Date last modified: March 8, 2023
- Information UDC Brands Collects.
In order to allow you to use our websites in the best possible way, UDC Brands may request and/or collect information (such as name and e-mail address) from you on a voluntary basis. UDC Brands collects the following types of information about users: Personally Identifiable Information and Non-Personally Identifiable Information (collectively “Information”).
- Personally Identifiable Information: Personally Identifiable Information is information that identifies you and may be used to contact you online or offline. UDC Brands only collects Personally Identifiable Information from you on a voluntary basis. The information UDC Brands collects and stores will depend on the activity, but may include, but is not limited to, your first and last name, date of birth, phone number, mailing address, country of residence, and e-mail address. If you make a purchase from any of our websites, we may also collect a credit or debit card number or other financial information, card verification value, and billing address. Any credit card information that you provide will only be used as is necessary to process payments and prevent fraud during processing. If you make any purchases associated with or on our websites, as applicable, using any third-party payment processor, that third-party payment processor will collect your email address as well as the billing and payment information it needs to process your charges. UDC Brands and its third party payment processor do not use credit card information for any other purposes, and we do not store any credit card information without prior authorization or request to do so. Except as provided herein, when you ask for help from UDC Brands customer service, we will collect and store the contact information you give them (generally, your name and e-mail address, and information about your activity on our websites). To participate as a user and/or make purchases on the websites, or in online activities, special events, contests, sweepstakes, or blog comments, you may be required to provide Personally Identifiable Information. You represent and warrant that any Personally Identifiable Information you provide to UDC Brands is complete, accurate and up-to-date.
- Non-Personally Identifiable Information: Non-Personally Identifiable Information is information that cannot be used to personally identify you. The Non-Personally Identifiable Information UDC Brands may collect includes, but, is not limited to the time and date of an email communication, anonymous usage data while you are using our websites, preferences that are generated based on the data you submit and/or number of clicks, referring/exit pages, a website’s uniform resource locator (“URL”) that you just came from or the URL you go to next, and your internet protocol (“IP”) address. However, to the extent that any of the aforementioned identifiers or similar identifiers are considered personal information by law, UDC Brands also treats these identifiers as Personally Identifiable Information.
- How UDC Brands Uses and Shares Information.
- Internal Use of Personally Identifiable Information: UDC Brands will use your Personally Identifiable Information internally to: provide you with access to our websites, enhance the operation of our websites, process orders and notify you based on the status of your order, send you products you ordered, notify the winners of contests or sweepstakes, address fraud concerns, provide technical support, communicate with you and respond to questions and issues, send you promotional materials and push notifications where you have opted in, solicit feedback from you, conduct marketing and user preference related research, and notify you regarding upcoming changes to our websites. Some Personally Identifiable Information may also be shared internally across UDC Brands websites that are included under UDC Brands’ single sign on environment (“SSO”).
- Retention Policy: UDC Brands will store and manage any user requests for Personally Identifiable Information records for a minimum of two (2) years since the date of the request, along with UDC Brands’ response to such request. UDC Brands will store and manage any collected Personally Identifiable Information for a minimum of two (2) years since the date of collection. Notwithstanding the foregoing, UDC Brands will erase and destroy any Personally Identifiable Information it no longer needs.
- Information Disclosure: To the extent permitted by law, UDC Brands may access and disclose your Information if UDC Brands (a) is required to do so by law or court order or (b) has a good faith belief that such access or disclosure is reasonably necessary to (i) comply with applicable laws, regulations, or legal processes; (ii) enforce any of the terms and conditions of any UDC Brands’ websites; (iii) respond to claims that your use of our websites has violated rights of UDC Brands or third parties; (v) share such Information with its third party licensors, third party vendors, advertisers, licensors, and other third-parties at UDC Brands’ sole discretion per any agreement or obligation; and (vi) troubleshoot software bugs and operational problems. We may transfer the Information collected through our websites if any one of UDC Brands is acquired by, sold to, or merged with another entity. We may also share the Information with subsidiaries and affiliated and related entities that provide services on our behalf or in connection with UDC Brands, including allowing us to share participant data with applicable third party licensors and data recipients for direct marketing purposes. We do not sell, rent, or trade your Information with third parties.
