GLOROOTS PRIVACY POLICY

Last Updated: 27th July, 2023



Global Roots, Inc., a Delaware corporation ("GloRoots", "us", "we", or "our"), operates the website www.Gloroots.com and provides various Services (the "Service"), which are available through the Website.

This Privacy Policy informs you of how information about you is collected, used, and disclosed by us when you access our Website and our Service. By using the Service, you agree to the collection and use of your information in accordance with this policy.

Unless otherwise defined in this Privacy Policy, capitalized terms used in this Privacy Policy have the same meanings as in our Terms of Service.

Information Collection

While accessing our Website and/or using our Service, we collect and store certain information about you. Some of this information can be used on its own or in combination with other information to identify you ("Personal Information"). Below is a list of types of Personal Information that we may collect and use when you apply for, or use any of our products or services.

  • Contact: Your name, addresses, e-mail addresses, phone numbers and other ways in which to contact you
  • Payment: Payment card number, expiration date, security code and billing address.
  • Transactional: Details about the transactions you carry out and the payments to and from your accounts with us
  • Contractual: Details about the products or services we provide to you
  • Locational: Data we get about where you are. This may come from your mobile phone or the place where you connect a computer to the internet. It may also include locations where you used your card.
  • Behavioral: Details about how you use our Services and Website
  • Technical: Details on the devices and technology you use
  • Communications: What we learn about you from communications between us.
  • Public and third-party records: Details about you that are in public records and information about you that is publicly available on the internet. We also collect information about you which we receive from other companies, such as (without limitation) credit reference or fraud protection agencies (see below for more information).
  • Usage data: Other data about how you use our products and services
  • Documentary data: Details about you that are stored in documents in different formats, or copies of them. This could include things like (without limitation) your passport, driver’s license, photographs or birth certificate.
  • Consents: Any permissions, consents or preferences that you give us

Where we collect personal information: We may collect personal information about you or your businesses from any of these sources:

  • Data we collect when you use our products or services
    • Payment and transaction data
    • Profile and usage data (including, without limitation, your security details, app or your website browser settings, marketing choices and data from the devices you use to connect to our Platform so we can provide you with our products or services).
    • We also use cookies and other internet tracking software to collect data while you are using our website or mobile apps (or any other device as described in more detail below)
  • Data from third parties
    • Companies and business partners that introduce you to us
    • Our service partners, such as PSP partners as defined in Gloroots’s terms
    • Our third-party vendors, including (without limitation) those that help us authenticate your identity
    • Social networks and other technology providers (for instance, when you click on one of our Facebook or Google adverts)
    • Fraud prevention agencies
    • Other financial services companies (to fulfil a payment or other service as part of a contract [which they have] with you, or to help prevent, detect and prosecute unlawful acts, money laundering, and fraudulent behavior)
    • Public information sources such as (without limitation) Companies House
    • Third-party agents, suppliers, sub-contractors and advisers
    • Market researchers
    • Firms providing data services
    • Government, law enforcement agencies, authorities and regulatory bodies to help Gloroots comply with its legal obligations

Cookie Use

Please refer to our Cookie policy for more information.

Information Use

Below is a list of the ways that we may use your personal information:

  • Managing our relationship with you or your business
  • Developing and carrying out marketing activities
  • Studying how our customers use products and services from Gloroots
  • Communicating with you about our products and services
  • Fulfilling Gloroots’s contract with Users;
  • When it is Gloroots’s legal duty;
  • When Users consent to it;
  • When it is in Gloroots’s legitimate interest:
  • Keeping our records up to date
  • Working out which of our products and services may interest you and telling you about them
  • Developing products and services;
  • Testing new products
  • Improving our products and services
  • Managing how we work with other companies that provide services to us and our customers
  • Developing new ways to meet our customers’ needs and grow our business
  • Being efficient about how we fulfill our legal and contractual duties
  • Asking for your consent when we need it to contact you
  • Developing products and services, our pricing for them and types of customers that may want to use them. This may include sending questionnaires and surveys as well as requesting feedback from existing customers
  • When Users consent, communicating Gloroots’s products and services, inviting you to participate in events or surveys, or otherwise communicating with you for marketing purposes in accordance with the consent requirements of applicable law
  • Delivering Gloroots’s products and services
  • Making and managing payments
  • Managing fees and charges due on user accounts
  • Collecting and recovering money that is owed to Gloroots
  • Crime prevention and managing risks
  • Identifying, investigating, reporting and preventing fraud, money laundering and other crime
  • Managing risk for us and our Users
  • Complying with laws and regulations
  • Investigating and responding to complaints and feedback
  • Business management
  • Operating our business in an efficient and proper way, including managing our financial position, business capability, planning, adding and testing systems and processes, managing communications, corporate governance, and audit
  • Carrying out our obligations arising from and exercising our rights set out in our contract

Communications

We may contact you with newsletters and other marketing information that may be of interest to you. You may opt out of receiving any, or all, of these marketing communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us. Please note that we may still send you transactional or administrative messages related to the Service even after you have opted out of receiving marketing communications.

