This Consumer Data Privacy Policy applies to VGM Group, Inc. consumers whose data is subject to Data Privacy Laws as defined below. It applies whenever you visit our websites, including www.vgm.com, www.vgmgroup.com, www.vgmhomelink.com, www.vgminsurance.com, www.tworiversmarketing.com, or any other website of one of VGM’s divisions or subsidiaries (“Sites”), or use any of our products or services that link to or otherwise reference this policy. The following policy describes what information VGM Group, Inc. (“VGM” or “We” or “Us”) collects that is subject to Data Privacy Laws, your rights under Data Privacy Laws, and how you can enforce your rights under Data Privacy Laws.
Consumer: A consumer is a natural person who is a resident of a state with a Data Privacy Law, living in a state with a Data Privacy Law for other than a temporary or transitory purpose, or an individual domiciled in a state with a Data Privacy Law.
Data Privacy Laws: All applicable federal, state, and foreign laws, rules, regulations, and guidance (and any implementing legislation or regulations thereunder as amended) pertaining to consumer data privacy.
Personal Information (PI): Information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include:
Publicly available information lawfully made available from government records.
De-identified or aggregated consumer information that cannot be reasonably linked to an individual.
Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, health or medical information covered by applicable state privacy and/or confidential laws or regulations, or clinical trial data; and
Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA) or applicable state financial confidentiality laws and regulations.
Note: If certain types of information are excluded from Data Privacy Laws, this policy will not apply to such excluded data.
Sensitive Personal Information (“SPI”): is a subset of PI which includes, but may not be limited to:
Government identification numbers, such as social security numbers, driver’s license numbers, state identification, numbers, or passport numbers;
Account login information;
Financial account, credit or debit card numbers, combined with a password, PIN, or other required security or access codes;
Precise geolocation;
Racial or ethnic origin, religious or philosophical beliefs, or union membership;
Content of postal mail, email, or text messages, unless VGM is the intended recipient of those communications;
Biometric data that uniquely identifies an individual or information concerning an individual’s health, sex life, or sexual orientation; and
Genetic data
VGM has collected the following categories of PI, including SPI, from its consumers within the last twelve (12) months:
| Category | Examples | Collected? |
|---|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver's license number, passport number, mobile device information (e.g., device model, operating system version, device date and time, unique device identifiers, mobile network information, etc.), or other similar identifiers. | YES |
| B. Personal Information categories listed in Data Privacy Laws. | Information that is protected against security breaches such as: name, signature, social security number, physical characteristics or description, address, telephone or mobile device number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some PI included in this category may overlap with other categories and may not be subject to all the rights under Data Privacy Laws | YES |
| C. Protected classification characteristics under state or federal law. | Age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, and genetic information (including familial genetic information). | YES |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Media information (e.g., advertising engagement in social, digital, and broadcast media, etc.). | YES |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Use of a Site, including browsing history, search terms and history, and information on a consumer's interaction with a Site (i.e., pages visited), application, or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | YES |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | YES |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other PI. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |
| L. Sensitive PI | As defined above. | YES |
We generally do not collect additional categories of PI or use the PI we collected for significantly different or meaningfully unrelated purposes without providing you notice.
We obtain the categories of PI listed above from the following categories of sources:
Directly from you or your devices. For example, from forms or surveys you complete on one of our Sites or one of our service provider’s Sites.
Indirectly from you. For example, from observing your actions on one of our Sites (e.g., cookies).
Automated sources, such as analytics.
Third-party sources (including social media).
Embedded content from other websites and links to third-party websites.
Other users of our services.
VGM divisions and business units.
Internet service providers and other online sources.
State and federal governmental entities.
Operating systems and platforms.
Business partners (e.g., service providers). For example, insurance companies or providers.
Publicly accessible sources.
We may use or disclose the PI we collect for one or more of the following business purposes:
Fulfilling or meeting the reason you provided the information for a business purpose.
Providing you with information, products, or services that you request from VGM, including responses to your inquiries and to notify winners of any promotions.
Contracting with service providers to perform services on our behalf, including but not limited to maintaining or servicing accounts, providing customer service, processing, or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on our behalf.
Otherwise enabling or effecting, directly or indirectly, a business or commercial transaction.
