MTRAF

CCPA Compliance Policy

Effective Date: January 1, 2024

1. Introduction

This CCPA Compliance Policy ("CCPA Policy") supplements our main Privacy Policy and specifically addresses our compliance with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This policy applies to all California residents and consumers whose personal information is collected, processed, or sold by Mtraf Affiliate Network SRL.

Company Information:
Company Name: MTRAF Affiliate Network SRL
Registered Address: Suite 101, 1st Floor, Eden Plaza, Eden Island, Mahe, Seychelles
Business Purpose: Affiliate marketing and digital advertising services
CCPA Contact: [email protected]

2. CCPA Applicability and Consumer Obligations

2.1 Mandatory CCPA Declaration
CRITICAL: Before activating your account or using our services, you MUST declare whether you are a California resident subject to CCPA protection.

CCPA Declaration Requirement:
- All users must indicate whether they are California residents
- This declaration is mandatory and cannot be bypassed
- Failure to provide accurate CCPA status may result in account suspension or termination
- Users must update their CCPA status if they move to or from California

Declaration Options:
✅ I am a California resident (Subject to CCPA protection)
❌ I am not a California resident (Not subject to CCPA protection)

2.2 CCPA Consumer Definition
California Consumer:
- Natural person who is a California resident
- Resident for tax purposes or domiciled in California
- Temporary or permanent California residence
- California-based business or organization

Exclusions:
- Non-California residents
- Business-to-business transactions (in certain circumstances)
- Employment-related information (separate protections apply)
- Publicly available information

3. Categories of Personal Information Collected

3.1 Identifiers
Personal Identifiers:
- Name, alias, postal address, unique personal identifier
- Online identifier, internet protocol address
- Email address, account name, social security number
- Driver's license number, passport number, or other similar identifiers

Collection Sources:
- Direct collection from consumers
- Website and mobile application usage
- Third-party data providers
- Public records and databases

3.2 Personal Information Categories
Personal Information (Cal. Civ. Code § 1798.140(v)):
- Information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household
- Includes but not limited to: name, signature, address, telephone number, education, employment, employment history
- Financial information, medical information, health insurance information

Sensitive Personal Information:
- Social security, driver's license, state identification card, or passport number
- Account log-in, financial account, debit card, or credit card number with security code
- Precise geolocation data
- Racial or ethnic origin, religious or philosophical beliefs, union membership
- Contents of mail, email, and text messages
- Genetic data, biometric information, health information, sex life or sexual orientation

3.3 Commercial Information
Commercial Data:
- Records of personal property, products or services purchased
- Obtained, or considered, or other purchasing or consuming histories or tendencies
- Payment and transaction history
- Marketing preferences and behavior

3.4 Internet Activity
Online Behavior:
- Browsing history, search history, information on consumer's interaction with website
- Application, or advertisement
- Clickstream data, page views, time spent on pages
- Device information and technical data

3.5 Geolocation Data
Location Information:
- Precise geolocation data (within 1,850 feet radius)
- General location information (city, state, country)
- IP address-based location data
- Mobile device location services

4. Business Purposes for Data Collection

4.1 Primary Business Purposes
Service Provision:
- Providing requested products and services
- Processing transactions and payments
- Managing customer accounts and relationships
- Providing customer support and assistance

Business Operations:
- Auditing and quality assurance
- Security and fraud prevention
- Debugging and error correction
- Short-term transient use

Research and Development:
- Internal research and analytics
- Product and service improvement
- Market research and analysis
- Scientific research and development

4.2 Commercial Purposes
Marketing and Advertising:
- Targeted advertising and marketing
- Cross-context behavioral advertising
- Personalization and customization
- Campaign measurement and optimization

Third-Party Sharing:
- Data sharing with business partners
- Affiliate network operations
- Advertising and marketing partners
- Service providers and vendors

5. Consumer Rights Under CCPA

5.1 Right to Know
Right to Know What Personal Information is Collected:
- Categories of personal information collected
- Categories of sources from which personal information is collected
- Business or commercial purpose for collecting personal information
- Categories of third parties with whom personal information is shared

Right to Know What Personal Information is Sold or Shared:
- Categories of personal information sold or shared
- Categories of third parties to whom personal information is sold or shared
- Categories of personal information disclosed for business purposes
- Categories of third parties to whom personal information is disclosed

5.2 Right to Access
Right to Access Personal Information:
- Request for specific pieces of personal information
- Request for categories of personal information
- Request for personal information collected in the past 12 months
- Request for personal information sold or shared in the past 12 months

Access Request Process:
- Verification of consumer identity
- Delivery of personal information in portable format
- Response within 45 days (extendable to 90 days)
- No charge for first two requests per 12-month period