Information Sharing with Third Parties

We will only share your information with the third parties listed below for the purposes described above in the “Use of Your Information” Section, unless otherwise noted at the point of collection:

  • Third-party agents, partners, and service providers who are only permitted to use your information as we allow which may include contacting you on your behalf, and are required under law or contract to keep your personal information confidential. Information is shared to help us provide the Service.
  • Government agencies and taxing authorities, as required to provide the Service, including but not limited to the Internal Revenue Service, state and local tax agencies, and state and federal regulatory agencies.
  • Insurance carriers and other third parties, as needed to carry out the Benefits Service
  • Banking and financial institutions.
  • Certain parties as necessary to respond in good faith to legal process where required to do so by law or subpoena or if we believe that such action is necessary to comply with the law and the reasonable requests of law enforcement or to protect the security or integrity of our Service.
  • Legal and financial advisors and auditors
  • The following third-parties under the circumstances described below:
    • we may share business or personal information with credit bureaus, and we may share information with certain companies, banks and organizations for purposes such as fraud prevention or determining eligibility for the Service;
    • if you participate in a referral program, the referral email and referral link sent to any Referred Leads may include your first name;
    • if there is a sale of Gloroots (including, without limitation, a merger, stock acquisition, sale of assets or reorganization), or in the event that Gloroots liquidates or dissolves, we may sell, transfer or otherwise share some or all of our assets, which could include your information, to the acquirer;
    • we may share de-identified personal information with academic institutions to perform research, under controls that are designed to protect your privacy—including requiring such institutions to operate under confidentiality agreements and mandating that published findings contain only de-identified and aggregated data;
    • from time to time, we may share reports with the public that contain anonymized, aggregate, de-identified information and statistics; and
    • we may share your information with certain other third parties with whom you, your Client, or your Client’s accountant partner expressly authorize us to share your information

How long we keep your personal information: We will keep your personal information as long as you are a User of Gloroots. We may keep your personal information for up to 10 years after you stop being a customer. The reasons we may do this are:

  • To respond to a question or complaint, or to show whether we gave you fair treatment
  • To study customer data as part of our own research
  • To comply with legal rules that apply to us about keeping records, and maybe longer if certain laws mean that we cannot delete it for legal, regulatory or technical reasons.

Security: The security of your Personal Information is important to us. However, please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Information we have collected from you. You are also a key stakeholder in making sure that your Personal Information is protected. If you become aware of any breach of security or privacy, please contact us immediately.

International Transfer

Information collected while you use the Website and/or Service, including your Personal Information, may be transferred to and maintained on computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. If you are located outside the United States and choose to provide information to us, please note that we transfer the information, including your Personal Information, to the United States and process it there. Your consent to this Privacy Policy followed by your submission of such Personal Information represents your agreement to that transfer.

Link To Other Sites

Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over, and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Children's Privacy: We do not knowingly collect Personal Information from Children under 16. If you are a parent or guardian and you learn that your Children have provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from a child under age 16 without verifiable parental consent, we will take steps to remove that information from our servers.

Data Transfers from the EU, UK and Switzerland

When transferring data from the European Union, the European Economic Area, the UK, and Switzerland, Gloroots relies upon the Standard Contractual Clauses as included in our Data Processing Addendum.

Gloroots commits to cooperate with EU and UK data protection authorities and comply with the advice given by such authorities regarding personal data transferred from the EU, the UK, and Switzerland.

Your rights: Under applicable privacy regulation, you may have some or all of the following rights in respect of your personal information:

  • to obtain a copy of your personal information together with information about how and on what basis that personal information is processed;
  • to rectify inaccurate personal information;
  • to erase your personal information in limited circumstances where it is no longer necessary in relation to the purposes for which it was collected or processed;
  • to restrict processing of your personal information where: (a) the accuracy of the personal information is contested; (b) the processing is unlawful but you object to the erasure of the personal information; (c) we no longer require the personal information for the purposes for which it was collected, but it is required for the establishment, exercise or defense of a legal claim;
  • to challenge processing which we have justified on the basis of our legitimate interest;
  • to object to decisions which are based solely on automated processing or profiling;
  • to obtain a portable copy of your personal information, or to have a copy transferred to a third party controller; or
  • to obtain a copy of or access to safeguards under which your personal information is transferred outside of the EEA.

