Thank you for your interest in our website. In the following, we will inform you in detail about the processing of personal data when using this website:

1. Who is responsible for data processing?

2. To what extent is personal data processed?

   1. Collection of personal data when you visit our website

   2. Spreadshirt Partners: Shop Partners and Marketplace Designers

   3. Communication with Spreadshirt

   4. Processing of data for web analytics

   5. Usage-based online advertising

   6. Processing of personal information when using our mobile application for Partners

3. What are my rights?

4. Is my information secure?

5. Do-not-track (“DNT”) Requests

6. Privacy Statement for California Residents

7. Children’s Online Privacy Protection

8. Effective Date and Changes

Personal data means all data that can be personally related to you, e.g. name, address, telephone number, email address or user behavior.

1. Who is responsible for data processing?

The service provider and party responsible for processing personal data (“controller”) is Spreadshirt, Inc., 1572 Roseytown Road, Greensburg, PA 15601 (“Spreadshirt”).

If you have any questions about the collection, processing, or usage of data; if you have requests for information, correction, disabling or deletion of data; or if you want to revoke a previously given consent; or if you want to object to the usage of your information for advertising purposes, please use the settings provided in your account’s user area, or else contact us at one of the following addresses:

Email: info@spreadshirt.com
Fax: 1-877-202-0251
Postal Mail: 1572 Roseytown Road, Greensburg, PA 15601

2. To what extent is personal data processed?

2.1 Collection of personal data when you visit our website

a) Log files

If you visit our site for informational purposes but don’t register with us, create an account, order something, or otherwise deliberately transfer information to us, we collect information from your browser to help us serve our websites to you. In particular, we collect

• IP address,

• date and time of the request,

• time zone difference to Greenwich Mean Time (GMT),

• name of the requested file,

• access status/HTTP status code,

• volume of data transferred,

• the page from which you came to visit us,

• your operating system and its interface,

• your browser type and the language and version of the browser software,

• a report of successful retrieval

The data is technically necessary for us to display our website to you. It is also evaluated to make the website user-friendly and to ensure stability and security. For this purpose, we partly use the external web hosting service providers Fastly, Inc. and Amazon Web Services, Inc. In connection with this processing, data may be transferred to the USA. (See Section 3). The legal basis for the processing is our legitimate interests.

b) Cookies and similar technologies

We also use “cookies” on our sites. Cookies are small text files that are assigned to your browser and stored on your device. Through them, certain information flows to the place that sets the cookie, such as settings or data for exchange with the system. This helps us to make our website more user-friendly and effective overall. Cookies cannot execute programs or transmit viruses to your device.

Our website uses the following types of cookies:

• Session cookies,

• Long-term or persistent cookies,

• Third-party cookies.

Session cookies store what’s called a session ID, which can be used to assign different requests of your browser to a common session. This allows your device to be recognized when you return to our website. For example, this lets you store certain information you have entered (such as log-in information, language settings) in such a way that you do not have to repeat it constantly. Session cookies are automatically deleted when you log out or close your browser.

Persistent cookies remain on your device for the time being, so that we can recognize your browser on your next visit and we can, for example, assign your preferred information and settings. Long-term cookies are automatically deleted after a specified period, which may vary depending on the cookie.

When you visit our website, our partner companies also store third-party cookies on your device. The cookies contain information about how our website is used, e.g. which pages and products were visited. The data is collected in a pseudonymized form by assigning an identification number, which is not combined with any other personal data you may have provided to us.

To the extent that cookies are necessary for the operation of our Website (for example, the Log-in session cookie), our legal basis for this is our legitimate interests. For cookies and technologies that serve the purposes of advertising and analytics, our legal basis for this is your consent. You provide your consent by clicking the ”Okay“ button in the cookie banner that appears when your visit our website.

You can delete cookies in your browser settings at any time or prevent them from being stored, although the latter may result in a restriction of the functionality of our website for you. In the relevant sections of this Privacy Policy, we explain which technologies that are comparable to cookies are used on our website and how you can object to the use of cookies and other technologies with the individual third-party providers.

2.2 Spreadshirt Partners: Shop Partners and Marketplace Designers

1. If you want to offer designs on our marketplace or operate a shop, it is necessary for the conclusion of a contract with us that you use your email address to open a password-protected user account and store your name and address there. For the payout of earnings, it is necessary that you additionally provide your bank details or your PayPal information as well as information about your tax status. Any other information you may provide to us when using the account is voluntary. You do not have to enter a real name when choosing your username. You can manage and change this information in your account. You can also deactivate or erase it – or the entire user account. If this affects data necessary for the performance of the contract, we may retain that data for a longer period in accordance with commercial and tax regulations (standard period of ten years). We process this data to conduct the contractual relationship that exists with you; the legal bases are to perform under a contract and our legitimate interests.

