GOcxm Inc. Privacy Policy

Last modified: January 1, 2025

Introduction

Committed to protecting your privacy, GOcxm Inc., its subsidiaries, related entities, directors, officers and employees (collectively, "GOcxm", "we", "our" or "us") recognize the sensitive nature of personal information. GOcxm adheres to rules governing the protection of confidential information and complies with the principles of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA") and the National Standard for the Protection of Personal Information (CAN/CSA-Q830-96). This Privacy Policy governs GOcxm's collection, use and disclosure of "Personal Information" (as defined below) in the course of our commercial activities. GOcxm's officers, directors and employees are familiar with this Privacy Policy and they understand the importance of abiding by the policies and procedures set out in this Privacy Policy. BY ACCESSING THIS SERVICE, USING ANY OF THE PRODUCTS OR SERVICES OFFERED HEREIN, OR PROVIDING ANY PERSONAL INFORMATION WHATSOEVER, YOU HEREBY AGREE TO THE TERMS AND CONDITIONS OF THIS PRIVACY POLICY.

Scope

This Privacy Policy applies to the treatment of personally identifiable information ("Personal Information") that GOcxm may collect via the Retail Execution platform or the Reporting Portal (the "Services") for you (collectively, the "User", "you", or "your"). Your access to the Services is being provided as a result of the business engagement between us and your organization (the "Customer") and your use of the Services constitutes your acknowledgement and acceptance of this Privacy Policy. This Privacy Policy does not apply to any personally identifiable information that may be collected via the marketing website or consumer promotions; such information is governed by our Website/Promotions Privacy Policy.

Roles (Controller vs. Processor)

The Privacy Policy covers Personal Information that is processed inside the Services. This includes data collected from field submissions, photos, adjudication outcomes, as well as program and campaign results.

The Privacy Policy also covers account and access information. This includes Microsoft Single Sign-On, magic link, security and audit logs, limited product analytics and telemetry, and user-initiated support communications. GOcxm acts as a data controller to authenticate users, secure and operate the Services, troubleshoot issues that may arise, and improve the quality of the Services.

Log-In & Account Data

When you log in using your Microsoft account, GOcxm receives your name, work email, and identity/tenant identifiers required to authenticate and authorize access. GOcxm does not receive or store your Microsoft account password.

When you log in using a magic link, GOcxm will send a one-time link to your work email for authentication purposes.

Customer administrators may permit third-party or guest access at their discretion.

Categories of Data We Process

Information We Process About You

Depending on the Service, we collect the following information:

Both Services

  • Your name, work email, and tenant and user identification.
  • Your role at the organization and permissions, if applicable.
  • Your log-in activity, session identifiers, and internet protocol and device metadata.

Retail Execution Platform

  • Your identification, customer type, display type, product category, free-text comments and context, and submission timestamp.
  • Your images of retail product displays or forms.
  • Your adjudication metadata.
  • Your data may be used in leaderboards depending on your organization's program configuration.
  • You should avoid photographing faces or other personal identifiers. GOcxm processes photos for adjudication and program verification. Customers control program rules.

Reporting Portal

  • Your name, role at the organization, and region or territory.
  • Your submission counts, completion rates, scores, leaderboards, status and adjudication outcomes, and timestamps.
  • Your region, store identification, store name, display type, and product information.

Consumer Engagement Reporting

  • Your campaign performance metrics, such as sessions, sign-ups, conversions, engagement, funnel key performance indicators.
  • Your audience information, such as geography and demographic segments.
  • Your survey analytics, such as survey responses, geography, and demographics.
  • Your prize information, such as counts and status. Counts refers to the number of approvals and rejections you receive based on the program criterion. Status refers to whether the submission is approved or rejected.

Purposes of Use

Information that GOcxm collects through the Services is gathered exclusively to fulfill our contractual obligations with Customer and anyone acting on behalf of Customer. We use the collected information solely to provide the Services requested by the Customer.

Data Residency & Storage

Personal Information is stored in Canada on AWS infrastructure, unless your master agreement specifies otherwise.

Retention & Deletion

We retain Personal Information while actively providing our products and services. After the termination of our engagement with your organization, we delete Personal Information upon request by your organization within ninety (90) days.

You may request that we delete Personal Information we have collected about you. If no deletion request is made, we may retain Personal Information for up to five (5) years from the date of termination of our contract with your organization for audit purposes, compliance, and program history. This is subject to your instructions and applicable laws.

Security

We employ security measures to ensure that, in the course of fulfilling our products, Personal Information is protected against unauthorized access, alteration, disclosure or destruction. GOcxm encrypts your data using modern TLS, AES-256, RSA-2048+, and ECC (≥ 256-bit). We do not allow deprecated algorithms or insecure key sizes.

In the event of a breach of security safeguards involving Personal Information, we will notify the affected Customer and User without undue delay in accordance with applicable laws and our contractual commitments.

Subprocessors

We share the information we collect from you with vetted third-party service providers ("Sub-processors") who operate the products and perform functions on our behalf. The entities with whom we share Personal Information are listed below:

  • AWS (Canada)
  • Google Cloud Services

Cookies & Analytics

In order to provide better service and for easier access to our websites, we use essential session cookies for authentication and security. The Reporting Portal uses Google Analytics to understand navigation and activity. By using the Reporting Portal, you consent to the analytics as part of service operation.

Your Choices & Rights

You may directly request from GOcxm: (a) account information; (b) logs regarding activity, registration, and submission; and (c) telemetry. For requests regarding accessing, correcting, or deleting your data, please contact your organization's administrator.

International Transfers

If Personal Information that is collected through or in connection with the Services is transferred to and processed outside of Canada, we will take steps to ensure that the information receives the same level of protection as if it remained within Canada, including contractual provisions and other mechanisms that provide an adequate level of protection for Personal Information.

Changes

GOcxm reserves the right to revise this Privacy Policy to reflect updates in our practices or regulatory requirements at any time and in its sole discretion. Notifications of material changes will be provided through the Services or to your organization directly.

Contact

Any questions or requests about this Privacy Policy or the collection or use of Personal Information by GOcxm can be directed to the following contact information:

Mail: 379 Adelaide St W #200, Toronto, ON M5V 1S5, attention GOcxm Inc. -- Privacy Team.

Email: privacy@gocxm.com

Phone: +1 (888) 225-2928