Privacy Policy

Last Updated: October 31, 2025

Ogletree, Deakins, Nash, Smoak & Stewart, P.C., and its affiliates and subsidiaries (“Ogletree Deakins,” “the Firm,” “we,” “us,” or “our”) want you to be familiar with how we collect, use and disclose Personal information. This Privacy Policy describes our practices in connection with information that we collect online and offline. “Personal information” is information that identifies, or can reasonably be used to identify, an individual, either alone or in combination with other information.

The specific practices outlined in this privacy statement apply to websites, solutions, and services maintained by or on behalf of the Firm and its subsidiaries or affiliates that display this policy. If you are applying for a job with us or one of our employees, please refer to our HR Privacy Policy and Notice at Collection.

Who is the Controller of the Personal Information?

A “controller” is a person or organization who, alone or jointly, determines the purposes for which, and the manner in which, any personal information is, or is likely to be, processed. Ogletree Deakins is a global law firm operating through a number of separately constituted and regulated legal entities which provide legal and other client services in accordance with the relevant laws of the jurisdictions in which they respectively operate.

Ogletree, Deakins, Nash, Smoak & Stewart, P.C. is the data controller responsible for your personal information processed via the Websites. Please note that, in relation to the Services, the Ogletree Deakins entity that receives your personal information or with which you (or the relevant client entity) contract is the controller responsible for processing your personal information, and Ogletree, Deakins, Nash, Smoak & Stewart, P.C. may also be a joint controller with respect to that information. 

All questions, concerns, or complaints should be directed to Ogletree Deakins’ Privacy Officer by email at privacyofficer@ogletreedeakins.com.

What Personal Information We Collect

Generally speaking, we may collect and process the following personal information relating to you:

• Personal contact information such as name, address, telephone number, and email address;
• Business contact information such as business address, telephone number, and email address;
• Information necessary to perform legal services regarding your legal matter or your organization’s legal matter, such as case files, correspondence, contracts, pleadings, discovery materials, or other documents relevant to a legal matter;
• Other information you may choose to provide, such as instructions, comments, and opinions you provide when you contact us directly by email, telephone or mail;
• Financial information, such as payment and transaction information for billing purposes;
• Commercial and purchase information, such as purchase history, and marketing and event participation data (e.g., webinar registrations, newsletter subscriptions, event RSVPs);
• CCTV and building access information, such as video images or photographs of you through closed-circuit television (CCTV) or other access-control systems, such as security access cards, if you visit one of our offices;

• Information that is automatically logged and combined about you, your device, and your interaction over time with our websites, applications, and other online resources, such as browser and device information;
• Information collected automatically through cookies, pixel tags and other technologies. For more information regarding our use of cookies, please review our cookie notification at the bottom of this page;
• We may also collect demographic information and other information provided by you; and
• Information that has been aggregated in a manner such that it no longer reveals your specific identity.

How We Collect Personal Information

We and our service providers may collect personal information from you online in a variety of ways, including:

• Through our websites linking to this privacy policy (“Websites”);
• Through the software applications made available by us for use on or through computers and mobile devices (“Apps”);
• Through social media properties (“Our Social Media”);
• Through HTML-formatted email messages that we send to you (“Emails”);
• Through extranet sites made available to our clients and third parties (“Extranet Sites”);
• Through services we provide to our corporate and institutional clients (“Client Services”); and
• Through our registration process for newsletters, seminars, webinars and events.

Collectively, we refer to the Websites, Apps, our Social Media, Emails, Extranet Sites, Client Services, and Offline Interactions as the “Services.”  We also may collect personal information from you offline in a variety of ways, including

• When you visit a Firm location;
• When you enter into a contractual arrangement for Services;
• When you provide information in conjunction with our Services; or
• When you interact with us at a Firm event.

We also may collect or receive personal information about you from other sources, including:

• Publicly available databases;
• Joint marketing partners and event sponsors, when they share the information with us;
• Entities to which we provide Services, which may include your employer;
• Referral sources; and
• Social media platforms.