2. Within the scope of the contractual relationship, we also process the email address provided by you in order to send you emails at irregular intervals containing information and tips about the Marketplace and your shops (“Partner Newsletter”). We use your name to allow us to personalize these emails. To this end, the data is passed on to the software company Emarsys eMarketing Systems AG, Hans-Fischer-Straße 10, 80339 Munich, Germany (“Emarsys”), which handles the technical side of the mailing on our behalf. You can unsubscribe from the Partner Newsletter at any time by clicking on the unsubscribe link provided in each email, informing us via the contact details specified in Section 1, or changing your newsletter settings in your user account (“Account Settings” – “Newsletter subscriptions”).
   
   When sending the Partner Newsletter, we use Emarsys to statistically evaluate your user behavior in order to optimize the design. To enable this evaluation, the emails contain what are called web beacons or tracking pixels. These are single-pixel image files that establish a connection to our website und thus permit a log file analysis. The web beacons are linked with the data mentioned in Section 2.1 a and an individual ID. The links contained in the email also contain this ID. For example, we can see if and when an email has been opened and which links have been clicked on. The data is stored on the Emarsys servers for 13 months and collected pseudonymously, meaning the IDs are not linked to other personal data at this point, thus ruling out any possibility of direct personal reference. You can object to the recording of your usage behavior at any time by clicking on the unsubscribe link provided in each email, informing us via the contact options listed in Section 1, or changing the newsletter settings in your user account (“Account settings” – “Newsletter subscriptions”). Recording is not possible if you have disabled the display of images in your email settings. In this case, the newsletter will not be displayed to you in full and you may not be able to use all functions. If you choose to display the images manually, recording will take place as described above.
   
   The legal bases for the processing are your consent, to perform under a contract, and our legitimate interests.

3. If you store your address in your user account, we use Google Maps Autocomplete, a service of Google LLC (“Google”). This allows an address you start typing to be completed automatically. This helps us verify your address, which we do for tax reasons. Google sometimes conducts a geolocalization using your IP address. We also use Google Fonts to enhance the user experience in the Partner section of your account as well as Google Calendar to inform you about Partner-related promotions for customers. Via these services and applications, Google receives the information that you have retrieved the corresponding subpage of our website. In addition, the data referred to in Section 2.1 is transmitted. This is regardless of whether you have a Google account and are logged in. Once you are logged in to your Google Account, the information will be directly associated with your account. If you do not want this assignment to occur, you must log out before entering your address. Google stores your data as user profiles and uses it (even in the case of users who are not logged in) for the purposes of advertising, market research and/or the needs-oriented design of its own website. Google also processes your data in the USA (see Section 3). You can object to Google creating such user profiles. For more detailed information about the purpose and scope of data processing by Google and about protecting your privacy, please refer to Google’s Privacy Policy: https://policies.google.com/privacy. The binding terms of use for Google Maps/Google Earth can be found here: https://www.google.com/help/terms_maps.html. Third-party provider information: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
   
   The legal basis for the processing is our legitimate interests.

4. We will share your information with third parties in specific circumstances. If we sell all or part of our business, or make a sale or transfer of assets, or are otherwise involved in a similar event, we may transfer your information as part of that transaction. In addition, there are a few times when we must share your information either to protect our rights, to further our legitimate interests, or to comply with a legal obligation to which we are subject. We will share your personal information when we believe in good faith that:

   • a subpoena or warrant is duly issued, or we receive any other legitimate government agency request to produce information;

   • we need to share the information in order to enforce or protect our own rights, for example, to respond to and resolve third-party claims or complaints, or with respect to contracts with our users and third parties;

   • we need to address a security or technical issue within our website;

   • sharing the information is necessary to prevent harm to others or others’ property, especially in an emergency situation.

