Privacy Terms

REALTYADS PRIVACY TERMS

LAST UPDATED: March 20th, 2024

These Privacy Terms are incorporated by reference into RealtyAds Platform Terms of Service and/or RealtyAds Enterprise Digital Advertise Agreement (the “Applicable Terms”).

For purposes of RealtyAds’ Processing of Company Personal Data governed by these Privacy Terms, Company’s privacy policy is available on its website. In addition to RealtyAds’ obligations and restrictions under the Applicable Terms, including these Privacy Terms, RealtyAds shall Process Company Personal Data on behalf of Company in accordance with that privacy notice.

1. Definitions. The following terms have the meanings set forth below.
1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with, either Company or RealtyAds respectively. “Control,” for purposes of this definition, means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.2. “Company Personal Data” means any Personal Data received by RealtyAds in order to perform obligations under the Applicable Terms. For the avoidance of doubt, Company Personal Data does not include (i) Personal Data that was not provided by Company, (ii) Personal Data that was provided by Company for the purpose of managing the parties business relationship (e.g., accounting and invoicing data), (iii) Personal Data independently created, managed, or controlled by RealtyAds.

1.3. “Data Protection Laws” means any and all laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, in any relevant jurisdiction, each as amended, replaced or superseded from time to time.

1.4. “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.5. “Personal Data” means (a) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household; and (b) any information defined as “personal data”, “personal information,” or other similar terms under applicable Data Protection Laws.

1.6. “Personal Data Breach” means (a) the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Company Personal Data transmitted, stored or otherwise Processed by RealtyAds or any Subprocessor; and (b) any other broader circumstance defined by applicable Data Protection Laws as a “breach,” “data breach,” “personal data breach” or other similar term.

1.7. “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

1.8. “Processor” means any person or entity which Processes Company Personal Data, including as applicable any “contractor” as those terms are defined by applicable Data Protection Laws.

1.9. “Regulator” means any independent public authority, government agency, and any similar regulatory authority responsible for the enforcement of Data Protection Laws.

1.10. “Services” means those Services contemplated under the Applicable Terms.

1.11. “Subprocessor” means any Processor (including any third party and any RealtyAds Affiliate) appointed by or on behalf of RealtyAds who may Process Company Personal Data.

2. Processing of Personal Data
2.1. Subject to RealtyAds’ compliance with these Privacy Terms, Company agrees to make Company Personal Data available to RealtyAds for the limited and specified purpose of providing the Services (i.e., carrying out the mandate or instructions provided by the Company). The subject-matter and details of RealtyAds’ Processing (including the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects) are set forth in Exhibit 1 attached to these Privacy Terms.

2.2. The subject-matter of the Processing, the types of Company Personal Data to be Processed, and the types of Data Subjects about whom information will be processed shall correspond to what is necessary to perform the Services.

2.3. RealtyAds acknowledges and agrees that, with regard to the Processing of Company Personal Data, RealtyAds is acting as a Processor. RealtyAds further certifies that it (a) understands the obligations and restrictions imposed on it by applicable Data Protection Laws in its role as a Processor; (b) will comply with all such obligations; and (c) will notify Company if RealtyAds determines it can no longer meet its obligations under applicable Data Protection Laws or these Privacy Terms. Company has the right to take reasonable and appropriate steps to help ensure that RealtyAds Processes Company Personal Data in a manner consistent with Company’s obligations under Data Protection Laws, including without limitation, the right upon notice to stop and remediate any unauthorized Processing of Company Personal Data.

2.4. RealtyAds will only Process Company Personal Data on behalf of Company (a) to the extent, and in such a manner, as is necessary for the purposes of fulfilling its obligations under the Applicable Terms; and (b) in accordance these Privacy Terms, which together constitute Company’s instructions. Nothing in this section shall restrict RealtyAds’ ability to Process Company Personal Data where required to do so by applicable law; provided, however, RealtyAds shall notify Company of such legal requirement before Processing, unless prohibited from doing so.

2.5. Without limiting RealtyAds obligations under Section 2.4, RealtyAds will not:
2.5.1. retain, use, or disclose Company Personal Data for any purpose other than to perform its obligations under the Applicable Terms;

2.5.2. “sell” or “share” (as those terms are defined by applicable Data Protection Laws) Company Personal Data; or

2.5.3. combine Company Personal Data with Personal Data RealtyAds receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to Cal. Civ. Code 1798.185(10)(a).

