GoTo is a global company dedicated to making IT and business communications easy, anywhere. GoTo provides Software as a Service products ("Services") that help businesses securely support and connect to what’s most important: their teams and customers.

When we use the term GoTo or we in this policy, we mean GoTo Technologies USA, LLC and our global wholly-owned affiliates (collectively referred to herein as “we” or “GoTo”). To help you understand which GoTo affiliate is the primary controller of your personal data, refer to the GoTo contracting entity table, listed here.

This Privacy Policy covers our online and offline interactions with you where we decide how your personal data is processed. For example, this Privacy Policy applies when you visit a GoTo website or application that links to this Privacy Policy (collectively, our “Sites”), when you interact with our Services, or when you contact our support team, speak to our sales representatives, or otherwise interact with GoTo offline.

Throughout this Policy, we use the term “personal data.” This term generally means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with an identified or identifiable individual. The laws of some jurisdictions, however, define personal data, or a similar term such as personal information, more broadly than this. Other jurisdictions’ laws may exclude certain information about you, such as your business contact details, from the definition of personal data. We will apply the definition of personal data contained in applicable privacy law.

• Customer Content. This Policy does not apply to personal data that may be included in the files, documents, recordings, chat logs, transcripts, and similar data that we maintain on our customers' behalf, as well as any other information our customers may upload to their GoTo account(s) in connection with their use of our Services (which we refer to as "Content" in our Terms of Service). This is because our customers, and not us, make the decisions about how and why they process your personal data. We process this personal data in accordance with the terms of our agreement with them.
  If you have any questions about how a GoTo customer uses or processes your personal data, or if you wish to exercise your rights with respect to personal data they process about you, contact the GoTo customer directly.
• Anonymized, De-identified, or Aggregated Data. Personal data that has been anonymized or de-identified can no longer identify an individual. Aggregated data is data that has been combined and does not relate to a single individual. Therefore, these data are not personal data and are not covered by this Policy.
• Third-Party Websites and Applications. This Policy does not apply to any third-party websites, applications or services, even if these are accessible through GoTo’s websites or Services. The owners of the third-party websites, services or applications are responsible for establishing the terms and conditions and privacy policies for them. You should familiarize yourself with their privacy practices.
• Personal Data Subject to Other GoTo Privacy Policies. From time to time, GoTo will provide privacy policies that are tailored to specific types of interactions with certain categories of individuals. When we do this, the personal data that is covered by that privacy policy is not covered by this Privacy Policy. For example, we provide a separate privacy policy for job applicants, which you can find here.

As part of its normal business operations, GoTo collects personal data about you from the following sources:

• From You. We may receive personal data about you when you provide it to us, such as when you visit our Sites or interact with our Services or otherwise provide us information online (e.g., when you create an account, fill in a form, register for events, download content, or answer a survey) or when we interact with you offline, such as when you visit a facility, attend an event or trade show, or talk to us over the phone;
• From Others. We may receive personal data about you from other sources, such as our partners that you interact with, data aggregators that may not have a direct relationship with you, or others, such as our service providers, that collect information about you on our behalf; and
• Through Automated Means. We may receive personal data about you automatically, such as when our Sites or Services log certain information about your interactions.

We collect the following categories of personal data about you:

• Identifiers. This category of personal data includes data that serves to uniquely identify you. It includes, for example, information such as your name, alias, social media handles, contact details (such as email addresses, phone or fax numbers or physical or postal addresses), account names, customer numbers, unique personal identifiers, signatures, online identifiers, Internet Protocol addresses, or other similar identifiers.
• Commercial and Financial Information. This category of personal data includes the history and records of products or services you have considered or obtained from us, or other purchasing or consuming histories or tendencies, including information needed to facilitate transactions with GoTo, payment transactions (including credit or debit card number or similar financial information) and payment history data, and details about services you received or GoTo activities in which you participated, including surveys, focus groups, and other GoTo events. In connection with the foregoing, we may also collect demographic data such as income, age bracket and similar information.
• Professional or Employment-Related Information; Education History. This category of personal data relates to your employment and includes information such as your employer, job titles and work locations. In certain limited circumstances, we may also collect information about your educational history, such as if you join us as a guest speaker for a GoTo event or where we are seeking specialized vendor services.
• Protected Characteristics. We do not generally seek to collect Protected Characteristics. This category of information includes data that is typically protected by law, such as age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, and veteran or military status. If we collect this type of personal data, which is also treated as sensitive personal data under certain data protection laws, we collect and process it only as permitted by law.
• Internet or Other Electronic Network Activity Information. This category of personal data includes information about your systems or devices, such as your system or network ID, your operating system type and version, your device manufacturer and model, screen resolution, browser type, browser version, the pages of a Site you visit, the time and date of your access to a Site, unique device identifiers, user name and passwords, and usage activity and diagnostic information, including access logs, activity logs, browsing and search history, and other similar information. In addition, we may collect diagnostic data along with information your browser sends us when you visit our Sites or Services. We also use cookies and other similar technologies, as described in Section 8 of this Policy.
• Audio, Electronic, Visual, or Similar Information. This category includes photographs, recordings made during audio or video calls with us, during focus groups or usability testing, conferences or events, testimonials, and otherwise.
• Inferences, Preferences, and Other Information. This category consists of inferences drawn from any of the information identified above, such as your contact mode preferences, product interests, calendar availability, contact time preferences, language preferences, and other similar information.
• Sensitive Personal Data. This category of personal data is typically defined under applicable privacy law, which may limit the way this information may be collected. We do not collect sensitive personal data unless we have complied with applicable legal requirements. This type of information may include your government ID numbers, such as your social security, driver’s license, state identification card, or passport number; your GoTo account log-in and password or credentials allowing access to your account; and your debit card or credit card number in combination with any required security code (CVV).

We use your personal data for the following purposes:

• To Prepare to Enter Into, To Enter Into, and to Perform a Contract With You. We use personal data to prepare to enter into and to enter into contracts and other agreements with you. We also use personal data when we perform our contracts, including when we perform our obligations under them and monitor the parties’ compliance with their undertakings. Examples of contracts we may enter into with you include contracts for Services or Site access, or other arrangements, such as engagements for usability testing, market research, to speak at a forum or to provide testimonials about our Services, or where you provide products or services to us.
• To Operate Our Business. We may use personal data to create and administer your accounts with us; to process payments and other transactions associated with our Services; to communicate with you about our Services; to update, maintain, use and analyze our records; to provide and operate our Sites and Services; to understand how you use our Sites and Services for purposes consistent with this Privacy Policy, including to understand what you like and dislike about them; to provide support and maintenance for our Sites and Services; to respond to support and Service or Site issues; to improve and develop our internal business processes, Sites, and Services; to train our personnel; to answer questions you have asked us; to address requests you have made or concerns you have raised; and to otherwise communicate with you.
• To Conduct Research on New Products, Services, and Markets. We may use personal data to research new products, services and markets, including when we receive your feedback or survey responses or when we otherwise obtain or collect information about your experiences with or opinions about us or your overall business needs; when we engage in market research; when we understand how you use our Sites and Services and what you like and dislike about them; and when we engage in social listening initiatives.
• To Provide You With Information That May Be of Interest To You. We may use your personal data for marketing and communications purposes, such as where we provide you with or send you information about us, our Services or the industry. Examples of these communications include advertisements, news, newsletters, events, conferences and webinars, whitepapers and surveys, special offers, contests, sweepstakes and other similar commercial information. We may use your information to advertise online and offline, which may be targeted to you based on your use of our Sites, Services and other online and offline activity. We also may, to the extent permitted by law, combine, correct, and enrich personal data that we receive from you with data about you from other sources, including publicly available databases or from third parties, to update, expand, and analyze our records, identify new prospects for marketing, and provide Services that may be of interest to you.
• For Security, Integrity, Safety, and Fraud Prevention. We process personal data to protect our, your, or others’ rights, privacy, health, safety, or property; to undertake reasonable efforts to monitor the use of our networks, assets, and facilities (including our Sites and Services) and to secure them; to address technical issues with our networks and assets (including our Sites and Services); to prevent, detect, and respond to security events and incidents; to prevent and respond to alleged fraudulent, unauthorized, or unlawful activity, and violations of our terms of service; and to protect public safety.
• To Comply With Applicable Laws and With Legal and Administrative Requests; To Protect Our Rights; To Assess Compliance With Policies; and To Assert and Defend Against Claims. We use personal data to comply with our obligations under applicable law; to pursue and/or defend legal claims and manage disputes; to enforce our terms of service and other agreements; to audit our internal processes for compliance with our legal and contractual obligations and our internal policies; and to respond to lawful requests from governmental authorities, including writs, subpoenas, or legal discovery processes.