- Managing Your Information.
In addition to the aforementioned mechanisms, you have the ability to manage the use of your information in the following ways:
- Modify Information: If you wish to access, modify, delete, verify, correct, or update any of your Personally Identifiable Information collected through our websites, you may edit your Information in your account settings or contact us using the contact information in Section 13 herein. In accordance with our routine record keeping, we may delete certain records that contain Personally Identifiable Information you have submitted through our websites. We are under no obligation to store such Personally Identifiable Information indefinitely and expressly disclaim any liability arising out of, or related to, the destruction of such Personally Identifiable Information. It may not always be possible to completely remove or delete all of your Information from our databases without some residual data because of backups and other reasons.
- Delete Information: You have a right to request that we delete any of your Personally Identifiable Information, except when it is necessary to: (i) complete the transaction for which the Personally Identifiable Information was provided or perform a contract with you; (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity and to prosecute those; (iii) debug to identify and repair errors that impair existing intended functionality; (iv) exercise free speech of business or another consumer or other rights; (v) comply with the California Electronic Communications Privacy Act; (vi) engage in public or peer reviewed research in the public interest; (vii) enable internal uses reasonably aligned with you expectations based on your relationship with us; (viii) comply with a legal obligations; and/or (ix) use your Personally Identifiable Information, internally, in a lawful manner that is compatible with the context in which you provided the information.
- Opt Out: You may direct us not to share your Personally Identifiable Information with third parties (other than our service providers), not to use your Personally Identifiable Information to provide you with information or offers, and not to send you newsletters, emails, or other communications by modifying your registered user information on your account or contacting us using the contact information in Section 13.
- Collection and Use of Data in Promotional Activities, Contests, Sweepstakes, and Special Events.
- Children’s Privacy.
Age Restrictions: We do not direct our websites to users under the age of majority (“Child” or “Children”) and our websites are only intended for users over the age of eighteen (18) years old.We do not knowingly collect or maintain Personally Identifiable Information or Non-Personally Identifiable Information from Children, other than as permitted by law in support of the internal operations. If we become aware that Personally Identifiable Information of Children has been collected, other than for support of the internal operations, we will take reasonable steps to remove such information. If a parent or legal guardian believes that his or her Child has submitted personal information to any UDC Brand, he or she may contact us at the addresses provided in Section 13 herein.
- How We Protect Information.
To protect your Information, UDC Brands follows generally accepted industry standards and maintains reasonable safeguards to attempt to ensure the security, integrity, and privacy of the Information you provide. We have standard security measures in place, including but not limited to a firewall-protected server and use of encryption, designed to protect against the loss, misuse, unauthorized disclosure or access, unauthorized alteration, and any other unlawful form of processing of the Information under our control. No system or data transmission over the internet can be guaranteed to be completely secure and human errors do occur, so there is always a possibility that there could be unauthorized access to your Information. Although we strive to protect your Information, you acknowledge that: (a) there are security and privacy limitations of the internet that are beyond our control; (b) the security, integrity, and privacy of any and all Information and data exchanged between you and UDC Brands through the websites cannot be guaranteed; and (c) any such Information and data may be viewed or tampered with in transit by a third party. Canadian residents should be aware that their Personally Identifiable Information will be stored on servers located in the United States of America.
- PIPEDA and Applicable Provincial Privacy Legislation (Canada).
The applicable data protection authority in Canada is the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/en/contact-the-opc/), or the equivalent provincial/territorial authority. The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”) and applicable provincial privacy legislation provide data subjects within Canada with certain access rights with respect to their Personal Information. For purposes of PIPEDA, Personal Information refers to any information includes any factual or subjective information in any form, recorded or not, about an identifiable individual, including age, name, ID numbers, income, ethnic origin, or blood type; opinions, evaluations, comments, social status, or disciplinary actions; and employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant. PIPEDA gives you a right to access your Personal Information held by businesses. Your request to access your Personal Information must be made to UDC Brands in writing to email@example.com. Please note that PIPEDA sets out a number of exceptions to your general right of access to your Personal Information.
