Customer Privacy Policy

Last Updated: 24 October, 2024

Plume Design, Inc. (Plume or we) offers software, hardware and other related services that deliver smart home and enterprise-grade small business services built on self-optimizing Wi-Fi technology, mobile applications (Plume Mobile Apps) and www.plume.com (altogether, Plume Services). Plume provides this Plume Privacy Policy to explain the personal information that Plume processes and how and why Plume processes it in connection with the Plume Services. This Plume Privacy Policy also describes the rights and choices that you may have with respect to your personal information and how to exercise those rights.

For the Plume Services:

∙ You are a “Customer” if you are the legal or natural person that purchases or subscribes to the Plume Services.

∙ You are a “User” if you are authorized by a Customer to access and use the Plume Services under Plume’s agreement with the Customer. If you are a natural person who is a Customer, then you also are a User.

Plume Design, Inc. is incorporated under U.S. law, with a place of business at 325 Lytton Avenue, Palo Alto, CA 94301, USA. Please see Section 12 for contact details. Please see Section 1 below to learn more about when Plume is the controller of your personal information.

IF YOU DO NOT ACCEPT PLUME’S PROCESSING OF YOUR PERSONAL INFORMATION AS DESCRIBED IN THIS PLUME PRIVACY POLICY, PLEASE DO NOT USE THE PLUME SERVICES OR OTHERWISE PROVIDE YOUR PERSONAL INFORMATION TO PLUME.

Subject to Plume’s legal and contractual requirements, you may refuse or withdraw your consent to our collection, use, disclosure and other processing of your personal information by contacting our privacy officer at privacy@plume.com. If you refuse or withdraw your consent, Plume may not be able to provide you or continue to provide you with services or information which may be of value to you. Also, the withdrawal of consent does not necessarily apply to processing that occurred before you withdrew your consent.

Throughout this Plume Privacy Policy, we use the following terms with the following meanings:

personal information means information that identifies or can be used to identify an individual person.

processing means any operation (or set of operations) performed on personal information, such as collecting, combining and storing.

controller means the person or entity that determines why and how personal information is processed, including a “business.”

processor means the person or entity processing personal information on behalf of a controller, including a “service provider.”

Services Data means data generated by or derived from use of the Plume Services and data which is derived from that data.

Customer Network means the Wi-Fi network created by a Customer’s use of the Plume Services together with Customer Network Equipment.

Customer Network Equipment means Plume’s SuperPods and similar Wi-Fi extenders, OpenSync-enabled gateways and other on-premise Wi-Fi network equipment, whether made available by a communication services provider or acquired by the Customer.

Plume’s processing of personal information is subject to the laws in the jurisdictions in which Plume operates. Privacy rights also may vary depending on an individual’s place of habitual residence. For more information, please see Section 8 and Section 13.

RESIDENTS OF THE U.S.: Please also see Plume’s U.S. Privacy Rights Notice at https://www.plume.com/legal/privacy-rights-notice/. Plume’s U.S. Privacy Rights Notice serves as Plume’s Notice at Collection for purposes of compliance with the California Consumer Privacy Act. To submit a request to exercise your consumer privacy rights or to submit a request as an authorized agent, visit Plume’s U.S. Privacy Request Form, call us at 844-MY PLUME (844-697-5863) or email us at privacy@plume.com.

This Plume Privacy Policy is divided into the following sections:

1. WHEN AND WHERE DOES THIS PLUME PRIVACY POLICY APPLY?
2. WHAT PERSONAL INFORMATION DOES PLUME COLLECT AND WHY?
3. HOW DOES PLUME USE PERSONAL INFORMATION?
4. DOES PLUME USE AUTOMATED PROCESSING?
5. HOW DOES PLUME SHARE PERSONAL INFORMATION?
6. HOW DOES PLUME PROTECT PERSONAL INFORMATION?
7. HOW LONG DOES PLUME RETAIN PERSONAL INFORMATION?
8. WHAT CHOICES ARE AVAILABLE FOR PERSONAL INFORMATION?
9. HOW DOES PLUME PROTECT CHILDREN’S PRIVACY?
10. DOES PLUME TRANSFER PERSONAL INFORMATION TO OTHER COUNTRIES?
11. WHEN IS THIS PLUME PRIVACY POLICY CHANGED?
12. WHO DO I CONTACT WITH QUESTIONS?
13. PRIVACY RIGHTS AND CHOICES IN SPECIFIC JURISDICTIONS

1. WHEN AND WHERE DOES THIS PLUME PRIVACY POLICY APPLY?

When the Plume Privacy Policy applies depends on your relationship with Plume.

o The Plume Privacy Policy applies when you are asked to acknowledge it and when Plume is the controller of your personal information. In this Plume Privacy Policy, the term “controller” means the entity that is responsible for the purpose and means of processing your personal information. For example:

▪ When you create an account to use HomePass or WorkPass, you may be asked to acknowledge that this Plume Privacy Policy applies to your personal information, which Plume processes as a controller.