3. RealtyAds Personnel. RealtyAds will take reasonable steps to ensure that access to Company Personal Data is limited to those of its Affiliates, employees, agents, and subcontractors who (a) have a need to know or otherwise access Company Personal Data to perform obligations under the Applicable Terms and these Privacy Terms, and (b) who are bound in writing by confidentiality obligations sufficient to protect the confidentiality of Company Personal Data in accordance with the terms of these Privacy Terms.

4. Security. will implement and maintain appropriate technical and organizational safeguards to protect Company Personal Data that are no less rigorous than accepted industry standards for information security and will ensure that all such safeguards comply with applicable Data Protection Laws. Such safeguards are further specified in Exhibit 2 attached to these Privacy Terms. In assessing the appropriate level of security, RealtyAds will take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Company Personal Data transmitted, stored, or otherwise Processed.

5. Personal Data Breach
5.1. In the event of a Personal Data Breach impacting Company Personal Data, RealtyAds will (a) notify Company promptly, but in any event no later than the time period permitted under any applicable Data Protection Law, after RealtyAds becomes aware of such Personal Data Breach; (b) provide Company with sufficient details of the Personal Data Breach to allow Company to meet any obligations under Data Protection Laws to report or inform Data Subjects or relevant Regulators of the Personal Data Breach; and (c) cooperate with Company in the investigation, mitigation, and remediation of any such Personal Data Breach.

6. Subprocessors
6.1. Company hereby authorizes RealtyAds to retain Subprocessors as needed.

6.2. With respect to any Subprocessor, RealtyAds will:

6.2.1. upon request, provide Company with the identities of each Sub processor;

6.2.2. enter into a written agreement with each Subprocessor containing the same obligations imposed on RealtyAds under these Privacy Terms and applicable Data Protection Laws with respect to Company Personal Data; and

6.2.3. remain fully liable to Company for the performance of its Subprocessors.

7. Data Subject Rights
7.1. RealtyAds will promptly notify Company if it receives a request from a Data Subject regarding Company Personal Data, including a request by a Data Subject to exercise a right under Data Protection Laws.

7.2. RealtyAds will assist Company in fulfilling Company’s obligations to respond to such requests, including at minimum, maintaining the ability to access, modify, remove from Processing, or irrevocably delete or destroy the Personal Data of an individual Data Subject when requested by Company.

7.3. Should RealtyAds or any Subprocessor directly perform any data collection from Data Subjects in connection with the Company’s instructions, the RealtyAds will ensure that Data Subjects receive the Company’s Privacy Policy at or before the point at which any information is collected about the Data Subject.

8. Deletion or Return of Company Personal Data
8.1. At any time during the term of the Applicable Terms at Company’s request, or upon the termination or expiration of the Applicable Terms for any reason, RealtyAds will, and will instruct all Subprocessors to, promptly (a) return to Company all copies of Company Personal Data in its possession, or the possession of such Subprocessor, or (b) delete and procure the deletion of all other copies of Company Personal Data Processed by RealtyAds or any Subprocessor. RealtyAds will comply with all reasonable directions provided by Company with respect to the return or deletion of Company Personal Data.

8.2. Notwithstanding Section 8.1 above, RealtyAds may retain Company Personal Data if required by applicable Data Protection Laws. If required by law to retain Company Personal Data, RealtyAds will continue to ensure the security and confidentiality of such Company Personal Data and only Process such Company Personal Data as necessary for the purpose specified in the applicable Data Protection Laws requiring such storage.

9. Compliance and Audits
9.1. Upon Company’s request, RealtyAds will provide such assistance as Company reasonably requires in ensuring compliance with Company’s obligations under applicable Data Protection laws.

9.2. In addition to any audit rights Company may have under the Applicable Terms, RealtyAds will cooperate with audits or assessments of these Privacy Terms by providing reasonable access to knowledgeable personnel; physical premises; and any relevant records, documentation, processes, and systems.

10. International Data Transfers
10.1. If the Processing (including storage) of Company Personal Data involves the transfer of Company Personal Data from the European Economic Area (“EEA”) to a jurisdiction outside of the EEA where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the European Commission, the parties agree that such transfer(s) will be carried out in accordance with and subject to the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) as set out in Exhibit 3 attached to these Privacy Terms. To the extent there is any conflict between these Privacy Terms and the EU SCCs, the terms of the EU SCCs will prevail.

10.2. If the Processing (including storage) of Company Personal Data involves the transfer of Company Personal Data from the United Kingdom (“UK”) to a jurisdiction outside of the UK where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the UK Information Commissioners Office (“ICO”), the Parties agree that such transfer(s) will be carried out in accordance with and subject to the International Data Transfer Agreement A1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (“UK IDTA”) as set out in Exhibit 4 attached to these Privacy Terms. To the extent there is any conflict between these Privacy Terms and the UK IDTA, the terms of the UK IDTA will prevail.