- GDPR (European Union).
The European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) provides data subjects within the European Union (“EU”) with certain access rights with respect to their Personal Data. For purposes of GDPR, Personal Data refers to any information that identifies a natural person existing or residing in the EU (“Data Subject”), or may be used to identify a Data Subject, such as name, an identification number, location data, an online identifier, or factors specific to a Data Subject’s physical, physiological, genetic, mental, economic, cultural, or social identity. Please note that UDC Brands is the data controller of your Personal Data. Data Subjects’ GDPR rights are provided herein and summarized briefly below:
- Basic Information – the right to understand who UDC Brands are and how we process a Data Subject’s Personal Data.
- Access – the right to request a summary of the Data Subject’s Personal Data that is processed by UDC Brands, along with a copy of such Personal Data.
- Portability – the right to request we provide a copy of a Data Subject’s Personal Data in machine readable form for transportation to another controller/processor.
- Rectification – the right to request that we correct errors or update a Data Subject’s Personal Data.
- Erasure – the right to request that we erase Personal Data in our possession.
- Restriction on Use – the right to request that we stop processing a Data Subject’s Personal Data.
- Objection to Use – the right to object to our assertion that we have a legitimate interest in processing a Data Subject’s Personal Data.
- Objection to Direct Marketing – the right to object to receiving direct marketing materials from UDC Brands and/or its subsidiaries and affiliates.
- Objection to Automated Processing – the right to object to our use of Personal Data to make automated decisions that affect the Data Subject.
All of the aforementioned requests and objections may be directed to firstname.lastname@example.org. Please note that the data subject access rights described above are not absolute, and in many cases are subject to exceptions or other restrictions. If we determine that a request is invalid or does not correspond with the Data Subject’s access rights provided by GDPR, we will inform the Data Subject of such determination promptly upon reaching that conclusion.
Pursuant to the GDPR, as a Data Subject, you may request that we erase the Personal Data held by us by contacting us at email@example.com. Under Article 17 of the GDPR, Data Subjects have the right to request the erasure of their Personal Data if one of the following grounds applies:
- The Personal Data is no longer necessary for the purpose collected;
- The Data Subject withdraws consent to UDC Brands processing activities and no other legal justification for processing applies;
- The Data Subject is objecting under Article 21(1) of the GDPR to;
- Processing that is necessary for us to perform a task in the public interest under Article 6(1)(e) of the GDPR or in the exercise of our official authority; and
- There are no overriding legitimate grounds to process the Personal Data.
- The data subject is objecting under Article 21(1) of the GDPR to;
- Processing that is necessary to pursue UDC Brands or a third party’s legitimate interests under Article 6(1)(f) of the GDPR; and
- There are no overriding legitimate grounds to process the Personal Data.
- The Data Subject is objecting under Article 21(2) of the GDPR to processing for direct marketing purposes;
- We unlawfully processed a Data Subject’s Personal Data;
- EU law requires us to erase a Data Subject’s Personal Data to comply with a legal obligation; or
- We collected the Personal Data in the context of offering online services to children under Article 8(1) of the GDPR.
However, the right to erasure is not required under the GDPR, to the extent that data processing is necessary:
- For exercising the right of freedom of expression and information;
- For compliance with a legal obligation which requires processing by EU or EU member state law to which UDC Brands is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) GDPR as well as Article 9(3) GDPR;
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 8.3.1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- For the establishment, exercise or defense of legal claims.