▪ Plume processes your personal information as a controller when Plume collects data (including personal information) for service management purposes, such as to identify and track and record support, to ensure the security and integrity of the Plume Services and for billing and account management.

▪ Plume is the controller of Services Data and uses Services Data to analyse, measure the effectiveness of and improve the Plume Services.

▪ When you visit www.plume.com to learn more about Plume or download resources, Plume is the controller. Plume.com is operated by Plume Design, Inc. as responsible controller.

o When a business Customer asks you to agree to that business Customer’s privacy policy before you connect to a Customer Network, then the business Customer’s privacy policy applies. Generally, Plume is a processor of personal information when a business Customer’s privacy policy applies – except for data collected for services management purposes and Services Data when Plume is the controller.

o If a particular website or service links to a different privacy policy, then that privacy policy – not the Plume Privacy Policy – applies. Please make sure to check those other privacy policies to learn how your personal information is processed.

2. WHAT PERSONAL INFORMATION DOES PLUME COLLECT AND WHY?

Plume processes personal information to provide and promote the Plume Services as described in this Section 2. The specific types of personal information that Plume collects from or about you depends on how you interact with Plume, the Plume Services used and the applicable law.

a. Information you choose to give us

We collect the personal information you choose to share with us. The personal information that you choose to give to us typically includes the following types of personal information:

Types of Personal information
Why this Personal Information is Collected

Contact and account information

Name, email address or other username, password, telephone number and similar contact information and purchase related contact information (e.g., billing and delivery address, payment information and similar information necessary to complete a purchase); profile nicknames and profile photos.

  • To create and maintain your account to use the Plume Services.
  • To create a Customer profile, such as a User profile displaying devices connected to a Customer Network.
  • To enable Plume’s communication service provider (CSP) and other partners to use Plume Services for data analytics about Customer Networks and targeted marketing.
  • To verify identity for certain Plume Services.
  • To complete a purchase of Plume products, such as a purchase of Plume SuperPods from Plume’s online store and a purchase of a HomePass Membership through Plume’s HomePass Mobile App. Payment card information is handled by a third-party payment processor, not Plume.
  • For customer service.
  • To provide information that you request, such as when you participate in an event or sign up to receive Plume emails on www.plume.com, and respond to other inquiries.
  • For marketing and promotions that Plume may offer from time to time.
  • To send information that we think will interest our Customers, which is sometimes personalized based on the information associated with their accounts.
  • To request customer feedback, such as through a survey about a new product feature.
  • For research and innovation, such as algorithmic data matching that enables Plume and its business partners to better understand how Customer Networks are used.

Location Data

location is derived from IP addresses on a Customer Network and is not precise geolocation

  • To provide certain features of the Plume Services, such as to recognize a device that connects to a Customer Network.
  • To customize the experience of the Plume Services.
  • To provide customer support.
Information associated with a social media account
  • When you connect with Plume or connect to a Customer Network through a social media platform, such as Facebook or X, we collect the personal information permitted by the social media platform and your account permissions. (Your personal information also is subject to the social media platform’s privacy policy and practices.) Some of this information is automatically collected.
Personal information you share through the Plume Services
  • To manage features of the Plume Services that allow you to share your personal information.
  • When you receive customer support, including contents of communication that you share by using our chatbot.
  • To respond to your request in a form filled out on Plume’s website to download content or attend an event.

b. Information about use of Plume Mobile Apps

When you download and install one of the Plume Mobile Apps on your smartphone or tablet (Mobile Device), the information that we collect depends on the Mobile Device’s operating system and permissions. The Plume Mobile Apps need to use certain features and data from your Mobile Device to function. For example, we collect mobile operating system and version, Bluetooth data, usage data and crash reports for the Plume Mobile Apps. Some information also is automatically collected by the Plume Services depending on operating system settings (as described in sub-section c below).

