GDPR Addendum to Privacy Policy

Last Updated: October 15, 2024

The European Union’s (EU) General Data Protection Regulation (GDPR) provides individuals that are residents of the EU, European Economic Area (EEA)) and Switzerland with specific rights regarding their Personal Data.  This GDPR Addendum to the ManageXR Privacy Policy (the “Privacy Policy”) addresses those rights. Additionally, the UK has recently left the EU but is taking steps to adopt laws that mirror the GDPR, such as the Data Protection Act of 2018. References to the GDPR in this Privacy Policy are intended to cover the Data Protection Act of 2018 and any other similar replacement laws adopted by the UK.  The UK, Switzerland and the countries of the EU and EEA are collectively referred to herein as the “Designated Countries”.  

This GDPR Addendum should be read in conjunction with the ManageXR Privacy Policy, which provides a description of all of our data collection, use and disclosure practices with respect to ManageXR’s website and marketing activities. Capitalized terms used herein and not otherwise defined shall have the respective meanings provided in the ManageXR Privacy Policy. 

Please also note that this GDPR Addendum only applies to our website and marketing activities and Users Interacting with us in connection therewith and their Personal Data.  If you are a company or business to whom we provide our ManageXR Platform and related services (or the employees, representatives or other end users of such companies or businesses), this Addendum does NOT apply to you.  Please visit our Data Processing Addendum, for more information related how we handle information collected from individuals subject to GDPR related to the ManageXR Platform and our related customer services.

1. General.  We may ask you to identify which country you are in when you Interact with us, or we may rely on your IP address to identify which country you are located in. When we rely on your IP address, we cannot apply the terms of this section to any individual that masks or otherwise hides their location information from us so as not to appear located in a Designated Country. If any terms in this Addendum conflict with other terms contained in the Privacy Policy, the terms in this Addendum shall apply to users from Designated Countries.

ManageXR is a data controller with regard to any User Information (as described in the Privacy Policy) collected from Users in connection with the Interactions.  This Addendum applies solely to User Information that is considered “Personal Data” under GDPR, with such GDPR-specific User Information being referred to herein as “Personal Data”.  A “data controller” is an entity that determines the purposes and the manner in which the Personal Data is processed. Any third parties that handle your Personal Data in accordance with our instructions are our service providers and are “data processors.” You are a “user.” Users are individuals providing Personal Data to us in connection with the Interactions, such as requesting to receive information regarding our Services or otherwise accessing or using our Site or Interacting with us.

2. Legal Basis.  Our legal basis for collecting and using the Personal Data as described in our Privacy Policy will depend on the Personal Data concerned and the specific context in which we collect it. We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.  Note that we may process your Personal Data for more than one legal basis depending on the specific purpose for which we are using your data. Please contact us at support@managexr.com if you need details about the specific legal ground we are relying on to process your Personal Data where more than one ground has been set out in the table below.

Purpose for Processing	Legal Basis for Processing
We may Process your Personal Data to provide the Site and facilitate Interactions.  Specifically, we may Process your Personal Data to: deliver information to you and contact you regarding administrative notices; respond to your requests, inquiries, comments and concerns);  personalize your interactions with us; provide technical, product and other support for the Site and Interactions;better understand you and/or maintain and improve the accuracy of the records we hold about you.	This use of your Personal Data is necessary for our legitimate interests (managing our business, providing the Site, facilitating Interactions), provided our interests are not overridden by your rights and interests.  Please note that you have a right to object to processing of your Personal Data where that processing is carried on for our legitimate interest.   This use of your Personal Data is sometimes also necessary in order for us to comply with legal obligations.    In certain cases, Users also provide their express consent to these data uses.
We may provide Personal Data to our suppliers and third-party service providers that help us provide, operate, analyze and improve the Site and your Interactions with us.	This use of your data is necessary for our legitimate interests (managing our business, providing the Site, improving the Site and our Interactions with uses, studying how users use the Site and otherwise Interact with us), provided our interests are not overridden by your rights and interests.    This use of your Personal Data is sometimes also necessary in order for us to comply with legal obligations.    In certain cases, Users also provide their express consent to these data uses.
We may use Personal Data to evaluate and improve the Site and other Interactions, and our other products and services (i.e., identify usage trends and for data analysis, including for purposes of research, audit and reporting) and to develop new products, services, features and benefits.	This use of Personal Data is necessary for our legitimate interests (managing our business, providing our Site, keeping our records updated, studying how users use our Site and Interact with us, developing our Site and Services, defining types of clients for our Services, and informing our marketing strategy), provided our  interests are not overridden by your rights and interests.
We may use Personal Data to engage in advertising and marketing efforts and provide you with special offers and other information about the Services as well as other products, events and services of ours, our affiliates, and non-affiliated third parties.	This use of Personal Data is necessary for our legitimate interests (studying how users use our Site and Interact with us, to develop our Site and Services, to grow our business and to inform our marketing strategy), provided our   interests are not overridden by your rights and interests.
We may share and transfer Personal Data if we are involved in a merger, sale, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy or other change of ownership or control.	This use of Personal Data is necessary for our legitimate interests (managing our business, facilitating Interactions and providing our Site and Services), provided our interests are not overridden by your rights and interests.    This use of your data is sometimes also necessary in order for us to comply with legal obligations.
We may also share Personal Data:   (i) as required or permitted by law, including any requirements from government agencies and taxing authorities; (ii) if we determine that disclosure of specific information is necessary to comply with the request of a law enforcement or regulatory agency or other legal process; (iii) to protect the rights, privacy, property, interests or safety of ManageXR or our affiliated companies, customers, employees or the general public; (iv) to pursue available remedies or limit damages; (v) to enforce ManageXR’s agreements; and (vi) to respond to an emergency.	This use of your data is necessary in order for us to comply with legal obligations.   This use may also be necessary to protect vital interests.