2.3 Communication with Spreadshirt

a) Establishing contact

If you contact us via a contact form, letter, fax, email, social media or telephone, we process the data provided by you for the purpose of processing your inquiry and for advertising purposes. We use the software of Sematell GmbH, Neugrabenweg 1, 66123 Saarbrücken, Germany, to coordinate and process emails, which means that Sematell GmbH gains access to the data. We use the management software of Hootsuite Media, Inc, 5 East 8th Avenue, Vancouver, BC, Canada to coordinate and process enquiries via our social media channels Twitter, Facebook and Instagram. The legal basis for the processing is our legitimate interests. If the aim of establishing contact is to conclude a contract, then an additional legal basis is to perform under a contract.

b) Blog

In our blog, where we publish various articles on topics related to our activities, you can post public comments. Your comment will be published along with your chosen username. We recommend using a pseudonym instead of your real name. It is necessary to provide a username and email address, while all other information is voluntary. The necessary information is processed to run the blog. We need your email address to contact you if a third party should complain that your comment is unlawful. We reserve the right to delete comments if third parties complain that they are unlawful. The legal basis for the processing is our legitimate interests.

c) Forum

With the exception of a few sections, our Forum can be read without the need to register. If you wish to actively participate in the Forum under your chosen username, you must log in using your Spreadshirt user account access data. To open a Spreadshirt user account, only your email address and a password are required. We process your activities (public posts, private messages, likes, profile information, activity logs) and your IP address in order to operate the Forum. The legal basis is our legitimate interests. If you deactivate or delete your user account, your public posts will continue to be visible. If you would like your public posts to be deleted, please contact us using the contact details provided in Section 1. When writing a comment and in the Forum settings (under “Preferences” – “Emails” and “Notifications”), you can specify in which cases and to what extent you would like to be notified by email about new activities in the Forum. You can unsubscribe again at any time, either in the Forum settings or by clicking on the unsubscribe link contained in the respective notification email.

2.4 Processing of data for web analytics

a) Adobe Analytics

To allow us to analyze and regularly improve the use of our website, our website also uses the Adobe Analytics web analytics service. The statistics and A/B test results that this yields allow us to improve our website and make it more interesting for you as a user. In exceptional cases, personal data may be processed in the USA (see Section 3).

The analysis involves storing cookies (see Section 2.1 b) on your device. The information collected in this way is stored on servers, including in the USA. We would like to point out that if you prevent the storage of cookies, you may not be able to use this website in its entirety. You can adjust your browser settings to prevent the storage of cookies. You can also prevent Adobe Analytics from recording your data on this website by clicking here: Disable Adobe AnalyticsEnable Adobe Analytics. This will place an opt-out cookie which prevents recording when you visit our website in future. The opt-out cookie is set per top-level domain, per browser and per device and only prevents the recording of data for this website. How to prevent the recording of your data on other websites is explained on the respective sites and at https://www.adobe.com/privacy/opt-out.html.

Our website uses Adobe Analytics with the settings “Before Geo-Lookup: Replace visitor’s last IP octet with 0” and “Obfuscate IP-Removed”, which removes the last octet from your IP address and replaces it with a generic IP address, i.e. one that can no longer be assigned. Any personal connection can therefore be ruled out.

The legal basis for the processing is your consent. You may revoke your consent anytime as described above (without this affecting the lawfulness of the processing up to the point of revocation).

Third-party provider information: Adobe Systems Software Ireland Limited, 4–6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland; privacy@adobe.com; Adobe’s privacy policy: https://www.adobe.com/privacy/policy.html.

b) Hotjar

Our website also uses the web analytics service Hotjar from Hotjar Ltd. This service allows us to track movements on our website (so-called heat maps). These make it possible to see how much time you spend on which pages, how far you scroll, the movement of your mouse and how often you click on certain links and buttons. Your keystroke data, i.e. your entries in input fields, are not recorded. Hotjar uses cookies (see point 2.1 b) to collect this information about your behavior, as well as the following information about your device: IP address of the device (only collected and stored in an abbreviated, anonymized form), screen size, device type (unique device identifiers), browser used, geographic location (country only) and language preferred when viewing the online offer. Hotjar Ltd. stores the information on servers in Ireland for 365 days, after which the data is deleted. Neither Hotjar Ltd. nor we will merge or associate the information with any other data about you, and it will not be used to identify individual users. The data collected by Hotjar Ltd. is only used for our internal evaluation of the user behavior when interacting with our online offer. It is used to improve aspects of user-friendliness of our website. The legal basis for the processing is your consent. You may revoke your consent anytime as described below (without this affecting the lawfulness of the processing up to the point of revocation).

You can prevent the storage of cookies by selecting the appropriate settings in your browser software; however, please note that if you do this you may not be able to use the full functionality of our website. You can also prevent Hotjar from recording your data on this website by clicking here: Disable HotjarEnable Hotjar. This will place an opt-out cookie which prevents recording when you visit our website in future. Please note that if you delete all cookies on your device, this opt-out cookie will also be deleted; in this case, if you still wish to object then you must place the cookie again using the above button. The opt-out cookie is set per top-level domain, per browser and per device, and only prevents the recording of data for this website. How to prevent collection on other websites is explained on the respective site and here: https://www.hotjar.com/privacy/do-not-track/.

