Iconik Privacy Policy

Updated: April 15, 2026

Welcome to the website (the “Site”) of Iconik Securities, Inc. (“Iconik”, “we”, “us” and/or “our”). This Site is operated by Iconik and has been created to provide information about our company, web applications and related services (together with the Site, the “Services”). This Privacy Policy (the “Privacy Policy”) sets forth Iconik’s policy with respect to information including personally identifiable data (“Personal Data”) and other information that is collected from visitors to the Site and users of the Services (the “Visitors”, or individually, “Visitor”, “you”, and/or “your”). Any discussion of your use of the Service in this Privacy Policy is meant to include your visits and other interactions with the Site and Services, whether or not you are a user of Iconik’s trading-related products.

By using the Services, you do hereby warrant and represent that:

  • You have read, understood, and agreed to all terms and conditions stated herein;
  • You are giving Iconik permission to use and store such information consistent with this Privacy Policy.

Types of information collected

Personal information you provide through the Services

Iconik collects and utilizes certain information through the Services in order to provide the Services to you. For example, your preferences on environmental, social, governance, or business topics may be collected in order to auto-generate voting choices for shareholder ballots you are entitled to vote on. Through the Services, the following information may be collected:

  • Identity Information: includes your full name.
  • Contact Information: includes your email address.
  • Profile Information: includes your username and password, purchases or orders made by you, your preferences, feedback, and survey responses.
  • Usage Information: includes information about how you access and use our Services, such as your actions on the Services, including for example voting choices you’ve manually submitted (“Usage Information”). Please remember that Iconik may, but has no obligation to, monitor, record, and store Usage Information in order to protect your safety or the safety of other users, to assist with regulatory or law enforcement efforts, to protect and defend our rights and property, or for other reasons relating to our provision of the Services. By using the Services, you consent to the recording, storage, and disclosure of such information you send or receive for these purposes.
  • Additional Information: includes information that you submit via customer support, or other similar means. We may also collect any communications between Iconik and you (including recording calls made to or by Iconik) and any other information you provide to Iconik.

Sensitive Personal Information. In the course of providing proxy voting services, Iconik may process certain information that qualifies as “sensitive personal information” under applicable U.S. state privacy laws, including:

  • Custodial account numbers received from broker-dealers, custodians, and other financial intermediaries, which we use solely to identify the securities you are entitled to vote, to apply your voting preferences to the correct ballots, and to transmit your voting instructions to the appropriate intermediaries.
  • Email contents accessed through email API integrations that you have chosen to enable. Where you connect an email account, our systems first examine only email metadata (such as sender, recipient, subject, and routing information) to identify messages that are reasonably likely to contain proxy-related communications. The body of an email is accessed only when the metadata indicates a probable proxy notice, and even then solely for the limited purpose of extracting specific non-sensitive data points (such as proxy notice control numbers) required to deliver the Services. We do not access, read, retain, use, or disclose the contents of email communications that our metadata analysis indicates are not proxy-related, and we do not retain the broader contents of proxy-related emails beyond the specific data points necessary for voting.
  • Account login credentials, which are stored only in hashed form and are never accessible to Iconik personnel in plaintext.

Iconik uses sensitive personal information solely to provide the Services you have requested, to ensure the security and integrity of the Services, and to comply with applicable law. We do not use sensitive personal information for any other purpose, including advertising or profiling. You have the right to limit our use of sensitive personal information as described in the “U.S. state privacy rights” section below.

Personal Information Collected Automatically

As is true of many digital platforms, we may collect certain personal information automatically when you visit our online services, including:

  • Usage and Device Data Collected Automatically Through Tracking Technologies. To provide a personalized and enhanced user experience, we, and our third-party partners, may automatically collect certain types of usage information when you visit or use our Services, read our emails, or otherwise engage with us. We typically collect this information through a variety of tracking technologies, including cookies, web beacons, embedded scripts, and similar technology (collectively, “Tracking Technologies”). For example, we collect information about your device and its software, such as your IP address, browser type, Internet service provider, platform type, device type, operating system, date and time stamp, a unique ID (that allows us to uniquely identify your browser, mobile device, or your account), and other similar information. We use Tracking Technologies to help ensure that you have a high-quality experience on our Services, for example, by adapting our Service to be compatible with your device or operating system, among other things. You may change or disable certain cookie settings in your browser. However, doing so may limit the features available to you through the Services.
  • Account Linking. Iconik offers account linking and aggregation services (“Linking Services”) through Plaid Inc. (“Plaid”). By utilizing these Linking Services, you acknowledge and agree that the terms of Plaid’s Privacy Policy (currently located at https://plaid.com/legal/#end-user-privacy-policy) will govern Plaid’s use of such information, and you expressly agree to the terms and conditions of Plaid’s Privacy Policy. Further, you expressly grant Plaid the right, power, and authority to access and transmit your information as reasonably necessary for Plaid to provide the Linking Services to you.
  • Google Analytics. We may allow third party service providers to use cookies or similar technologies to collect information about your browsing activities over time following your use of the Services. For example, we use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies to help us analyze how users use the Site and enhance your experience when you use the Service.
  • Email APIs. Iconik offers email API capabilities that users may optionally utilize to provide Iconik with certain information required to perform voting services as instructed by the user. This includes the automatic collection of non-sensitive information from email inboxes such as proxy notice control numbers. Users are not required to utilize email APIs to enjoy the Services and may discontinue their use at any time through the configuration options available on the Settings page in their online Iconik account. Information collected through email APIs is protected as described in the “Security and data protection” and “Google user data” sections below, is used exclusively to enhance the provision of Services to users, and is not shared with third parties other than for the limited purposes described in the section below (“Use of your information”).

Use of your information

We use and process the information we collect for purposes described in this Privacy Policy or as otherwise described to you on our Services or in connection with our Services. For example, we use your information to:

  • Create and process your account and deliver the Services to you, including to allow you to register for the Services and participate in interactive features and for Iconik to authenticate your identity, provide billing and account management, and complete other administrative matters;
  • Send you transactional information, including confirmations, invoices, technical notices, product and services information and announcements, software updates, security alerts, support and administrative messages, and information about your transactions with us;
  • Communicate with you such as to respond to your comments and questions, deliver newsletters or other content we believe you will be interested in, provide customer service or feedback, conduct surveys, respond to employment opportunities for which you’ve applied, notify you about upcoming events, or for any other purposes in connection with the Services;
  • Provide you with updates about products and services offered by us and our partners;
  • Make suggestions and recommendations to you;
  • Monitor, administer, and enhance our Services, including troubleshooting, data analysis, testing, research, statistical, and survey purposes;
  • Enhance the safety and security of our Services, business, and users, and investigate or provide notice of fraud or unlawful or criminal activity;
  • Perform audits and protect or exercise our legal rights or defend against legal claims, including to enforce and carry out contracts and agreements; and
  • Comply with applicable laws and legal obligations.

We do not use Personal Data, client voting policies, voting preferences, ballot choices, or other client information to train artificial intelligence or machine learning models, whether our own or those of any third party. We also do not permit our sub-processors or service providers to use your Personal Data to train their artificial intelligence or machine learning models.

We are committed to maintaining your trust, and we want you to understand when and with whom we may share the personal information we collect. We may share your personal information in the instances described below.

  • Authorized third-party vendors and service providers. We share personal data with certain authorized and vetted contractors, sub-processors, subcontractors, third-party vendors, and service providers who help us run and protect our business. This includes cloud infrastructure (Amazon Web Services), account linking (Plaid), analytics (Google Analytics), email delivery, customer communications, and data processing. These vendors are contractually obligated to use Personal Data only for the purposes of providing services to Iconik and to maintain appropriate safeguards.
  • Legal purposes. We disclose personal data to respond to subpoenas, court orders, legal process, law-enforcement requests, legal claims, or government inquiries and to protect and defend the rights, interests, safety, and security of Iconik, our affiliates, users, or the public.
  • Third parties you have requested we share your information with. We share limited personal data with third parties to facilitate certain requests you have made through the Service, such as opting into a third party’s mailing list. In these situations, we endeavor to only share the minimum amount of information required to honor your request.
  • Business transfers. We may share personal data in connection with a merger, acquisition, financing, reorganization, or sale of assets, or in the event of bankruptcy or insolvency. In any such transaction, personal data will continue to be protected consistent with this Privacy Policy, and we will provide notice to affected users of any material change in how their personal data is handled.
  • With your consent. We share personal data for any other purposes disclosed to you with your consent. We may also share information with others in an aggregated or otherwise anonymized form that does not reasonably identify you directly as an individual.

