Cayuse logo
Request information
Last updated June 1, 2026

Cayuse privacy policy

The use and disclosure of personal information that is collected from the individuals online, through our websites and applications.

Table of Contents

1.0 Introduction

2.0 Personal Information We Collect

3.0 How We Use Personal Information

4.0 How We Share Personal Information

5.0 How We Secure Personal Information

6.0 Your Rights

7.0 How Long We Keep Your Personal Information

8.0 Other Important Information

9.0 Contact Information

10.0 Disciplinary Policy

Appendix

A.1 For Individuals Based in the European Economic Area (EEA), United Kingdom (UK) and Switzerland

A.2 For Individuals Based in California

A.3 For Individuals Based in Australia

A.4 EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension, and the Swiss-U.S. DPF

A.5 For Individuals Based in Virginia

A.6 For Individuals Based in Colorado

A.7 For Individuals Based in Connecticut

A.8 For Individuals Based in Texas

A.9 For Individuals Based in Montana

A.10 For Individuals Based in Oregon

A.11 For Individuals Based in New Hampshire

A.12 For Individuals Based in New Jersey

A.13 For Individuals Based in Nebraska

1.0 Introduction

Cayuse is a technology company headquartered in Portland, Oregon, which focuses on providing services to Global research and compliance communities.

For more information about our services, please refer to our website:

https://cayuse.com/

This Privacy Policy is applicable to Cayuse (“we,” “our,” or “us“) as related to our services, which collectively include:

  • the use of https://cayuse.com/ (“website“)
  • social media messages and marketing campaigns
  • SMS/text message communications
  • the use of our products and services.

This Privacy Policy sets out the essential details relating to your personal data relationships with Cayuse as:

  • A website visitor
  • An end user of the application (“end user“)
  • A prospective client
  • A job applicant
  • Partners

Clients contract the use of our application and give access to their employees and other third parties, as solely decided by them, by creating users who access the application with their email address and credentials. The clients’ administrators grant end users roles, which result in different permissions and access rights to the information held in the Client account.

 

2.0 Personal Information We Collect

2.1 Information You Choose to Provide to Us

WHEN

We may ask you to provide personal information when:

  • You use the website to download articles, data sheets or eBooks.
  • You request a free trial or demo.
  • You refer a friend to us.
  • You connect with us directly via phone calls or video conferencing platforms.
  • We or Client Account Administrators grant you access to the application.
  • You or Client Account Administrators upload or enter personal information into the application.
  • You participate in a marketing or sales promotion.
  • You attend trade events and other industry networking events.
  • You register or attend a webinar or other event.
  • You participate in programs we may offer from time to time.
  • You participate in chats.
  • You pay for our services.
  • You provide your mobile phone number and consent to receive text messages from us.

If you choose to provide us with a third-party’s personal information (the person’s name, email and company) when taking part in our referral program, you represent that you have the third-party’s permission to do so.

WHAT

We collect personal information that may include first and last name, business email address, phone number, mobile phone number, and/or company name.

As an end user of the application, we generally collect your name, business email address and any comments you make in the application.

In addition, we may collect data uploaded by you, your employer or other users of the application that may be required to use Cayuse services. We expect all users to follow their organization’s privacy policy and any applicable regulatory requirements when uploading, accessing and using personal information like:

  • Employee names, email addresses, job title, department and contractual agreements
  • Vendor names, email addresses, contractual agreements or other personal data necessary for Cayuse services
  • Customer names and email addresses used to provide services within Cayuse’s platform

As a job applicant, we may also collect your resume and cover letter.

Further information, including specific obligations of the Cayuse, can be found in the Service and/or Data Processing Agreements.

2.2 Information We Collect Automatically

WHEN

We collect information about your visits to the website and the application when you land on any of our web pages through cookies and similar tracking technology.

For further information about the types of cookies we use, you can access our Cookie Policy at this link https://cayuse.com/privacy/

WHAT

The information collected includes:

  • access times
  • the pages you view
  • the links you click on
  • the search terms you enter
  • actions you take in connection with any of the visited pages
  • your device information such as IP address, location, browser type and language
  • the Uniform Resource Locator (URL) of the website that referred you to our website
  • the URL you browse away from our pages if you click on an external link

We use the following categories of tracking technologies on our website: (1) Strictly Necessary Cookies, required for the site to function and which cannot be disabled; (2) Performance and Analytics Cookies, which collect information about how visitors use the site in order to improve it; (3) Functional Cookies, which enable enhanced functionality and personalization; and (4) Targeting and Advertising Cookies, placed by our advertising partners to build a profile of your interests.