Third Party Information: Hotjar Ltd, Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ, Malta. For more information about Hotjar Ltd.'s privacy practices, please see their privacy policy: https://www.hotjar.com/legal/policies/privacy.

2.5 Usage-based online advertising

Our website uses various conversion tracking and retargeting technologies made available by other service providers. We use these technologies to make our website interesting for you. The information also helps us to address users who have already shown an interest in our products with individually tailored advertising on the websites of our partner companies. We assume that the display of personalized, interest-based advertising is generally more interesting for the internet user than advertising that has no such personal relevance. At the same time, we want to avoid inappropriate and intrusive advertising.

General information about third-party advertising-based technologies and how to disable them can be found on the following websites, among others:

• Your Online Choices: http://www.youronlinechoices.eu/

• YourAdChoices: http://optout.aboutads.info/?c=2#!/

• Network Advertising Initiative: http://optout.networkadvertising.org/?c=1#!/

a) Use of Google Ads-Conversion-Tracking and Google Ads Remarketing

- Google Ads-Conversion-Tracking

We use Google Ads, a service of Google LLC (“Google”), to use ads (so-called Google AdWords) to draw attention to our offers on external websites. In relation to the data of advertising campaigns, we can identify how successful the individual advertising activities are. In this way we want to show you advertising that is of interest to you, make our website more attractive to you and achieve a fair calculation of advertising costs.

These ads are deployed by Google via ‘ad servers’. For this purpose, we use ad server cookies, which enable the tracking of certain parameters for measuring success, such as the display of ads or clicks by users. If you arrive at our website via a Google ad, Google Ads will store a cookie on your device. These cookies usually expire after 30 days and are not intended to identify you personally. Analysis values usually stored for this cookie are the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions) and opt-out information (marker showing that the user no longer wishes to be targeted).

These cookies allow Google to recognize your internet browser. If a user visits certain pages of an Ads customer’s website (in this case ours) and the cookie stored on their device has not yet expired, Google and the customer can recognize that the user has clicked on the ad and has been redirected to this site. Each Ads customer is assigned a different cookie. Cookies cannot therefore be tracked via the websites of Ads customers. We do not collect and process any personal data in the aforementioned advertising activities. Google merely provides us with statistical evaluations. On the basis of these evaluations we can identify which of the advertising activities used are particularly effective. We do not receive any further data from the use of ads; in particular we cannot identify users on the basis of this information.

Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. We have no influence on the extent and further processing of the data collected by Google through the use of this tool and therefore inform you according to what we know: By integrating Ads Conversion, Google receives the information that you have retrieved the corresponding part of our website, or that you have clicked on one of our ads. If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged in, it is possible that Google will obtain and store your IP address.

- Google Ads Remarketing

Besides AdWords Conversion, we also use Google’s remarketing feature. This is a process we use in an attempt to contact you again. After visiting our website, this feature makes it possible to show you our ads when you continue to use the internet. This is done by means of cookies stored in your browser, which Google uses to record and evaluate your usage behavior when visiting various websites. This is how Google can determine that you have previously visited our website. According to its own information, Google does not combine the data collected in the context of remarketing with your personal data, which may be processed by Google. Specifically, according to Google, pseudonymization is used during remarketing.

There are various ways in which you can prevent your participation in this tracking procedure:

• By setting your browser software accordingly; in particular, disabling cookies from third party providers means that you will not receive any ads from third-party providers;

• By permanent deactivation in your browser Firefox, Internet Explorer or Google Chrome via the link: http://www.google.com/settings/ads/plugin. Please note that by doing this you may not be able to properly use the full functionality of our website.

• By clicking on the following button: Disable Google AdsEnable Google Ads. This will place an opt-out cookie which prevents recording when you visit our website in future. The opt-out cookie is set per top-level domain, per browser and per device and only prevents the recording of data for this website.

• By disabling interest-based ads from providers who are part of the “YourAdChoices” self- regulation initiative via the link http://optout.aboutads.info/?c=2#!/; please note that this setting will be erased if you erase your cookies.

The legal basis for the processing is your consent. You may revoke your consent anytime as described above (without this affecting the lawfulness of the processing up to the point of revocation).