To learn more about the specific information collected by one of the Plume Mobile Apps, please check your Mobile Device’s settings or review the permissions available on the mobile app platform (e.g., Google Play or App Store) from which you downloaded a Plume Mobile App. Certain Plume Mobile Apps also allow you to check or change your status for certain data collection in the Plume Mobile App’s settings. If you change your settings, certain features may not function properly.

To stop collection of all information through a Plume Mobile App, please uninstall the Plume Mobile App.

c. Information automatically collected by the Plume Services

The Plume Services automatically collect certain information from and about use of the Plume Services and Customer Networks. Automatically collected information is used to help ensure that the Plume Services deliver the best Wi-Fi experience, quality of service and security on Customer Networks. Some automatically collected information is personal information under certain laws.

Category of Personal information that Plume Automatically Collects
Types of Personal Information Automatically Collected
Information about Customer Networks and Customer Network Equipment

∙ network addresses, Internet connections and operating statistics of Customer Network Equipment.

∙ type, operating system and other identifying information about Customer Network Equipment.

∙ Received Signal Strength Indicator (RSSI), beacon identifiers and other information transmitted to and from Customer Network Equipment.

∙ applications (e.g., Facebook, YouTube) that a User accesses through the Customer Network by application name, by category (e.g., gaming, productivity, social) and by traffic class (e.g., voice, video conferencing, game play, video streaming), including bandwidth usage and access time.

∙ Internet service provider (ISP) name and Internet protocol (IP) address, ISP speeds and outages.

∙ log information from Customer Network Equipment, such as connected computers and Mobile Devices, relative location (based on Bluetooth data when permitted by Mobile Device operating system settings) and software and hardware versions and connection time.

∙ Zones (e.g., kitchen, break room) designated on Customer Network Equipment and which Mobile Devices and computers are connected to them.

∙ hostname and nicknames designated on Customer Network Equipment and network access points.

∙ Customer Network metadata, such as dynamic host configuration protocol (DHCP) fingerprint, hypertext transfer protocol (HTTP) user agent information, Universal Plug and Play (UPnP) discovery protocol and multicast domain name system (mDNS) discovery information related to identifying devices and IP addresses.

∙ virtual private network (VPN) connection status and configuration

∙ domain name system (DNS) requests.

∙ current and historical data transfer speeds and data amount consumed.

∙ source and destination traffic headers, IP addresses, ports, size and counts of transferred bytes and packets, metadata from certificate handshake in a TLS / HTTPS connection and DNS requests.

Information about the specific computers and Mobile Devices connected to a Customer Network

∙ type, operating system and software and hardware versions.

∙ name, MAC address and similar identifiers.

∙ time connected to the Customer Network.

∙ websites and applications used, access and usage time and bandwidth used through the Customer Network, which are displayed to the network administrator.

∙ mobility of computers and Mobile Devices while connected to a Customer Network (aka “motion sensing”), including through Bluetooth.

∙ bandwidth usage by application or device (which a Customer Network administrator can adjust).

Digital well-being data (Data about use of a Customer Network available to a Customer Network’s administrator when certain safety controls and security features are turned on in the Plume Services.)

∙ computers and Mobile Devices currently connected to a Customer Network.

∙ how long a specific computer or Mobile Device is connected.

∙ whether and which computer or Mobile Device was used to attempt access to a blocked domain.

Information specific to a Customer Network created using HomePass and Mobile Devices connected to the Customer Network
∙ motion in the home, which is collected by Bluetooth connections (device proximity and zones) and disruptions in Wi-Fi waves in the Customer Network and which collectively provide a pattern of motion and motion history (aka “motion sensing”).
Information specific to a Customer Network created using WorkPass and Mobile Devices connected to the Customer Network
∙ data collected from or about Users of a small business’ Customer Network created using WorkPass that allow the Customer Network administrator to identify who is connected to the Customer Network, such as name, email address, city, country, year of birth, gender, telephone number, profile photo and social media handle before access to the Customer Network is granted. Many of these data are optional and/or dependent on the User’s social media profile settings.
Data collected about use of Plume’s websites and digital marketing from Plume’s use of cookies, pixels, web beacons and similar data collection technology (collectively, data collection technology)

∙ browser type, operating system version, domains, IP address, browser type, ISP and mobile network of visitors to Plume’s websites.

∙ how a computer or Mobile Device interacts with Plume’s websites, including the date and time accessed, search requests and results, mouse clicks and movements, specific webpages accessed, links clicked, and videos watched, user settings and configurations, reports created and downloaded content.

∙ data about the third-party sites or services accessed before interacting with Plume’s websites, which is used to make advertising more relevant for Users.