We need to collect personal information in order to provide our services to you.  If you do not provide the information requested, we may not be able to provide our services. If you disclose any personal information relating to other people to us or to our service providers in connection with our services, you represent that you have the authority to do so and that you have informed them of the contents of this Privacy Policy.

We and our service providers may also collect personal information in a variety of ways, including:

Through your browser or device:

Certain information is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of our websites you are using.  We use this information to ensure that those services function properly.

Through your use of an Ogletree Deakins App:

When you download and use an Ogletree Deakins App, we and our service providers may track and collect App usage data, such as the date and time the App on your device accesses our servers and what information and files have been downloaded to the App based on your device number.

Your IP address may be identified and logged automatically in our server log files whenever you access our websites or Apps, along with the time of the visit and the page(s) that were visited. Collecting IP addresses is standard practice and is done automatically by many websites, applications and other services. 

Using cookies:

We and our third-party service provider partners use cookies when you use our websites, platforms, applications, or other products and services. Cookies are small text files that web servers place on a user’s hard drive.   Cookies allow us to collect information such as browser type, time spent on our website, pages visited, language preferences, and other traffic data. We do not currently respond to browser do-not-track signals.

In the default setting, only essential cookies are enabled for residents of the European Economic Area, United Kingdom, and Switzerland. Through the consent management system, you can determine whether you consent to the setting of additional cookies or not. You can adjust your preferences at any time through the consent management system. Essential and non-essential cookies are on by default for U.S. residents, who may be able to opt out of the placement of certain categories of non-essential cookies by visiting the consent preferences center.

We use Google Analytics, which uses cookies and similar technologies to collect and analyze information about use of the Services and report on activities and trends.  This service may also collect information regarding the use of other websites, apps and online resources. You can learn about Google’s and YouTube’s practices by going to www.google.com/policies/privacy/partners/, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout. To view Google’s and YouTube’s privacy policy, please click here.

You have the option at each website to opt-out of being tracked by non-essential cookies. You can also modify your cookie settings or turn off all or certain types of cookies by adjusting your browser settings.

Using pixel tags and other similar technologies:

Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Services (including email recipients), measure the success of our marketing campaigns, and compile statistics about usage of the services and response rates. The personal data collected using tracking pixels are stored by us and statistically analyzed to optimize the marketing-related communications service as described above. You may withdraw your consent to marketing-related communications tracking at any time.

How We Use Personal Information

We and our service providers use personal information for legitimate business purposes, including:

Providing the Services  

• To contact individuals (including employees of institutional clients) in connection with providing legal services.
• To respond to inquiries and fulfill requests from our clients and others, administer their file(s), provide legal services and manage our relationships.

We engage in these activities to fulfill our contractual relationship with our clients, to comply with a legal obligation, and/or because we have a legitimate interest.

Providing you with our newsletter and/or other marketing materials and facilitating social sharing

• To send newsletters, publications, legal updates, and mailings related to our seminars or events that we think may be of interest.
• To fulfill event registration requests and provide services, including the provision of seminars and other events.
• To send you information about our services and other news about our firm.

We will engage in this activity with your consent (where required by applicable law) or where we have a legitimate interest.

Providing the functionality of our Services, Websites, and Apps and fulfilling your requests

• To provide the functionality of our Services, Websites, and Apps to you, such as arranging access to your registered account, and providing you with related client service.
• To respond to your inquiries and fulfill your requests, when you contact us via one of our online contact forms or otherwise (e.g., when you send us questions, suggestions, compliments or complaints, or when you request other information about our services).
• To send administrative information to you, such as information regarding our services and changes to our terms, conditions and policies.
• To allow you to send services-related content to another person through our services if you choose to do so.

We will engage in these activities to manage our contractual relationship with you, with your consent (where required by applicable law), where we have legitimate business interests, and/or to comply with a legal obligation.