We may also collect information when you open email messages from us or click on links within those email messages.

2.3 Information We May Collect From Third Parties

WHEN

We may combine the information we collect from your direct interactions with us with information obtained through other third-party sources. We also obtain and/or purchase lists from third parties about individuals and companies interested in our products. When we do so, we rely on applicable lawful bases for processing, including legitimate interest, and take reasonable steps to verify that such data was collected lawfully by the source.

WHAT

The personal information collected includes your name, email address, business address, job title, company name, and telephone number.

3.0 How We Use Personal Information

We use your personal information to:

  • Deliver the contracted services and allow full use of the application functionality as purchased by the clients.
  • Deliver training and support to our application end users and/or carry out the transactions you have requested.
  • Communicate with you directly through emails, calls, chats, video conferencing, and text messages.
  • Process payments for application subscriptions.
  • Send communications to you about: new application features and upgrades; our services and offerings; event announcements; product notices and changes to our terms and policies; particular programs in which you have chosen to participate; and promotional offers and surveys.
  • Scheduling demos and managing free trials.
  • Advertise and market our products and services, including delivering interest-based advertisements on this website and other sites or content syndication platforms and websites.
  • Carry out market research to understand how to improve our services and their delivery.
  • Create and manage marketing campaigns.
  • Generate sales leads and increase our market share.
  • Analyze user clicks and usage of the application and website to improve user experience and maximize usage of our services.
  • Manage our website and application to maintain and deliver the contracted functionality and services.
  • Enforce our website and application terms and/or separate contracts (if applicable) with you.
  • Prevent fraud and other prohibited or illegal activities.
  • Protect the security or integrity of the website, application, our business or services.
  • Or otherwise, as disclosed to you at the point of collection or as required or permitted by law.

 

Please note that sometimes we may record the video conferencing call in which you participate to analyze and improve our staff’s communication skills. If we do so, we will be announcing it at the beginning of the conference call and in the meeting invite, and we will be providing a link to our Privacy Policy in the meeting invites and on the registration page.

We do not sell your personal information to any third party. We do not share your personal information for cross-context behavioral advertising purposes. To the extent we use third-party advertising or analytics tools, we implement contractual protections to limit the use of personal information for those purposes.

4.0 How We Share Personal Information

Our Application and Services

If you are an end user of our application, your personal information may be viewed by other users with access to the application.

Service Providers

We use third parties to help us provide our services. They will have access to your information as collected by the website or the application, as reasonably necessary to perform the contracted tasks on our behalf. We sign contractual agreements to obligate them to protect the personal information, only use it to deliver the contracted services to us, prohibit them from selling it and not disclose it without our knowledge and permission.

Service Provider Name Business Purpose Information Collected by the Service Provider Data Location
Amazon Web Services Infrastructure Hosting provider Limited, no PII Cloud
Sentree Cayuse Web Page Hosting Limited, no PII Cloud
Sigma Computing Cayuse Analytics Provider Limited PII Cloud

Legal Disclosures

Cayuse is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Cayuse abides by Annex I of the Data Privacy Framework (DPF) Principles, in regards to arbitration. Cayuse is obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to Cayuse and following the procedures and subject to conditions set forth in Annex I of the DPF Principles. This includes all Cayuse U.S. entities and U.S. subsidiaries, including:

  • Cayuse, LLC
  • Cayuse Topco, Inc
  • Cayuse Holdings, LLC
  • Cayuse Intermediate Holdings, LLC
  • ERA Software, Inc
  • NTM Consulting Services, LLC
  • Information Technology Works, LLC
  • iMedRIS Data Corporation

 

Cayuse does not transfer any personal information collected to third-parties, but if in the future we do transfer personal information to a third party acting as an agent on its behalf, Cayuse shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless Cayuse proves that it is not responsible for the event giving rise to the damage.

It is possible that we may need to disclose personal information when required by law, subpoena or other legal processes as identified in the applicable legislation. We attempt to notify our clients about legal demands for their personal data when appropriate in our judgment unless prohibited by law or court order or when the request is an emergency.

Change in Control

We can also share your personal data as part of a sale, merger, change in control or in preparation for any of these events. Any other entity which buys us or part of our business will have the right to continue to use your data, but only in the manner set out in this Privacy Policy unless you agree otherwise.

