ComponentSource Privacy Statement

Background

At the ComponentSource Group (referred to as “ComponentSource”, “we”, “us”, “our”), we respect your privacy and maintaining it securely is important to us. This privacy statement explains what personal information ComponentSource (and companies in our group) collect from you, how and why we use it, and how long we keep it.

This policy may change from time to time so please check this page occasionally to ensure that you are happy with any changes.

This policy was last updated on November 1, 2023.

Who we are

Our group is made up of numerous individual companies. Whenever dealing with one of our group companies, the ‘controller’ of your personal information will be the company that corresponds with details set out below:

Company Name Location
ComponentSource, Inc. Atlanta, USA
ComponentSource Limited United Kingdom
ComponentSource Software Europe Limited Republic of Ireland and The Netherlands
ComponentSource KK Japan

Where this policy refers to “we”, “our” or “us” below, unless it mentions otherwise, it’s referring to the particular company that is the controller of your personal information.

Your Personal Information

What personal information we collect about you

The types of personal information we collect about you will depend on our relationship with you:

1) Web site Users

We will automatically collect certain types of personal information about you when you visit our Web site. On your first visit this will be your IP address and derivative information such as country and browser version. On return visits you will be recognized as a previous visitor and we will have whatever information you chose to provide on your first visit, such as your email address.

2) Users of our software

When you first visit the ComponentSource Web site we invite you to register with us (a one-time process) and provide us with information that identifies you whenever you return.

We only collect basic personal information about you which does not include any special types of information (other than encrypted debit or credit card details if you elect to purchase from us by this method). The types of personal information we collect may include some or all of your name, organization, job title, address, email address, IP address, telephone number, VAT number (if applicable), language preference, contact history, order history and information selection choices from ComponentSource and/or the publishers / owners of the software we sell.

It also includes information you provide to us (whether requested by us or not) in emails, on the telephone, in voicemails and in computer chats, and a record of sign-ins to your ComponentSource account.

Where you have a relationship with one of our resellers we may receive the above personal information indirectly from the reseller.

How and why we use your personal information

We need to know your basic personal information so that we can operate our business systems effectively, ensure that you enjoy a positive experience whenever you interact with us, and gain the ability to supply you with requested or relevant information, and process your requested trial evaluations and contract documentation in relation to orders placed. The purposes for which we use your information and the lawful basis under data protection laws on which we rely to do this are explained below:

  1. Where you have provided consent
    We may use and process your personal information where you have consented for us to do so for marketing purposes, such as contacting you by email or text with information about our products and services.
  2. Where it is required to complete a contract
    We may use and process your personal information where we have supplied you (or continue to supply you) with any software, products or services, where we have arranged for the supply of another company’s software, products or services to you, or where you are in discussions with us about any new software, product or service. We will use this information in connection with the contract for the supply of software, products or services when it is needed to carry out that contract with you or for you to enter into it.
  3. Where there is a legitimate interest
    We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:
    1. for marketing activities (other than where we rely on your consent to contact you by email or text with information about our products and services, as stated above);
    2. for analysis to inform our marketing strategy, and to enhance and personalise your customer experience (including to improve the recommendations we make to you on our Web site);
    3. to correspond or communicate with you;
    4. to verify the accuracy of data that we hold about you and create a better understanding of you as a customer;
    5. for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;
    6. for prevention of fraud and other criminal activities;
    7. to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);
    8. to assess and improve our service to customers through recordings of any calls with our contact centres;
    9. for the management of queries, complaints, or claims; and
    10. for the establishment and defence of our legal rights.

We will not collect any personal information from you that we do not need. We will keep your personal information confidential and we will use it only for the lawful bases set out above. We will seek your permission first if we wish to use any of your personal information for any other purpose. We will not sell your personal information to any third party.

ComponentSource has a Data Protection regime in place to oversee the effective, secure and confidential processing of your personal information. More information on this can be found on our Web site. See our Data Protection Policy and Data Retention Policy.

Registration gives you unlimited access to our Web site and when you sign-in to your ComponentSource account you are able to amend your personal details, enjoy an efficient user experience on our Web site, access product information and request trials, create your own quotations, establish payment mechanisms, receive product upgrades, information on new releases, product selection assistance, receive special offers, and enable other features designed to further improve your experience.

We also use your personal information to communicate with you, for example about your account, product updates and information, and to improve your user experience.

Who we share your personal information with

Group Companies

We may share your information with other companies within the ComponentSource group. They may use your personal information in the ways set out in the How and why we use your personal information section, in connection with the products and/or services that complement our own range of products and/or services.

Please see the start of this policy for the details of our group companies with whom we may share your personal information.

