Privacy Notice for California Residents

Company
Compliance
US State Privacy Notices
Privacy Notice for California Residents

Back

Effective Date: January 1, 2020
(updated 18 July 2024)

This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS (“Privacy Notice” of “Collection Notice”) is provided by Epicor Software Corporation (“Epicor” and collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”).

This Privacy Notice is a California-specific Notice at Collection and is prepared and published in accordance with the California Consumer Privacy Act (“CCPA”) as amended by California Privacy Rights Act (“CPRA”).

This Privacy Notice is supplemental to Epicor’s European and US Privacy Policy.

Any terms defined in the CCPA (as amended by CPRA), and the proposed regulations have the same meaning when used in this Privacy Notice.

Information We Collect

We collect offline and online personal information that you provide us voluntarily or for which you otherwise consent to collection. Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. (“personal information”, “PI”).

We have as a company collected the following general categories of personal information within the last twelve (12) months and may use or disclose such personal information for one or more business or commercial purposes:

Category	Examples of Personal Information	Categories of Sources from which the PI is Collected	Business or Commercial Purpose	Categories of third parties with whom PI is shared	Retention Period
Identifiers	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.	•From you • From your devices when you interact with our websites or mobile apps • From Epicor employees when you interact with them and provide PI	• To fulfil or meet the reason for which the information is provided. • To provide the services you requested. • To evaluate your potential fit for employment opportunities. • Manage payments, collections, fees and charges. • For testing, analytics, research, analysis, and product development, including to develop and improve our website, products, and services. • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses. • To personalize your website experience and to deliver content and product and service offerings relevant to your interests, through our website, third-party sites, and via email or text messages. • To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you. • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.	•Co-Marketing Partners •Advertising Platforms •Social Media Platforms •Analytics Providers •Marketing Companies	6 years from last contact
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.	• From you • From your devices when you interact with our websites or mobile apps • From Epicor employees when you interact with them and provide PI	• To fulfil or meet the reason you provided the information. • To evaluate your potential fit for employment opportunities • To carry out our obligations and enforce our rights arising from any contracts entered between you and us, including for billing and collections • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our website users is among the assets transferred. • To provide you with information, products or services that you request from us. • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.	• Payment processors	6 years from last contact
Protected classification characteristics under California or federal law.	Age (40 years or older), race, colour, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	•From you • From your devices when you interact with our websites or mobile apps • From Epicor employees when you interact with them and provide PI	• To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations, such as tracking data on applicants' protected class status for use in measuring the success of our EEO or affirmative action efforts. • To carry out our obligations and enforce our rights arising from any contracts entered between you and us. • To evaluate your potential fit for employment opportunities.	None. Sensitive PI is not shared with third parties other than as required by law.	Not Applicable.
Commercial information	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	• From you • From your devices when you interact with our websites or mobile apps • From Epicor employees when you interact with them and provide PI	• To carry out our obligations and enforce our rights arising from any contracts entered between you and us for product or services purchased. • To provide you with information, products or services that you request from us. • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations. • To perform troubleshooting as requested by customers.	• Service providers and other necessary vendors • Sub-Service Providers and/or sub-processors	6 years from last contact
Internet or other similar network activity.	Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.	• From you when you interact with our website or any of our internal systems	• To help maintain the safety, security, and integrity of our website, services, databases and other technology assets, used to support our business. • For testing, research, analysis, and product development, including to develop and improve our website and services. • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.	• Security Operation Centre (SOC) service provider	2 years
Sensory data	Audio	• From you	• Responding to your audio or voice recordings.	Call recording service providers.	2 years
Professional or employment-related information.	Current job history or performance evaluations, Professional Membership information, certifications, licenses or credentials	• From you • From recruiters	• To evaluate your potential fit for employment opportunities. • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.	• Recruitment Agencies	7 years after employment ends
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student or prior student maintained by an educational institution or party acting on its behalf, such as grades, transcripts.	• From you • From an education institution or provider	• To evaluate your potential fit for employment opportunities. • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.	• Recruitment Agencies	7 years after employment ends
Inferences drawn from other personal information.	Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.	• From observations	• To provide career development feedback and guidance to employees. • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.	• None	Not Applicable.

Sensitive Personal information

Sensitive personal information is a subtype of personal information consisting of specific categories of personal information. We do not knowingly collect sensitive personal information or use it to infer characteristics about a person. When using Epicor products and applications (including products offered by some Epicor affiliates such as Grow.com through Grow.com website or other web based portal) Epicor has strict contractual measures in place (under Epicor’s Master Customer Agreement, Master Terms and Conditions) that prohibit you from providing and/or uploading and/or sharing sensitive personal information with Epicor and, as such, Epicor does not collect any sensitive personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We do not collect any information about criminal convictions and offences, and you should not provide such sensitive personal information to Epicor.

Sharing Personal information

We may disclose your personal information to a third party, our affiliates, agents, or service providers and other third-party vendors for a business purpose as described above. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to keep that personal information confidential and not use it for any purpose except for fulfilling requirements and services being performed under contract.

Do Not Sell. We do not sell personal information (including sensitive personal information) and in the preceding twelve (12) months, we have not sold any personal information. However, we do share information with third parties but only as directed by you through your opt-in to non-essential cookies. You may exercise your rights to opt out via our Do Not Sell My Personal Information link.