5.0 How We Secure Personal Information

We are committed to protecting the security of all of the personal information we collect and use. We use a variety of physical, administrative and technical safeguards designed to help protect it from unauthorized access, use and disclosure. We have implemented best-practice standards and controls in compliance with internationally recognized security frameworks. We use encryption technologies to protect data at rest and in transit.

6.0 Your Rights

We provide the same suite of services to all of our clients and end users worldwide. We offer the following rights to all individuals regardless of their location or applicable privacy regulations.

For personal information we have about you, you can:

  • Access your personal information or request a copy.

You have the right to obtain information about what personal information we process about you or to obtain a copy of your personal information. If you have provided personal information to us, you may contact us to obtain an outline of what information we have about you or a copy of the information. If you are an end user of the application, you can log in to see the personal information in the account or approach your employer for more information.

  • Right to be notified.

You have the right to be notified of what personal information we collect about you and how we use it, disclose it and protect it. This Privacy Policy describes what personal information we collect and our privacy practices. We may also have additional privacy notices and statements available to you at the point of providing information to us directly.

  • Change or correct your personal information.

You have the right to update or correct your personal information or ask us to do it on your behalf. You can edit your information through the user account in the application or ask us to change or correct it by contacting us at dataprivacy@cayuse.com.

  • Delete or erase your personal information.

You have the right to request the deletion of your personal information at any time. We will communicate back to you within reasonable timelines the result of your request. We may not be able to delete or erase your personal information, but we will inform you of these reasons and any further actions available to you.

  • Object to the processing of your personal information.

You have the right to object to our processing of your personal information for direct marketing purposes. This means that we will stop using your personal information for these purposes.

  • Ask us to restrict the processing of your personal information.

You may have the right to ask us to limit the way that we use your personal information.

  • Export your personal data.

You have the right to request that we export to you in a machine-readable format all of the personal information we have about you.

Cayuse does not currently use automated decision-making or profiling of personal information that produces legal or similarly significant effects on individuals. If this changes, we will update this policy and provide appropriate disclosures at the point of collection. We do not make solely automated decisions about you that produce legal or similarly significant effects without providing human review upon request.

Response Timeline: We will respond to all rights requests within 30 days of receipt. In complex cases, we may extend this period by an additional 30 days with prior notice to you. If you are located in a jurisdiction with a shorter statutory response period, the applicable statutory deadline will govern.

If you would like to exercise any of the rights described above, please contact us at dataprivacy@cayuse.com.

You also have the right to lodge a complaint with the local organizations in charge of enforcing the privacy legislation applicable in your territory.

7.0 How Long We Keep Your Personal Information

We retain information as long as it is necessary to provide the services to you and our clients, subject to any legal obligations to further retain such information. We may also retain information to comply with the law, prevent fraud, collect fees, resolve disputes, troubleshoot problems, assist with investigations, enforce our Terms of Service and take other actions permitted by law.

The information we retain will be handled following this Privacy Policy. Information connected to you that is no longer necessary and relevant to provide our services may be de-identified or aggregated with other non-personal data. This information may provide insights that are commercially valuable to Cayuse, such as statistics of the use of the services.

As a general guide, we retain the following categories of personal information for the following periods: account and application data for the duration of the contract plus applicable legal hold periods; marketing and prospecting data for up to three years from last interaction or until opt-out; job applicant data for up to two years from submission unless a longer period is required by law; and website usage and analytics data for up to thirteen months. Specific retention periods applicable to your data may be set out in your organization’s Data Processing Agreement with Cayuse. You may request information about retention periods for specific categories by contacting us at dataprivacy@cayuse.com.

8.0 Other Important Information

We process data in locations United States, Canada, EU, UK, Asia and Australia and rely on legally-provided mechanisms to lawfully transfer data across borders, such as contracts incorporating data protection and sharing obligations. We provide the capability for the return, transfer and/or disposal of personal data in a secure manner.

We will only collect and process your personal data where we have a lawful reason for its collection.

When you visit our website and provide us with your personal information, we collect and use it with your consent.

As an application end user, you consent to our collection of your personal information when you log in for the first time. However, your employer has control of the account and may upload and share additional personal information. Your employer’s responsibility is to ensure that collecting, using and sharing the personal information uploaded to the application complies with all applicable legislation.

Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time. If you have any questions about the lawful bases upon which we collect and use your personal data, please contact us at isc@cayuse.com.

Data Breach Notification

In the event of a personal data breach, Cayuse will notify affected parties in accordance with applicable law. Under GDPR Article 33, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to individuals, we will notify affected individuals without undue delay. For U.S. residents, we will provide notification in accordance with applicable state breach notification laws, which may require notification within 30 to 72 hours depending on the state, and may require notification to state Attorneys General. We will notify affected Cayuse clients in accordance with the terms of applicable Data Processing Agreements.

Children’s Privacy

Our application and services are intended for business use by adults and are not directed at children. Consistent with the Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete it. If you believe we may have collected information from a child under 13, please contact us at dataprivacy@cayuse.com. Note: California law separately requires opt-in consent before selling or sharing personal information of consumers between the ages of 13 and 16; see Section A.2 for details.

How to select your communications preferences

You may choose to receive or not receive marketing communications from us.

Email: Please click the “Unsubscribe” link in any marketing email we send you to stop receiving marketing email communications.

SMS/Text Messages: If you have opted in to receive text messages from Cayuse, reply STOP to any message to opt out. Reply HELP for assistance. You will receive one final confirmation message after opting out.

SMS / Text Messaging Communications

Program Name: Cayuse SMS Notifications

Program Description: Cayuse sends transactional and informational text messages to registered users and clients regarding platform updates, support communications, and service announcements.

Message Frequency: Message frequency varies based on account activity and your engagement with Cayuse services.

Message and Data Rates: Message and data rates may apply. Check with your mobile carrier for details.

Opt-Out Instructions: Reply STOP to any message to opt out. Reply HELP for assistance. Carriers are not liable for any delayed or undelivered messages.

You may choose to receive or not receive marketing communications from us. Please click the “Unsubscribe” link in the email we sent you to stop receiving marketing communications.
You may choose which information we collect automatically from your device by controlling cookie settings on your browser or by selecting your preferences through our Cookie Policy. https://cayuse.com/privacy/

Even if you opt-out of receiving marketing communications, we may still communicate with you regarding security and privacy issues, servicing your account, fulfilling your requests, or administering any promotion or any program in which you may have elected to participate.

Do Not Track

Some web browsers offer a “Do Not Track” (DNT) signal indicating a user does not want to be tracked across websites. Our website does not currently alter its behavior in response to DNT signals. We will update this policy if our practices change. Pursuant to California’s CalOPPA, this disclosure satisfies the requirement to describe how we respond to DNT signals. Cayuse does honor Global Privacy Control (GPC) signals for California residents as described in Section A.2.

9.0 Contact Information

Artificial Intelligence and Automated Tools

Cayuse does not currently use artificial intelligence, machine learning, or automated decision-making tools that process personal data in connection with its products or services. This policy will be updated if our practices change, and any future use of such tools that processes personal data will be disclosed at the point of collection or in applicable product documentation.

You may contact us to exercise any of your rights or ask for more information about your personal information and our privacy practices by contacting us at dataprivacy@cayuse.com.

10.0 Disciplinary Policy

Failure to adhere to the requirements set forth in this policy could lead to disciplinary action. Please refer to the disciplinary policy highlighted in the Cayuse Employee Handbook for further details.

Appendix

A.1 For Individuals Based in the European Economic Area (EEA), United Kingdom (UK) and Switzerland

If you are based in one of these jurisdictions, Cayuse is the controller of your personal data collected in the following instances:

  • When you visit our website https://www.cayuse.com
  • When we process your personal data for sales and marketing purposes

Note for UK Residents: Following the UK’s exit from the European Union, personal data of UK residents is processed under the UK GDPR and the Data Protection Act 2018. References to GDPR in this section apply equally to UK GDPR where the context requires. The lawful bases, individual rights, and transfer mechanisms described apply to UK residents, with the UK Information Commissioner’s Office (ICO) serving as the relevant supervisory authority

Cayuse is a processor of all personal data processed on the application, on behalf of our clients. We only process the personal data under their direction. Please contact your employer or the organization that granted you access to the application for details on their privacy practices.

We only process personal data if we have a lawful basis for doing so. The lawful bases applicable to our processing as controller are:

  • Consent: We will ask for your express and informed consent every time we collect your personal data on this legal basis.
  • Contractual basis: We process the personal data as necessary to fulfill our contractual terms with you or our clients.
  • Legitimate interest: We process the names, contact details, job titles, companies of our existing and prospective clients for our marketing purposes, including market research and sales leads generation.
  • A Legitimate Interest Assessment (LIA) is available upon request at dataprivacy@cayuse.com.

