Privacy and Cookies Policy

1.INTRODUCTION AND SCOPE OF THIS PRIVACY AND COOKIES POLICY

1.1 CSIdentity Corporation, with registered office at 1501 South Mopac Expressway, Suite 200 Austin, TX 78746 as your Data Controller (“CSID,” “we” “us” and “our”) respects individual privacy and values the confidence of our subscribers. This Privacy and Cookies Policy sets out the privacy principles that we follow with respect to processing your personal information in the course of providing our services, including but not limited to our web portal at www.intesasanpaolo-protezioneidentita.mastercard.com (the “web portal”) and our telephone helplines (collectively the “services”). We will only collect, use and disclose personal information in a manner consistent with the privacy laws applicable to us. By using any of CSID’s services, you consent to the data practices described in this Privacy and Cookies Policy.

1.2 The CSID’s Italian privacy representative is

EVERSHEDS Associazione Professionale

Via del Plebiscito n. 112

00189 – Roma (ITALY)

T: + 39 06 8932701

Fax +39 06 3201012

1.3 This Privacy and Cookies Policy applies to all personal information processed by CSID in respect of the services we offer to eligible cardholders.

2. WHAT INFORMATION DO WE COLLECT AND HOW DO WE COLLECT IT?

2.1When you register to use our services and for the duration of any services we provide to you, we will collect “personal information” (also referred to as “personal data”) from which we can identify you (either solely from the information you have given us or when we combine it with other information that we hold), such as your: name, date of birth, postal and e-mail address, phone number, national identifier or social security number (as applicable) and credit card details. Please note that this list is not exhaustive and may be updated from time to time, in accordance with section 15.

2.2 For example we collect personal information from you when:

2.2.1 you contact us through our helpline in respect of our Restoration services;

2.2.2 you enrol with our CyberAgent® Internet Surveillance services through our web portal; and

2.2.3 we provide our services to you, as requested.

2.3 Please note that the list above is not exhaustive and may be updated from time to time, in accordance with section 15.

3. HOW DO WE USE YOUR INFORMATION?

3.1 We will use your personal information to access and monitor various data sets that you request us to monitor as part of your identity protection service and for the prevention and detection of fraud.

3.2 To the extent permitted by applicable law, we will use the information you provide us for the following purposes:

3.2.1 providing you with the services you have requested;

3.2.2 administering our relationship with you (for example to process your online account registration and enforcing our Terms and Conditions (such as determining your eligibility for the services);

3.2.3 responding to your technical or other queries;

3.2.4 internal business purposes (for example, for record keeping, audit and, where necessary, to restructure or sell any or all of our business and/or assets);

3.2.5 developing our services (including by way of statistical analysis); and

3.2.6 compliance with our legal, regulatory and other good practice obligations.

3.3 Please note that the list above is not exhaustive and may be updated from time to time, in accordance with section 15.

3.4 Your personal data will also be processed by way of electronic means, by technical staff and service providers in respect of the relevant processing, or otherwise by those tasked with maintenance activities as may be necessary from time to time.

4. DO WE DISCLOSE OR SHARE YOUR INFORMATION?

4.1 We will share your personal information with third parties only in the ways that are described in this Privacy and Cookies Policy. We do not sell your personal information to, or share such personal information with, third parties for their promotional use or for marketing purposes.

4.2 In order for us to provide you with our identity protection service and for the prevention and detection of fraud, we will share your personal information with third parties who perform services on our behalf. These companies are authorized to use your personal information only as necessary to provide their services to us. We may also share your information with Mastercard in connection with the provision of the services to you.

4.3 We may also disclose your personal information to governmental and regulatory bodies and other third parties where required to do so by applicable law, such as to comply with a court order or a request from a regulator or similar legal process or where otherwise necessary to comply with a legal obligation or for the administration of justice.

4.4 In addition, in the event of a merger, acquisition, or any form of sale of some or all of our assets to a third party, we may also disclose your personal information to the third parties concerned or their professional advisors. In the event of such a transaction, the personal information held by CSID will be among the assets transferred to the buyer.

4.5 When you close your account, we may continue to process your personal data, to the extent permitted by applicable law.

5. HOW DO WE USE AGGREGATED AND ANONYMOUS INFORMATION?

5.1 Aggregated personal information does not personally identify you. It may be used for statistical analysis and administration, including analysis of trends, carrying out actuarial work, tailoring services, risk assessment and analysis of costs and charges in relation to our services.

5.2 We may provide analysis of our customers in the aggregate or otherwise in anonymous form to prospective partners, group companies, service providers and other third parties.

6. IS YOUR INFORMATION SECURE?

6.1 We have appropriate physical, technical and organizational measures in place to protect your personal information that comply with applicable law. When you enter financial information (such as a credit card as part of the enrollment process), we encrypt the transmission of that information using secure socket layer technology (SSL).