∙ interactions with Plume’s marketing communications, such as whether and when a Plume email is opened, to help Plume measure the success of email marketing campaigns.

Please see Plume’s Cookie Policy for more information.

d. Information collected from third parties

From time to time, Plume receives personal information from third parties that help Plume learn more about Customers and more effectively promote and improve the Plume Services.

The types of personal information that we receive from third parties are:

∙ Information from internet-connected devices and services when using the Plume Command (Voice Assistant) service, such as technical data and usage information from the Google or Amazon device connected to a Customer Network. Plume does not receive or process audio files. Please check your device settings and the privacy policy for those internet-connected devices and services to learn more about the data that may be shared with Plume.

∙ Location information using MaxMind’s GeoIP service, which is not precise geolocation data.

∙ Personal information associated with purchases from Plume on www.plume.com or through a mobile application platform. Payments for purchases are processed by third-party payment processors; Plume does not have access to complete bank account numbers, credit card numbers or debit card numbers.

∙ Personal information from vendors and other third parties (such as Cognism) to help identify individuals who may be interested in learning more about the Plume Services and to supplement personal information we already have.

∙ Personal information from the third-party advertising partners that use cookies on the Plume website to collect information about browsing activities over time and across websites. Through a process called “retargeting,” each advertising partner places cookie(s) in your browser when you visit our website so that they can identify you and serve you ads on other websites around the web based on your browsing activity. Please see Plume’s Cookie Policy for more information.

∙ Personal information from publicly available sources (where permitted and subject to confirmation of Plume’s right to use that information).

∙ Personal information from law enforcement and other government authorities (but only in rare cases and when legally required).

When Plume combines personal information from third-party data sources to enhance the personal information that Plume or its business Customers hold, Plume requires that each third party confirms the lawfulness of its sharing of personal information with Plume for the purposes described in this Plume Privacy Policy.

The Plume Services may occasionally contain links to other websites and online services not operated by Plume. Plume is not responsible for the privacy practices or the content of those other websites and services. Please be sure to review the privacy policies of those other websites and online services.

The use of social media platforms in connection with Plume Services may lead to the collection and exchange of some personal information between Plume and such social network. We invite you to read the privacy policy posted on each platform to learn more. You can directly configure and control the access to and confidentiality of your personal information. Plume is not responsible for any use of your personal information by the social media platforms on their account.

e. Other information collected with your consent

We may ask you for your consent to collect specific types of personal information, such as when you choose to participate in events, request exclusive content or participate in testing new products or features.

3. HOW DOES PLUME USE PERSONAL INFORMATION?

Plume uses personal information to provide and improve the Plume Services, manage our business, protect Users and enforce our legal rights.

To operate and provide the Plume Services for its small business and communication service provider Customers:

o create User accounts and verify User identity

o provide customer support and respond to customer requests

o identify security threats (e.g., malicious Internet locations or websites) and activity that may indicate unauthorized use of Customer Networks

o schedule network optimizations and firmware updates for Customer Network Equipment

o enable Customer Network administration, such as offering tools for administrators to manage access, security and confidentiality policies, blocking content identified as inappropriate in accordance with content filters set by the Customer Network administrator and generating live motion visuals and motion history for Customer Networks

o offer data analytics tools that enable Customers to match and augment their own data sets with data generated by Customer Networks in order to help improve market and audience segments and profiles, identify and analyse trends and better target advertising campaigns

Whether Plume is a controller or processor depends on the Customer relationship. If you have questions about whether Plume is a processor or controller of your personal information, please contact the administrator of the Customer Network you are using or privacy@plume.com.

For Plume’s lawful business purposes. Plume processes personal information as a controller to:

o monitor use of and protect the Plume Services and information processed through the Plume Services

o track customer support, billing and account management

o analyse, measure the effectiveness of and improve the Plume Services

o identify customer needs and develop new products and services to meet them

o conduct marketing about the Plume Services or related third-party products and services (where permitted)

o invite Customers and others to participate in market research and testing of current and new features or products

o create statistical analyses and segment and combine data sets to identify trends

o detect and prevent fraud (e.g., if you provide a credit or debit card, we may use third parties to check the validity of the sort code, account number and card number you submit)

o enforce Customer contracts and other legal agreements

o prevent, investigate and/or report security incidents, crime, fraud or misrepresentation

To comply with applicable laws and protect legal rights. Plume processes personal information as a controller to:

o enforce and investigate actual or suspected violations of our agreements

o protect the safety, security and legal rights of Customers and Users of Customer Networks

o detect, prevent and remediate fraud or other unlawful behaviour, security issues and other technical issues related to the Plume Services

With consent. Plume processes personal information as a controller based on consent for certain marketing activities and advertising practices for automated processing (as described below).