You have the following rights under the GDPR:

  • Be informed about the collection and use of your personal data Access your personal data
  • Access your personal data
  • Correct errors in your personal data
  • Erase your personal data
  • Object to the processing of your personal data.
    • This right is also available to individuals whose personal data is processed by us for direct marketing purposes. If you object to the processing of your personal data for direct marketing purposes, we shall stop processing within 30 days of receipt of your request.
  • Export your personal data
  • Restrict our processing of your personal data for specific reasons, including any of the purposes supported by the legitimate interest legal bases (see the section above).
  • Not to be subject to a decision based solely on automated decision making

We process personal data in our AWS operating regions stipulated in the contract of the Data Controller and share it with our service providers in those regions. We use standard contractual clauses, approved by the European Commission or competent UK authority (as applicable), as the data transfer mechanism for transferring personal data from the EEA or UK to other countries subject to data transfer requirements. See the table of our service providers above.

You may contact us at dataprivacy@cayuse.com

You may also lodge a complaint with your local supervisory authority:

  • EU Data Protection Authorities (DPAs). See their contact details here National Data Protection Authorities.
  • Information Commissioner’s Office (ICO)
  • Swiss Federal Data Protection and Information Commissioner (FDPIC).

A.2 For Individuals Based in California

This section provides additional specific information for consumers based in California as required by the California Consumer Privacy Act of 2018 (“CCPA“) and the California Privacy Rights Act of 2020 (“CPRA“) – which significantly amends and expands the CCPA.

A.2.1 Collection and Use of Personal Information

In the last 12 months, we have collected the following categories of personal information:

  • Identifiers, such as your name, mailing address, email address, zip code, telephone number or other similar identifiers
  • California Customer Records (Cal. Civ. Code § 1798.80(e)), such as username and password, company name, job title, business email address and department
  • Internet or network information, such as your browsing history, log and analytics data, information about the device(s) used to access the services and information regarding your interaction with our websites or services and other usage data
  • Geolocation data, such as information about your location (at country and city level) collected from your IP address
  • Sensory Information, the content, audio and video recordings of conference calls between you and us that we record where permitted by you and/or the law
  • Sensitive personal information (“SPI”), including account log-in credentials (username and password) required to access the Cayuse platform, as defined under Cal. Civ. Code § 1798.140(ae).
  • Profession/employment information that you send to us when applying for a position included in your CV and cover letter
  • Other personal information, such as personal information you provide to us in relation to a survey, comment, question, request, article download or inquiry and any other information you upload to our application

A.2.2 Recipients of Personal Information

We share personal information with third parties for business purposes. The categories of third parties to whom we disclose your personal information may include: (i) our service providers and advisors, (ii) marketing and strategic partners; (iii) ad networks and advertising partners; (iv) analytics providers; and (v) social networks.

Cayuse recognizes and honors the Global Privacy Control (GPC) signal as a valid opt-out of the sale and sharing of personal information for California residents. If your browser or device transmits a GPC signal when you visit our website, we will treat it as a request to opt out of sale and sharing.

A.2.3 California Privacy Rights

As a California resident, you may be able to exercise the following rights under the CCPA in relation to the personal information about you that we have collected (subject to certain limitations at law):

  • The right to access/know any or all of the following information relating to your personal information that we have collected and disclosed in the last 12 months (upon verification of your identity): the specific pieces of personal information we have collected about you; the categories of personal information we have collected about you; the categories of sources of the personal information; the categories of personal information that we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed; the categories of personal information we have sold and the categories of third parties to whom the information was sold; and the business or commercial purposes for collecting, selling or sharing the personal information.
  • The right to request deletion of personal information we have collected from you, subject to certain exceptions.
  • The right to opt-out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell your personal information. To the extent any of our advertising or analytics activities constitute “sharing” under the CPRA, you may opt out by contacting us at dataprivacy@cayuse.com or by transmitting a Global Privacy Control (GPC) signal.
  • The right to opt-in before sale or sharing of personal information of consumers between the ages of 13 and 16 (consumers under 13 require parental opt-in). This threshold is distinct from COPPA’s collection prohibition for children under 13 described in Section 8.0. We do not sell the personal information of consumers of any age.
  • You also have the right to be free of discrimination for exercising these rights.