We do not sell your Personal Data, and we do not share your Personal Data with third parties for cross-context behavioral advertising.

Security and data protection

Iconik is committed to protecting the security of your information, including any sensitive data collected through the Services. We implement administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, use, alteration, disclosure, or destruction. These safeguards include:

  • Encryption in transit using TLS 1.2 or higher for all data transmitted between your device and our servers, and between our servers and third-party APIs.
  • Encryption at rest using AES-256 for data stored on our infrastructure, including data collected through email APIs and other integrations.
  • Access controls that limit access to Personal Data to authorized personnel on a need-to-know basis, enforced through role-based permissions, multi-factor authentication, and audit logging.
  • Infrastructure hosted on Amazon Web Services (AWS), which maintains industry-recognized security certifications including SOC 2 Type II and ISO 27001.
  • Regular review of our security practices, including monitoring for unauthorized activity and maintaining an incident response process.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. However, we take reasonable and appropriate steps to protect your information and to promptly address any security concerns that may arise.

Data breach notification. In the event of a data security incident affecting your Personal Data, we will notify affected users and applicable regulators in accordance with the timeframes and requirements of applicable law. For users covered by U.S. state breach notification laws, this generally means notification without unreasonable delay and, in any case, within the timeframes specified by the applicable state statute.

Google user data

If you choose to connect a Google account (for example, to enable Gmail API functionality for proxy-related email processing), Iconik’s access to, use of, storage of, and sharing of Google user data is subject to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We access Google user data solely to provide and improve the user-facing features of Iconik that you have knowingly chosen to enable, such as helping you to automatically vote your proxy notices in accordance with your chosen voting policy.
  • We do not use Google user data for serving advertising, including retargeting, personalized, or interest-based advertising.
  • We do not sell Google user data or transfer it to third parties for advertising, credit-worthiness, or lending purposes.
  • We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine learning models.
  • We do not transfer Google user data to others except as necessary to provide or improve these user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to affected users.
  • We do not allow humans to read Google user data unless (i) we have your affirmative consent for specific messages, (ii) it is necessary for security purposes such as investigating abuse, (iii) it is necessary to comply with applicable law, or (iv) the data has been aggregated and anonymized and is used for internal operations in accordance with applicable privacy requirements.

Google user data is encrypted in transit and at rest as described in the “Security and data protection” section above.

Data retention and deletion

We retain Personal Data, including Google user data, only for as long as necessary to provide the Services and for legitimate business purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements. You may request deletion of your Personal Data at any time by contacting [email protected] or by cancelling your account as described in the “Your Choices” section. Upon account termination or verified deletion request, we will delete your Personal Data from our active systems within 30 days and from backup systems within 90 days, except where retention is required by law or for the establishment, exercise, or defense of legal claims.

Links to other web sites

This Privacy Policy applies only to the Services. The Services may contain links to other web sites not operated or controlled by Iconik (the “Third Party Sites”). The policies and procedures we describe here do not apply to the Third Party Sites. The links from the Services do not imply that Iconik endorses or has reviewed the Third Party Sites. We suggest contacting those sites directly for information on their privacy policies.

Your choices

You can visit the Site without providing any Personal Data yourself. If you choose not to provide any Personal Data, you may not be able to use certain Services. You may also opt out of receiving communications from us, remove your information from our database, and choose not to receive future communications unrelated to the Services (such as those about your account, transactions, servicing, or Iconik’s ongoing business relations) by cancelling your account, which you can do by contacting Iconik at [email protected]. Further, if you use any Services, we may occasionally contact you with information about special events, sales, activities, promotions, contests, submission opportunities, and programs. You always have the option to ask Iconik not to contact you with this information again. If you receive unsolicited email from an Iconik domain, please contact us at [email protected].