Plume also anonymizes personal information and uses the anonymized data as permitted by applicable law and contracts. (Once personal information is anonymized in compliance with applicable law, it is no longer personal information and not subject to this Plume Privacy Policy.)

4. DOES PLUME USE AUTOMATED PROCESSING?

Where permitted by law, Plume uses automated decision-making and profiling tools (collectively, automated processing). We provide notice or obtain consent for, and/or allow you to opt out of, automated processing as required.

We use automated processing in the following situations:

∙ To analyse certain personal information for targeted marketing strategies.

∙ To support interconnections with Facebook, Google and similar providers for advertising on behalf of a CSP partner.

∙ For behaviour-based modelling and customer segmentation analysis.

∙ For data loss prevention.

∙ To monitor use of the Plume Services in accordance with content, governance and information security policies.

∙ To comply with legal obligations and defend legal rights.

∙ To prevent, investigate and/or detect unauthorized or illegal use of the Plume Services.

Plume works to provide meaningful information about the logic involved in automated processing to help ensure that, when consent to automated processing is required, it is specific, informed and voluntary and to ensure that Users of the Plume Services are not adversely affected by a decision to withhold or revoke consent to automated processing.

5. HOW DOES PLUME SHARE PERSONAL INFORMATION?

How Plume shares personal information depends on the Plume Services used. Generally, Plume shares personal information according to Customer contracts, with people and businesses that help operate the Plume Services and otherwise when Plume is legally permitted or required to do so.

Plume shares personal information with the following categories of recipients:

∙ Professional advisors, such as lawyers, accountants, insurers and information security and forensics experts.

∙ Marketing vendors that help promote the Plume Services (such as by email marketing) and to supplement personal information that we already have. For example, Meta receives and uses certain data related to the use of the Services to help us deliver personalized advertising on its platform and assess the effectiveness of this advertising.

∙ Service providers to enable them to perform services on our behalf, including data analytics, geo-location based on IP address analytics, data security, cloud storage providers, ecommerce operations, surveys, research, administration of promotions, offers and promotions and otherwise to help us carry out our business.

∙ Business Customers when Plume is acting as a processor of personal information.

∙ Business partners, such as the providers of the Internet-connected devices and services that a Customer chooses to connect to a Customer Network (e.g., Google Nest and Amazon Alexa). If you acquire the Plume Services through a CSP or other Internet service provider, Plume shares personal information with that provider. Plume also shares personal information with partners to enable them to segment their customers who are Users based on machine learning-determined “traits” of that location.

∙ Potential or actual acquirers or investors and their professional advisers in connection with any actual or proposed merger, acquisition or investment in or of all or any part of our business. We will use our best efforts to ensure that the terms of this Plume Privacy Policy apply to personal information after the transaction or that Users receive advance notice of changes to personal information processing.

∙ Our subsidiaries/branch offices in Slovenia, Switzerland and Taiwan (Plume Entities).

∙ Competent law enforcement, government regulators and courts when we believe disclosure is necessary (i) to comply with the law, (ii) to exercise, establish or defend legal rights, or (iii) to protect the vital interests of Users, business partners, service providers or another third party.

∙ Other third parties with consent.

When Plume shares anonymized data, Plume takes administrative measures to prohibit efforts by recipients to attempt to re-identify anonymized data.

6. HOW DOES PLUME PROTECT PERSONAL INFORMATION?

Plume uses technical, physical, and administrative safeguards intended to protect the personal information that we process from unauthorized access and use.

Our safeguards are designed to provide a level of security appropriate to the risk of processing your personal information and include (as applicable) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of personal information. Like any other organization, Plume cannot fully eliminate security risks associated with the processing of personal information.

You are responsible for maintaining the security of your account credentials. Plume will treat access to the Plume Services through your account credentials as authorized by you.

We may suspend your use of all or part of the Plume Services without notice if we suspect or detect any breach of security. If you believe that information you provided to Plume or your account is no longer secure, please notify us immediately at privacy@plume.com.

If we become aware of a breach that affects the security of your personal information, we will provide you with notice as required by applicable law. When permitted by applicable law, Plume will provide this notice to you through the email address associated with your account or other permitted method associated with your account.