Accomplishing our business purposes

• For data analysis, for example, to improve the efficiency of our services.
• For audits, to verify that our internal processes function as intended and are compliant with legal, regulatory or contractual requirements.
• For fraud and security monitoring purposes, for example, to detect and prevent cyberattacks or attempts to commit identity theft.
• To work with our vendors.
• To meet our legal and regulatory obligations.
• For enhancing, improving, or modifying our current products and services.
• For identifying usage trends, for example, understanding which parts of our Services are of most interest to users.
• For determining the effectiveness of our promotional campaigns, so that we can adapt our campaigns to the needs and interests of our users.
• For operating and expanding our business activities, for example, understanding which parts of our Services are of most interest to our users so we can focus our energies on meeting our users’ interests.

We engage in these activities to manage our contractual relationship with you, to comply with a legal obligation, and/or because we have a legitimate interest.

How we disclose personal information

We disclose personal information:

To our affiliates for the purposes described in this Privacy Policy

• Subject to local requirements, this information may be used to provide legal and related services offered by our other legal entities and for all the purposes outlined in this Privacy Policy.
• Ogletree, Deakins, Nash, Smoak & Stewart, P.C. is the party responsible for the management of the jointly-used personal information.
• These can include providers of services such as website hosting, Services-related consulting and monitoring, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.

To our third-party service providers, to facilitate services they provide to us

• These can include providers of services such as website hosting, Services-related consulting and monitoring, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.

By using our Services, you may elect to disclose personal information publicly

• On message boards, chat, profile pages, blogs and other services to which you are able to post information and content (including, without limitation, our Social Media), or through which you are able to send messages through the Services. Please note that any information you post or disclose through these services will become public and may be available to other users and the general public.

Disclosure to public authorities

• Additionally, the Firm may be required to disclose personal information in response to lawful requests by public authorities to comply with national security or law enforcement requirements. This would only be in accordance with the law and for only where a means of redress was available to the subject of the request.                                               

We also use and disclose your personal information as necessary or appropriate, especially when we have a legal obligation or legitimate interest to do so:

• To comply with applicable law and regulations including laws outside your country of residence.
• To cooperate with public and government authorities, including authorities outside your country of residence.
• To cooperate with law enforcement.
• For other legal reasons such as to enforce our terms and conditions and to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
• In connection with a sale, merger or business transaction.

How long we retain personal information

We retain personal information for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include:

• The length of time we have an ongoing relationship with you and provide our Services to you (for example, for as long as you have an account with us or keep using our Services);
• The length of time we have an ongoing relationship with you as our client and provide you with Services;
• Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions or communications for a certain period of time before we can delete them); or
• Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

We may destroy, de-identify, or anonymize the information when it is no longer needed in identifiable form.

What security measures we use

We have implemented internal policies and technical measures designed to protect personal information from loss, accidental destruction, misuse or disclosure. Such internal policies and technical measures include:

• The use of pseudonymization and encryption of personal data where appropriate;
• Procedures and controls to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• Procedures and controls to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• Procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and
• Procedures to ensure that data is not accessed, except by individuals in the proper performance of their duties.

For site security purposes and to ensure that the services remain available to all users, this computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage to the information on our websites. Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 or other applicable law. If you have questions regarding our security measures, please contact us at:

Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
ATTN: Director of Information Security
50 International Drive
Patewood IV, Suite 300
Greenville, South Carolina 29615

Email address: infosec@ogletreedeakins.com

Marketing and Exercising Your Right to Opt-Out of Marketing

In jurisdictions where express consent is legally required, we will not use your personal information to send you marketing materials if you have not expressly consented to receive them. You have choices regarding marketing-related communications. If you no longer want us to process your personal information for marketing purposes, or if you no longer want to receive marketing-related emails from us on a going-forward basis, you may opt out by following the unsubscribe instructions in any such message or by contacting us by email at privacyofficer@ogletreedeakins.com  We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages, from which you cannot opt out.

