Welcome to Bindle Systems, Inc. (“Bindle,” “we,” “us,” “our”). We take your privacy seriously and have prepared this privacy notice to explain how we collect and use your personal information, who we share it with, and how we protect it. This Policy covers any information you provide to us, whether through our website or our mobile application (we refer to the combination of these technologies as our “Services” in this policy). This Policy is subject to our Terms of Use.

1. What Data Does Bindle Collect?
   
   The Services, and the information and content available on them, are protected by applicable intellectual property laws. Unless subject to a separate written agreement between you and Company, your right to use any and all Services is subject to these Terms of Use.


2. What is Wallet Data?

   Wallet Data is all of the data that is stored in your Bindle digital wallet, including your name, date of birth, email address, mobile phone number, selfie, COVID-19 related health information and government identification documents that you have uploaded.

3. How We Collect Data Using Your Mobile Device
   
   When we establish your wallet, we will ask your consent for access to your device in order to collect data.
   
   We will ask your consent to:
   
4. Access your camera in order to take photos as part of creating your account or to upload images when creating certificates.
5. Access your photos in order to collect images as part of creating your account or to upload images when creating certificates.
6. Access your audio, video and other files in order to provide documentation when creating certificates.
7. Access your precise location when creating entry passes so we can provide the location and the approximate distance to the location you are selecting.


8. Where is Wallet Data Stored?

   Your Wallet Data is encrypted and stored in a personal data locker that is located on an Internet-connected computer. Your data locker is dedicated only to you. The data is encrypted with military-grade encryption using a private key that is located in the “secure enclave” of your phone. The “secure enclave” is a separate piece of hardware on your phone where any of the most sensitive data you hold on your phone is stored, including credit card numbers, passwords, and private keys.



9. Who Has Access to Wallet Data?

   By placing your private key in the secure enclave of your phone, the only person who can decrypt your data is the person who has the ability to unlock your phone.
   
   As a result, Bindle does not have access to any Wallet Data, nor can it provide your Wallet Data to any third party, without your permission. This means that if a government entity demanded that we hand over the data in your wallet, we would have to respond that we do not have the ability to decrypt your data and that they need to contact you directly. Similarly, if another company were to acquire Bindle, they would not be able to decrypt your data.
   
   We do not share your private key or Wallet Data with Sponsors; rather, with your explicit prior consent, when you create an entry pass using your Wallet Data, you create an asset against which Bindle may check a Sponsor’s entry requirements and return a “yes” or “no” answer to the Sponsor.



10. What is “Non-Wallet Data?”
    
    Non-Wallet data is stored on our servers and on the servers of third-party software providers that we use to deliver our Services.
11. Registration and contact information, such as information you provide when you register to use the Services. Please note that three pieces of data are considered BOTH Wallet Data and Non-Wallet Data: your name, email address and phone number. In other words, when you provide that information during setup, it is kept BOTH in the Wallet (and therefore considered Wallet Data) and outside of the Wallet (and therefore also considered Non-Wallet Data).
12. Feedback or correspondence, such as information you provide when you contact us with questions, feedback, or otherwise correspond with us online.
13. Information you provide as part of your responses to surveys or similar programs from us.
14. Your preferences for receiving communications about our products and services, and details about how you engage with our communications.
15. Wallet Data that you proactively decide to share with a third party as part of using our Services, such as for contact tracing or checking into an event. The only way this Wallet Data becomes Non-Wallet Data is if you proactively opt in by affirmatively agreeing to sharing it with the third party.
16. Cookies, browser web storage (also known as locally stored objects, or “LSOs”), web beacons, IP address, and similar technologies to automatically collect information about your interaction with our services through your computer or mobile device.
17. General location information such as city, state or geographic area.


18. What Other Data Does Bindle Collect?
    
    The below are categories of data that are not associated with an individual’s identity. We may use this data for any legal purpose.
19. Anonymized data related to your Wallet transactions and interactions with our systems or Services.
20. Device data, such as computer or mobile device operating system type and version number, manufacturer and model, device identifier, browser type, screen resolution.
21. Standard web analytics such as online activity data, such as the website a user visited before browsing to our website, and information about a user’s use of and actions on our websites and mobile apps, including pages or screens you viewed, how long a user spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access, and how you respond to emails we send you.


22. How Do We Use Your Non-Wallet Data?
    
    
23. To establish and maintain your account;
24. To provide information about our Services through announcements, updates, security alerts, and support and administrative messages;
25. To secure or protect the Services;
26. To personalize your experience with our Services;
27. To provide support and maintenance for our Services;
28. To analyze and improve our Services;
29. To help develop new products and services;
30. To respond to your requests, questions, and feedback;
31. To send marketing emails related to Bindle’s products and services to the email address you provide to us (provided, however, that any such marketing emails will tell you how to easily opt-out of receiving further marketing emails);
32. To comply with the law. We may use your Non-Wallet Data to comply with applicable laws, lawful requests, and legal process, such as to respond to warrants or subpoenas or other requests from government authorities; and
33. For compliance, fraud prevention, and safety. We may use your Non-Wallet Data and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern the services; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.


34. How Do We Share Your Non-Wallet Data?

    We may share your Non-Wallet Data with our subsidiaries and affiliates that are involved in providing the services to you, but we will only do so if these subsidiaries and affiliates have a privacy policy which is as protective, or more protective, of your Non-Wallet Data as this Privacy Policy.
    
    We may also share your Non-Wallet Data with third party companies and individuals that provide services on our behalf or help us operate the services (such as customer support, hosting, analytics, email delivery, professional advisors, and database management services). These third parties may use your Non-Wallet Data only as directed or authorized by us and in a manner consistent with this Privacy Policy.