5.3 Right to Delete
Right to Request Deletion:
- Deletion of personal information from records
- Direct service providers to delete personal information
- Deletion from all systems and backups
- Notification to third parties of deletion request

Deletion Exceptions:
- Complete transactions and provide requested services
- Security and fraud prevention
- Debugging and error correction
- Legal compliance and obligations
- Research and development (deidentified data)
- Internal uses aligned with consumer expectations

5.4 Right to Correct
Right to Request Correction:
- Correction of inaccurate personal information
- Verification of accuracy before correction
- Notification to third parties of corrections
- Documentation of correction process

Correction Process:
- Verification of consumer identity
- Assessment of accuracy and completeness
- Implementation of corrections
- Response within 45 days (extendable to 90 days)

5.5 Right to Opt-Out
Right to Opt-Out of Sale/Sharing:
- Opt-out of sale of personal information
- Opt-out of sharing of personal information
- Opt-out of cross-context behavioral advertising
- Opt-out of targeted advertising

Opt-Out Mechanisms:
- "Do Not Sell or Share My Personal Information" link
- Opt-out preference signals (GPC)
- Account settings and preference centers
- Customer service opt-out requests

5.6 Right to Limit Use and Disclosure
Right to Limit Sensitive Personal Information:
- Limit use of sensitive personal information
- Limit disclosure of sensitive personal information
- Opt-out of certain processing activities
- Control over sensitive data processing

Limitation Process:
- Clear notice of sensitive data processing
- Opt-out mechanisms for sensitive data
- Respect for consumer preferences
- Documentation of limitations

6. Data Sales and Sharing

6.1 Definition of Sale
Sale of Personal Information:
- Selling, renting, releasing, disclosing, disseminating, making available
- Transferring, or otherwise communicating personal information
- To another business or third party for monetary or other valuable consideration

Sharing of Personal Information:
- Sharing, renting, releasing, disclosing, disseminating, making available
- Transferring, or otherwise communicating personal information
- To a third party for cross-context behavioral advertising

6.2 Categories of Personal Information Sold/Shared
Identifiers:
- Name, email address, online identifiers
- IP address, device identifiers
- Account information, user IDs

Commercial Information:
- Purchase history, transaction data
- Marketing preferences, behavior data
- Affiliate performance metrics

Internet Activity:
- Browsing history, search history
- Clickstream data, page views
- Interaction with advertisements

6.3 Third-Party Recipients
Advertising Partners:
- Digital advertising networks
- Social media platforms
- Marketing technology providers
- Data management platforms

Business Partners:
- Affiliate networks and publishers
- Merchants and advertisers
- Payment processors and financial institutions
- Service providers and vendors

7. Verification and Authentication

7.1 Identity Verification
Verification Requirements:
- Reasonable verification of consumer identity
- Matching of information provided with records
- Additional verification for sensitive requests
- Protection against fraudulent requests

Verification Methods:
- Account login and authentication
- Government-issued identification
- Knowledge-based authentication
- Third-party verification services

7.2 Authorized Agent Requests
Authorized Agent Process:
- Written permission from consumer
- Verification of agent identity
- Consumer identity verification
- Documentation of authorization

Agent Requirements:
- Registered with California Secretary of State
- Written permission from consumer
- Consumer identity verification
- Proper documentation and records

8. Response Timeframes and Extensions

8.1 Standard Response Times
Initial Response:
- Acknowledge receipt within 10 business days
- Provide information about verification process
- Explain response timeframe and process
- Contact information for questions

Substantive Response:
- Respond within 45 days of receipt
- Provide requested information or explanation
- Implement requested actions
- Document response and actions taken

8.2 Extension of Time
Extension Circumstances:
- Complex request requiring additional time
- Large volume of personal information
- Need for additional verification
- Technical difficulties or system limitations

Extension Process:
- Notify consumer within 45 days
- Explain reason for extension
- Provide new response date
- Maximum extension of 45 additional days

9. Financial Incentives and Discrimination

9.1 Financial Incentives
Incentive Programs:
- Loyalty programs and rewards
- Discounts and promotional offers
- Premium services and features
- Performance-based incentives

Incentive Requirements:
- Clear notice of incentive terms
- Opt-in consent for participation
- Right to withdraw consent
- Reasonable value for personal information

9.2 Non-Discrimination
Prohibited Discrimination:
- Denying goods or services
- Charging different prices or rates
- Providing different level or quality
- Suggesting different prices or rates

Permitted Differences:
- Reasonable value for personal information
- Differences related to data collection
- Differences required by law
- Differences for security and fraud prevention

10. Notice Requirements

10.1 Notice at Collection
Required Information:
- Categories of personal information collected
- Purposes for which personal information is used
- Whether personal information is sold or shared
- Retention period for personal information