Privacy rights for residents of the European Economic Area, United Kingdom, and Switzerland

If you are resident of the European Economic Area, United Kingdom, or Switzerland, under European, UK, or Swiss law you have the following rights in respect of your personal information that we hold:

• Right of access / Right to know. You have the right to obtain confirmation of whether, and where, we are processing your personal information; information about the categories of personal information we are processing, the purposes for which we process your personal information and information as to how we determine applicable retention periods; information about the categories of recipients with whom we may share your personal information; and a copy of the personal information we hold about you.
• Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.
• Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal information we hold about you without undue delay.
• Right to erasure. You have the right, in some circumstances, to require us to erase your personal information without undue delay if the continued processing of that personal information is not justified.
• Right to restrict processing. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you.
• Right to object. You have a right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal information, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.
• Right not to be subject to automated decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you. Automated decision-making is not a process currently used by us with respect to individuals who are not our prospective or current employees. If you are a prospective, current, or former Ogletree Deakins employee, please consult our HR Privacy Policy for more information about the rights you may have regarding your personal information. 
• Right to withdraw consent. Where the processing of your personal information is based upon your consent, you have the right to withdraw your consent at any time, with effect for the future.

If you wish to exercise one of these rights, please contact us at privacyofficer@ogletreedeakins.com.

For your convenience, you may contact our European Local Representative as required under GDPR Article 27 at:

Ogletree Deakins International LLP
58 bis rue la Boétie

75008 Paris
France
33(0)1 86 26 27 42

Our Local Representative in the United Kingdom can be reached at:

Ogletree Deakins International LLP
St. Paul’s House
6th Floor
8-10 Warwick Lane
London, EC4M 7BP
44 (0)20 7822 7620

EU residents also have the right to lodge a complaint to their local data protection authority. Further information about how to contact your local data protection authority is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Swiss residents have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner at: https://www.edoeb.admin.ch/?lang=en. UK residents have the right to lodge a complaint to the UK Information Commissioner’s Office, additional information for UK residents can be found at https://ico.org.uk/.

Residents of other jurisdictions may also have similar rights to the above. Please contact us at privacyofficer@ogletreedeakins.com if you would like to exercise one of these rights, and we will comply with any request to the extent required under applicable law.

Third Party Services

This Privacy Policy does not address, and we are not responsible for, the privacy, information, or other practices of any third parties. Please be aware that when you follow a link to another site, you are then subject to the privacy policies of the new site. We have no control over the privacy practices of websites or applications that we do not own, and we encourage you to review their privacy practices.

This includes any third party operating any website or service to which the Services link.  The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by our affiliates.

Children’s Privacy

Our Services are not intended for or designed to attract children under the age of 18, and we will not knowingly solicit or collect personal information through our Websites, Apps, or Extranet Sites from individuals we actually know are under 18.

Special notification about webinars

Webinars offered as a service to users of our Services (“Webinars”) are hosted by unaffiliated third-party vendors, and not by us.

Our third-party vendors require users to provide personal information. This personal information may include name, email address, and other personally identifiable information. Please note that this personal information is collected by our vendors and/or by us. We encourage you to read the privacy statements of our vendors, which control how such vendors handle personal information provided by you to register for and participate in the Webinars.

Additionally, our third-party vendors provide us with personal information about users of our Webinars. We use this personal information to track attendance, to facilitate future communication with such users, and for other purposes set forth in this Privacy Policy.

Cross-border transfers of personal information

Your personal information may be stored and processed in any country where we have facilities or in which we engage service providers. By using our Services, you understand that your information will be transferred to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country.  In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your personal information.

Some of the non-EEA countries are recognized by the European Commission, the UK and Switzerland as providing an adequate level of data protection according to EEA, the UK, or Swiss standards (the full list of these countries is available here).

For data transfers from the EEA, UK or Switzerland to the U.S., we comply with the EU-U.S. Data Privacy Framework Principles (the “EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (the “Swiss-U.S. DPF”), as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension. We have certified to the U.S. Department Commerce that we adhere to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Our certification under the DPF Principles covers the following entities:

Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
Ogletree, Deakins, Nash, Smoak & Stewart LLC (USVI)
Ogletree, Deakins, Nash, Smoak & Stewart PLLC (Detroit)
ODBNI, LLC

In addition to the protections provided under other sections of this Privacy Policy, we will provide the following protections for personal information transferred from the EU, UK, or Switzerland to the U.S.:

Choice

You will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether your personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of the Firm) or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by you.