If you link Google Services with your GoTo Connect, GoTo Meeting, GoTo Webinar, GoTo Training (collectively, "GoTo Product") or Grasshopper account, our use of your Google data will be as follows:

• For GoTo Product Google Calendar access (where enabled), we will read the date, time, and title of calendar events and use this information to schedule corresponding web meetings.
• For GoTo Product and Grasshopper Google Contacts access (where enabled), we will access names, phone numbers, and email addresses and make these available in Grasshopper or the GoTo Product.

We do not use this data for serving advertisements, nor do we allow humans to read the data (i.e., by utilization of robust access controls, procedures, etc., inclusive of the principle of least privilege) unless: (i) we have your affirmative agreement for specific data; (ii) doing so is necessary for security purposes, such as investigating abuse; (iii) it is in response to requested support/troubleshooting; (iv) to comply with applicable law; and/or (v) if the data have been anonymized or otherwise deidentified, for our internal operations related to the applicable GoTo Products.

We disclose your personal data: (a) to our affiliated companies that are directly or indirectly owned by our parent company, GoTo Group, Inc.; (b) to third parties at your direction, with separate, specific notice to you, or with your consent; (c) to third-party service providers, business advisors, or consultants, who need it to provide their services to us; (d) in connection with a merger, divestiture, acquisition, reorganization, restructuring, financing transaction or sale of assets; and (e) as required by law or administrative order, to assert claims or rights, or to defend against legal claims.

We use first- and third-party cookies and other tracking technologies on our Sites and Services. We use these technologies for the following purposes:

• To Enable Our Sites. These technologies are essential and must be enabled for our Sites to work.
• To Tailor Your Experience on Our Sites. These technologies help customize your experience by remembering your preferences or facilitating certain Site functionality. For example, they may enable your language preferences or facilitate your login experience. You can disable these technologies, but certain features of our Sites may not work or may work differently.
• To Understand How Users of Our Sites Utilize Our Features. These technologies monitor certain user actions and help us understand how our visitors use our Sites, what webpages, features and functions they like and dislike, and where they may have experienced problems that need to be addressed.
• To Help Us Provide You With Information About Our Services. These types of technologies help us promote our Services or understand whether our marketing efforts are effective.

You can adjust which cookies and tracking technologies you want to allow, as stated in the “Exercising Choice” section below.

Google Analytics and Adobe Marketing Cloud

We use Google Analytics as described in "How Google uses data when you use our partners' sites or apps." You can prevent your data from being used by Google Analytics on our websites by installing the Google Analytics opt-out browser add-on, available here. For enhanced privacy purposes, we also employ IP address masking, a technique used to truncate IP addresses collected by Google Analytics and store them in an abbreviated form to prevent them from being traced back to individual users. Portions of our website may also use Google Analytics for Display Advertisers including DoubleClick or Dynamic Remarketing which provide interest-based ads based on your visit to this or other websites. You can use Ads Settings to manage the Google ads you see and opt-out of interest-based ads. If you opt-out of interest-based ads, you may still see our advertisements, although they will not be targeted to you. We also use Adobe Marketing Cloud as described here. You can similarly exercise your rights with respect to use of this data as described in the "Exercising Choice" section below.

Social Media

Many of our websites include social media features, such as Facebook, LinkedIn, Google, and X (formerly Twitter) "share" buttons. If you use these features they may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly – you can exercise your rights with respect to the use of this data as specified in the "Exercising Choice" section below. These services will also authenticate your identity and provide you the option to share certain personal data with us such as your name and email address to pre-populate our sign-up form or provide feedback. Your interactions with these features are governed by the Privacy Policy of the third-party company providing them.

Exercising Choice

GoTo's Cookie Consent Manager (available via the "Cookie Preferences" hyperlink at the bottom of this page) provides you with information about the types and categories of cookies and other web analytics tools used on GoTo’s Sites and gives you the ability to make choices about which non-essential tools are activated. In addition, the Help Menu on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, and how to disable cookies altogether.

You can still view our websites if you choose to set your browser to refuse all non-essential cookies; however, certain essential cookies are needed to operate the Site.

Certain data privacy laws provide individuals with rights with respect to the “selling” or “sharing” of their personal data. GoTo does not currently provide personal data to others in exchange for monetary compensation. Some of these laws, however, define the “sale” of personal data to include disclosures of personal data for commercial activities such as targeted advertising. Privacy laws may also define “sharing” of personal data as providing it to advertising networks and other companies that facilitate digital advertising for purposes of cross-context behavioral advertising.

Under that broader definition, in the past 12 months, we have sold certain categories of personal data to, or shared it with, advertising networks and other companies that facilitate digital advertising for purposes of cross-context behavioral advertising or targeted advertising. These activities allow us to provide more personalized information about our Services to individuals who may be more interested in learning about them. We do not, however, knowingly sell or share the data of minors under the age of 16.