UNAUTHORIZED ACCESS TO PERSONAL INFORMATION AND THE PLUME SERVICES – INCLUDING SCRAPING – IS PROHIBITED AND MAY LEAD TO CRIMINAL PROSECUTION.

7. HOW LONG DOES PLUME RETAIN PERSONAL INFORMATION?

Plume retains personal information associated with a Customer’s account for as long as the account is active and as required by Plume’s Customer contracts and otherwise for as long as necessary to carry out the purposes described above. Plume also retains personal information for as long as Plume believes necessary to comply with our legal obligations, resolve disputes and enforce our legal agreements.

When determining the relevant retention period, Plume takes into account the Plume Services used, the nature and length of Plume’s relationship with the Customer, mandatory retention periods provided by law and other relevant criteria.

At the end of the relevant retention period, Plume either deletes or anonymizes personal information or, if Plume cannot delete or anonymize the personal information, then Plume segregates and securely stores personal information until deletion or anonymization is possible. Plume anonymizes and then uses anonymized data subject to applicable law and contracts.

8. WHAT CHOICES ARE AVAILABLE FOR PERSONAL INFORMATION?

Plume offers various options in the Plume Services for exercising choices about personal information processing, which include:

Opting out of Plume’s Marketing Emails: To stop receiving promotional emails from Plume, please click the “Unsubscribe” link at the bottom of the email. Your account settings also may allow you to change your notification preferences. After you opt out, we may still send you non-promotional communications, such as receipts for purchases or administrative information about your account.

Customer Network settings: Depending on the Plume Services used, a Customer Network administrator has different options. For example:

Device Names: A Customer Network’s administrator may assign profiles and nicknames to Customer Network Equipment, computers and Mobile Devices connected to a Customer Network.

Motion Sensing: A Customer Network’s administrator can disable the motion detection features that allow the Plume Services to generate live motion and motion history reports. Once disabled, Plume will no longer collect information about the live motion within a Customer Network and can no longer generate the reports.

Privacy Mode: Certain Plume Services also offer a Privacy Mode setting. When on, this setting limits data sent from the Customer Network to the Plume Cloud.

Security settings: A Customer Network’s administrator may configure policies for security protection, schedules or content filters through the account settings.

Account Deactivation: You can deactivate your Plume account through the Mobile App (for HomePass) or through the Plume website and by contacting Customer Support (for other Plume Services).

Mobile Device Tools: Mobile operating systems and mobile app platforms (e.g., Google Play, App Store) have permission settings for specific types of mobile device data and notifications, such as for access to contacts, geo-location services and so-called push notifications. You can use the settings on your Mobile Device to consent to or deny certain information collection and/or push notifications. You can stop all information collection from a Plume Mobile App by uninstalling it. If you uninstall a Plume Mobile App, please also consider checking your operating system’s settings to confirm that the unique identifier and other activity associated with your use of the Plume Mobile App is deleted from your Mobile Device.

Other rights and choices about your personal information depend on your place of habitual residence and the applicable Plume Services. Please see Section 13 for more information.

IF YOU RESIDE IN A JURISDICTION WITH PRIVACY LAWS THAT OFFER YOU PRIVACY RIGHTS NOT DESCRIBED IN THIS PRIVACY POLICY, PLEASE CONTACT PLUME AT PRIVACY@PLUME.COM. PLUME RESPECTS YOUR PRIVACY RIGHTS AND WE WILL DO OUR BEST TO ACCOMMODATE YOUR REQUESTS.

9. HOW DOES PLUME PROTECT CHILDREN’S PRIVACY?

You must be the age of majority in your place of residence or older to subscribe to the Plume Services. Plume does not knowingly collect personal information from minors without parental consent.

Plume does however offer various content control tools, including controls that parents can use. For example, a HomePass Customer Network administrator can set content access limitations for individuals and devices (e.g., making content that is tagged as ‘adult content’ inaccessible).

To learn more, please search the Support section on www.plume.com.

10. DOES PLUME TRANSFER PERSONAL INFORMATION TO OTHER COUNTRIES?

Plume may transfer personal information across borders to any of the places where Plume, the Plume Entities and its suppliers and partners do business. Other jurisdictions may have data protection laws that are different from (and, in some cases, less protective) than the laws where you reside.

Plume transfers personal information within the EU and to the UK and U.S. and to our customer service vendor in Egypt.

If your personal information is transferred across borders by Plume or on Plume’s behalf, Plume uses appropriate safeguards to protect personal information in accordance with this Plume Privacy Policy. Plume’s safeguards include standard contractual clauses and similar model contracts for transfers of personal information among Plume’s affiliates and among Plume’s suppliers and partners. When in place, these contracts require Plume’s affiliates, suppliers and partners to protect personal information in accordance with applicable privacy laws.