To improve our Sites.
To monitor and analyze trends, usage, and activities in connection with our Sites.
To personalize our Sites and show you content that’s relevant to you.
Survey, test, research, analyze, and product and service development.
Providing you with email alerts, event registrations and other notices concerning VGM’s services, or news that may be of interest to you.
Sending you SMS text messages or push notifications. Your phone number and consent to receive SMS text messages or push notifications will not be shared.
Facilitating the connection of third-party services or applications, such as social medica.
Marketing purposes, such as developing and providing promotional and advertising materials that may be useful, relevant, valuable, or otherwise of interest to you.
Facilitating transactions and payments.
De-identifying and aggregating information collected through our services and using it for any lawful purpose.
Responding to trust and safety issues that may arise as necessary or appropriate to protect the rights, property, or safety of VGM, our employees, our customers, or others.
For automated decision making, including email segmentation and message personalization.
Carrying out our obligations and enforce our rights arising from any contracts or other terms entered into between you and VGM, including billing, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
Auditing related to a current interaction with you and concurrent transactions, and auditing compliance with this specification and other standards.
Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
Debugging to identify and repair errors that impair existing intended functionality.
Short-term, transient use.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
For other purposes with your consent for which we provide specific notice at the time the information is collected.
As described to you when collecting your PI or as otherwise set forth in Data Privacy Laws.
As to job applicants, employees, owners, directors, officers, or contractors of VGM who reside in states with Data Privacy Laws and from whom we collect PI as a business under applicable law, we collect, use and disclose your PI in accordance with the specific business purposes below:
If you have any questions, comments, or concerns about our processing activities, please contact Human Capital.
VGM may disclose your PI to a third party for a business purpose. When we disclose PI for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that PI confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, VGM has disclosed the following categories of PI for a business purpose:
Category A: Identifiers
Category B: Customer records
Category C: Protected classification characteristics under state or federal law
Category D: Commercial information
Category F: Internet history
Category G: Geolocation data
Category I: Professional or employment-related information
Category L: Sensitive personal information
In the preceding twelve (12) months, VGM has not disclosed PI for a commercial purpose that constitutes “selling” or “sharing” under the applicable Data Privacy Laws.
Pursuant to VGM’s Consumer Privacy Policy, we share your information with the following categories of third parties for a business purpose:
Advertising Providers: Advertising technology companies, such as advertising networks.
ISPs: Internet service providers.
Analytics Vendors.
Government: State or federal governmental entities.
OS/Platform Provider: Operating systems and platforms.
Social Media.
Vendors: Service providers.
Integrated Third Parties: Third parties integrated into our services.
Cellphone Carriers: Your phone number and consent to receive SMS text messages or push notifications will not be shared.
Third Parties as Legally Required: Third parties as required by applicable state and federal law and regulation and similar disclosures.
Third Parties in Merger/Acquisition: Third parties in connection with a merger, sale, or asset transfer.
Third Parties with Consent: Other third parties for whom we have obtained your permission to disclose your PI.
Data Privacy Laws provide Consumers with specific rights regarding their PI. This section describes your rights and explains how to exercise those rights.