We may sell or share the following categories of personal information for purposes of cross-context behavioral advertising, or otherwise use them for targeted advertising:

• Identifiers, such as your IP address or other unique identifier and certain contact details;
• Commercial and Financial Information, such as Services you have considered or purchased from us, and information obtained during GoTo activities and events information or feedback, interests and internet or other electronic activity information;
• Professional or Employment-Related Information; Education History, such as your job title and educational level;
• Internet or other Electronic Network Information, including pages of a Site you may visit and your browsing and search history; and
• Inferences, Preferences and other information.

In certain jurisdictions you have the right to opt out of sales and sharing of personal data. To do so, visit our Individual Rights Management Portal. Certain browsers can also be set to send Global Privacy Control signals, as discussed below.

GoTo Sites that link to this notice recognize GPC signals. GoTo Sites do not respond to or honor other Do Not Track instructions, which are preferences that users can set in certain web browsers.

Global Privacy Control (“GPC”) signals are opt-out signals communicated through the browser-based extension offered through the Global Privacy Control, a non-profit organization that has developed a tool that can be used universally to signal a user’s privacy preferences. Requests made through the GPC extension apply only to the device on which the request is made and will only work with the browser used to activate the opt-out setting. For more details, including how to turn on GPC, please visit https://globalprivacycontrol.org/.

We keep your personal data in an identifiable form for no longer than needed for the business purposes for which it was collected or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Personal data processed in the context of a contract with you will be retained by us for the term of the contract and for a reasonable time afterwards as might be required to determine and settle any related claims or as otherwise required by law. Where our processing of your personal data is based on legitimate interests or compliance with legal obligations, it will be deleted as soon as the applicable underlying purpose has expired. Personal data processed based on your consent will be deleted if and when you withdraw such consent or when it is no longer needed.

Unless requested sooner or a shorter retention period is defined in the applicable Technical and Organizational Measures (“TOMs”), your Service account will be deleted or anonymized no later than twenty-four (24) months from the date of Service termination, expiration, or non-use. For specific details on data retention periods for your Service account, as well as the information GoTo maintains on your behalf, consult the section “Return and Deletion of Customer Content” in the applicable Service or suite-specific TOMs documentation located at GoTo’s Trust & Privacy Center (see the “Product Resources” section).

GoTo has implemented reasonable and appropriate controls designed to safeguard personal data that we collect and further process. For example, certain aspects of GoTo's operations, on a product and/or suite-specific basis, have been assessed by independent third-party auditors against recognized security standards and controls, including SOC 2 Type II, BSI C5, SOC 3, and ISO 27001. To learn about GoTo's Service-specific security measures and certifications, please visit the Trust & Privacy Center (see the "Product Resources" section).

Despite GoTo’s efforts, and due to the inherent nature of the Internet, no method of electronic data transmission or storage is 100% secure. While we strive to use reasonable means to protect your personal information, we cannot guarantee its absolute security. You should also take steps to protect your information, including restricting access to your information, securing your passwords, and using SSL/TLS to prevent interception of transmissions.

GoTo operates on a global basis. As a result, we may transfer your personal data to, or store or otherwise process it in, other countries or regions where data protection laws are different from those of your country and may not provide as high a level or protection as your local data protection laws. Regardless of where your personal data is transferred for processing, GoTo will process it in accordance with this privacy policy and will take steps to properly protect it under applicable data protection law. Examples of these steps may include, as applicable, obtaining your consent to transfer such information, agreeing to certain contractual undertakings, or certifying to certain frameworks.

Transfers from the EU, the UK, and Switzerland to Third Countries

Data Privacy Framework

GoTo complies with the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF (the UK Extension), and the Swiss-US Data Privacy Framework (“Swiss-US DPF”) as set forth by the US Department of Commerce.

GoTo Audio, LLC, GoTo Communications, Inc., GoTo Technologies USA, LLC, GoTo Group, Inc., and Grasshopper Group, LLC have certified to the US Department of Commerce that they adhere to (a) the EU-US Data Privacy Framework Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-US DPF and the UK Extension, and (b) the Swiss-US Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this privacy policy and the EU-US DPF Principles and the UK Extension and/or the Swiss-US DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework Program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/. For more information on GoTo's commitments and your rights related to the Data Privacy Framework, please review our DPF Notice.