3. Transfer of Personal Data Outside of the Designated Countries. To the limited extent that it is necessary to transfer Personal Data outside of the Designated Countries, we will ensure appropriate safeguards are in place to protect the privacy and integrity of such Personal Data, including Standard Contractual Clauses under Article 46.2 of the GDPR. Please contact us if you wish to obtain information concerning such safeguards.

4. International Transfers.  ManageXR is located in the United States of America.  Therefore, any Personal Data we collect will be collected and stored in the USA.  For Users that are in the Designated Countries, this means that their Personal Data will be stored in a jurisdiction that offers a level of protection that may, in certain instances, be less protective of their Personal Data than the jurisdiction the User is typically resident in.  Please note that ManageXR uses safeguards designed to protect the privacy and integrity of such Personal Data, including adhering to the Standard Contractual Clauses under Article 46.2 of the GDPR.  Please contact us at support@managexr.com if you wish to obtain information concerning safeguards we employ when transferring Personal Data outside of the Designated Countries.

5. Additional Privacy Rights. We provide you with the rights described below when you Interact with us. We may limit these privacy rights (a) where denial of access is required or authorized by law, (b) when granting access would have a negative impact on others’ privacy, (c) to protect our rights and properties, or (d) where the request is frivolous or burdensome. If you would like to exercise your rights under applicable law, please contact us at support@managexr.com. We may seek to verify your identity when we receive your privacy rights request to ensure the security of your Personal Data.

1. Right to withdraw consent.  For any consent-based processing of your Personal Data, you have the right to withdraw your consent. A withdrawal of consent will not affect the lawfulness of our processing or the processing of any third parties based on consent before your withdrawal.
2. Right of access/right of portability.  You may have the right to obtain information about the categories of your Personal Data that we are processing, the purposes for which we process that Personal Data, and how we share that Personal Data, among other things.  You also have the right to access the Personal Data that we hold about you, and in some circumstances, have the Personal Data provided to you so that you can provide that Personal Data to another controller.  
3. Right to rectification. You may request for us to correct or rectify any inaccurate or incomplete Personal Data we hold about you in our files.
4. Right to erasure. In certain circumstances, you may have a right to the erasure of your Personal Data that we hold on you.
5. Right to restriction. You have the right in some circumstances to request that we restrict our processing of your Personal Data, such as where the accuracy of the Personal Data is contested by you.
6. Right to object to processing. You have a right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal information, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.
7. Rights to file a complaint.  If you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
8. Notification to third parties. When we fulfill your individual rights requests for correction (or rectification), erasure or restriction of processing, we will notify third parties also handling the relevant Personal Data unless this proves impossible or involves disproportionate effort. Upon your request, we will identify such third parties.

6. Exercising Your Rights. If you wish to exercise one of these rights, please contact us at support@managexr.com. Please include your name and email address with your request. Before we can process any such request, we will need to verify your identity through the email address or telephone number associated with you in our records, and confirm your request prior to fulfilling any such request and reserve the right to deny a request where we are unable to satisfactorily complete this process.  If you authorize someone to make a request on your behalf, we may also deny your request if we are unable to verify that the individual making the request is authorized to act on your behalf.  We will respond to all such requests as soon as reasonably possible and, in any event, within timelines required by GDPR.  ManageXR does not and will not discriminate against you for exercising your rights under GDPR. 

7. Third Party Providers/Sub-Processors.  We may use third party service providers (known as subprocessors) to facilitate use and operation of the Site and/or for other activities related to our Interactions with you  and our other business activities.  We share some Personal Data with these subprocessors to help us provide, manage, secure and improve the Site and related to our Interactions with you. Your Personal Data may be provided to and used by such sub-processors in furtherance thereof.  A current list of our third party subprocessors is available here.  Our subprocessors have privacy and security practices in place to ensure compliance with the GDPR and have contractual requirements to protect the privacy and security of the personal data that they sub-process. 

8. Changes To This Addendum.  We reserve the right to change this GDPR Addendum from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the top of this Addendum. Your continued use of the Site or other Interactions with us after we make changes is deemed to be an acknowledgment of those changes, so please check this GDPR Addendum periodically for updates.