Software publishers and owners

We are authorized resellers and official distributors for the software products that we resell and have legal agreements with the software product publishers and owners appointing us. In compliance with those agreements when you order software products your name, organization, street address and email address are registered with the applicable software publisher or owner identifying you as a legitimate licensee. This also ensures that you receive the latest software product version to download and install, and in addition, that you receive, or are offered, the latest software updates, maintenance and support from our publishers. Publishers may be located anywhere in the world as identified on their publisher home page links from our Web site .

In some cases, they will be acting as a controller of your information and therefore we advise you to read their own privacy policy.

In the legal agreements we have with our publishers we require that your personal information is protected in compliance with the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the EU-US Data Privacy Framework and its UK Extension ("DPF"), the California Consumer Privacy Act (“CCPA”),and the Japanese data protection laws and regulations, or their equivalents.

Other ways we may share your personal information

We may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation. We may also transfer your personal information if we are under a duty to disclose or share it in order to comply with any legal obligation, to detect or report a crime, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and customers. We will always take steps with the aim of ensuring that your privacy rights continue to be protected.

Where your personal information is located

All the personal information processing we need to do is carried out by our employees or by third parties contracted by us for this purpose. All such third parties are contractually obligated by us to adhere to the principles embodied in this privacy statement. For the purposes of IT hosting and maintenance your personal information is located on servers controlled by ComponentSource within the United Kingdom, or the European Union, or in the USA, or in Japan.

For purposes of data analytics (intended to provide you with information we think might be of relevance or interest to you based on your buying and searching history) your personal information may be located on third party servers in any country which is within or determined to be adequate by the European Union for the purposes of the GDPR.

If we transfer your information outside of the UK and EEA, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy. These steps include imposing contractual obligations on the recipient of your personal information or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection. Please contact us using the details at the end of this policy for more information about the protections that we put in place.

How long we keep your personal information for

The length of time we retain your personal information for is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We do not retain personal information in an identifiable format for longer than is necessary.

We may need your personal information to establish, bring or defend legal claims in the UK. For this purpose, we will always retain your personal information for 7 years after the date it is no longer needed by us for any of the purposes listed under How and why we use your personal information above. The only exceptions to this are where:

  • the law requires us to hold your personal information for a longer period, or delete it sooner;
  • you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law (see further Erasing your personal information or restricting its processing below); or
  • if you have purchased any perpetual product licences your personal information will be kept indefinitely. Our licensing records and certain identification metadata used by our anti-fraud systems will also be maintained indefinitely.

Any of your personal information used with your consent for marketing or support purposes will be kept by us until you notify us that you no longer wish to receive such information or support services (including notices about and/or the supply of product updates). More information on our Data Retention Policy can be found on our Web site.

What we would also like to do with it

We would also like to use your name and email address to inform you of future offers, product developments and new products we think may be of interest to you based on your previous enquiries and orders. We will only use this information with your consent to do so. This information is not shared with third parties and you can unsubscribe at any time via phone, email or our Web site.

You can select, amend or update your preferences on your Personal Profile here.

Cookies and similar technologies

ComponentSource and some of our third party service suppliers use cookies (small text files placed on your device) and similar technologies to enable effective provision of our Web site and online services and to help collect usage and performance data. Cookies allow us, among other things, to help us recognise you when you return, store your preferences and settings, enable you to sign-in, combat fraud, and analyse how our Web site and online services are performing. Our Web site may include cookies and similar technologies from third-party service providers.

It is possible to switch off all but essential cookies by setting your browser preferences. For more information on how we use cookies and how to switch them off on your device, please visit our Cookies Policy. (If you ask us to switch off essential cookies excluded from those that you can opt to switch off this will render our Web site unusable to you for all operational and transactional purposes).

Your company or employer

If you use an email address provided by another party such as your employing organisation, to access ComponentSource online services, the owner of the domain (e.g. your employer) associated with your email address may control and administer your ComponentSource online services account and access and process your data, including the contents of your communications and files.

ComponentSource is not responsible for the privacy or security practices of our customers, which may differ from those set out in this privacy statement.

What are your rights?

You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within one month from either (i) the date that we have confirmed your identity or (ii) where we do not need to do this because we already have this information, from the date we received your request.

  • Accessing your personal information

    You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this policy. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

  • Correcting and updating your personal information

    The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you.

    In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us in any of the details described at the end of this policy or by updating your details online in “My Account” and “Personal Profile”.

  • Withdrawing your consent

    Where we rely on your consent as the legal basis for processing your personal information, as set out under How and why we use your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this policy. If you would like to withdraw your consent to receiving any direct marketing to which you previously opted-in, you can do so using our unsubscribe tool. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.