Standard Contractual Clauses

For personal data transfers from the EU, the UK, and Switzerland to countries whose laws have not been deemed adequate by applicable EU regulatory authorities to that are not covered by GoTo’s Data Privacy Framework certifications, GoTo’s practice is to enter into data processing addendums that incorporate the European Commission’s standard contractual clauses (the “SCCs”).

APEC Cross Border Privacy Rules System and Privacy Recognition for Processors System

GoTo's international transfer of personal data collected in participating Asia Pacific Economic Cooperation ("APEC") countries abides by the Cross-Border Privacy Rules (“CBPR”) System and Privacy Recognition for Processors ("PRP") System for the transfer of personal data. More information about our APEC CBPR certification can be found here. More information about the APEC PRP certification can be found here. If you have raised concerns to GoTo about our APEC CBPR or PRP certifications that remain unresolved, you may contact our dispute resolution provider (at no charge to you) here.

GoTo Sites and Services are intended for general audiences. We do not seek through our Sites to gather personal data from or about persons that are 16 years of age or younger. If you inform us or we otherwise become aware that we have unintentionally received personal data from an individual under the age of 16, we will delete this information from our records.

If you are a resident of California, the UK, the EU, Switzerland, or Brazil, please refer to the applicable regional addenda to this Policy to learn how we honor your personal data rights.

Subject to the conditions, limitations, and exceptions under applicable data privacy law, you may have certain rights with respect to your personal data. Depending on your jurisdiction, you may have the right to request that we:

• confirm what type of personal data we collect, use, disclose or are otherwise processing about you;
• amend or update inaccurate or incomplete personal data about you;
• delete or restrict the use of your personal data;
• no longer process your personal data (including for marketing purposes);
• provide your personal data to you in a structured, electronic format; or
• not “sell” or “share” your personal data (as these terms are defined under applicable law).

To submit a privacy request, please visit our Individual Rights Management Portal. You may also exercise your rights by using one of the methods provided for in Section 15 of this privacy policy.

Once we receive your request, we will seek to verify your identity. If we cannot verify your identify, we will not be able to act on your request. We will respond to your request within the timeframes required by applicable privacy law. In addition, if we deny your request, or a portion of your request, we will tell you why, and provide you with other information, such as the right to appeal our decision, if it applies to you.

Note: If you are seeking to make a privacy request related to personal data about you that we process for our customers, contact the customer and not GoTo.

Unsubscribe Requests

If you no longer wish to receive marketing communications from us, you can opt-out by clicking on the unsubscribe link on any marketing email you receive, or at https://lp.goto.com/unsubscribe.

You also can contact our Data Protection and/or Privacy Officer(s) by sending an e-mail to privacy@goto.com or via post sent to the address below.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

To reach our Global Customer Support department, you may contact us here.

In some jurisdictions, you have the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects or similarly significantly impacts you. GoTo routinely requires human review of processing where legal effects or other similar impacts are likely to occur.

We update this Privacy Policy from time to time to reflect changes to our personal data handling practices or respond to new legal requirements and will post updates here. However, if we make any material changes that have a substantive and adverse impact on your privacy, we will provide notice on this website or notify you by email (sent to the e-mail address specified in your account) prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

If you have questions or requests relating to how we process your personal data, please visit our Individual Rights Management portal here or send an email to privacy@goto.com.

You can also contact us via postal mail at:

North America: Attn: GoTo Privacy Team c/o Legal Team, GoTo, 333 Summer Street, 5th Floor, Boston, MA 02210.

International: Attn: GoTo Privacy Team c/o Legal Team, GoTo, 77 Sir John Rogerson's Quay, Block C, Suite 207 Grand Canal Docklands, Dublin 2, D02 VK60, Republic of Ireland.

Finally, you can contact us via telephone at 1-833-851-8340.

The following sections provide additional information to individuals residing in the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”); California; and Brazil. If the information in this section is different from the information appearing in the main body of the privacy notice, the information in this section controls.



