Effective date: January 1, 2020
What we collect
We get information about you in a range of ways.
Information You Give Us
We may collect your name, postal address, email address, phone number, username, password, demographic information (such as your occupation), social security number, tax ID number, bank account information, as well as other information you directly give us on our Services or Websites.
For customers who have paid software services, we collect your billing details such as credit card information, banking information, and/or billing address.
Information We Get From Others
We may get information about you from other sources, such as your employer when they issue you options or shares. We may add this to information you provide us through our Services or Websites
Information Automatically Collected
We may collect information about the devices accessing our Services or Websites. Some examples are: type of device, operating system used, application information, unique device identifiers and crash data. The type of information we collect depends on the type of device used and its settings.
Transactional and Usage Information
We may automatically log information about you and your computer, subject, where necessary, to your consent. For example, like most services when visiting our website, we log your computer operating system type, browser type, browser language, pages you viewed, how long you spent on a page, location (your IP address), access times and information about your use of and actions on our website. This is information we collect from every visitor to the Website, whether they have an account or not. This information may include personal information.
Cookies and Similar Technologies Information
As further described below, and subject, where applicable, to your consent, we automatically collect information from cookies and similar technologies (such as cookie ID and settings) to keep you logged in, to remember your preferences, and to identify you and your device.
Third party data
Carta may receive data about organizations, industries, website visitors, marketing campaigns, and other matters related to our business from affiliates, subsidiaries, partners, or others that we use to make our own information better or more useful. This data may be combined with other information we collect and might include aggregate level data.
Use of personal information
We may use personal information as follows:
- To operate, maintain, and improve the Services or Website. This includes use of other information to support delivery of our services under contract, assist with service request, monitor for errors, remedy security or technical issues, analyze website and application performances.
- To respond to comments and questions, verify permission access, and provide customer service.
- To send information including confirmations, invoices and billing, technical notices, updates, security alerts, and administrative messages.
- To communicate system updates, upcoming events, and other news about products and services offered by us. We may contact you to inform you about important services-related notices, such as privacy and policy update notices or changes in our terms of service. These communications are strictly necessary and you may not opt out of them.
- To link or combine user information with other personal information. An example is when we combine the information a company has provided about their shareholders with the information entered by shareholders in their personal portfolios to improve the user experience.
- To protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.
- To provide and deliver products and service customers requests. An example is when an employee exercises their stock options and we may provide a tax form to the company for their IRS reporting requirements.
Sharing of personal information
We may share personal information as follows:
- To fulfill our customers’ instructions.
- To comply with any applicable law.
- For legal, protection, information security, and safety purposes. Examples include enforcing contracts or policies, reporting on security breaches, or assisting with investigating and preventing fraud or security issues.
- We may share customer and user access on the customer’s account. Equity administrators for the customer, authorized users and other designated representatives may be able to add, modify or restrict access. An example is if the company administrator designates a legal administrator to issue new securities on behalf of the company.
- To comply with laws and regulatory requests. Examples include responding to lawful requests and legal or regulatory processes.
- With those who need it to do work for us. An example is granting a Carta employee the necessary access in order to perform their duties.
- We may share aggregated or anonymized data. We may disclose or use aggregated or anonymized data for any purpose. An example would be for marketing, analytics or research purposes.
- We will not share personal information with investors of the Company beyond any personal information that such investors are entitled to for customary legitimate business purposes.
- If we engage in or negotiate a merger, acquisition, or bankruptcy transaction or proceeding of some or all of Carta’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), some or all personal information may be shared or transferred subject to reasonable confidentiality restrictions with respect to personal information.
- We may share other information with consent with third parties when we have consent to do so. We may engage third party companies or individuals as service providers to process information and support our services. An example would be cloud services for data center colocation and storage services.
- When Customers authorize access to customer data to third parties. An example is when a company grants their financial auditors access for annual audits.
To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.