| Right | To Exercise This Right | Time Frame and Response From VGM | If We Cannot Complete Your Request |
|---|---|---|---|
| Access to specific information and the categories of sources and purposes for collection, use, disclosure, and sale in the last 12 months, after verification of your identity. | Submit your request and confirm your "verifiable consumer request" via the contact information below. | We will evaluate and respond to your request by a toll-free telephone number, webform, email, or by mail within 45 days. If we require more time, we will inform you of the reason and extension period in writing. Once we confirm your verifiable consumer request, we will provide you access to your specific information and the categories of sources and purposes for collection, use, disclosure, and sales (and direct VGM’s service providers to do the same) of your personal information. | We will explain the reasons we cannot comply with a request in our response. |
Deletion of information. You have the right to request that VGM delete your PI, subject to certain exceptions and after verification of your identity. | Submit your request and confirm your "verifiable consumer request" via the contact information below. | We will evaluate and respond to your request by a toll-free telephone number, webform, email, or by mail within 45 days. If we require more time, we will inform you of the reason and extension period in writing. Once we confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your PI from our records, unless an exception applies. | We will explain the reasons we cannot comply with a request in our response. The law does not require us to honor requests to delete where it is necessary in certain circumstances for us or a service provider to maintain PI. These include:
|
| Opt-out of the "sale" or “sharing” of PI in some circumstances. | Submit your request and confirm your "verifiable consumer request" via the contact information below. | We will evaluate and respond to your request by a toll-free telephone number, webform, email, or by mail within 45 days. If we require more time, we will inform you of the reason and extension period in writing. | We will explain the reasons we cannot comply with a request in our response. |
Correction of PI You have the right to have VGM correct errors in the PI it maintains about you. | Submit your request and confirm your "verifiable consumer request" via the contact information below. | We will evaluate and respond to your request by a toll-free telephone number, webform, email, or by mail within 45 days. If we require more time, we will inform you of the reason and extension period in writing. Once we confirm your verifiable consumer request, we will correct (and direct our service providers to correct) your PI in our records, unless an exception applies. | We will explain the reasons we cannot comply with a request in our response. |
| Limit use and disclosure of SPI in some circumstances | Submit your request and confirm your "verifiable consumer request" via the contact information below. | We will evaluate and respond to your request a toll-free telephone number, webform, email, or by mail within 45 days. If we require more time, we will inform you of the reason and extension period in writing. Once we confirm your verifiable consumer request, we will limit use and disclosure of your sensitive information (and direct our service providers to do the same) | We will explain the reasons we cannot comply with a request in our response. |
To exercise your rights to access or delete your PI under applicable Data Privacy Laws, you must submit a “verifiable consumer request.” Only you, or a person authorized by you to act on your behalf, may make a verifiable consumer request related to your PI. You may also make a verifiable consumer request on behalf of your minor child.
A verifiable consumer request must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected PI or an authorized representative of such a person.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
If we cannot verify your identity or authority to make the request, we will not be able to fulfill your request. The information provided for verification will only be used for that purpose.
To authorize an agent to make a request to know or delete on your behalf, please write to the contact address below. To authorize an agent to make an opt-out request on your behalf, please send a written authorization signed by you and the authorized agent to us via the Contact Information section below.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
In some circumstances, you may opt out of the sale of your PI.
We will not sell or share the PI of consumers if we have actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, have affirmatively authorized the sale or sharing of the consumer’s PI.
To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by writing using the Contact Information below or by visiting the Data Request tab.
Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize the sale of your PI.
However, you may change your mind and opt back into PI sales at any time by visiting our Site and sending us a message. We will only use PI provided in an opt-out request to review and comply with the request.
Your PI may be retained for a minimum of ten (10) years in accordance with applicable federal law.
We will not discriminate against you for exercising any of your Data Privacy Law rights. Unless permitted by applicable Data Privacy Laws, we will not:
Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
You also have the right not to receive discriminatory treatment by VGM for the exercise of privacy rights conferred by any applicable Data Privacy Laws, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of applicable Data Privacy Laws.
We may offer you certain financial incentives such as discounted prices, rates, or quality levels. Any permitted financial incentive we offer will reasonably relate to your PI’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
We reserve the right to amend this privacy policy at our discretion and at any time. When we make changes to this privacy policy, we will post the updated policy on the Sites and update the policy’s effective date. Your continued use of our Sites and/or services following the posting of changes constitutes your acceptance of such changes.
You may request a paper copy of this Consumer Data Privacy Policy, free of charge, via the Contact Information section below. Upon request you may also receive a paper or electronic copy of this Consumer Data Privacy in alternative formats or in languages in the ordinary course of business in the states with applicable Data Privacy Laws.
You have the right to receive a copy of this Consumer Data Privacy Policy, free of charge, and to discuss its contents with the VGM Privacy Officer by making a request via the Contact Information below.
You can contact VGM with your questions, comments, consumer rights requests, and other applicable Data Privacy Law inquiries by:
Mail:
Attn: VGM Privacy Officer
1111 Van Miller Way
Waterloo, IA 50701
Phone: 1-877-474-3227
Email: [email protected]
If you believe your PI was accessed without permission, please contact VGM by any means listed above.
July 11, 2024