6.2 When you submit personal information to CSID through our website, you should be aware that your personal information is transmitted across the Internet and that no method of transmission over the Internet is 100% secure. Although we take reasonable security measures to protect your personal information when we receive it, you also need to ensure you take appropriate steps to protect your personal information.

7. WILL WE SEND YOU OFFERS OF OTHER CSID PRODUCTS AND SERVICES?

Our range of identity protection products and services is constantly evolving to match the increasingly sophisticated market in which we operate. We will not send you details of other CSID products without your prior consent (in accordance with applicable laws) and you can change your mind at any time by contacting us. If you no longer wish to receive our promotional communications, you may opt-out of receiving them by following the instructions included in each communication or by e-mailing us at the e-mail address provided below.

8. WHEN DO WE TRANSFER YOUR PERSONAL INFORMATION OVERSEAS?

8.1 Your information will be transferred to, stored, and processed in the United States of America where CSID is based. We will take appropriate measures to protect your privacy and the personal information we transfer.

9. NOTICE, CHOICE AND DATA INTEGRITY – RELEVANCE, RETENTION AND ACCURACY

9.1 Note that certain information may be subject to policies of CSID that may differ in some minor respects from this Privacy and Cookies Policy, in which case, these differences will have been highlighted to you when signing-up for our services.

9.2 At the time we collect your personal information we will state clearly the purposes for which your data will be required and any third parties to whom it may be disclosed. We will also provide options for you to receive details of services that may be of interest and benefit to you.

9.3 We will use the personal information you supply us with solely for the purpose of providing you with the services you have requested and for administering our relationship with you, internal business purposes and statistical analysis, to the extent each is permitted by applicable law.

9.4 We will take appropriate steps to ensure that all personal information is relevant to its intended use, accurate, complete, and current.

9.5 We will use this data to access and monitor various data sets that you request us to monitor as part of your identity protection service and for the prevention and detection of fraud. When you close your account, we may continue to use and share information about you to the extent is it required and/or permitted by applicable law.

9.6 We will keep your personal information only as long as we need it for the purposes for which we collected it, or as required or permitted by law.

10. YOUR RIGHTS - ACCESS AND CORRECTION

10.1 You have the right to obtain confirmation as to whether or not your personal data is processed by CSID and receive communication of such data in an intelligible form.

10.2 You have the right to be informed of the:

10.2.1 source of your personal data;

10.2.2 purposes and methods of the processing;

10.2.3 logic applied to the processing, if the latter is carried by electronic means;

10.2.4 identity of the data controller in respect of your personal data and of any data processors that the data controller may instruct to process your personal data from time to time;

10.2.5 the identity of the privacy local representative; and

10.2.6 details of any persons to whom CSID disclosed your personal data (unless CSID is prohibited from providing such information pursuant to applicable law).

10.3 Subject to applicable law, you have the right to:

10.3.1 request your personal data be updated or amended where information be inaccurate;

10.3.2 request the erasure, anonymization or blocking of your data if it is being processed unlawfully, including where data is being retained for a period that is unnecessary for the purposes for which it was collected or subsequently processed; and

10.3.3 receive confirmation that any of the requests above have been notified to the relevant party and action taken, unless this is impossible or involves a manifestly disproportionate effort.

10.4 You have the right to object, in whole or in part,

10.4.1 on legitimate grounds, to the processing of your personal data; and

10.4.2 to the processing of your personal data for direct marketing purposes or for communication surveys.

10.5 To exercise any of your rights (as listed above), including to request the deletion of your information, please contact us through one of the methods listed below in section 17.

10.6 Alternatively, if your personally identifiable information changes, or if you no longer desire our service, you may correct, update, amend, or deactivate it by making the change on our subscriber profile page or by contacting us through one of the methods listed below in section 17.

10.7 You may request a copy of the information we hold about you by writing to the contact listed below in section 17. We may ask you to provide sufficient evidence of your identity for your own protection so we can ensure that information is being released to the correct person. We will respond to any such request as soon as possible and, in any event, within 30 days.

11. DATA SHARING AND INTERNATIONAL TRANSFERS

11.1 Except as described in this Privacy and Cookies Policy, we will not share your personal information with third parties without your consent.

11.2 If we transfer your personal information to another country, we will take appropriate measures to protect your privacy and the personal information we transfer.

12. ENFORCEMENT

We will verify adherence to this Privacy and Cookies Policy via in-house and third party compliance audits. In addition, if necessary, we will cooperate with an independent third party as a means of providing you with a mechanism by which any complaints and disputes can be investigated and satisfactorily remedied.

13. DO WE USE COOKIES?

13.1 When you visit our web portal, we generate one or more “cookies.” A cookie is a small text file that is temporarily stored in your browser to be used to facilitate your experience on our website.

13.2 We use both session ID cookies and persistent cookies.

13.3 Specifically, we use session-based cookies in order to store language and other country specific preferences such as support contact information. CSID may also utilize cookies in order to track internal metrics of site usage. At no time will this information be provided or sold to any third party affiliates or marketing companies. A session ID cookie expires when you close your browser.