For transfers of personal information from the European Union, the United Kingdom (and Gibraltar) and Switzerland to the United States, Plume currently complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. For more information, please see the Plume Design Data Privacy Framework Privacy Policy available at www.plume.com/legal/en-GB/data-privacy-framework.

To request information about Plume’s standard contractual clauses and other safeguards for cross-border personal information transfers, please contact privacy@plume.com.

11. WHEN IS THIS PLUME PRIVACY POLICY CHANGED?

Plume may update this Plume Privacy Policy from time to time in response to changing legal, technical or business developments. When Plume updates the Plume Privacy Policy, Plume will post the updated version and change the “Last Updated” date above. You will have an opportunity to review the revised Plume Privacy Policy before it applies to you. Plume will provide you with 30-days’ prior written notice and ask that you consent to the updated Plume Privacy Policy in the manner required by applicable privacy laws. If you do not consent to the new Plume Privacy Policy, your ability to use the Plume Services may be limited.

Prior versions available upon request at legal@plume.com.

12. WHO DO I CONTACT WITH QUESTIONS?

The entity responsible for the processing of your personal information is Plume Design, Inc. unless otherwise stated for a certain Plume Mobile App or Plume Services or when Plume is acting as processor or service provider on behalf of one of Plume’s business Customers.

If you have questions or comments about the Plume Privacy Policy or Plume’s privacy practices, please contact us:

∙ by email at privacy@plume.com

∙ by mail at: Plume Design, Inc. Attn: Privacy325 Lytton Ave, Palo Alto, CA 94301

13. PRIVACY RIGHTS AND CHOICES IN SPECIFIC JURISDICTIONS

RESIDENTS OF EEA, SWITZERLAND AND UK

Plume Design, Inc., based in the United States of America, processes personal information jointly together with Plume Entities. Each Plume Entity will remain responsible for any requests in relation to the data processing and will provide you with the relevant information in this regard. You may, however, exercise your data subject rights described in this section also towards Plume Design, Inc.

EU Representative. Since Plume Design, Inc. is a U.S. business, Plume’s EU representative according to Art. 27 of the General Data Protection Regulation (GDPR) is Plume Design d.o.o., Železna cesta 14, 1000 Ljubljana, Slovenia.

Data Protection Officer. Plume’s data protection officer is available at privacy@plume.com.

Legal Bases for Processing. The legal bases for our processing of your personal information depend on the context in which the personal information is collected and processed. Generally, we only collect personal information (i) when we need the personal information to perform a contract with you (such as our Terms of Service), in which case we will advise you whether providing your personal information is mandatory and the possible consequences if you do not provide your personal information; (ii) when we have consent to do so; or (iii) when the processing is in our legitimate business interests and is not overridden by the privacy or other fundamental rights and freedoms of Users. If we collect and use personal information in reliance on our legitimate interests (or those of any third party), this interest is to provide the Plume Mobile Apps and Plume Services, communicate with you about Plume Mobile Apps and Plume Services, respond to queries, improve the Mobile Apps and Plume Services, advise Users about new features or maintenance, or undertake marketing activities and similar commercial interests to make the Mobile Apps and Plume Services available for you. We may have other legitimate interests and if appropriate, we will make clear our legitimate interests at the relevant time. In some cases, we also may have a legal obligation to collect personal information from Users. If we ask you to provide personal information to comply with a legal requirement, we will make this clear at the relevant time and advise you whether providing your personal information is mandatory and the possible consequences if you do not provide your personal information.

Data Subjects Rights. To the extent provided under the GDPR, UK GDPR and the Swiss Federal Act on Data Protection (FADP), you have the following rights with respect to personal information concerning you:

∙ Right to access your personal information in order to check and verify your personal information

∙ Right to rectification (i.e., correction, update), which also includes the right to complete incomplete or incorrect personal information by providing a supplementary statement

∙ Right to erasure of your personal information unless the processing is necessary on grounds listed in the applicable data protection laws (which might be the case if the processing is necessary to comply with a legal obligation, or to establish, exercise or defend legal claims)

∙ Right to restrict processing of your personal information if the conditions listed in the applicable data protection laws are met (which might be the case if you contest the accuracy of the personal information)

∙ Right to object to the processing. Pursuant to Art. 21 GDPR and the equivalent provisions under the UK GDPR and FADP, you have the right to object to certain processing of personal information processed by Plume, including processing based on the basis of Plume’s legitimate interests pursuant to Art. 6 par. 1 (f) GDPR and the equivalent provisions under the UK GDPR and FADP and to processing of personal information for the purpose of direct marketing.

