Privacy Notice for Iowa Residents
Effective Date: 1 January 2025
(updated 1 January 2025)
This PRIVACY NOTICE and POLICY FOR IOWA RESIDENTS (“Privacy Notice” or “Collection Notice”) is provided by Epicor Software Corporation (“Epicor” and collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of Iowa (“consumers” or “you”).
This Privacy Notice is an Iowa-specific Notice at Collection and is prepared and published in accordance with Iowa’s Consumer Data Protection Act (“ICDPA”).
This Privacy Notice is supplemental to Epicor’s European and US Privacy Policy.
Any terms defined in the ICDPA and the proposed regulations have the same meaning when used in this Privacy Notice.
Information We Collect
We collect offline and online personal data that you provide us voluntarily or for which you otherwise consent to collection. Personal data means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal data”).
We have as a company collected the following general categories of personal data within the last twelve (12) months and may use or disclose such personal data for one or more business or commercial purposes:
| Category | Examples of Personal data | Categories of Sources from which the personal data is Collected | Business or Commercial Purpose | Categories of third parties with whom personal data is shared | Retention Period |
| --- | --- | --- | --- | --- | --- |
| Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | • From you | • To fulfil or meet the reason for which the information is provided. | • Co-Marketing Partners | 6 years from last contact |
| Personal data categories listed in Customer Records under federal or state law | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal data included in this category may overlap with other categories. | • From you | • To fulfil or meet the reason you provided the information. | • Payment processors | 6 years from last contact |
| Protected classification characteristics under federal law. | Age (40 years or older), race, colour, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | • From you | • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations, such as tracking data on applicants' protected class status for use in measuring the success of our EEO or affirmative action efforts. | None. Sensitive personal data is not shared with third parties other than as required by law. | Not Applicable. |
| Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | • From you | • To carry out our obligations and enforce our rights arising from any contracts entered between you and us for product or services purchased. | • Service providers and other necessary vendors • Sub-Service Providers and/or sub-processors | 6 years from last contact |
| Internet or other similar network activity. | Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. | • From you when you interact with our website or any of our internal systems | • To help maintain the safety, security, and integrity of our website, services, databases and other technology assets, used to support our business. | • Security Operation Centre (SOC) service provider | 2 years |
| Sensory data | Audio | • From you | • Responding to your audio or voice recordings. | Call recording service providers. | 2 years |
| Professional or employment-related information. | Current job history or performance evaluations, Professional Membership information, certifications, licenses or credentials | • From you | • To evaluate your potential fit for employment opportunities. | • Recruitment Agencies | 7 years after employment ends |
| Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student or prior student maintained by an educational institution or party acting on its behalf, such as grades, transcripts. | • From you | • To evaluate your potential fit for employment opportunities. | • Recruitment Agencies | 7 years after employment ends |
| Inferences drawn from other personal data. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes. | • From observations | • To provide career development feedback and guidance to employees. | • None | Not Applicable. |
Sensitive Personal data
Sensitive personal data is a subtype of personal data consisting of specific categories of personal data. We do not knowingly collect sensitive personal data or use it to infer characteristics about a person. When using Epicor products and applications (including products offered by some Epicor affiliates such as Grow.com through the Grow.com website or other web-based portal), Epicor has strict contractual measures in place (under Epicor’s Master Customer Agreement, Master Terms and Conditions) that prohibit you from providing and/or uploading and/or sharing sensitive personal data with Epicor and, as such, Epicor does not collect any sensitive personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We do not collect any information about criminal convictions and offences, and you should not provide such sensitive personal data to Epicor.
Sharing Personal data
We may disclose your personal data to a third party, our affiliates, agents, or service providers and other third-party vendors for a business purpose as described above. When we disclose personal data for a business purpose, we enter a contract that describes the purpose and requires the recipient to keep that personal data confidential and not use it for any purpose except for fulfilling requirements and services being performed under contract.
Do Not Sell. We do not sell personal data (including sensitive personal data) and in the preceding twelve (12) months, we have not sold any personal data. However, we do share information with third parties but only as directed by you through your opt-in to non-essential cookies.
Your Rights
ICDPA provides Iowa residents with specific rights regarding their personal data. This section describes those rights.
Right |
Description of Right |
Verification Process |
Actions |
Access to your personal data (Right to Know)
|
You have the right to request that Epicor disclose certain information to you about our collection and use of your personal data over the past 12 months.
|
As part of our verification process of your request, we will ensure reasonable measures are in place to detect fraudulent requests and prevent unauthorized access to your personal data. We are required to verify your identity, and the identity of your authorized agent if the request is submitted via an agent, by associating the information provided in the request with any personal data previously collected by us or by using a third-party identity verification service.
Any personal data requested or collected for the purpose of identity verification for a “Right to Know” request is only used for that purpose and for security or fraud-prevention.
If the personal data is de-identified or in aggregate form, we will not re-identify the data to verify your request. We will not disclose your Social Security number, driver's license number or other government-issued identification number, financial account number, any health insurance or medical identification number, or any other personal data that is sensitive, as defined in Iowa Civil Code section 1798.81.5 (d), and we will explain the basis for the denial.