  • Erasing your personal information or restricting its processing

    In certain circumstances, you may ask for your personal information to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.

    You may also ask us to restrict processing your personal information where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

  • Transferring your personal information in a structured data file (“data portability”)

    Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, as set out under How and why we use your personal information, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.

    You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

  • Complaining to a data protection regulator

    If you are not satisfied with our response or believe we are not processing your personal information in accordance with the law, you are entitled to submit a complaint to the applicable authority, being the respective Information Commissioner’s Office (ICO) in the UK or Ireland, or in the EU the relevant EU Data Protection Authority (DPA), or in the USA the Department of Commerce or in Japan the Personal Information Protection Commission.

If you are from the United States, please see Annex I

Changes to this Privacy Statement

We reserve the right to amend or modify this Privacy Statement at any time. Any amendments will be effective when posted on our Web site. We recommend you regularly check for changes and review this policy whenever you visit our Web site. If you do not agree with any aspect of the updated policy you must immediately notify us and cease using our services.

ANNEX I: NOTICE TO UNITED STATES RESIDENTS:

1. OVERVIEW:

UNITED STATES STATE LEGISLATION SUCH AS THE CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”) PROVIDES RESIDENTS OF THE APPLICABLE STATE WITH SPECIFIC RIGHTS WHICH ARE EXPLAINED TO THESE PARTIES IN THE FOLLOWING SECTIONS OF THIS PRIVACY STATEMENT:

SPECIFIC DATA RIGHTS PURSUANT TO THE CCPA; OTHER NOTICES UNDER THE CCPA SECTIONS IN THIS PRIVACY STATEMENT PROVIDING SUCH NOTICE
THE CATEGORIES OF PERSONAL INFORMATION THAT WE COLLECT FROM YOU. ABOVE
THE PURPOSES FOR WHICH WE USE YOUR PERSONAL INFORMATION. ABOVE
WHO WE SHARE YOUR PERSONAL INFORMATION WITH AND FOR THOSE PURPOSES. ABOVE
YOUR RIGHT TO HAVE ACCESS TO YOUR PERSONAL INFORMATION, YOUR DATA PORTABILITY RIGHTS, AND YOUR DELETION REQUEST RIGHTS; AND HOW TO ACCESS THESE RIGHTS SECTION 2 BELOW
NOTICE REGARDING SALE OF ANY PERSONAL INFORMATION TO A THIRD PARTY SECTION 2 BELOW
NON-DISCRIMINATION NOTICE SECTION 2 BELOW

2. NOTIFICATION OF ADDITIONAL RIGHTS OF UNITED STATES RESIDENTS UNDER STATE LEGISLATION.

In addition to the other notices and disclosures that we have provided above in this Privacy Statement, we hereby provide the following notices to all US Residents regarding their rights under the CCPA or equivalent:

A. UNITED STATES RESIDENTS’ ACCESS TO SPECIFIC INFORMATION AND DATA PORTABILITY RIGHTS

Each US Resident has the right to request that ComponentSource disclose certain information to that US Resident about ComponentSource’s collection and use of that US Resident’s personal information over the past 12 months. Once ComponentSource receives and confirms a verifiable consumer request from that US Resident (see below Section D: Exercising A United States Resident’s Access, Data Portability, and Deletion Rights), ComponentSource will disclose to that US Resident (per such US Resident’s request):

  • The categories of personal information that we collected about such US Resident.
  • The categories of sources for the personal information that we collected about such US Resident.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information that we collected about such US Resident (also called a data portability request).
  • If we sold or disclosed such US Resident’s personal information for a business purpose; two separate lists disclosing:
    • Sales (if any), identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

B. UNITED STATES RESIDENTS’ DELETION REQUEST RIGHTS

Each US Resident has the right to request that ComponentSource delete any of that US Resident’s personal information that ComponentSource collected from such US Resident and retained, subject to certain exceptions. Once ComponentSource receives and confirms a verifiable consumer request from such US Resident (see below Section D: Exercising A United States Resident’s Access, Data Portability, and Deletion Rights), ComponentSource will delete (and direct our service providers to delete) such US Resident’s personal information from our records, unless an exception applies. However, ComponentSource may deny such US Resident’s deletion request if retaining the information is necessary for ComponentSource or its service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a good or service that such US Resident has ordered or requested, take actions reasonably anticipated within the context of our ongoing business relationship with such US Resident, or otherwise perform our contract with such US Resident;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
  • Debug products to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
  • In the case of a California resident, comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if such US Resident previously provided informed consent;
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on the US Resident’s relationship with us; or
  • Comply with a legal obligation; or
  • Make other internal or lawful uses of that information that are compatible with the context in which the US Resident provided it.