Legal Basis for Processing

If you are an individual in the EEA, Switzerland, or the UK, we collect and process your personal data as a controller only where we have a legal basis for doing so. We use the following legal bases to process your personal data:

• To Prepare to Enter Into, or to Perform, a Contract With You. Preparing to enter into an agreement with you, such as our terms or service or another contract or arrangement, or to perform our contractual obligations required by them or to communicate with you related to our agreements;
• With Your Consent or Explicit Consent. From time to time, we process your personal data for purposes we communicate to you with your consent or, where required, your explicit consent. For example, we may obtain consent to send certain communications to you, to use cookies when you visit our Sites, or for other purposes that we communicate to you. When we process your personal data with your consent, you may withdraw it at any time. Your withdrawal of consent will not affect the legality of our processing that occurred before you withdrew your consent;
• To Comply With EU, Member State, UK, or Swiss Law. We process your personal data to help us comply with applicable EU, Member State, Swiss, and UK laws, including tax, privacy, telecommunications and other laws; to communicate with and respond to requests from applicable judicial authorities and tribunals, law enforcement; and other regulators, and to detect, prevent, investigate, and respond to fraudulent, harmful, unauthorized, or illegal activity;
• To Protect Your and Others’ Vital Interests. We process personal data to prevent, detect, investigate and respond to activities that may impact an individual’s vital interest, including public safety, such as threats of violence or harm to children; and
• For Our or Others’ Legitimate Interests, Where They Do Not Override Your Data Protection Rights. We process personal data for our or others’ legitimate interests, for example to develop, test, support, and improve our Sites and Services; to aggregate or de-identify personal data; to perform contracts with an account owner or with a reseller; to provide reasonable security measures and detect security or safety concerns or terms of service violations; where permitted by law, to send marketing and other commercial communications related to our Services and our industry; to comply with non-EU, Member State, UK or Swiss laws or regulations that apply to us, including to communicate with and respond to requests from applicable judicial authorities and tribunals, law enforcement and other regulators; to provide our corporate responsibility communications; to pursue or defend legal claims and to protect our and others’ rights and properties.

Special Category Data

We generally do not seek to process special category data, and we ask that you not provide it to us unless we specifically ask for it. When we do process such data, we will do so in accordance with EU, Member State, UK and Swiss law, including with your explicit consent, where you have manifestly made it public, where it is necessary to protect your or others’ vital interests, to defend or pursue legal claims, and where it is necessary to do so for reasons of substantial public interest, on the basis of EU, Member State, UK, or Swiss law.

Data Subject Rights

If you are in the EEA, Switzerland or the UK, you have the following rights in relation to your personal data where we process it as a controller, subject to the limitations and exceptions set forth in applicable law:

• Right to Access. You have the right to know whether GoTo processes personal data about you and certain details about that data. You may also request a copy of that data.
• Right to Rectification. You have the right to require that GoTo correct inaccurate personal data about you or complete incomplete personal data about you.
• Right to Erasure. You may require GoTo to delete your personal data in certain circumstances, such as where GoTo no longer needs it to fulfill the original purpose for which it was collected and processed.
• Right to Restrict Processing. You may require GoTo to restrict the processing of Personal Data in certain circumstances, such as during the period after you contest its validity while GoTo is confirming the legitimacy of the processing.
• Right to Data Portability. In certain circumstances, you may have the right to obtain the personal data you have provided GoTo in a structured, commonly used and machine-readable format and require us to transmit it to another controller that you designate.
• Right to Object. You may object to the processing by GoTo of your personal data where it is used for direct marketing purposes, where we process it based on our legitimate interests or where we process it for a task carried out in the public interest.
• Right to Not Be Subject to Automated Decision Making. In certain circumstances, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly impacts you. GoTo routinely requires human review of processing where legal effects or other similar impacts are likely to occur.

You may submit your requests to GoTo as set forth in Section 15. We will handle your request as set forth above, and generally within 30 days of receipt. We may, in certain cases, extend our response period by an additional 30 days. If we do so, we will notify you prior to the expiration of the original 30-day period. If you have any concerns regarding your request, we encourage you to contact us at privacy@goto.com. You also have the right to lodge a complaint with a supervisory authority having appropriate jurisdiction. For more information, please contact your local supervisory authority, available here.





Notice at Collection

The disclosures in this section supplement the sections above, apply to California residents (“Consumers”) and are required under the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively, the “CCPA"). For purposes of this section, the term personal data has the same meaning as “personal information” in the CCPA. If you would like to receive these disclosures in an alternative format, please contact us at privacy@goto.com.

During the 12 months prior to the date of this notice, we have collected the categories of personal data about Consumers set forth in Section 5 above from the sources identified in Section 4 above. The purposes for which we collected such information is set forth in Section 6 above. We have also identified the categories of personal data about Consumers we have sold or shared during the past 12 months in Section 9 above.

The following table provides data about the categories of recipients to whom we have disclosed each category of personal data about Consumers for a business purpose. In addition to the types of recipients identified below, we may disclose any category of personal data about Consumers to the recipients identified in Section 7 above.