11. Changes in Data Protection Laws. If any variation is required to these Privacy Terms as a result of a change in or subsequently applicable Data Protection Laws, the parties agree to discuss and negotiate in good faith any variations to these Privacy Terms necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable.


General Terms. Should any provision of these Privacy Terms be invalid or unenforceable, then the remainder of these Privacy Terms will remain valid and in force. The invalid or unenforceable provision will be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. These Privacy Terms and the other portions of the Applicable Terms will be read together and construed, to the extent possible, to be in concert with each other. In the event of any conflict between the Applicable Terms and these Privacy Terms, these Privacy Terms will govern with respect to the subject matter of these Privacy Terms.


List of Exhibits:
Exhibit 1: Details of Processing
Exhibit 2: Description of Technical and Organizational Security Measures
Exhibit 3: EU SCCs
Exhibit 4: UK IDTA










Exhibit 1
Details of Processing


1. Subject Matter of Processing
The subject-matter of Processing of Company Personal Data by RealtyAds is the performance of the Services pursuant to the Applicable Terms.


2. Nature and Purpose of Processing
Company Personal Data will be Processed as necessary to perform the Services pursuant to the Applicable Terms and will be subject to the processing activities described in any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Applicable Terms.


3. Duration of Processing
Subject to section 8 of these Privacy Terms, RealtyAds will Process Company Personal Data for the duration of the Applicable Terms, unless otherwise agreed upon in writing.


4. Categories of Data Subjects
The types of Data Subject shall be as is contemplated or related to the Processing described in any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Applicable Terms.


5. Types of Personal Data
The types of Company Personal Data shall be as is contemplated or related to the Processing described in any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Applicable Terms.


6. Special Categories of Data (if applicable)
The Processing does not involve any special categories of data.


7. Supervisory Authority
The supervisory authority with jurisdiction over the Exporter is where the Exporter is based if based in Europe.


8. List of Subprocessors
The following table sets out the list of Subprocessors that Company has specifically authorized as of the Effective Date.

Entity Name Entity Country Description of Service/Processing Activity
Google Cloud Platform US Physical hosting provider for servers/database and cloud infrastructure
Meta Platforms US Digital advertising network used for client ads and audience creation
Google Ads US Digital advertising network used for client ads and audience creation
X Corp US Digital advertising network used for client ads and audience creation
LinkedIn US Digital advertising network used for client ads and audience creation
Xandr US Digital advertising network used for client ads and audience creation
ByteDance US Digital advertising network used for client ads and audience creation
Atlassian US Internal management/tracking of software development projects
Mailchimp/Mandrill US Transactional email service
Google Workspace US Email and business suite service
Slack US Internal company messaging communication









Exhibit 2
Description of Technical and Organizational Security Measures


RealtyAds will implement and maintain appropriate technical and organizational measures to meet its obligations under applicable Data Protection Laws. For example, RealtyAds will:


  • inform all employees that Company Personal Data is confidential and subject to contractual and legal protections;
  • instruct employees to access or display Company Personal Data only in secure locations;
  • require that all devices used to store or transfer Company Personal Data are encrypted and subject to a strong password policy that requires a password at initial startup and upon waking from sleep;
  • require multi-factor authorization and other account protection as available;
  • prohibit employees from using portable drives to hold Company Personal Data;
  • protect servers behind a firewall and perform vulnerability tests at least biweekly, remediating every 30 days;
  • use reasonable technical and organizational measures to ensure that Company Personal Data is (i) encrypted when in transit and at rest in a manner designed to prevent access by third parties without appropriate credentials (including government agencies); and (ii) anonymized or pseudonymized where appropriate in light of the purposes of the relevant Processing activities; and
  • only transfer Company Personal Data using unique and randomly generated links for sharing files, which automatically expire at a maximum of 10 days.








Exhibit 3
Standard Contractual Clauses - Controller to Processor


The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. The Parties agree that the following terms apply:

1. Clause 7: The Parties have chosen to include Clause 7.

2. Clause 9(a): The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 20 in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

3. Clause 11(a): The Parties do not incorporate the optional language.

4. Clause 13(a): The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

5. Clause 17: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

6. Clause 18(b): The Parties agree that those shall be the courts of the Republic of Ireland.

7. For Annex I(A), (B), and (C) refer to Exhibit 1 of these Privacy Terms.

8. For Annex II a description of the technical and organisational measures implemented by the data importer(s) is set forth in Exhibit 2 of these Privacy Terms.