If you maintain a password-protected account with us, we may verify your identity through existing authentication practices and also require you to re-authenticate before exercising your right to the personal data requested.
If we suspect fraudulent or malicious activity on or from the password-protected account, we shall not comply with the request until further verification procedures determine that you have made the request, and we have authenticated and verified your identity as the person that has made the request.
|
Once we can confirm your verifiable request we will disclose to you: · The categories of personal data we collected about you. · The categories of sources for the personal data we collected about you. · Our business purpose for collecting that personal data. · The categories of third parties with whom we share that personal data. · Specific pieces of personal data we collected about you, if requested.
|
Deletion Request Rights (Right to Delete) |
You have the right to request that we delete any of your personal data that we collected from you and retained, subject to certain exceptions.
Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal data from our records, unless an exception applies.
|
Before actioning your request, we will undertake the same verification process as set out immediately above for Right to Know requests.
If any of the following exceptions apply, we may deny your deletion request if retaining the information is necessary for us or our service providers to: 1. Complete the transaction for which we collected the personal data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you. 2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities. 3. Debug products to identify and repair errors that impair existing intended functionality. 4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law. 5. Comply with the Iowa Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.). 6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent. 7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us. 8. Comply with a legal obligation. 9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
|
We will delete any new personal data collected as soon as practical after processing the request, except as required to comply with the record keeping requirements.
|
Right to Opt-Out of Sales of personal data (Right to Opt Out) |
You have the right to request that we do not sell your personal data that we collected from you and retained. |
Before actioning your request, we will undertake the same verification process as set out immediately above for Right to Know requests.
|
Epicor does not sell your personal data. In case you are unsure, you may exercise your right to opt-out of the sale of your personal data by submitting your request via our online Do Not Sell My Personal data Form |
Right to opt out of processing for profiling and/or targeted advertising (Right to Opt Out) |
You have the right to opt-out of processing for profiling and/or targeted advertising |
Epicor does not engage in the processing of personal data for the purposes of profiling and/or targeted advertising. |
Not applicable as Epicor does not engage in profiling and/or targeted advertising.
If you wish to withdraw your consent to marketing or opt-out of marketing emails, you can opt-out using this Opt-Out web form. |
Right to Portability
|
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. |
Before actioning your request, we will undertake the same verification process as set out immediately above for Right to Know requests. The right only applies to information that you, as an individual, have provided to Epicor as a data controller.
|
We will action the request to port personal data collected as soon as practical after processing the request, except as required to comply with laws and/or any record keeping requirements.
|
Right of freedom from discrimination for opting out. (Freedom from Discrimination) |
You have the right to know about and opt out of any type of automated decision-making that may lead to discrimination.
You also have the right not to be discriminated against for withdrawing consent and/or opting out of personal data sharing or sales. |
Epicor does not engage in and/or utilise third parties to conduct automated decision-making using personal data; thus, Epicor will not be able to action any requests to opt-out of automated decision-making.
Epicor does not discriminate against any users or consumers for exercising their rights to withdraw consent to the processing of their personal data and/or exercising their rights to opt-out. |
Not applicable. Epicor does not sell personal data. Epicor does not discriminate for opting out. |
Submitting Consumer Rights Requests
To exercise the rights described above, you can contact us by submitting your request by either:
Only you or your authorized agent may make a verifiable consumer request related to your personal data. If you use an authorized agent to submit a request on your behalf, we may require that you (1) provide the authorized agent written permission to do so and provide a copy of the authorization to us; and (2) that we verify the identity of the authorized agent. These will not be required if your authorized agent can provide to us a copy of a power of attorney pursuant to Probate Code sections 4000 to 4465.
You may only make a verifiable consumer request twice within a 12-month period. The verifiable consumer request must:
We cannot respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal data provided in a verifiable consumer request to verify your identity or authority to make the request.
Response Timing and Format
Upon receiving your request to know or a request to delete, we will process your request or notify you if the request requires an extension or will be denied.
We are required to provide a response to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period. If you have an account with us, we may deliver our response to that account. If you do not have an account with us, we will deliver our response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Financial Incentives
We sponsor promotional contests and sweepstakes and use the information we collect for marketing purposes. You must opt-in to receive the incentive and will have the right to subsequently opt-out.
Non-Discrimination
We will not discriminate against you for exercising any of your consumer rights.
Changes to this Privacy Notice and Policy
We reserve the right to amend this Privacy Notice and policy at our discretion and at any time. When we make changes to this Privacy Notice and policy, we will notify you through a notice on our website homepage.
Contact Information
If you have any questions or comments about this Privacy Notice, the ways in which we collect and use your personal data, or your choices and rights regarding such use, or if you wish to exercise your rights under Iowa law or need this Privacy Notice in another format, you may address your questions or comments to:
Epicor Software Corporation
Las Cimas II
807 Las Cimas Parkway, Suite 400
Austin, Texas 78746
USA
Attention: Legal Department