment of an additional Sub-processor within fourteen (14) calendar days and in accordance with the directions set forth in the Sub-processor List.
dayX may replace a Sub-processor if the need for the change is urgent and necessary to provide the Services and the reason for the change is beyond dayX’ reasonable control. In such instances, dayX shall notify the customer of the replacement as soon as reasonably practicable, and the customer shall retain the right to object to the replacement Sub-processor.
dayX employees and third-party contractors may not disclose information made available on dayX systems and networks, including to other dayX personnel, except as expressly authorized by the appropriate manager. The duty of nondisclosure and confidentiality extends to interactions with third parties, including other employees, customers, business partners, and vendors.
The suspected theft, loss, or unauthorized processing of data, including Data, must be immediately addressed. dayX will take immediate steps to investigate the cause of the security breach and make every effort to contain the breach. dayX must follow the steps set forth in the Data Security Incident Response Plan when responding to security incidents.
dayX has designated an individual to handle complaints and disputes regarding the use of Data. This person may be contacted by Data Subjects for complaints or disputes about how their Data is handled. These complaints and disputes shall be addressed by dayX management. The Privacy Officer is the person authorized to handle complaints and disputes.
dayX employees who violate this Policy may be subject to disciplinary actions, up to and including termination of employment.
As is appropriate, dayX may modify its procedures for the handling of Data, but material changes to the handling of Data cannot be applied retroactively without the express consent of the Data Subject or customer unless consent was not necessary to collect and use the Data.
To facilitate compliance with this Policy and to protect its workers, systems, information, and assets, dayX may review, audit, monitor, intercept, access, and disclose information processed or stored on dayX equipment and technology, or on personally owned devices accessing dayX networks.
If you have any questions about this guidance, or for additional information or training, please contact us at privacy@dayx.ai.
dayX’ management may monitor, assess, and promote compliance with this Policy by providing guidance regarding implementation of, and adherence to, the Policy; assisting with the design of initiatives to minimize the collection and other processing of Data; designing and conducting appropriate privacy training; serving as an initial point of contact for privacy and Data protection issues; handling privacy complaint investigations and resolutions; providing guidance regarding contracts for processing Data; monitoring legal developments regarding privacy and data protection; and providing an ongoing assessment of compliance with applicable laws and industry best practices.
Training.
All dayX employees shall receive annual training on our privacy and security programs and procedures.
Welcome to dayX’s Sub-Processor page where we maintain a current list of sub-processors authorized to process data on dayX’s behalf. dayX performs due diligence on the information security practices and data protection compliance of all sub-processors and requires each to commit to written obligations regarding their security controls and applicable regulations for the protection of personal data.
Name | Related Service |
---|---|
Amazon Web Services | EC2, RDS, S3, WAF & Shield, Secrets Manager, EKS (Elastic Kubernetes), CodePipeline, CloudWatch, ALB, Route 53, SNS |
Auth0 | Underlying authentication mechanism for the application |
DigitalOcean | Dev & Test environment |
GitHub | Code Versioning Service |
Google Workspace | Productivity and collaboration tools |
HubSpot | CRM Platform for Inbound Marketing and Sales |
Jira | Issue Tracking |
Slack | Productivity and collaboration tools |
Tailscale | VPN for AWS bastion host |
Zoom | Conference Call Software |