Exhibit 4
UK International Data Transfer Agreement




Part 1: Tables


Table 1: Parties and signatures

Start date The Effective Date of the Privacy Terms
The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer)
Parties’ details Company who accepted the Subscription Agreement RealtyAds
Key Contact Company who accepted the Subscription Agreement RealtyAds
Importer Data Subject Contact Company who accepted the Subscription Agreement RealtyAds
Signatures confirming each Party agrees to be bound by this IDTA Company who accepted the Subscription Agreement RealtyAds


Table 2: Transfer Details

UK country’s law that governs the IDTA:
England and Wales
Northern Ireland
Scotland
Primary place for legal claims to be made by the Parties
England and Wales
Northern Ireland
Scotland
The status of the Exporter
In relation to the Processing of the Transferred Data:
Exporter is a Controller
Exporter is a Processor or Sub-Processor
The status of the Importer
In relation to the Processing of the Transferred Data:
Importer is a Controller
Importer is the Exporter’s Processor or Sub-Processor
Importer is not the Exporter’s Processor or Sub-Processor (and the Importer has been instructed by a Third Party Controller)
Whether UK GDPR applies to the Importer
UK GDPR applies to the Importer’s Processing of the Transferred Data
UK GDPR does not apply to the Importer’s Processing of the Transferred Data
Linked Agreement
If the Importer is the Exporter’s Processor or Sub-Processor – the agreement(s) between the Parties which sets out the Processor’s or Sub-Processor’s instructions for Processing the Transferred Data:

Name of agreement: Data Processing Addendum (the “Privacy Terms”)

Date of agreement: See Privacy Terms

Parties to the agreement: RealtyAds and the Company who accepted the Subscription Agreement.

Reference (if any): N/A

Other agreements – any agreement(s) between the Parties which set out additional obligations in relation to the Transferred Data, such as a data sharing agreement or service agreement:

Name of agreement: See Applicable Terms

Date of agreement: See Applicable Terms

Parties to the agreement: RealtyAds and the Company who accepted the Subscription Agreement.

Reference (if any): N/A
Term
The Importer may Process the Transferred Data for the following time period:
the period for which the Linked Agreement is in force
time period:
(only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.
Ending the IDTA before the end of the Term
the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.
the Parties can end the IDTA before the end of the Term by serving: ___ months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).
Ending the IDTA when the Approved IDTA changes
Which Parties may end the IDTA as set out in Section ‎29.2:
Importer
Exporter
neither Party
Can the Importer make further transfers of the Transferred Data?
The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
Specific restrictions when the Importer may transfer on the Transferred Data
The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:
if the Exporter tells it in writing that it may do so.
to: ___
to the authorised receivers (or the categories of authorised receivers) set out in:
there are no specific restrictions.
Review Dates
First review date: Effective Date of the Privacy Terms The Parties must review the Security Requirements at least once:
each ____ month(s)
each quarter
each 6 months
each year
each ___ year(s)
each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment, to the extent that Importer is made aware of such changes; Importer will conduct a review at the time of contract renewal


Table 3: Transferred Data

UK country’s law that governs the IDTA:
The personal data to be sent to the Importer under this IDTA consists of that data outlined in Exhibit 1 of the Privacy Terms.

The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.
Special Categories of Personal Data and criminal convictions and offences
The Transferred Data includes data relating to that data outlined in Exhibit 1 of the Privacy Terms.

The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
Relevant Data Subjects
The Data Subjects of the Transferred Data are those data subjects outlined in Exhibit 1 of the Privacy Terms.

The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
Purpose
The Importer may Process the Transferred Data for the purposes set out in the Privacy Terms. The purposes will update automatically if the information is updated in the Linked Agreement referred to.


Table 4: Security Requirements

Security of Transmission
As set out in Exhibit 2 of the Privacy Terms.
Security of Storage
As set out in Exhibit 2 of the Privacy Terms.
Security of Processing
As set out in Exhibit 2 of the Privacy Terms.
Organisational security measures
As set out in Exhibit 2 of the Privacy Terms.
Technical security minimum requirements
As set out in Exhibit 2 of the Privacy Terms.
Updates to the Security Requirements
The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.


Part 2: Extra Protection Clauses
Extra Protection Clauses:
N/A


Part 3: Commercial Clauses
Commercial Clauses
Commercial Clauses are not used


Part 4: Mandatory Clauses
Mandatory Clauses
Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎5.4 of those Mandatory Clauses.