Category of Personal Information:	Categories of Recipients of Disclosures for a Business Purpose:
Identifiers Internet or Other Electronic Network Activity Information Commercial & Financial Information Professional or Employment-related Information; Education History Inferences, Preferences, and Other Information	Vendors and service providers, including for data analytics, vendors who help us deliver features, and marketing purposes. Service providers who help us operate our business, including data hosting companies, payment processors, IT service providers, business consultants and advisors, security and fraud prevention consultants, and customer and contract management vendors. Service providers whose products and services are included as components of our Sites or Services, or who may provide services for us, including data hosting providers, vendors who help provide features of the products, chat bot providers, AI technology providers, and technology services providers. Business partners who may determine the purposes and means of processing who help to facilitate certain transactions, auditors, and resellers and channel partners who may assist in providing or who may provide Services to you.
Protected Characteristics	We do not generally seek to collect this type of personal data. Where we do, we may disclose it to the following recipients: Service providers who help us operate our business, including data hosting companies, payment processors, IT service providers, business consultants and advisors, security and fraud prevention consultants, and customer and contract management vendors. Business partners who may determine the purposes and means of processing who help to facilitate certain transactions, such as auditors.
Audio, Electronic, Visual, or Similar Information	Service providers who help us operate our business, including data hosting companies, payment processors, IT service providers (such as IVR service providers), business consultants and advisors, security and fraud prevention consultants, chatbot and other AI technology providers, and customer and contract management vendors. Service providers whose products and services are included as components of our Sites or Services (such as those who help us provide audio and video communication services), or who may provide services for us, including data hosting providers, vendors who help provide features of the products, chat bot and other AI technology providers, and technology services providers. Business partners who may determine the purposes and means of processing who help to facilitate certain transactions, auditors, and resellers and channel partners who may assist in providing or who may provide Services to you.
Sensitive Personal Data	Service providers who help us operate our business, including data hosting companies, payment processors, IT service providers, business consultants and advisors, and security and fraud prevention consultants. Service providers whose products and services are included as components of our Sites or Services, or who may provide services to us, including data hosting providers, vendors who help provide features of the products (such as log in or similar information). We do not require or recommend that you input any sensitive information into AI-powered features or tools, such as chatbots. Business partners who may determine the purposes and means of processing who help to facilitate certain transactions, such as auditors. This information would only be provided to business partners where required or where you provide it. We do not use sensitive personal data to infer characteristics about you.

California Privacy Rights

Consumers have the following rights under the CCPA:

• Right to Know. You have the right to request that we disclose what personal information we collect, use, and disclose about you specifically.
• Right to Delete. You have a right to request the deletion of personal information that we collect or maintain about you, subject to certain exceptions.
• Right to Correct. You have the right to request that we correct inaccurate personal information we may have about you.
• Right to Opt-Out of the Sale or Sharing of Personal Information. You have the right to opt out of the selling or sharing of your personal information, as we describe in Section 9. If you wish to do so, please click here or contact us at the email or phone number in the Contact Us section of this privacy policy. In addition, GoTo Sites respond to Global Privacy Control (“GPC”) signals; for more details, including how to turn on GPC, please visit https://globalprivacycontrol.org/.
• Right to Limit the Use of Sensitive Personal Information. Consumers have the right to limit how we use or disclose their sensitive information; however, as set forth above, GoTo does not use or disclose sensitive personal information for purposes other than permitted under applicable U.S. state data privacy laws.

GoTo will not discriminate against you for exercising any of your rights under the CCPA.

Exercising Your Rights

To submit a request to exercise your rights or for information on self-service procedures (where available), please visit Individual Rights Management portal here, submit an email request to privacy@goto.com, or call us at 1-833-851-8340. We will acknowledge your request in the timeframe set forth in the CCPA and seek to verify your identity. For example, if you have a password-protected account with us, we may verify your identity through our existing authentication practices for your account. We will respond to your request in accordance with the CCPA. If we cannot verify your identify, we will not be able to act on your request. Once we have verified your identity, we will respond to your request in accordance with the CCPA. If we deny your request, we will tell you why.

Authorized Agent

You can designate an agent to make a request under the CCPA on your behalf. If an authorized agent is used to submit a request to exercise your right to know or your right to request deletion, we will verify your identity and the agent’s authority to act on your behalf.

California’s Shine the Light Law

Under California’s Shine the Light law, Consumers may ask GoTo to provide the names of third parties to whom we disclosed personal data during the preceding calendar year for their direct marketing purposes and identify the categories of personal data we disclosed to them. You may send us requests for this information to privacy@goto.com. Your request must include the statement “Shine the Light Request", your first name, your last name, your mailing address, and your certification that you are a California resident. We reserve the right to require additional information to confirm your identity and California residency.