Third-party provider information: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (see Section 3). For further information about privacy at Google, please refer to: https://policies.google.com/privacy and https://services.google.com/sitestats/en.html. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at: http://www.networkadvertising.org.

b) Use of Facebook Custom Audiences, Facebook Website Custom Audiences and Facebook Conversion Tracking

- Facebook Custom Audiences

Our website also uses the Website Custom Audiences remarketing function of Facebook, Inc. (“Facebook”). This allows users of the website to see interest-based ads (“Facebook Ads”) when visiting the social network Facebook or other websites that also use the process. Our intention here is to show you ads that are of interest to you.

Due to the marketing tools used, your browser automatically establishes a direct connection to the Facebook server. We have no influence on the extent and further processing of the data collected by Facebook through the use of this tool and therefore inform you according to what we know: By integrating Facebook Custom Audiences, Facebook receives the information that you have retrieved the corresponding part of our website, or that you have clicked on one of our ads. If you are registered with a Facebook service, Facebook can associate the visit with your account. Even if you are not registered with Facebook or have not logged in, it is possible that Facebook will obtain and store your IP address and other identifying information.

- Facebook Website Custom Audiences

Our website also uses the Facebook product “Custom Audiences from your website”. For this purpose, we have integrated remarketing tags (so-called Facebook Pixel or web beacon) into our website. The Facebook Pixel is a small piece of JavaScript code that provides a range of functionalities for sending application-specific events and user-defined data to Facebook. We use the Facebook Pixel to track how visitors use our site. The Facebook Pixel records and reports to Facebook information about the user’s browser session, a hashed version of the Facebook ID, and the URL being viewed. Every Facebook user therefore has a device-independent Facebook ID, which enables us to recognize users across multiple devices on the social network Facebook so that we can use Facebook Ads to reach our visitors again for advertising purposes. After 180 days, the user information is deleted until the user returns to our website. No personal information is transmitted to us about individual website visitors, and we can only specifically deploy ads to website custom audiences if the custom audience has reached a critical size. This makes it impossible for us to determine the individual identities of visitors.

- Facebook Conversion Tracking

We also use the Facebook Pixel on our website to measure the reach of ads. This allows us to track users’ actions after they have seen or clicked on a Facebook Ad. The Facebook Pixel records and reports to Facebook information about the user’s browser session, a hashed version of the Facebook ID, and the URL being viewed. The way it works is comparable to Facebook Website Custom Audiences via the Facebook Pixel, which is already described above. Using the hashed Facebook ID, we can measure the reach and effectiveness of an ad to find out whether you are actually interested in our advertising. This enables us to measure the effectiveness of Facebook Ads for statistical and market research purposes. For us, the data used is not personally identifiable

You can prevent Facebook from recording your data on this website by clicking here: Disable Facebook Custom Audiences, Facebook Website Custom Audiences and Facebook Conversion TrackingEnable Facebook Custom Audiences, Facebook Website Custom Audiences and Facebook Conversion Tracking. This will place an opt-out cookie which prevents recording when you visit our website in future. The opt-out cookie is set per top-level domain, per browser and per device and only prevents the recording of data for this website. How to prevent the recording of your data on other websites is explained on the respective sites, and if you are a user who has logged in to Facebook, here: https://www.facebook.com/settings/?tab=ads#_.

The legal basis for the processing is your consent. You may revoke your consent anytime as described above (without this affecting the lawfulness of the processing up to the point of revocation).

Third-party provider information: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland, Telephone: +0016505434800, Fax: + 0016505435325. For more information about data processing by Facebook, please refer to Facebook’s privacy policy: https://www.facebook.com/about/privacy.

c) ShareASale Partner-Program

Our website uses the tracking services of the affiliate network ShareASale, Inc. (“ShareASale“). This allows us to determine which new Shop Owner sign-ups (Section 2.2) are attributable to members of the ShareASale network, and to optimize the recruitment of new Shop Owners. For this purpose, when you visit our website via a ShareASale tracking link, a cookie is placed on your computer (see Section 2.1b). This allows ShareASale to attribute your registration as a new Shop Owner with us to a specific member of the ShareASale network and to reward that member accordingly.

There are various ways in which you can disable this tracking. You can adjust your browser settings to prevent the storage of cookies, although this may result in a restriction of the functionality of our website for you. You also can prevent ShareASale from recording your data on this website by clicking here: Disable ShareASale conversion trackingEnable ShareASale conversion tracking. This will place an opt-out cookie which prevents recording when you visit our website in future. The opt-out cookie is set per top-level domain, per browser and per device and only prevents the recording of data for this website. In addition, you can disable interest-based ads from providers who are part of the “YourAdChoices” self-regulation initiative (http://optout.aboutads.info/?c=2#!/) or e.g. part of the Network Advertising Initiative (http://optout.networkadvertising.org/?c=1#!/); please note that this setting will be erased if you erase your cookies.

