Grasp Technologies Privacy & Cookie Policy


1.0 Overview
GRASP Technologies Inc. (“we/us/our”) are committed to protecting and respecting our clients' privacy.
This policy (and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

GRASP Technologies Inc. complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. GRASP Technologies Inc. has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov

In compliance with the Privacy Shield Principles, GRASP Technologies Inc. commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact GRASP Technologies Inc. at +1 866-278-3821.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Since the requirements for compliance with Privacy Shield vary depending on whether GRASP is acting as a processor on behalf of Grasp’s clients or as a data controller, Grasp’s policies and manner of compliance are described separately below.

2.0 GRASP as a Data Processor/Consolidator on Behalf of Clients
GRASP Technologies, Inc. established the Global Enterprise Solutions Division to provide advanced business intelligence and analytics to companies seeking to better understand their travel and expense spend and proactively control costs. This division partners with its clients through a software as a service (SaaS) model using a dedicated global infrastructure that enables the client to have worldwide access to their data.

GRASP consolidates travel data on behalf of corporate customers. These data are derived from travel agencies, credit card companies, and other data consolidators. In this capacity, GRASP does not own or control any of the information it processes on behalf of Grasp’s clients. All such information is owned and controlled by Grasp’s clients. In this capacity GRASP receives information transferred from the EU to the United States merely as a processor/consolidator on behalf of our clients.

When GRASP acts as a processor/consolidator on behalf of its clients, the policies outlined below apply to all data processing operations concerning personal information that has been transferred from the EU to the United States.

3.0 Policy
Any data processed/consolidated by GRASP will not be further disclosed to third parties except
where permitted or required by the processing contract, Privacy Shield, or the applicable Member
State Data Protection law. Any information Grasp’s client (acting as the EU controller) identifies
as sensitive, will be treated accordingly.

The processing contract will also specify that the processing will be carried out with appropriate
data security measures. GRASP has in place measures to protect personal information from loss,
misuse, unauthorized access, disclosure, alteration and destruction.

As a processor on behalf of GRASP clients (who are the EU data controllers), GRASP is not in a
position to apply other Privacy Shield Principles applicable to data controllers with respect to the
personal information received for processing from a clients.

4.0 Cookie Policy
Cookies are small bits of data cached or stored on your computer based on Internet activity. We use cookies to monitor individual activity in aggregate to improve the website. The information we gather includes IP address, user language, operating system, browser type, presence or absence of Flash plug-ins, screen resolution, connection type, and information that identifies the cookie. However, no other user information is generally collected unless you choose to provide it to us.

Your use of this website signifies your consent to us using cookies in this manner. You can use your browser settings to prevent us from storing cookies on your computer. You can find out how to do this, and find more information on cookies, at: www.allaboutcookies.org.

 

4.1 Treatment of Confidential Data
For clarity, the following sections on storage, transmission, and destruction of confidential data
are restated from the Data Classification Policy.

4.1.1 Data Ownership
GRASP affirms that the data transferred to GRASP is the exclusive property of the client
company and that GRASP will follow the company’s direction in the treatment of the
data.

4.1.2 Restricted Use
GRASP agrees that it will not use client data for any unauthorized purpose, including but
not limited to benchmarking, consulting, or reselling the data to unauthorized third
parties.

4.1.3 Data Transmission
Data acquired is travel data so it will include a variety of passenger information required
for reporting, but GRASP Technologies does not provide any data to other third parties
without a DRA (Data Release Authorization) form submitted and signed by the client and
related Travel Management Company.

4.1.4 Data Confidentiality
GRASP agrees that all data are confidential. GRASP will take every reasonable
precaution to safeguard the privacy of the data from unauthorized use.

4.2 U.S.-EU Privacy Shield Framework
GRASP complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S.
Department of Commerce regarding the collection, use, and retention of personal information
transferred from the European Union to the United States. GRASP has certified to the
Department of Commerce that it adheres to the Privacy Shield Principles. If there is any
conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy
Shield Principles shall govern. To learn more about the Privacy Shield program, and to view
our certification, please visit https://www.privacyshield.gov

4.3 Independent Recourse Mechanism for Privacy Shield Complaints
In compliance with the Privacy Shield Principles, GRASP commits to resolve complaints about
our collection or use of your personal information. EU individuals with inquiries or complaints
regarding our Privacy Shield policy should first contact GRASP at:
GRASP Technologies
6465 Reflections Drive
Suite 250
Dublin, Ohio 43017
Attn: Privacy Shield Complaints
GRASP Technologies has further committed to cooperate with EU data protection authorities
(DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data
transferred from the EU in the context of the employment relationship. If you do not receive
timely acknowledgment of your complaint from us, or if we have not addressed your complaint
to your satisfaction, please contact the EU DPAs for more information or to file a complaint.
The services of EU DPAs are provided at no cost to you.

4.3.1 Onward Transfer
Data consolidated by GRASP are only transferred at the written direction of the company
that owns the data through a Data Release Authorization. Otherwise, all data remain
exclusively under GRASP control and are transferred for no other purpose.

4.3.2 Notice
GRASP acts as an agent for the collection of corporate data. Data are provided to
corporate customers for the management of travel. All data transfers occur only upon written direction of the owner of the data, the corporate customer

4.3.3 Choice
Companies contract directly with GRASP for data consolidation services.
Where GRASP serves as a third-party data consolidator for a clients, data consolidation
requirements have been agreed upon between the GRASP and corporate customer.

4.3.4 Security
GRASP maintains reasonable measures to protect data from loss, misuse, and
unauthorized access, disclosure, alteration and destruction. Only authorized users, bound
by confidentiality agreements, have access to the data stored by GRASP.

4.3.5 Sensitive Information
Sensitive information, such as credit card numbers, is not stored except as directed by the
company that owns the data.

4.3.6 Data Integrity
GRASP collects only data authorized by the corporate customer. Where GRASP is
directed to transfer data to a third-party, GRASP follows the data masking and
confidentiality provisions agreed to by the airline and customer.

4.3.6 Access
An individual may request access to the information GRASP maintains in its information
products. The individual has the right to learn whether or not data about him or her is
found in GRASP information products and to correct, amend or delete that information
when it is inaccurate. This right applies only to personal information about the individual
making the request and is subject to other limitations as defined by law. Individuals can
request access by writing or calling:
GRASP Technologies
6465 Reflections Drive
Suite 250
Dublin, Ohio 43017
Attn: Privacy Shield Complaints