U.S. state privacy rights

Depending on the U.S. state in which you reside, you may have certain rights under applicable state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, and similar laws in other states. These rights include:

  • Right to Know / Right to Access. You have the right to request confirmation of whether we process your Personal Data and to request a copy of the Personal Data we have collected about you.
  • Right to Correct. You have the right to request that we correct inaccurate Personal Data we hold about you.
  • Right to Delete. You have the right to request that we delete Personal Data we have collected from you, subject to certain exceptions.
  • Right to Data Portability. You have the right to request a copy of your Personal Data in a portable and, to the extent technically feasible, readily usable format.
  • Right to Opt Out of Sale or Sharing. You have the right to opt out of the sale of your Personal Data or the sharing of your Personal Data for cross-context behavioral advertising. As stated above, Iconik does not sell your Personal Data and does not share your Personal Data for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information. You have the right to limit our use of sensitive personal information to those uses that are necessary to provide the Services you have requested or that are otherwise permitted by law.
  • Right to Opt Out of Targeted Advertising and Profiling. You have the right to opt out of processing of your Personal Data for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. Iconik does not engage in either of these activities with respect to user Personal Data.
  • Right to Non-Discrimination. You have the right not to receive discriminatory treatment for exercising any of the rights described above.

To exercise any of these rights, please contact us at [email protected]. We will respond to verifiable requests within the timeframes required by applicable law. You may also designate an authorized agent to make requests on your behalf, provided that the authorized agent has been given written permission by you or holds a valid power of attorney under applicable law. We may require you to verify your identity before responding to a request.

If we deny your request, you may appeal our decision by contacting us at [email protected]. We will respond to appeals within the timeframes required by applicable law.

For California residents

In addition to the rights described in the “U.S. state privacy rights” section above, California residents have the following additional rights:

Shine the Light. California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make a request, please contact us at [email protected].

Categories of Personal Data collected and disclosed. In the preceding twelve months, we have collected the categories of Personal Data described in the “Types of information collected” section above, including identifiers, customer records, internet or other electronic network activity information, geolocation data, professional or employment-related information, inferences drawn from any of the foregoing, and, where applicable, sensitive personal information (including account log-in credentials and contents of communications processed through email APIs). We have disclosed these categories of Personal Data to the categories of third parties described in the “Authorized third-party vendors and service providers” section above, solely for business purposes.

Methods for submitting consumer requests. You may submit requests to know, correct, delete, or limit the use of sensitive personal information, or any other request under California law, by email to [email protected]. We are not required to respond to requests to know more than twice in a 12-month period.

Visitors outside of the U.S.

Important Information for Visitors Outside of the U.S. – Transfer of Data. We primarily store data about you, including Personal Data, on servers located and operated within the United States. If you reside outside of the United States, in order to provide and operate the Site and Services, we may send and store your Personal Data outside of the country where you reside or are located, to the United States. Therefore, our collection and use of your Personal Data is subject to the United States’ laws related to privacy and use of personal data and information. These laws, including what is determined to be “personal data and/or information,” are different and may be less protective than those applicable to you in your country of residence. By accepting the terms of this Privacy Policy, you acknowledge, agree and consent to (1) the transfer to and processing of personal information on servers located outside of the country where you reside, (2) our collection and use of your personal information as described herein and in accordance with the laws of the United States that may be different and may be less protective than those in your country and (3) that you are taking a risk by using the Site and Services.

Children

We do not knowingly collect or solicit any information from anyone under the age of 13 on these Services. In the event that we learn that we have inadvertently collected personal information from a child under age 13, we will take reasonable steps to delete that information. If you believe that we might have any information from a child under 13, please contact us at [email protected].

Changes to this policy

This Privacy Policy will evolve with time, and when we update it, we will revise the “Updated” date above and post the new Policy. To stay informed of our privacy practices, we recommend you review the Policy on a regular basis as you continue to use our Services.

How to contact us

If you have any questions about this United States Privacy Policy or the Services, please contact us at [email protected].

Notice regarding Texas S.B. 2337

iconik does not independently issue voting recommendations. All voting choices are generated by applying each client's self-authored policy rules to public meeting data. Where client policies include non-financial factors or factors considered non-financial under Texas S.B. 2337, recommendations may reflect those values and not solely the financial interests of the users who adopted them.

For more information, including how your voting policy is implemented, please log in to your iconik account.

© 2025 by Iconik Securities, Inc. ("iconik")