The legal basis for the processing is your consent. You may revoke your consent anytime as described above (without this affecting the lawfulness of the processing up to the point of revocation).

Third-party provider information: ShareASale.com Inc., 15 W. Hubbard St. STE 500, Chicago IL 60654, USA (see Section 3). ShareASale Privacy policy: http://www.shareasale.com/PrivacyPolicy.pdf.

2.6 Personal data processing in connection with our mobile Partner-App

In addition to our website, we offer a mobile application (hereafter “SpreadApp”) which you can use to access an overview of your partner statistics (credits, sales, and best-sellers) any time.

a) Personal data processing in connection with our SpreadApp

- Log-in

In order to connect the SpreadApp to your Partner account, you must either scan the provided QR code with your mobile device, or input your email address and password in the provided fields. The legal basis for the processing is to perform under a contract.

- App rights und Notifications

The SpreadApp will be able to access your mobile device camera, if you grant it this permission. This allows you to scan the QR code in order to connect to your Partner account. You will receive notifications from the SpreadApp (for example about new sales) if you allow this in your device’s settings. You may adjust these permissions on your mobile device at any time in the device’s system settings. The SpreadApp functions even with these settings turned off. The legal basis for the processing is your consent.

- Displaying information from your Spreadshirt Partner account

The SpreadApp displays the following information from your Partner account: your username, your partner ID, your credit, and an overview of your sales and best-selling products and designs. This is necessary to supplement your underlying partner contract. The basis for the processing is to perform under a contract.

- Logfiles

We will collect the following personal data when you use the SpreadApp. These data are necessary for technical purposes, in order to facilitate the functioning of the SpreadApp, as well as to ensure its stability and security. The legal bases for the processing are to perform under a contract and our legitimate interests.

• IP address,

• date and time of the request,

• content of the request (specific site),

• the page from which you came to visit us,

• access status/HTTP status code,

• volume of data transferred,

• Browser,

• your browser type and the language and version of the browser software,

• your operating system and its interface,

• Device ID,

• Type and name of your mobile device,

• Screen size and resolution,

• Country and city,

• App Version,

• Your Spreadshirt account number.

b) Processing of data for app analytics

Along with the processing of the above-mentioned data, we use technology similar to cookies in connection with the SpreadApp. We use JavaScript code to send counting impulses to the counting servers of the following service providers. This information allows us to analyze the usage of our SpreadApp. You can prevent the collection of this data by toggling the option during installation, or later in the SpreadApp’s settings menu under “App Analytics.”

- Google Analytics

The SpreadApp uses Google Analytics, an analytics service of Google LLC (”Google“). The information generated about usage is usually transferred to a Google server in the USA and stored there for 26 months. However, due to the activation of IP anonymization in the SpreadApp, your IP address will first be shortened by Google within the Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On our behalf, Google will use this information to evaluate your use of the SpreadApp, to compile reports on app activity and to provide us with other services relating to app usage. The IP address transmitted by your browser in the context of Google Analytics will not be combined with other data held by Google. The SpreadApp uses Google Analytics with the “_anonymizeIp()” extension. Consequently, IP addresses are further processed in shortened form, so that any personal association with the data subject can be ruled out. As far as the data collected about you relates to you personally, that association is therefore ruled out immediately and the personal data thus erased without delay. We use Google Analytics to analyze and regularly improve the use of our SpreadApp. The statistics this yields allow us to improve our website and make it more interesting for you as a user. In exceptional cases, personal data may be processed in the USA (see Section 3). The legal basis for the processing is our legitimate interests.

Third-party provider information: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. See also the terms of use (https://www.google.com/analytics/terms/us.html) and privacy overview (https://support.google.com/analytics/answer/6004245? ) for Google Analytics as well as Google’s privacy policy: https://policies.google.com/privacy.

- Adobe Analytics

We use Adobe Analytics to analyze and regularly improve the use of the SpreadApp. The statistics this yields allow us to improve our website and make it more interesting for you as a user. In exceptional cases, personal data may be processed in the USA (see Section 3). The legal basis for the processing is our legitimate interests. The SpreadApp uses Adobe Analytics with the settings “Before Geo-Lookup: Replace visitor’s last IP octet with 0” and “Obfuscate IP-Removed”, which removes the last octet from your IP address and replaces it with a generic IP address, i.e. one that can no longer be assigned. Any personal connection can therefore be ruled out. The usage information is stored for 25 months.