C. NOTIFICATION TO UNITED STATES RESIDENTS REGARDING “SALE” (IF ANY) OF PERSONAL INFORMATION UNDER THE CCPA OR EQUIVALENT

In view of the definition of “sale” under the CCPA, we may, either now or in the future, exchange, share, and/or “sell” (as defined under the CCPA) certain personal information to certain third parties. See ComponentSource’s “DO NOT SELL MY PERSONAL INFORMATION” notice to US Residents about their right to stop any such “sales”, if any such “sales” exist.

D. EXERCISING A UNITED STATES RESIDENT’S ACCESS, DATA PORTABILITY, AND DELETION RIGHTS

To exercise the access, data portability, deletion rights, and other rights of a US Resident described above, a US Resident must submit a verifiable consumer request to ComponentSource by either:

  • Calling ComponentSource at: (770) 250-6105 or +1 (770) 250-6105
  • Emailing ComponentSource at: dpm@componentsource.com

Only a US Resident, or a person registered with the applicable Secretary of State that such US Resident authorize to act on such US Resident’s behalf, may make a verifiable consumer request to ComponentSource related to such US Resident’s personal information. The US Resident may also make a verifiable consumer request on behalf of your minor child. The US Resident may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows ComponentSource to reasonably verify that such US Resident is the person about whom we collected personal information or an authorized representative.
  • Describe the US Resident’s request with sufficient detail that allows ComponentSource to properly understand, evaluate, and respond to it.

ComponentSource cannot respond to a US Resident’s request or provide a US Resident with personal information if ComponentSource cannot verify your identity or authority to make the request and confirm the personal information relates to such US Resident. Making a verifiable consumer request does not require the US Resident to create an account with us. ComponentSource will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

E. RESPONSE TIMING AND FORMAT

If a US Resident sends a verifiable consumer request as set forth in Section D above (Exercising A United States Resident’s Access, Data Portability, and Deletion Rights) ComponentSource will endeavour to respond to such verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to a total aggregate of 90 days), ComponentSource will inform such US Resident of the reason and extension period in writing. If such US Resident has an account with us, we will deliver our written response to that account. If such US Resident do not have an account with us, we will deliver our written response by mail or electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt.

The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide such US Resident’s personal information that is readily useable and should allow such US Resident to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to a US Resident’s verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell such US Resident why we made that decision and provide such US Resident with a cost estimate before completing such US Resident’s request.

F. NON-DISCRIMINATION NOTICE TO UNITED STATES RESIDENTS

ComponentSource will not discriminate against US Residents for exercising any of their rights under the CCPA or equivalent. Unless permitted by the CCPA or equivalent, we will not:

  • Deny any such US Resident goods or services;
  • Charge any such US Resident different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide any such US Resident a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

G. SPECIAL NOTICE ABOUT EXCLUSION OF CERTAIN INFORMATION FROM GOVERNANCE OF THE CCPA OR EQUIVALENT

IN ACCORDANCE WITH THE CCPA, THE COLLECTION AND USE OF THE FOLLOWING INFORMATION IS NOT SUBJECT TO OR GOVERNED BY THE CCPA AND, THUS, IS EXCLUDED FROM THE TERMS AND CONDITIONS OF THIS PRIVACY STATEMENT WHICH ADDRESS THE RIGHTS OF UNITED STATES RESIDENTS UNDER THE CCPA OR EQUIVALENT:

  • ANY HEALTH OR MEDICAL INFORMATION COVERED BY OR OTHERWISE SUBJECT TO: (A) THE U.S. FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) AND ITS RELATED REGULATIONS; OR (B) IN THE CASE OF CALIFORNIA RESIDENTS THE CALIFORNIA CONFIDENTIALITY OF MEDICAL INFORMATION ACT (CMIA) AND ITS RELATED REGULATIONS); OR
  • ANY INFORMATION COVERED BY CERTAIN OTHER INDUSTRY SECTOR-SPECIFIC PRIVACY LAWS, INCLUDING THE U.S. FAIR CREDIT REPORTING ACT (FRCA), THE U.S. GRAMM-LEACH-BLILEY ACT (GLBA), IN THE CASE OF CALIFORNIA RESIDENTS THE CALIFORNIA FINANCIAL INFORMATION PRIVACY ACT (FIPA), AND THE U.S. DRIVER’S PRIVACY PROTECTION ACT OF 1994.

How to contact us

Our Data Protection Manager can be contacted at dpm@componentsource.com, or by telephone at either (770) 250-6105 or + 1 (770) 250-6105 or +44 (118) 982 2108. Please direct any queries about this policy or about the way we process your personal information to our Data Protection Manager.

CSPrivacy 11/2023