Additionally, you will be offered a similar choice mechanism to give affirmative or explicit (opt-in) choice whether your sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice.  However, explicit (opt-in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of you or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by you.

Transfer of Personal Information from the EU, UK, or Switzerland to Processors in the U.S.

Our EU, UK, and/or Swiss entities may transfer personal information to a processor in the United States solely for processing purposes.  A “processor” is a third party who processes personal information on behalf of and in accordance with the instructions of our EU, UK, and/or Swiss entities.  When personal information is transferred from the EU, UK, and/or Switzerland to the United States solely for processing purposes, our EU, UK, and/or Swiss entities will comply with the applicable data protection laws including the GDPR, UKGDPR, UKDPA, and/or FADP, respectively and enter into a contract with the processor to ensure that the processor (1) acts only on instructions of our EU, UK, and/or Swiss entities; (2) provides appropriate technical and organizational measures to protect the personal information against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; (3) understands whether onward transfers are allowed; and (4) assists our EU, UK, and/or Swiss entities in responding to individuals exercising their rights under the DPF Principles, taking into account the nature of the processing.

Onward Transfers to Third Party Agents

After personal information is transferred from the EU, UK, and/or Switzerland to our entities in the United States, we may thereafter transfer the personal information to third parties acting as controllers.  A “controller” is a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal information.  Examples of third party controllers may include banks and healthcare providers, or management personnel in our other offices outside of the U.S.  When we make such onward transfers to third party controllers, we will enter into a contract with the third party controller that provides that (1) such personal information may be processed only for limited and specified purposes consistent with the consent provided by you; (2) the third party controller will provide the same level of protections as required by the DPF Principles; (3) the third party controller will notify us if the third party can no longer meet its obligation to provide the same level of protection for the personal information as required by the DPF Principles; and (4) upon such notice by the third party controller, the third party controller will cease processing the personal information and/or take reasonable and appropriate steps to remediate any unauthorized processing.

Onward Transfers to Public Authorities

The Firm may be required to disclose personal information in response to lawful requests by public authorities to comply with national security or law enforcement requirements.

Verification

We have verified and will verify annually through self-assessment that the attestations and assertions made about our DPF privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the DPF Principles. This verification has been and will be signed by an officer of the Firm or another authorized representative of the Firm at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes the following:

• That the Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
• That the Policy conforms to the DPF Principles;
• That individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
• That it has in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it;
• That it has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Recourse Mechanisms for Personal Information Transferred Under DPF Principles

Inquiries or complaints regarding transfers of personal data from the EEA, UK, or Switzerland to the U.S. pursuant to the DPF Principles should be directed to:  privacyofficer@ogletreedeakins.com.

If a complaint remains unresolved, individuals in the EEA or UK should contact the state or national data protection or labor authority in the jurisdiction where they live for resolution.

A listing of the EU Data Protection Authorities (“DPAs”) is located at:  http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.  Individuals in Switzerland should contact the Swiss Federal Data Protection and Information Commissioner (the “Swiss Commissioner”) for resolution.  Information regarding the Swiss Commissioner is located at:  https://www.edoeb.admin.ch/?lang=en. Individuals in the UK should contact the UK Information Commissioner’s Office (the “UK ICO”). Information regarding the UK ICO is located at: https://ico.org.uk/.

We will cooperate with the DPAs, the Swiss Commissioner, and/or the UK ICO, and comply with the advice of the DPAs, Swiss Federal Data Protection and Information Commissioner (“FDPIC”), and/or the UK ICO and the Gibraltar Regulatory Authority with regard to unresolved complaints concerning our handling of personal information received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DOF, and the Swiss-U.S. DPF.  In the event that the DPAs, the FDPIC, and/or the UK ICO determines that we did not comply with this Policy or DPF Principles where applicable, we will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPAs, the FDPIC, and/or the UK ICO where the DPAs, the FDPIC and/or the UK ICO has determined that we need to take specific remedial or compensatory measures for the benefit of individuals affected by any non-compliance with this Policy or the DPF Principles, and provide the DPAs, the FDPIC, and/or the UK ICO with written confirmation that such action has been taken.

Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms.  Please visit Annex I for additional information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

Enforcement

The United States Federal Trade Commission has jurisdiction over our compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework.

Liability

In the context of an onward transfer of personal information, we have responsibility for the processing of personal information we receive under the DPF and subsequently transfer to a third-party agent.  We will remain liable under the DPF Principles if the third-party agent processes such personal information in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Training

All of our employees who handle personal information transferred from the EEA, UK or Switzerland to the U.S. will receive training regarding the data privacy principles and procedures under DPF Principles and this Policy.

Updates to this privacy policy

The “Approved” label at the top of this Privacy Policy indicates when this Privacy Policy was last revised.  Any changes will become effective when we post the revised Privacy Policy on the Services.  Your use of our Services following these changes means that you accept the revised Privacy Policy.

How to contact us

Ogletree, Deakins, Nash, Smoak & Stewart, P.C. is the company responsible for collection, use and disclosure of your personal information under this Privacy Policy.

If you have any questions about this Privacy Policy, please contact us at privacyofficer@ogletreedeakins.com or at:

Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
ATTN:  Privacy Officer
SunTrust Plaza
401 Commerce Street
Suite 1200
Nashville, TN  37219

Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us.

Privacy Statement for U.S. Residents

This Privacy Statement for U.S Residents supplements our Privacy Policy and applies solely to residents of those U.S. jurisdictions that grant consumers specific rights regarding their personal information. This Statement does not apply to (i) our personnel or job applicants, or (ii) personnel working on behalf of our business partners.

This Privacy Statement uses certain terms that have the meanings given to them in the California Consumer Privacy Act of 2018 and its implementing regulations (the “CCPA”). Consumers with disabilities may access this Statement in an alternative format by sending an email to privacyofficer@ogletree.com.

Personal Information We Collect

Depending on your interactions with us, we may collect and use the following categories of personal information about you and, in the 12-month period prior to the effective date of this Policy, we may have collected and used the following categories of personal information about you, as described below.

• Personal Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
• Categories of personal information described in California Civil Code § 1798.80, such as name, signature, telephone number, credit and transaction information for billing purposes.
• Commercial information including products or services purchased, obtained or considered; and other purchase histories or tendencies.
• Internet and other electronic network and app activity information such as browsing history, search history, and information regarding your interaction with an internet website, application or advertisement.
• Geolocation information, such as time and physical location related to use of an internet website, application, device, or physical access to an office location.
• Professional, employment-related, and educational information, such asinformation relating to your position, (e.g., job title, job description, or department), employment status, employment history, business email address, or non-public education information.
• Sensory or surveillance information, such as video surveillance of our physical locations.
• Inferences drawn from any of the categories of personal information listed above to create a profile about you regarding your preferences, characteristics, psychological trends, predispositions, behavior attitudes, intelligence, abilities and aptitudes.
• Other information you choose to provide.

We do not collect or process “sensitive personal information” (as defined by the CCPA) for the purpose of inferring characteristics about individuals.

Sources of Personal Information

We collect and receive, and during the 12-month period prior to the effective date of this Privacy Policy, may have collected and received personal information from the sources identified in “How We Collect Personal Information,” above.

We do not sell your personal information in exchange for monetary consideration, nor do we share or disclose your personal information for cross-context behavioral advertising purposes. We do not use sensitive personal information for purposes other than those allowed by the CCPA as set out in Cal. Code Regs. tit. 11 § 7027(m). We likewise do not sell or share the personal information of individuals under the age of 16.