35. Information for California Consumers.

    California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information to third parties during the immediately preceding calendar year for third-party direct marketing purposes as directed or authorized by us, along with the names and addresses of these third parties. This request may be made no more than once per calendar year. We reserve our right not to respond to requests submitted other than to the email or postal address specified above. Please include “California Privacy Rights” in the subject line and in your request. You must provide us with specific information regarding yourself so that we can accurately respond to the request.
    
    In the course of using the Bindle mobile collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Information”). In particular, the Services have collected the following categories of Personal Information from its consumers within the last twelve (12) months:

    Category	Example	Collected
    A. Identifiers.	A real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.	YES
    B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) Note: Some Personal Information included in this category may overlap with other categories.	A name, physical characteristics or description, address, telephone number, medical information.	YES
    C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, genetic information (including familial genetic information).	NO
    D. Commercial information.	Records of personal property, products purchased, obtained, or considered, or other purchasing or consuming histories or tendencies	NO
    E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	NO
    F. Internet or Network Activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	YES
    G. Geolocation data.	Physical location or movements.	YES
    H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	NO
    I. Professional or employment-related information.	Current or past job history or performance evaluations.	NO
    J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	NO
    K. Inferences drawn from other Personal Information.	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	NO

    
    We must disclose whether the following categories of personal information are disclosed for a “business purpose” or sold or shared as those terms are defined under California law. Note that while a category below may be marked, that does not necessarily mean that we have personal information in that category about you. In the preceding twelve months, we have disclosed the following categories of personal information collected through the Services in the manner described.
    
    

    Category	Information is Disclosed for a Business Purpose	Information is Sold or Shared for Valuable Consideration
    A. Individual Identifiers and Demographic Information	Yes, to service providers such as hosting or marketing providers, or as you request to use the Services;	NO
    B. Customer Record	Yes, to service providers such as hosting providers or as you request to use the Services;	NO
    D. Internet or Network Activity	Yes, to service providers such as hosting, security, or marketing providers	NO
    E. Geolocation	Yes, to service providers such as hosting or security providers, or as you request to use the Services.	NO



36. Your Choices
    
    You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you: (A) the categories of Personal Information we collected about you; (B) the categories of sources for the Personal Information we collected about you; (C) our business or commercial purpose for collecting or selling that Personal Information; (D) the categories of third parties with whom we share that Personal Information; (E) the specific pieces of Personal Information we collected about you (also called a data portability request). If we sold or disclosed your Personal Information for a business purpose, we will provide you with two separate lists disclosing such sales or disclosures, identifying the Personal Information categories that each category of recipient purchased or otherwise obtained.
    
    You have the right to request that we delete any of your own Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
    
    An exception to your request may apply if retaining the information is necessary for us or our service provider(s) to:
37. Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
38. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
39. Debug products to identify and repair errors that impair existing intended.
40. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
41. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 etc.).
42. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed.
43. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
44. Comply with a legal obligation.
45. Make other internal and lawful uses of that information that are compatible with the context in which you provided.



Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must: (A) provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative; and (B) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to ninety (90) days), we will inform you of the reason and extension period in writing. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

You may deactivate your Wallet at any time by deleting the Bindle app from your device. If you have not backed up your wallet, deleting the Bindle app removes all references to your private encryption key and therefore all of the personal information maintained within your Wallet. Because deleting the Bindle app destroys your private key, unless you have chosen to backup your Wallet, the personal information in your Wallet CAN NOT be recovered after you delete the Bindle app and its associated private key from your device. If you have backed up your Wallet and wish to purge your information from our network, please fill out the Wallet Deletion Request Form to purge your Bindle Wallet.



46. How does Bindle Protect my Information?
    
    Bindle maintains compliant organizational, technical and administrative measures designed to protect against unauthorized access, misuse, loss, disclosure, alteration and destruction of personal information we maintain. Our security program is designed to mitigate risk and to use reasonable and appropriate procedures and technologies to help protect the confidentiality of all personal information.
    
    Unfortunately, data transmission over the Internet cannot be guaranteed as completely secure. Therefore, while we strive to protect your personal information, we cannot guarantee the security of personal information. In the event that Bindle is required to notify you about a situation involving your data, we may do so by email or telephone to the extent permitted by law.
    
    Bindle retains personal information for only as long as necessary to (a) provide our services; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of customer agreements.


47. Children
    
    If we have obtained the personal information of a child under 13, we will delete that information. Parents or legal guardians may also contact us if they believe their child under 13 has provided us with Personal Information to request that Bindle stop collecting this information or have it deleted. Such requests are subject to Bindle’s verifying to our satisfaction that the requester is in fact the child’s parent or legal guardian.


48. Does Bindle Transfer My Data Outside of the USA?
    
    Bindle is headquartered in the United States and has affiliates and service providers in other countries, and your personal information may be transferred to locations outside of your state, province, country or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.


49. What about Other Sites and Services?
    
    For your convenience and information, we may provide links to websites and other third-party content that is not owned or operated by Bindle. These links are not an endorsement, authorization or representation that we are affiliated with that third party. We do not exercise control over third party websites or services, and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.


50. How will I know when Bindle Changes this Privacy Policy?
    
    We may update our Privacy Policy from time to time by posting a new version online or within our application. If we make material changes to this Privacy Policy, we will notify you by email, in-app notification, a notice on this website or another method that we believe is reasonably likely to reach you.


51. Contact Us
    
    If you have any questions or concerns at all about our Privacy Policy, please contact us at privacy@bindlesystems.com. Our physical mailing address is: Bindle Systems, 1055 Saw Mill River Road, Suite 207, Ardsley, NY 10502.