∙ Right to data portability (i.e., to receive an electronic copy of your personal information that you have provided to us in a structured, commonly used, and machine-readable format for purposes of transmitting it to another controller)

∙ Right to withdraw consent at any time with future effect.

If you would like to access, rectify, erase, restrict or object to processing of personal information, or if you would like to receive an electronic copy of your personal information for purposes of transmitting it to another company (where this right to portability is provided to you by law), or if you would like to withdraw your consent please submit your request to using our Data Subject Rights Request form, or by sending your request to privacy@plume.com. (In your email, please include your email address and other information that you believe will help us verify and take action on your request.)

Transfer outside the EEA and UK. Plume transfers your personal information to countries outside the EEA or UK that are considered to offer adequate protection for personal information. In these cases, we will rely on an adequacy decision of the European Commission or Information Commissioner’s Office.

For transfers to countries outside of the EEA or UK that are not considered to offer an adequate protection of personal information:

o For transfers to the United States, Plume currently complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. For more information, please see the Plume Design Data Privacy Framework Privacy Policy available at www.plume.com/legal/en-GB/data-privacy-framework.

o For other transfers, unless an exception applies (e.g., Art. 49 GDPR), Plume relies on the standard contractual clauses approved by the European Commission and Information Commissioner’s Office and other permitted safeguards.

Transfers to countries outside of Switzerland. Plume transfers personal information to the EU, UK and U.S. and to our customer service vendor in Egypt. Plume transfers your personal information to countries that are considered to offer adequate protection of personal information. In these cases, we will rely on the FADP’s adequacy decision. For transfers to the United States, Plume currently complies with the Swiss-U.S. Data Privacy Framework. For more information, please see the Plume Design Data Privacy Framework Privacy Policy available at www.plume.com/legal/en-GB/data-privacy-framework. For other transfers, unless an exception applies, Plume relies on data protection clauses in contracts and other safeguards as permitted by the FADP.

Where necessary, Plume also agrees on additional measures to ensure an adequate level of data protection.

To request information about Plume’s standard contractual clauses and other safeguards for cross-border personal information transfers, please contact privacy@plume.com.

Statutory/Contractual Requirements. In some cases, you may choose not to provide your personal information or provide incomplete personal information. Some data is usually necessary for the execution of the contractual relationship with you since your personal information is required for setting up an account and the proper functioning of the Plume Services. Therefore, we might not be able to engage in or continue a contractual relationship with you should you refuse to provide us with the necessary information. In other cases, the fact of not providing your data may prevent you from benefitting from an advantage or service.

Data Protection Authority. You also have the right to lodge a complaint with a data protection authority in your place of residence if you consider that the collection and use of your personal data is inconsistent with this Plume Privacy Policy or applicable law.

For residents of EU: The contact details for data protection authorities are at https://edpb.europa.eu/about-edpb/about-edpb/members_en

For residents of UK: Your data protection authority is:

United Kingdom’s Data Protection Regulator

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF

Telephone: 0303 123 1113

Fax: 01625 524510

https://ico.org.uk/global/contact-us/

For residents of Switzerland: Your data protection authority is:

Switzerland’s Data Protection Regulator

Office of the Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1

CH - 3003 Berne

Tel: 41 (0)58 462 43 95 (mon.-fri., 10-12 am)

Telefax: 41 (0)58 465 99 96

https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html

RESIDENTS OF JAPAN

Plume shares personal information collected from or about residents of Japan or otherwise subject to the privacy laws of Japan under the following terms:

∙ all personal information described in this Plume Privacy Policy is used jointly (within the meaning of the privacy laws of Japan)

∙ the joint users are the Plume Entities (as defined in Section 5)

∙ the purpose of joint use of personal information is described above in this Plume Privacy Policy

∙ Plume Design, Inc., 325 Lytton Ave., Palo Alto, CA 94301 is responsible for the management of personal information under this Plume Privacy Policy

RESIDENTS OF SINGAPORE

If you believe that Plume’s personal information processing violates applicable law, please contact privacy@plume.com. You also have the right to lodge a complaint with the PDPC as follows:

Personal Data Protection Commission Singapore

Address: 10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438

Prior version: June 29, 2022, September 30, 2021