Carta does not allow the use of our services and Site by anyone younger than 18 years old. If you learn that anyone younger than 18 has unlawfully provided us with personal data, please contact us and we will take steps to delete such information.
Information choices and changes
Our marketing emails tell you how to “opt-out.” If you opt-out, we may still send you non-marketing emails. Non-marketing emails include emails about your accounts and our business dealings with you that are necessary for fulfilling our obligations to our customers.
You may send requests about personal information to our Contact Information below. You can request to change contact choices, opt-out of our sharing with others, and update your personal information.
You can typically remove and reject cookies from our website with your browser settings. Many browsers are set to accept cookies until you change your settings. If you remove or reject our cookies, it may affect how our website works for you.
We strive to provide you the tools to update your personal information. If you are unable to correct inaccurate information on your own, you may request our assistance to update such information by contacting privacy@Carta.com.
Notice for California Residents
Scope. This section applies to your Personal Information that we handle as a “business” (as defined under the California Consumer Privacy Act of 2018 (“CCPA”)) if you are a California resident. For purposes of this section, “Personal Information” has the meaning given in the CCPA but does not include information exempted from the scope of the CCPA. In addition, this section does not apply to Personal Information reflecting communications or transactions with you in your capacity as an employee, controlling owner, director, officer or contractor of a company, partnership, sole proprietorship, non-profit or government agency, where your communications or transactions with us occur solely within the context of our provision of services to, or receipt of services from, such an entity.
Carta does not sell (as such term is defined in the CCPA) the Personal Information we collect (and will not sell it without providing a right to opt out).
Your California privacy rights. You have the following rights under the CCPA:
Information. To request the following information about how we have collected and used your Personal Information during the past 12 months:
- The categories of Personal Information that we have collected.
- The categories of sources from which we collected Personal Information.
- The business or commercial purpose for collecting Personal Information.
- The categories of third parties with whom we share Personal Information.
- Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information disclosed to each category of third party recipient.
- Access. To request a copy of the Personal Information that we have collected about you during the past 12 months.
- Deletion. To request that we delete the Personal Information that we have collected from you.
- Nondiscrimination. To exercise the rights described above free from discrimination as provided in the CCPA.
How to exercise your rights. You may submit a request to exercise your information, access or deletion rights by visiting the Carta Help Center. We will need to verify your identity to process your information, access and deletion requests and we reserve the right to confirm your California residency. Government identification may be required. If you wish to designate an authorized agent to make a request on your behalf, we will need to verify both your and your agent’s identities and your agent must provide a valid power of attorney or other proof of authority acceptable to us in our reasonable discretion. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it. In certain cases, we may be required or permitted by law to deny your request.
Notice for Residents of the European and Swiss Economic Areas, Privacy Shield and Contractual Terms
The following Carta subsidiaries also adhere to the Privacy Shield Principles: Carta Securities LLC, Carta Valuations LLC, and Carta Investor Services, Inc.
Carta is responsible for the processing of personal data we receive, and subsequently transfers to a third party acting as an agent on our behalf. Carta abides by the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including, unless we prove that we are not responsible for the event giving rise to the damage, the onward transfer of liability provisions.
Carta commits to cooperate with EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
Carta is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Carta may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If these processes do not result in a resolution, you may then contact your local data protection authority, the U.S. Department of Commerce, and/or the Federal Trade Commission for assistance.
Under certain circumstances an arbitration option is available to you to determine, for residual claims, whether Carta has violated its obligations to you under the Privacy Shield Principles, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. Please be advised that the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident.
Carta may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards if Carta transfers Personal Data originating from the European Union or Switzerland to other countries not deemed adequate under applicable data protection law.
These frameworks were developed to enable companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Carta offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union, and other international transfers of Customer Data. A copy of our standard data processing addendum, incorporating Model Clauses, is available upon request to privacy@Carta.com.
eShares, Inc. DBA Carta, Inc. 333 Bush St., Floor 23, Suite 2300 San Francisco, CA 941014