AGREEMENTS

Privacy Policy

Effective date: January 1, 2020

This privacy policy (“Policy”) applies to eShares, Inc. DBA Carta, Inc.’s, and its related and/or affiliated companies (“Company” or “Carta”) online tools and platform(s), including the associated Carta mobile and desktop applications (collectively, the “Services”), www.carta.com and other Carta websites (collectively, the “Websites”) and other interactions (e.g., customer service inquiries, user conferences, etc.) you may have with Carta.  The Policy describes how Carta collects, uses, discloses, and shares your personal information.

What we collect

We get information about you in a range of ways.

Information You Give Us

We may collect your‎ name, postal address, email address, phone number, username, password, demographic information (such as your occupation), social security number, tax ID number, bank account information, as well as other information you directly give us on our Services or Websites.

For customers who have paid software services, we collect your billing details such as credit card information, banking information, and/or billing address.

Information We Get From Others

We may get information about you from other sources, such as your employer when they issue you options or shares. We may add this to information you provide us through our Services or Websites

Information Automatically Collected

Device Information

We may collect information about the devices accessing our Services or Websites. Some examples are: type of device, operating system used, application information, unique device identifiers and crash data. The type of information we collect depends on the type of device used and its settings.

Transactional and Usage Information

We may automatically log information about you and your computer, subject, where necessary, to your consent. For example, like most services when visiting our website, we log your computer operating system type, browser type, browser language, pages you viewed, how long you spent on a page, location (your IP address), access times and information about your use of and actions on our website. This is information we collect from every visitor to the Website, whether they have an account or not. This information may include personal information.

Cookies and Similar Technologies Information

As further described below, and subject, where applicable, to your consent, we automatically collect information from cookies and similar technologies (such as cookie ID and settings) to keep you logged in, to remember your preferences, and to identify you and your device.

Third party data

Carta may receive data about organizations, industries, website visitors, marketing campaigns, and other matters related to our business from affiliates, subsidiaries, partners, or others that we use to make our own information better or more useful. This data may be combined with other information we collect and might include aggregate level data.

Use of personal information

We may use personal information as follows:

  • To operate, maintain, and improve the Services or Website. This includes use of other information to support delivery of our services under contract, assist with service request, monitor for errors, remedy security or technical issues, analyze website and application performances.
  • To respond to comments and questions, verify permission access, and provide customer service.
  • To send information including confirmations, invoices and billing, technical notices, updates, security alerts, and administrative messages.
  • To communicate system updates, upcoming events, and other news about products and services offered by us. We may contact you to inform you about important services-related notices, such as privacy and policy update notices or changes in our terms of service. These communications are strictly necessary and you may not opt out of them.
  • To link or combine user information with other personal information. An example is when we combine the information a company has provided about their shareholders with the information entered by shareholders in their personal portfolios to improve the user experience.
  • To protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.
  • To provide and deliver products and service customers requests. An example is when an employee exercises their stock options and we may provide a tax form to the company for their IRS reporting requirements.

Sharing of personal information

We may share personal information as follows:

  • To fulfill our customers’ instructions.
  • To comply with any applicable law.
  • For legal, protection, information security, and safety purposes. Examples include enforcing contracts or policies, reporting on security breaches, or assisting with investigating and preventing fraud or security issues.
  • We may share customer and user access on the customer’s account. Equity administrators for the customer, authorized users and other designated representatives may be able to add, modify or restrict access. An example is if the company administrator designates a legal administrator to issue new securities on behalf of the company.
  • To comply with laws and regulatory requests. Examples include responding to lawful requests and legal or regulatory processes.
  • To protect the rights and property of Carta, our agents, customers, and others. This includes enforcing our agreements, policies, and terms of use.
  • With those who need it to do work for us. An example is granting a Carta employee the necessary access in order to perform their duties.
  • We may share aggregated or anonymized data. We may disclose or use aggregated or anonymized data for any purpose. An example would be for marketing, analytics or research purposes.
  • We will not share personal information with investors of the Company beyond any personal information that such investors are entitled to for customary legitimate business purposes.
  • If we engage in or negotiate a merger, acquisition, or bankruptcy transaction or proceeding of some or all of Carta’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), some or all personal information may be shared or transferred subject to reasonable confidentiality restrictions with respect to personal information.
  • We may share other information with consent with third parties when we have consent to do so. We may engage third party companies or individuals as service providers to process information and support our services. An example would be cloud services for data center colocation and storage services.
  • When Customers authorize access to customer data to third parties. An example is when a company grants their financial auditors access for annual audits.

Legal Requirements

To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.

Age Limitations

Carta does not allow the use of our services and Site by anyone younger than 18 years old. If you learn that anyone younger than 18 has unlawfully provided us with personal data, please contact us and we will take steps to delete such information.

Information choices and changes

Our marketing emails tell you how to “opt-out.” If you opt-out, we may still send you non-marketing emails. Non-marketing emails include emails about your accounts and our business dealings with you that are necessary for fulfilling our obligations to our customers.

You may send requests about personal information to our Contact Information below. You can request to change contact choices, opt-out of our sharing with others, and update your personal information.

You can typically remove and reject cookies from our website with your browser settings. Many browsers are set to accept cookies until you change your settings. If you remove or reject our cookies, it may affect how our website works for you.

We strive to provide you the tools to update your personal information. If you are unable to correct inaccurate information on your own, you may request our assistance to update such information by contacting privacy@Carta.com.