In addition to the above, you have the right to lodge a complaint with a supervisory authority for data protection. You also have the right to withdraw your consent to the processing of your information at any time. We may ask you for additional data to confirm your identity and for security purposes, before disclosing data requested to you. We reserve the right to charge a fee where permitted by law. We may also decline to process requests that jeopardize the privacy of others, are extremely impractical, or would cause us to take any action that is not permissible under applicable laws. Additionally, as permitted by applicable laws, we may need to retain certain personal information for a limited period of time for record-keeping, accounting and fraud prevention purposes.

To exercise these rights you may contact us by emailing support@gloroots.com. Please note also that you may be able to exercise some of these rights without our intervention. For example, if you are a registered Gloroots Platform user, you can access and update your personal data.

Changes To This Privacy Policy

This Privacy Policy is effective as of the “LAST REVISED” date specified at the top of this Privacy Policy and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.

We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically. Your continued use of the Service after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.

Questions or Concerns Regarding the Privacy Policy: If you have questions or concerns regarding privacy using our Service, please contact us at support@gloroots.com




DATA PROTECTION AGREEMENT

This Data Protection Agreement (“DPA”) shall form an integral part of the Service Agreement / Terms of Service (“Agreement”) with effect from the last date of publishing as provided in the privacy policy, between “You” (hereinafter “Data Controller” or “Customer”) and GloRoots (the contracting entity being Global Roots, Inc. (a Delaware Corporation) and its subsidiaries and affiliates (as applicable), hereinafter referred to as “Data Processor” or “Service Provider”).

"Data" or "Information": Any information, whether in electronic or physical form, that relates to an identified or identifiable natural person.

"Personal Data": Any information relating to an identified or identifiable natural person.

"Sensitive Personal Data or Information": Personal Data that includes special categories of data, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health information, or data concerning a natural person's sex life or sexual orientation.

The terms "Data," "Information," "Personal Data," and "Sensitive Personal Data or Information" shall be interpreted in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") for contracts involving EU data subjects, the California Consumer Privacy Act ("CCPA"), and any other relevant data protection laws in effect in the countries or regions, as the case may be.

In the event of any conflict or inconsistency between the definitions provided in this clause and the definitions in the relevant data protection laws applicable to the agreement, the latter shall prevail.

The Parties agree to handle and process any Data, Information, Personal Data, or Sensitive Personal Data or Information in accordance with the applicable data protection laws and regulations, as the case may be.