Third-party provider information: Adobe Systems Software Ireland Limited, 4–6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland; privacy@adobe.com; Adobe’s privacy policy: https://www.adobe.com/privacy/policy.html.

- Sentry

The SpreadApp also uses the service “Sentry“ from Functional Software, Inc. This service identifies and corrects errors and performance issues that arise when using the SpreadApp. We use this service to improve the stability of the SpreadApp by monitoring system stability and coding errors. The Data we collect in this way, such as information about the device or time of the error, are collected anonymously, are not used in connection with individually identifiable data, and are saved for 90 days. The legal basis for the processing is our legitimate interests.

Third-party provider information: Functional Software, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA (see Section 3). For more information about the purpose and scope of data processing by this service provider, see the Functional Software, Inc. privacy policy: https://sentry.io/privacy/.

3. What are my rights?

You have the following rights with respect to your personal data:

• The right to be informed.

• The right of access.

• The right to rectification.

• The right to erasure.

• The right to restrict processing.

• The right to data portability.

• The right to object.

As described in the relevant sections, we sometimes use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly checked.

We have indicated in the applicable section where these external service providers are located outside of the European Union.

To the extent the EU-Commission has determined that the respective country does not have an adequate level of data protection, data transfers (for example into the USA) take place based on appropriate guarantees, in particular, standard contractual clauses which ensure the same level of protection as in the European Union.

The personal data processed by us is generally erased or blocked as soon as the purpose of storage ceases to apply. Data may be stored for a longer period if this has been provided for by laws or other rules to which we as the controller are subject. The data will also be blocked or erased once a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

Further processing operations may be required for contests and other promotional campaigns. In such cases we will inform you in the context of the respective promotional campaign.

4. Is My Information Secure?

We use reasonable measures to secure our website and any private information you submit to us against loss, tampering, unauthorized access, and other malicious acts. For example, we use SSL connections when possible to protect your data while it is in transit (for example login data and customer orders). However, no data transmission over the Internet is completely secure, so we cannot completely guarantee the security of any data. You use our services at your own risk, and are responsible for taking reasonable measures to secure your password, information, and account.

5. Do-Not-Track (“DNT”) Requests

Due to lack of technical standards across browsers, we do not respond to DNT signals.

6. Privacy Statement for California Residents

1. The California Consumer Privacy Act
   This privacy statement supplements the information contained above and applies solely to “consumers” (as defined in the California Consumer Privacy Act (“CCPA”)). All terms defined in the CCPA have the same meaning when used in this section. For example, “consumer” means a California resident, and “personal information” means “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device” but does not include “publicly available,” “de-identified,” or “aggregated” information. In this section, “you” refers only to California residents.

2. Consumer Rights
   Consumers have the following rights under the CCPA:

   • The right to request that a business disclose the categories of personal information it collects, uses, discloses, and sells about the consumer.

   • The right to request the deletion of personal information collected or maintained by a business.

   • The right to request that a business disclose the categories of sources for personal information collection.

   • The right to request that a business disclose the business or commercial purpose for collecting personal information

   • The right to request that a business disclose the categories of third parties with whom the business shares personal information.

   • The right to request that a business disclose to the consumer the specific pieces of personal information it collects, uses, discloses, and sells about that consumer (or any member of the consumer’s household).

   • If a business discloses personal information for a business purpose, the right to request that a business disclose the categories of personal information that the business disclosed about the consumer for a business purpose and the categories of third parties to whom personal information was disclosed for a business purpose.

   • If the business sells personal information for monetary or other valuable consideration, the right to opt-out of the sale of their personal information by a business. This is the so-called “right to opt-out.”

   • The right not to receive discriminatory treatment by a business for the exercise of the privacy rights conferred by the CCPA.

   • The right to make requests under the CCPA by using an authorized agent designated by the consumer.

3. Our Personal Information Collection, Use, and Disclosure
   In the last twelve months, we have collected and disclosed personal information as follows.