Pursuant to GDPR, Data Subjects may request confirmation from us regarding whether or not we have processed their Personal Data. If your Personal Data has been processed, as a Data Subject you may request the following information:
- The purposes for which the Personal Data have been processed;
- The categories of Personal Data that have been processed;
- The recipients and/or the categories of recipients to whom your Personal Data have been or are still being disclosed;
- The planned duration of storage of your Personal Data or, if specific information is not available on this, criteria for specifying the duration of storage;
- The existence of the right to lodge a complaint to a supervisory authority;
- All available information on the origin of the personal data, if the personal data was not collected from you; and
- The existence of the right not to be subject to automated decision making, including profiling as per Article 22(1) and (4) of GDPR, and at least in these cases, meaningful information on the logic involved and the consequences and intended effects of this kind of processing for you.
Data Subjects also have the right to request information about whether or not their Personal Data has been transmitted to another country or an international organization. Such requests may be directed to firstname.lastname@example.org.
Data Subjects shall have the right to request us to restrict processing of Personal Data if one of the following conditions is met:
- The data subject contests the accuracy of the Personal Data for a period enabling us to verify the accuracy of the Personal Data;
- The processing is unlawful and the Data Subject opposes the erasure of the Personal Data, but wants it to be restricted;
- UDC Brands no longer needs the Personal Data for the purposes of the processing, but the Data Subject requires it the establishment, exercise or defense of a Data Subject’s legal claims; or
- The Data Subject objected to processing pursuant to Article 21(1) of GDPR pending the verification whether the legitimate grounds of UDC Brands override those of the Data Subject.
- Promotional E-mails.
- Receiving Emails: Where you grant UDC Brands express consent to send you promotional e-mails by opting-in to receive such e-mails, we may, from time to time, send you e-mails regarding our websites and products. Additionally, if you indicated that you are interested in receiving offers or information from us and our affiliates and third party licensors, we may occasionally send you direct mail or electronic mail about products and services that we feel may be of interest to you. UDC Brands shares your Personally Identifiable Information to its third party licensors pursuant to its agreements and including, without limitation, for their direct marketing purposes including by mail and email. You may opt-out of receiving UDC Brands’ e-mails at any time by following the directions on the bottom of e-mails to you from UDC Brands or by logging into your account and modifying your account settings. Users must opt-in to receive such e-mails by granting express consent prior to UDC Brands sending commercial electronic messages.
- Opt Out: If you would prefer not to receive direct communications with regard to UDC Brands and/or services anymore, you may opt-out by following the directions on the bottom of e-mails to you from us.
- Third-Party Sites and Service Providers.
The Personal Data collected by us may be shared with any of our affiliated companies. These companies will hold and transmit all Personal Data in the same safe, confidential and secure environment as set forth herein. We may also share aggregate data with affiliates, partners, third party vendors, advertisers, licensors, and other third-parties at our sole discretion and by accessing and/or using the websites you expressly consent to such disclosure. UDC Brands will not sell or rent your personal information to third parties without your explicit consent.
- Legal Disclosures and Safety.
We may share your Personally Identifiable Information with necessary agencies or persons in the event we, in good faith, believes it will (a) prevent physical injury or harm to yourself or members of the public; (b) protect the rights, property, or safety of UDC Brands or third parties; and/or (c) report a crime or other offensive behavior. We also reserve the right to share your information with legal authorities and other companies for fraud protection and credit risk reduction, to detect any technical or security vulnerabilities, to enforce our terms and conditions or other applicable policies, or to otherwise protect the rights, property, safety or security of third parties, website users, UDC Brands, or the public.
- Contact UDC Brands.
The Upper Deck Company
5830 El Camino Real
Attn: General Counsel
Carlsbad, California 92008, U.S.A.
- Personally Identifiable Information Requests: UDC Brands will promptly respond to all requests regarding Personally Identifiable Information (“PII Request”) within thirty (30) days from its receipt of the request. UDC Brands may receive an additional thirty (30) days to respond to the PII Request if (i) responding to the request within the original thirty (30) days would unreasonably interfere with the activities of UDC Brands; (ii) UDC Brands needs additional time to conduct consultations; or (iii) UDC Brands needs additional time to convert the Personally Identifiable Information to an alternative format. In the event UDC Brands requires an additional thirty (30) days to respond, UDC Brands will notify you within thirty (30) days upon receiving the PII Request.