 

In addition to the rights mentioned above, the CPRA grants California residents with the following additional rights:

  • The right to opt-out of sharing of personal information to third parties now or in the future.
  • The right to request rectification/correction of inaccurate personal information, considering the nature and purposes of the processing of the information.

The right to limit use and disclosure of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer. To exercise this right, contact us at dataprivacy@cayuse.com.

A.2.4 How to Exercise Your California Consumer Rights

To exercise any of your right mentioned above, please submit a request by contacting us at dataprivacy@cayuse.com.

We will need to verify your identity before processing your request.

In order to verify your identity, we will generally require sufficient information from you so that we can match it to the information we maintain about you in our systems. Sometimes we may need additional personal information from you to be able to identify you. We will notify you.

We may decline a request to exercise the right to know and/or right to deletion under the CCPA as well as your right to rectification under the CPRA, particularly where we cannot verify your identity or locate your information in our systems or as permitted by law.

You may choose to designate an authorized agent to make a request under the CCPA or CPRA on your behalf. No information will be disclosed until the authorized agent’s authority has been reviewed and verified. Once an authorized agent has submitted a request, we may require additional information (i.e., written authorization from you) to confirm the authorized agent’s authority.

If you are an employee/former employee of a Cayuse client that uses our application and services, please direct your requests and/or questions directly to your employer or former employer.

If you are a third party (auditor, business associate, etc.), who was given access to the Cayuse application by a Cayuse client, please direct your requests and/or questions directly to the Cayuse client that gave you access.

Conditions for the right to be effective:
  • The consumer has not made the same request twice before, during the previous 12 months.
  • Personal information is not part of the information collected for a single, one-time transaction; it was not sold or was not retained.
  • The information cannot be re-identified or linked to the consumer in the ordinary course of business.
Minors Under Age 16

Retention: For information about our retention practices, please refer to Section 7.0 of this Privacy Policy. You may also request information about retention periods for specific categories of personal information by contacting us at dataprivacy@cayuse.com.

Our application and services are intended for business use, and we do not expect them to be of any interest to minors. We do not intentionally collect any personal information of consumers below the age of 16. We do not sell the personal information of California consumers.

A.3 For Individuals Based in Australia

This section is applicable to individuals whose personal information is collected, stored, used or disclosed by an APP Entity under the Australian Privacy Principles (“APPs”) contained in the Privacy Act of 1988.

A.3.1 Providing Anonymous and Pseudonymous Options

You have the option of anonymity or using a pseudonym when dealing with Cayuse. However, this option may not be made available to you in certain cases, including if it’s impractical for Cayuse to allow this option or when Cayuse is required or authorized to deal with an identified individual by or under the law.

A.3.2 Collection, Use and Disclosure of Personal Information

Cayuse collects personal information only by lawful and fair means. Additionally, Cayuse collects personal information directly from you or your authorized representative, unless we have your consent for collection from another source, it is required or authorized by law, or it is unreasonable to collect the information only from you.

A.3.3 Your Rights Under the APPs

You have the following rights related to the collection, use and disclosure of your personal data:

  • Be informed about the collection and use of your personal data
  • Access your personal information
  • Correction of your personal information to ensure accuracy and completeness
  • Request to not receive direct marketing communications from us or to not disclose your personal information to others for direct marketing purposes

If you wish to access your personal information or correct that information, please contact us at dataprivacy@cayuse.com. You may opt-out (unsubscribe) of receiving marketing communications by using the links provided in our emails. You may also complain directly to the Office of the Australian Information Commissioner (OAIC).

A.4 EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension, and the Swiss-U.S. DPF

Cayuse complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Cayuse has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Cayuse has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

A.5 For Individuals Based in Virginia

This section applies to Virginia residents under the Virginia Consumer Data Protection Act (“VCDPA“), effective January 1, 2023.

As a Virginia resident, you have the following rights:

  • Confirm whether we are processing your personal data and access such data.
  • Correct inaccuracies in your personal data.
  • Delete personal data you provided to us or that we obtained about you.
  • Obtain a copy of your personal data in a portable, readily usable format.
  • Opt out of the processing of your personal data for targeted advertising, sale of personal data, or profiling for decisions with legal or similarly significant effects.

To exercise these rights, contact us at dataprivacy@cayuse.com.. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “VCDPA Appeal.” Unresolved appeals may be submitted to the relevant state Attorney General.