13.4 A persistent cookie remains on your hard drive for an extended period of time. Persistent cookies also enable us to track and target the interests of our users to enhance the experience on our site. You can remove persistent cookies by following directions provided in your Internet browser’s “help” file.

13.5 The use of cookies by our partners and tracking utility service providers is not covered by our Privacy and Cookies Policy. We do not have access or control over these cookies. Our partners and tracking utility service providers use persistent cookies to help us with site optimization.

13.6 On our web portal, we use two “essential” or “strictly necessary” cookies that expire when your session is terminated or when you leave our site. The first essential cookie increases site security by preventing you from using multiple concurrent sessions while the second essential cookie helps us to determine which site’s brand you are referencing when you navigate to our site. Our ‘strictly necessary’ cookies are not used for the purposes of marketing and/or advertising. See further detail below.

Cookie Name

Cookie Type

Purpose

Duration

Enable/disable?

PHP Session ID

Strictly Necessary

Prevents the use of concurrent users (security)

Session

Can be disabled through browser

Partner Number

Strictly Necessary

Used to initiate the user’s session in the appropriate site

Session

Can be disabled through browser

13.7 On our web portal, we also use Google Analytics to monitor aggregate user behavior patterns. Google Analytics uses first-party cookies to report on user interactions on our web portal. These cookies are used to store non-personally identifiable information. For further information on Google Analytics and Google’s use of data generated through Google Analytics see here.

13.8 You can manage your preferences in respect of cookies through your browser settings. Please note that if you choose to disable cookies through your browser, a part of, or even the entire web portal, may become inoperable. Instructions for disabling cookies on your browser (as applicable) are outlined below:

13.8.1 Google Chrome: https://support.google.com/accounts/answer/61416?hl=it

13.8.2 Apple Safari: https://support.apple.com/kb/PH19214?viewlocale=it_IT&locale=en_US

13.8.3 Microsoft Internet Explorer: http://windows.microsoft.com/en-US/windows7/how-to-manage-cookies-in-internet-explorer-9

13.9 We may employ a software technology called clear gifs (a.k.a. Web Beacons/Web Bugs) in our HTML-based emails. Clear gifs are tiny graphics with a unique identifier, similar in function to cookies, that we use to let us know which e-mails have been opened by recipients and to gauge the effectiveness of our transactional based communications. In contrast to cookies, which are stored on a user’s computer hard drive, clear gifs are embedded invisibly on Web pages and are about the size of the period at the end of this sentence. We do not tie the information gathered by clear gifs to your personal information.

13.10 To the extent you are accessing the web portal from within Italy, the CSID’s Italian privacy representative is:

EVERSHEDS Associazione Professionale

Via del Plebiscito n. 112

00189 – Roma (ITALY)

T: + 39 06 8932701

Fax +39 06 3201012

14. LINKS TO OTHER WEBSITES

Our web portal may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide while visiting such sites and such sites are not governed by this Privacy and Cookies Policy. You should exercise caution and look at the privacy statement applicable to the website in question.

15. AMMENDMENTS

We may update this Privacy and Cookies Policy to reflect changes to our information practices. If we make any material changes we will update you by means of a notice on this Site prior to the changes taking effect. We encourage you to periodically review this page for the latest information on our privacy practices and this Privacy and Cookies Policy.

Please click this link to access the previous version of this Privacy and Cookies Policy, if applicable.

16. HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION FOR?

16.1 We will not keep your personal information for longer than is necessary in relation to the purpose(s) for which we have collected it or than as required by applicable laws or our data retention policy, whichever is longer.

16.2 However, it may not always be possible to completely remove or delete all of your personal information from our databases because of back-ups and other technical reasons. Where this is the case, we will take steps to ensure that your personal data is suppressed in order to render it unusable.

16.3 Please tell us if you cancel the credit card that is connected with your use of our services so that we are able to securely delete your personal information from our systems (where we do not need to retain the same as described above for other lawful reasons).

17. HOW DO YOU CONTACT US AND/OR EXERCISE YOUR RIGHTS?

17.1 Depending on where you are based, you may have certain rights to request copies or access, and in some cases oppose the processing of, your personal information.

17.2 If you have a question regarding our privacy practices, please contact us using the details below.

17.3 If you (1) have questions, comments, and/or complaints regarding CSID’s Privacy and Cookies Policy or how we collect, transmit, and process your personal information, or (2) want to exercise your rights regarding your personal information, please contact us by:

E-MAIL

privacy@csid.com

MAIL

CSID

Attn: Legal Department

1501 South Mopac Expressway, Suite 200

Austin, TX 78746

EVERSHEDS Associazione Professionale

Via del Plebiscito n. 112

00189 – Roma (ITALY)

T: + 39 06 8932701

Fax +39 06 3201012

Effective Date: May 17, 2016