We may use the categories of personal information listed above for the purposes described in “How We Use Personal Information,” above.  In addition, we may use these categories of personal information for certain business purposes specified in the CCPA, as described in this table:

We generally disclose for a business or commercial purpose as stated herein, and in the preceding 12 months, we may have disclosed for a business or commercial purpose as stated herein, the above-listed categories of personal information to the following categories of individuals:

• To our subsidiaries and affiliates;
• To our service providers we use to support our business, such as IT operating system and platform vendors, security vendors, monitoring and data analytics providers, payment service providers; and
• Other third parties, such as regulatory authorities or other third parties in response to legal process or other legal reporting requirements; to potential buyers (and their agents and advisors) in connection with any proposed merger, acquisition, or any form of sale or transfer of some or all of our stock or assets (including in the event of a reorganization, dissolution or liquidation); to our marketing and advertising partners, including platforms that enable or participate in targeted and cross-context behavioral advertising, social media platforms, and analytics partners that help us collect information on how our websites are used; and to other similar third parties where disclosure is required for an ordinary business purpose in connection with our provision of services.

U.S. Consumer Privacy Rights

Depending on your state of residence, you may have specific legal rights regarding your personal information. This section describes the legal rights that are available to some individuals and explains how to exercise them.

• Know and Access: Residents of certain states may have the legal right to request, subject to certain limitations, that we disclose the personal information we have collected about them, such as the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about them.
• Correction: Residents of certain states may have the legal right to request that we correct the personal information we maintain about them, if that information is inaccurate.
• Deletion: Residents of certain states may have the legal right to request that we delete certain personal information we have collected about them, subject to certain exceptions.
• Portability: Residents of certain states have the legal right of portability, or the right to have us transfer their personal information to other persons or entities upon their request, subject to certain exceptions.
• Non-Discrimination: Residents of certain states have the legal right to not be discriminated against for exercising their privacy rights.

Residents of states that provide the specific legal rights listed above, may exercise their privacy rights by submitting a request to us (i) by clicking here and completing the webform request or (ii) calling us at our toll-free telephone number: 1-844-463-2272.

To help protect your privacy and maintain the security of your personal information, we will take steps to verify your identity before granting you access to your personal information or complying with your request. If you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request and provide appropriate proof of identity.

For requests to know or delete information about a child under the age of 13, we accept requests for information regarding minors under the age of 13 if we can determine that such requests were submitted by a parent or guardian.

If you designate an authorized agent to make a request, we will require your authorized agent to provide us with either (1) your power of attorney authorizing the authorized agent to act on your behalf or (2) your written authorization permitting the authorized agent to act on your behalf. We may also require you to verify your own identity directly with us.

In connection with your request, you must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized agent.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

We may deny the request if we cannot verify the individual’s identity or are legally permitted to deny the request, such as if doing so proves impossible or would involve disproportionate effort, where permitted by applicable law.

If we deny the request, we will explain the basis for the denial, provide or delete any personal information that is not subject to the denial, and refrain from using the personal information retained for any purpose other than permitted by the denial. Where required by law, we will also provide instructions on how the individual may appeal our decision or submit a complaint. We will maintain a record of the request and our response for 24 months. If applicable state law grants the individual the right to appeal our denial of their request to exercise their privacy rights, they may appeal our denial by contacting us by email at privacyofficer@ogletreedeakins.com or calling us at 844-463-2272

If your browser supports it, you can turn on the Global Privacy Control (“GPC”) to opt out of the “sale” or “sharing” of your personal data. We do not currently honor the GPC and other universal opt-out signals because we do not “sell” or “share” personal data. These are signals you can send from your browser to a website to convey your choice to exercise certain opt-out rights granted by individual states.

Some internet browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked. Given that there is not a uniform way that browsers communicate the “Do Not Track” signal, our website does not currently interpret, respond to or alter its practices when it receives “Do Not Track” signals.

Contact Us

If you have any questions about this Privacy Policy or the rights you may have under applicable law, please contact us at privacyofficer@ogletreedeakins.com, by calling 844-463-2272, or at:

Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
ATTN:  Privacy Officer
SunTrust Plaza
401 Commerce Street
Suite 1200
Nashville, TN  37219