Notice for California Residents

Scope. This section applies to your Personal Information that we handle as a “business” (as defined under the California Consumer Privacy Act of 2018 (“CCPA”)) if you are a California resident.  For purposes of this section, “Personal Information” has the meaning given in the CCPA but does not include information exempted from the scope of the CCPA.  In addition, this section does not apply to Personal Information reflecting communications or transactions with you in your capacity as an employee, controlling owner, director, officer or contractor of a company, partnership, sole proprietorship, non-profit or government agency, where your communications or transactions with us occur solely within the context of our provision of services to, or receipt of services from, such an entity.

Carta does not sell (as such term is defined in the CCPA) the Personal Information we collect (and will not sell it without providing a right to opt out).

Your California privacy rights. You have the following rights under the CCPA:

  • Information.  To request the following information about how we have collected and used your Personal Information during the past 12 months:
    • The categories of Personal Information that we have collected.
    • The categories of sources from which we collected Personal Information.
    • The business or commercial purpose for collecting Personal Information.
    • The categories of third parties with whom we share Personal Information.
    • Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information disclosed to each category of third party recipient.
  • Access.  To request a copy of the Personal Information that we have collected about you during the past 12 months.
  • Deletion.  To request that we delete the Personal Information that we have collected from you.
  • Nondiscrimination.  To exercise the rights described above free from discrimination as provided in the CCPA.

How to exercise your rights.  You may submit a request to exercise your information, access or deletion rights by emailing support@carta.com.  We will need to verify your identity to process your information, access and deletion requests and we reserve the right to confirm your California residency.  Government identification may be required.  If you wish to designate an authorized agent to make a request on your behalf, we will need to verify both your and your agent’s identities and your agent must provide a valid power of attorney or other proof of authority acceptable to us in our reasonable discretion.  We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it.  In certain cases, we may be required or permitted by law to deny your request.

Collection, use and disclosure of Personal Information.  The categories of Personal Information that we collect and the sources from which we collect them are described above in the section entitled What we collect.  These categories include identifiers, commercial information, financial data, internet activity information and professional or employment-related information as described in Section 1798.140(o) of the CCPA.  The business/commercial purposes for which we use these categories of Personal Information are described in the section above entitled Use of personal information. The categories of third parties to which we these categories of Personal Information are described in the section above entitled Sharing of personal information.  The foregoing describes our practices as of, and during the twelve month period preceding, the effective date of the Privacy Policy.     

Notice for Residents of the European and Swiss Economic Areas, Privacy Shield and Contractual Terms

Carta complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States.  Carta has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

The following Carta subsidiaries also adhere to the Privacy Shield Principles: Carta Securities LLC, Carta Valuations LLC, and Carta Investor Services, Inc.

Carta is responsible for the processing of personal data we receive, and subsequently transfers to a third party acting as an agent on our behalf. Carta abides by the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including, unless we prove that we are not responsible for the event giving rise to the damage, the onward transfer of liability provisions.

Carta commits to cooperate with EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Carta is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Carta may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

EU or Swiss residents with inquiries or complaints regarding this Privacy Policy should first contact Carta at privacy@carta.com. Please allow a reasonable amount of time to respond to your request. If you do not receive timely acknowledgement of your complaint, if your complaint is not satisfactorily addressed by Carta, or if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

If these processes do not result in a resolution, you may then contact your local data protection authority, the U.S. Department of Commerce, and/or the Federal Trade Commission for assistance. 

Under certain circumstances an arbitration option is available to you to determine, for residual claims, whether Carta has violated its obligations to you under the Privacy Shield Principles, and whether any such violation remains fully or partially unremedied.  This option is available only for these purposes. Please be advised that the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident.

Carta may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards if Carta transfers Personal Data originating from the European Union or Switzerland to other countries not deemed adequate under applicable data protection law.

These frameworks were developed to enable companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Carta offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union, and other international transfers of Customer Data. A copy of our standard data processing addendum, incorporating Model Clauses, is available upon request to privacy@Carta.com.

Contact information

We welcome your comments or questions about this Privacy Policy. You may also contact us at our address:

eShares, Inc. DBA Carta, Inc. 333 Bush St., Floor 23, Suite 2300 San Francisco, CA 941014

Changes to this Privacy Policy

We may change this privacy policy. If we make any substantive changes related to how we collect or use data, we will change the effective date above. Other changes including grammar or spelling corrections will automatically update the timestamp at the bottom of this document.

eShares, Inc. DBA Carta, Inc. is a transfer agent registered with the U.S. Securities and Exchange Commission. The services and information described in this communication are provided to you “as is” and “as available” without warranties of any kind, expressed, implied or otherwise, including but not limited to all warranties of merchantability, fitness for a particular purpose, or non-infringement. Neither eShares, Inc. DBA Carta, Inc. nor any of its affiliates will be liable for any damages, including without limitation direct, indirect, special, punitive or consequential damages, caused in any way or arising from the use of the services or reliance upon the information provided in this communication or in connection with any failure of performance, error, omission, interruption, defect, delay in operation or transmission, computer virus or line or system failure. Transfer Agent services for DTC-eligible registered companies provided by Philadelphia Stock Transfer, a Carta affiliate. Carta Securities LLC is a broker-dealer and a member of FINRA and SIPC. Contact: eShares, Inc. DBA Carta, Inc., 195 Page Mill Road, Suite 101, Palo Alto, CA 94306.

© 2020 ESHARES, INC. DBA CARTA, INC.