4. We collect and disclose personal information for the following business purposes.

   • Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards. Personal Information Categories: A (Identifiers), F (Internet and Network Activity)

   • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. Personal Information Categories: A (Identifiers), F (Internet and Network Activity)

   • Debugging to identify and repair errors that impair existing intended functionality. Personal Information Categories: F (Internet and Network Activity)

   • Short-term, transient use, provided that the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction. Personal Information Categories: A (Identifiers), D (Commercial Information), F (Internet and Network Activity)

   • Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider. Personal Information Categories: A (Identifiers), B (Personal Information as defined by CA Customer Records Law), D (Commercial Information)

   • Undertaking internal research for technological development and demonstration. Personal Information Categories: A (Identifiers), D (Commercial Information), F (Internet and Network Activity)

   • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business. Personal Information Categories: A (Identifiers), D (Commercial Information), F (Internet and Network Activity)

5. We collect and disclose personal information for the following commercial purposes.

   • To observe how our website is used. Personal Information Categories: A (Identifiers), D (Commercial Information), F (Internet and Network Activity)

   • To evaluate the website, optimize it, and make it more user-friendly. Personal Information Categories: D (Commercial Information), F (Internet and Network Activity)

   • To comply with various legal obligations, for example tax reporting laws. Personal Information Categories: A (Identifiers), B (Personal Information as Defined by CA Customer Records Law), D (Commercial Information)

6. Other Information Sale Disclosures

   Do Not Sell My Personal Information. Click the link to the left to learn how to opt out of the “sale” of your personal information as defined in the CCPA.

   We have no actual knowledge that the personal information we sell belongs to minors under 16 years of age.

7. How to Submit Verified Requests

   To submit a request for information or deletion, please e-mail info@spreadshirt.com or call 1-800-381-0815.

   Your request will be processed only if we can verify that you are the person whose personal information is the subject of the request. If we cannot verify your identity, we will ask you to provide corrected verification information, or we will deny the request to the extent necessary.

   If you request a deletion of your personal information, you will be required to confirm this deletion separately via e-mail.

   All requests must be verified, meaning that we must determine that the consumer making the request is the same consumer whose personal information is the subject of the request. Verification methods will vary depending on the request, the sensitivity of the personal information that is the subject of the request, and our ability to associate the provided verification information with information in our records.

   If you request disclosure of categories of personal information collected, used, and disclosed, then we will need to verify your identity by reference to at least two independent pieces of evidence describing different pieces of personal information that match the personal information in our records that is the subject of the request.

   If you request disclosure of specific pieces of personal information, then we will need to verify your identity by reference to at least three independent pieces of evidence describing different pieces of personal information that match the personal information in our records that is the subject of the request.

   If you request deletion of all or some personal information, then we will need to verify your identity by reference to at least two or three independent pieces of evidence describing different pieces of personal information that match the personal information in our records that is the subject of the request. The specific number and type of pieces of evidence will vary depending on the sensitivity of the personal information to be deleted.

   If you do not have an account with us or have not made a purchase with us, it is possible that we will not be able to verify your request no matter what evidence you provide because we do not have enough information in our records to ensure that the information in our records is yours. This is because some of the personal information we gather is not identifiable with a specific individual (for example, a cookie which only stores which products you have previously viewed on our website so that these are shown to you at your next visit).

8. Authorized Agents

   If an authorized agent will make a request on your behalf under this section, your agent must provide evidence of authorization to act on your behalf, along with the same level of verification on the part of both the authorized agent and yourself which would be required of an individual acting on his or her own behalf.

9. Contacting us With Questions or Concerns About our Privacy Policies and Practices

   If you have any questions or comments about the collection, processing, or usage of personal information; if you have requests for information, correction, disabling or deletion of data, please use the settings provided in your account’s user area, or else contact us using the information found at the beginning of this privacy policy.

10. Privacy Policy Last Updated

11. Online Eraser Law (CA Business and Professions Code §§ 22581)

    To the extent it is technically feasible and provided for and allowed by applicable law, California residents under the age of 18 may email info@spreadshirt.com anytime to ask for access to information held about you in order to have it corrected, disabled, or deleted, when possible.

    Note that removal or deletion of your information does not ensure complete or comprehensive removal of the content or information posted on our website and service, or on the internet generally.

12. “Shine the Light” Law (California Civil Code Section § 1798.83)

    California residents who use our website may request certain information about our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please email us at info@spreadshirt.com.

7. Children’s Online Privacy Protection

Our website is not intended or directed at individuals under the age of 13. We do not knowingly collect or keep any information of children under the age of 13. If we discover it, we will delete it as soon as possible.

8. Effective Date and Changes

This policy is effective as of October 12, 2020. Any material changes to this Privacy Policy will be announced to you on the website and/or via email.

Thank you for reading this privacy policy in its entirety!