A.6 For Individuals Based in Colorado

This section applies to Colorado residents under the Colorado Privacy Act (“CPA“), effective July 1, 2023.

As a Colorado resident, you have the following rights:

  • Opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling.
  • Access your personal data.
  • Correct inaccurate personal data.
  • Delete personal data concerning you.
  • Data portability.

To exercise these rights, contact us at dataprivacy@cayuse.com.. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “CPA Appeal.”

A.7 For Individuals Based in Connecticut

This section applies to Connecticut residents under the Connecticut Data Privacy Act (“CTDPA“), effective July 1, 2023.

As a Connecticut resident, you have the following rights:

  • Access and confirm processing of your personal data.
  • Correct inaccuracies in your personal data.
  • Delete personal data concerning you.
  • Data portability.
  • Opt out of targeted advertising, sale of personal data, or profiling.

To exercise these rights, contact us at dataprivacy@cayuse.com.. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “CTDPA Appeal.”

A.8 For Individuals Based in Texas

This section applies to Texas residents under the Texas Data Privacy and Security Act (“TDPSA“), effective July 1, 2024.

As a Texas resident, you have the following rights:

  • Confirm whether we process your personal data and access such data.
  • Correct inaccuracies in your personal data.
  • Delete your personal data.
  • Data portability.
  • Opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling.

To exercise these rights, contact us at dataprivacy@cayuse.com.. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “TDPSA Appeal.”

A.9 For Individuals Based in Montana

This section applies to Montana residents under the Montana Consumer Data Privacy Act (“MCDPA“), effective October 1, 2024.

As a Montana resident, you have the following rights:

  • Access and confirm whether we are processing your personal data.
  • Correct inaccuracies in your personal data.
  • Delete personal data concerning you.
  • Data portability.
  • Opt out of the processing of your personal data for targeted advertising, sale, or profiling.

To exercise these rights, contact us at dataprivacy@cayuse.com. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “MCDPA Appeal.”

A.10 For Individuals Based in Oregon

This section applies to Oregon residents under the Oregon Consumer Privacy Act (“OCPA“), effective July 1, 2024.

As a Oregon resident, you have the following rights:

  • Confirm whether we are processing your personal data and access a copy.
  • Correct inaccuracies in your personal data.
  • Delete personal data concerning you.
  • Data portability.
  • Opt out of the processing of your personal data for targeted advertising, sale, or profiling.
  • Obtain a list of specific third parties to whom Cayuse has disclosed your personal data.

To exercise these rights, contact us at dataprivacy@cayuse.com.. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “OCPA Appeal.”

A.11 For Individuals Based in New Hampshire

This section applies to New Hampshire residents under the New Hampshire Privacy Act (“NHPA“), effective January 1, 2025.

As a New Hampshire resident, you have the following rights:

  • Access and confirm whether we are processing your personal data.
  • Correct inaccuracies in your personal data.
  • Delete personal data concerning you.
  • Data portability.
  • Opt out of the processing of your personal data for targeted advertising, sale, or profiling.

To exercise these rights, contact us at dataprivacy@cayuse.com.. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “NHPA Appeal.”

A.12 For Individuals Based in New Jersey

This section applies to New Jersey residents under the New Jersey Data Privacy Act (“NJDPA“), effective January 15, 2025.

As a New Jersey resident, you have the following rights:

  • Access and confirm whether we are processing your personal data.
  • Correct inaccuracies in your personal data.
  • Delete personal data concerning you.
  • Data portability.
  • Opt out of the processing of your personal data for targeted advertising, sale, or profiling.

To exercise these rights, contact us at dataprivacy@cayuse.com.. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “NJDPA Appeal.”

A.13 For Individuals Based in Nebraska

This section applies to Nebraska residents under the Nebraska Data Privacy Act (“NDPA“), effective January 1, 2025.

As a Nebraska resident, you have the following rights:

  • Access and confirm whether we are processing your personal data.
  • Correct inaccuracies in your personal data.
  • Delete personal data concerning you.
  • Data portability.
  • Opt out of the processing of your personal data for targeted advertising, sale, or profiling.

To exercise these rights, contact us at dataprivacy@cayuse.com. We will respond within 45 days, extendable by 45 days when reasonably necessary with notice. If we decline your request, you may appeal by emailing dataprivacy@cayuse.com with the subject line “NDPA Appeal.”