Your Rights

CCPA (as amended by CPRA) provides California residents with specific rights regarding their personal information. This section describes those rights.

Right

Description of Right

Verification Process

Actions

Access to Your Personal Information (Right to Know)

You have the right to request that Epicor disclose certain information to you about our collection and use of your personal information over the past 12 months.

As part of our verification process of your request we will ensure reasonable measures are in place to detect fraudulent requests and prevent unauthorized access to your personal information. We are required to verify your identity, and the identity of your authorized agent, if the request is submitted via an agent by associating the information provided in the request to any personal information previously collected by us or use a third-party identity verification service.

Any personal information requested or collected for the purpose of identity verification for a “Right to Know” request is only used for that purpose and for security or fraud-prevention.

If the Personal Information is de-identified or in aggregate form, we will not re-identify the data to verify your request. We will not disclose your Social Security Number, driver License number or other government-issued identification number, financial account number, or any health insurance or medical identification number and will explain the basis for the denial, as well as any other personal information that is sensitive, as defined in California Civil Code section 1798.81.5 (d).

If you maintain a password-protected account with us, we may verify your identity through existing authentication practices and also require you to re-authenticate before exercising your right to the personal information requested.

If we suspect fraudulent or malicious activity on or from the password-protected account, we shall not comply with the request until further verification procedures determine that you have made the request, and we have authenticated and verified your identity as the person that has made the request.

Once we can confirm your verifiable request we will disclose to you:

The categories of personal information we collected about you.
The categories of sources for the personal information we collected about you.
Our business purpose for collecting that personal information.
The categories of third parties with whom we share that personal information.
Specific pieces of personal information we collected about you, if requested.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.

Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

Before actioning your request, we will undertake the same verification process as set out immediately above for Right to Know requests.

If any of the following exceptions apply, we may deny your deletion request if retaining the information is necessary for us or our service providers to:

Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete any new personal information collected as soon as practical after processing the request, except as required to comply with the record keeping requirements.

Right to Opt-Out of Sales of Personal Information

You have the right to request that we do not sell your personal information that we collected from you and retained.

Before actioning your request, we will undertake the same verification process as set out immediately above for Right to Know requests.

You may exercise your right to opt-out of the sale of your personal information by submitting your request via our online Do Not Sell My Personal Information Form

Right to correct inaccurate personal information

You have the right to request that we correct any of your personal information that we have collected from you and retained, subject to certain exceptions.

Once we receive and confirm your verifiable consumer request, we will correct (and direct our service providers to correct) your personal information from our records, unless an exception applies.

Before actioning your request, we will undertake the same verification process as set out immediately above for Right to Know requests.

We will correct any personal information collected as soon as practical after processing the request, except as required to comply with the record keeping requirements and/or by law.

Right of freedom from discrimination for opting out.

You have the right to know about and opt out of any type of automated decision-making that may lead to discrimination.

You also have the right not to be discriminated against for withdrawing consent and/or opting out of personal information sharing or sales.

Epicor does not engage in and/or utilise third parties to conduct automated decision making using personal information thus Epicor will not be able to action any requests to opt-out of automated decision making.

Epicor does not penalise any users or consumers from exercising its rights to withdraw consent to the processing of its personal information and/or exercising its rights to opt-out.

Epicor does not sell personal information, so not applicable

Submitting Consumer Rights Requests

To exercise the rights described above, you can contact us by submitting your request by either:

Calling us Toll-Free at 800.999.1809, Option #8
Submitting you request online at www.epicor.com/en-us/company/compliance/ccpa/personal-information-request

Only you or your authorized agent may make a verifiable consumer request related to your personal information. If you use an authorized agent to submit a request on your behalf, we may require that you (1) provide the authorized agent written permission to do so and provide a copy of the authorization to us; and (2) that we verify the identity of the authorized agent. These will not be required if your authorized agent can provide to us a copy of a power of attorney pursuant to Probate Code sections 4000 to 4465.

You may only make a verifiable consumer request twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to verify you are the person about whom we collected personal information or an authorized agent.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify your identity or authority to make the request.

Response Timing and Format

Upon receiving your request to know or a request to delete, we will process your request or notify you if the request requires an extension or will be denied.

We are required to provide a respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period. If you have an account with us, we may deliver our response to that account. If you do not have an account with us, we will deliver our response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Financial Incentives

We sponsor promotional contests and sweepstakes and use the information we collect for marketing purposes. You must opt-in to receive the incentive and will have the right to subsequently opt-out.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights (amended by CPRA).

“Shine the Light Law”

While we do not provide your personal information to third parties for their use in marketing, under California law, California residents have the right to opt-out of such use of your personal information if it occurs.

Changes to this Privacy Notice and Policy

We reserve the right to amend this privacy notice and policy at our discretion and at any time. When we make changes to this Privacy Notice and policy, we will notify you through a notice on our website homepage.

Contact Information

If you have any questions or comments about this Privacy Notice, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, or need this disclosure in another format you may address your questions or comments to:

Epicor Software Corporation
Las Cimas II

807 Las Cimas Parkway, Suite 400
Austin, Texas 78746
USA