Legal Basis for Processing

If you are an individual in Brazil, we collect and process your personal data as a controller only where we have a legal basis for doing so. We use the following legal bases to process your personal data:

• To Prepare to Enter Into, or to Perform, a Contract With You. Preparing to enter into an agreement with you, such as our terms of service or another contract or arrangement, or to perform our contractual obligations or communicate with you related to our agreements;
• With Your Consent. When we process your personal data with your consent, we will tell you what consequences may arise if you do not provide it. If you provide your consent, you may withdraw it at any time. Subject to certain limitations under the law, when you withdraw your consent, you can ask us to delete the information about you that we processed with your consent. Your withdrawal of consent will not affect the legality of our processing that occurred before you withdrew your consent;
• To Comply With the Law. We process your personal data to help us comply with laws that apply to us and to respond to requests from applicable judicial authorities and tribunals, law enforcement, and other regulators, and to detect, prevent, investigate, and respond to fraudulent, harmful, unauthorized, or illegal activity;
• For the Regular Exercise of Rights in Judicial, Administrative or Arbitral Proceedings. We may process personal data when we exercise our rights to pursue or defend legal claims;
• To Protect Your and Others’ Lives or Physical Safety. We process personal data to prevent, detect, investigate and respond to activities that may impact an individual’s life or physical safety, such as threats of violence or harm to children;
• For Our or Others’ Legitimate Interests, Where They Do Not Override Your Data Protection Rights. We process personal data for our or others’ legitimate interests, for example to develop, test, support, and improve our Sites and Services; to aggregate or de-identify personal data; to process personal data to perform contracts with an account owner or with a reseller; provide reasonable security measures and detect security or safety concerns or terms of service violations; where permitted by law, to send marketing and other commercial communications related to our Services and our industry; to comply with non-Brazilian laws or regulations that apply to us, including to communicate with and respond to requests from applicable judicia authorities and tribunals, law enforcement; and other regulators; to comply; to meet our corporate responsibility communications, to pursue or defend legal claims and to protect our and others’ rights and properties; and
• For Debt Collection or Credit Protection. We may process personal data for the purpose of collecting debts owed to us for Services.

Sensitive Personal Data

We generally do not seek to process sensitive data, and we ask that you not provide it to us unless we specifically ask for it. When we do process such data, we will do so in accordance with the law, including where we are required to do so to comply with a law that applies to us; for the regular exercise of rights, including by contract, and in judicial, administrative and arbitral proceedings; to protect your or others’ life or physical safety; and in furtherance of fraud prevention and your security (such as in the authentication of your registration to our Services).

Data Subject Rights

You have the following rights in relation to your personal data where we process it as a controller, subject to the limitations and exceptions set forth in the law:

• Right to Confirmation and Access. You have the right to know whether GoTo processes personal data about you and certain details about that data. You may also request a copy of that data.
• Right to Rectification. You have the right to require that GoTo correct inaccurate or outdated personal data about you or to complete incomplete personal data about you.
• Right to Anonymization, Blocking or Deletion. You may require GoTo to anonymize, block or delete your personal data in certain circumstances, such as where it is unnecessary, excessive or processed in violation of law.
• Right to Restrict Processing. You may require GoTo to restrict the processing of personal data in certain circumstances, such as during the period after you contest its validity while GoTo is confirming the legitimacy of the processing.
• Right to Data Portability. In certain circumstances, you may have the right to require us to transmit your personal data to another service provider that you designate.
• Right to Information About the Entities to Whom We Have Provided Your Personal Data. You may ask us to provide you with certain information about the public and private entities to whom we have provided your information.

You may submit your requests to GoTo as set forth in Section 15. We will handle your request as set forth above. For access requests, we will respond within 15 days of your request. For other requests, we will respond in a reasonable period of time if no time period is specified in the law. If you have any concerns regarding your request, we encourage you to contact us. You also have the right to lodge a complaint with the ANPD, Brazil’s privacy regulator, or consumer protection agencies.

Person In Charge (Encarregado)

GoTo has appointed a Person in Charge (Encarregado) as required by the LGPD, who may be contacted as follows:

Attn: GoTo Privacy Team c/o Legal Team (MP Kang), GoTo, 333 Summer Street, Boston, MA 02210.

You may also reach our person in charge via email at privacy@goto.com.