Notice Timing:
- At or before point of collection
- Clear and conspicuous notice
- Easy to understand language
- Accessible format and location

10.2 Notice of Financial Incentives
Incentive Notice:
- Material terms of incentive program
- Right to withdraw consent
- Value of personal information
- Opt-in consent requirement

10.3 Notice of Right to Opt-Out
Opt-Out Notice:
- Right to opt-out of sale/sharing
- "Do Not Sell or Share My Personal Information" link
- Opt-out preference signals
- Contact information for opt-out requests

11. Service Providers and Contractors

11.1 Service Provider Requirements
Contractual Obligations:
- Written contract with service provider
- Prohibition on selling or sharing personal information
- Use only for business purposes
- Reasonable security measures

Service Provider Restrictions:
- Cannot sell or share personal information
- Cannot use for purposes other than business purposes
- Cannot combine with other personal information
- Must maintain confidentiality

11.2 Contractor Requirements
Contractor Obligations:
- Written contract with contractor
- Prohibition on selling personal information
- Use only for business purposes
- Reasonable security measures

Contractor Restrictions:
- Cannot sell personal information
- Cannot use for purposes other than business purposes
- Cannot combine with other personal information
- Must maintain confidentiality

12. Data Retention and Deletion

12.1 Retention Periods
Retention Standards:
- Retain only as long as necessary
- Specific retention periods for different data types
- Regular review and deletion of outdated data
- Documentation of retention decisions

Retention Categories:
- Account information: Duration of account plus legal requirements
- Transaction data: Legal and business requirements
- Marketing data: Until opt-out or account deletion
- Analytics data: Aggregated and deidentified after retention period

12.2 Deletion Process
Deletion Requirements:
- Complete deletion from all systems
- Deletion from backup and archive systems
- Notification to third parties
- Documentation of deletion process

Deletion Verification:
- Confirmation of deletion completion
- Verification of third-party deletion
- Documentation of deletion actions
- Audit trail of deletion process

13. Training and Compliance

13.1 Employee Training
Training Requirements:
- Annual CCPA training for relevant employees
- Understanding of consumer rights
- Proper handling of consumer requests
- Security and privacy best practices

Training Topics:
- CCPA requirements and consumer rights
- Request handling and verification procedures
- Data security and privacy practices
- Incident response and breach notification

13.2 Compliance Monitoring
Monitoring Activities:
- Regular compliance assessments
- Audit of consumer request handling
- Review of data practices and procedures
- Testing of opt-out mechanisms

Compliance Reporting:
- Annual compliance reports
- Documentation of compliance activities
- Identification of compliance gaps
- Implementation of corrective actions

14. Enforcement and Penalties

14.1 Civil Penalties
Penalty Amounts:
- Intentional violations: Up to $7,500 per violation
- Unintentional violations: Up to $2,500 per violation
- Data breaches: Up to $100 per consumer per incident
- Actual damages and injunctive relief

Penalty Factors:
- Nature and seriousness of violation
- Number of violations and affected consumers
- Willfulness and intent
- Mitigation efforts and cooperation

14.2 Private Right of Action
Consumer Lawsuits:
- Data breaches involving personal information
- Actual damages or statutory damages
- Attorney's fees and costs
- Class action lawsuits

Lawsuit Requirements:
- Written notice to business
- 30-day cure period
- Actual damages or statutory damages
- Attorney's fees and costs

15. Contact Information and Support

15.1 CCPA-Specific Contacts
Primary Contact:
- Email: [email protected]
- Address: MTRAF Affiliate Network SRL, Suite 101, 1st Floor, Eden Plaza, Eden Island, Mahe, Seychelles
- Response Time: Within 45 days for CCPA requests

15.2 Request Submission
Online Requests:
- Website request forms
- Account settings and preference centers
- "Do Not Sell or Share My Personal Information" link
- Email request submission

Verification Process:
- Identity verification requirements
- Authorized agent procedures
- Documentation requirements
- Response timeframes and extensions

16. Policy Updates and Changes

16.1 Regular Review
Review Schedule:
- Annual CCPA policy review
- Updates based on regulatory changes
- Incorporation of best practices
- Consumer feedback and improvement

Update Process:
- Legal review and approval
- Consumer notification of changes
- Implementation timeline
- Training and awareness updates

16.2 Change Notification
Notification Methods:
- Email notification to California consumers
- Website policy updates
- Account notification systems
- Public announcements and press releases

Effective Date:
- Immediate effect for new consumers
- Notice period for existing consumers
- Grace period for compliance
- Retroactive application where permitted

Last Updated: January 1, 2024
Version: 1.0
Next Review Date: January 1, 2025
CCPA Declaration Required: ✅ MANDATORY