  1. The Customer under the Services is a data fiduciary and will be required to fulfill data fiduciary obligations under the applicable data protection laws.
  2. Service Provider shall not collect any Protected Information from third parties unless it is essential and required for a purpose connected with the Service being provided to the Customer.
  3. Any and all Protected Information that Service Provider may have access to or that Service Provider receives from the Customer as a part of the Service provided under the Agreement shall be strictly kept confidential and shall not be disclosed to any third party including to its sub-contractors or affiliates, save and except to provide the Services under the Agreement.
  4. Data Principal Requests: In the event, where Service Provider receives a request from the owner of the Protected Information (“Data Principal”) for access to that Data Principal’s Personal Data, for the rectification or erasure of such Personal Data, for the restriction on or the objection to the Processing of such Personal Data, or for portability, or any other request or query from a Data Principal relating to its own Personal Data (a “Data Principal’s Request”), Service Provider shall:
    1. notify Customer immediately of the request (without responding to that Data Principal’s Request, unless it has been otherwise authorized by Customer to do so);
    2. provide details of the request (and any other relevant information Customer may reasonably request) as mutually agreed between the Parties; and
    3. if Customer provides authorization, fulfill and respond to such request in accordance with Customer’s guidance and applicable Data Protection Laws.
    4. in the event that Customer receives a Data Principal request concerning Personal Data being Processed by the Service Provider, Customer may seek assistance from the Service Provider to fulfill and respond to such request. In response to all Data Principal requests, irrespective of original recipient (Customer or the Service Provider), the Service Provider shall provide assistance to Customer as may be reasonably required for the purposes of fulfilling and/or responding to the Data Principal’s Request.
  5. The Service Provider shall not delegate or subcontract processing to another party other than the auditors, sub-processors, employee, partner, member or officer of the Service Provider who have a need to know or otherwise access personal data to enable the Service Provider to perform obligations under this Agreement (“Authorized Persons”) without Customer’s prior specific written authorization at Customer’s sole discretion. imposing, in substance, the similar data protection obligations as set out in this Data Protection Agreement terms on the Sub-Processor. In the event the Sub-Processor fails to fulfil its contractual obligations, the Service Provider shall remain fully liable to Customer for the performance of that Sub-Processor’s obligations. The list of Sub-Processors by Customer is mentioned under Annexure I and shall be kept up to date.
  6. Service Provider represents and warrants to the Customer that they are compliant with the applicable laws including the Act and the Rules and shall also comply with the following:
  7. Protected Information, if disclosed to any personnel other than the Authorized Persons for the purpose of providing the Service, the Service Provider shall ensure that such personnel who have access to the Protected Information enter into terms at least as strict as this DPA, in relation to the confidentiality and the security of the collected/received Information.
  8. Service Provider shall implement the technical and organizational security measures to protect the Protected Information against unauthorized or unlawful processing, accidental or unlawful destruction or accidental loss, alteration, damage, unauthorized disclosure or unauthorized access by any person, as prescribed in the Act and Rules.
  9. Service Provider represents that measures have been established to protect the Protected Information in accordance with the Act and Rules.
  10. Service Provider shall provide the required assistance to the Customer to enable the Customer to provide all protection rights pertaining to this DPA available under the Act and Rules to the individual whose Protected Information is accessed and processed by the Service Provider.
  11. Service Provider shall not keep Protected Information any longer than necessary for the purpose of performing or having performed the Services and as permissible and required under applicable law.
  12. Further, Service Provider confirms to Customer that it shall:
    1. have procedures in place in an attempt to prevent unauthorized access to Protected Information through the use, as appropriate, of physical and logical (password) entry controls, secure areas for Processing, procedures for monitoring the use of Processing facilities.
    2. Service Provider shall not assign its rights and obligations hereunder to any other party without the prior written consent of Customer.
  13. Service Provider shall cease to use the Protected Information upon termination or expiry of the Agreement. Subject to any data or record retention obligations under applicable laws, Service Provider shall delete all the Protected Information together with all copies in the possession or control upon the completion of the Services or upon termination or expiry of the Agreement within 30 (thirty) days of written request by Customer and shall securely destroy any Protected Information from its systems and provide a confirmation of destruction to Customer in writing.
  14. Service Provider shall inform Customer as soon as reasonably possible after the Service Provider has become aware of any security incident which has resulted in any breach affecting the Data of the Customer and/or its employees.
  15. Customer may evaluate Service Provider’s processes and procedures through specific requests of audit reports to the extent they relate to the Data shared by the Customer, any time with prior written notice to Service Provider, except in case of a Data Breach directly affecting the Customer where the Customer may do so immediately without any notice.
  16. Service Provider shall provide all necessary documents, information, evidence and support required for Customer to address or defend any Data Breach incident or claims related to the terms of this DPA.
  17. This agreement shall survive the termination or expiry of the Agreement, as long as Protected Information is in possession of the Service Provider, and upon return/destruction of such Protected Information, upon termination/expiry of the Agreement, the obligations herein will fall away.
  18. Under the processing activities, the Service Provider processes Personal and Sensitive Information. The data may be transferred to our various sub-processors for processing the information related to and solely for the purpose of providing Services.
  19. Use of the Services by the Customer as provided by the Service Provider shall be deemed to mean that the terms of this DPA stand accepted.
  20. If you have any questions about the terms of data processing you may reach out to our data processing officer at mayank@gloroots.com.

Annexure I

List of Sub-Processors

The Customer has authorized the use of the following Sub-Processors:

| Sr no. | Sub-processor | Products | Data Center | Services performed | GDPR Link |
|--------|---------------|----------|-------------|--------------------|-----------|
| 1 | Amazon Web Services, Inc | EC2, RDS, etc | USA | Cloud Infrastructure and hosting power | https://aws.amazon.com/compliance/gdpr-center/ |
| 2 | Intuit | Mailchimp | USA | Email Sending APIs | https://mailchimp.com/about/security/ |
| 3 | Zoho Corporation | ZohoSign | USA | Contract Management and Signing | https://www.zoho.com/sign/gdpr.html |
| 4 | Google Enterprise Apps | Google Workspace | USA | Gmail & other Google applications | https://cloud.google.com/security/gdpr/ |