Data Privacy Framework Policy

Boxlight, Inc. (“Boxlight,” “our,” “we” or “us”) complies with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (together “Data Privacy Framework Principles”). Boxlight has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of DPF Personal Data (defined below) received from the European Union and the United Kingdom in reliance on the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework.  Boxlight has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of European Personal data received from Switzerland in reliance on the Swiss-U.S. Data Privacy Framework.  If there is any conflict between the terms in this privacy policy and the EU-U.S. Data Privacy Framework Principles and/or the Swiss-U.S. Data Privacy Framework Principles, the Principles shall govern.  To learn more about the Data Privacy Framework Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.  

Boxlight’s U.S. affiliates also adhere to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. These affiliates include Boxlight Corporation, EOSEDU, LLC, and FrontRow Calypso LLC.  

For purposes of enforcing compliance with the Data Privacy Framework Principles, Boxlight is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the Data Privacy Framework, see the US Department of Commerce’s Data Privacy Framework Principles website located at: https://www.dataprivacyframework.gov/s/.

1. Definitions 
In this Data Privacy Framework Policy: 
“DPF Personal Data” means any information relating to you that identifies or can be used to identify you, either separately or in combination with other readily available data that is received by Boxlight in the U.S. from the European Union, European Economic Area, United Kingdom or Switzerland in connection with the Services. 
“Privacy Policy” means Boxlight’s Privacy Policy located at [https://boxlight.com/privacy-policy/]. 
“Sensitive Personal Data” means DPF Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life. 
“Services” means the Sites, Products, and Services as defined in Boxlight’s https://boxlight.com/privacy-policy/. 
“Standard Contractual Clauses” means the standard data protection clauses for the transfer of DPF Personal Data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR. 

2. Scope 
Boxlight commits to comply with the Data Privacy Framework Principles with respect to the DPF Personal Data received you in connection with your use of the Services. This Data Privacy Framework Policy does not apply to DPF Personal Data transferred under Standard Contractual Clauses or any approved derogation under EU data protection law. 

3. Data Privacy Framework Principles 
Boxlight commits to processing DPF Personal Data in accordance with the Data Privacy Framework Principles as follows: 

3.1. Notice 

Boxlight’s Privacy Policy notifies individuals covered by this Data Privacy Framework Policy about the categories of DPF Personal Data that Boxlight collects and the purposes for collection and use of their DPF Personal Data. Boxlight will only process DPF Personal Data in ways that are compatible with the purpose for which Boxlight collected it or for purposes later authorized. 

3.2. Choice 

The DPF Personal Data that Boxlight collects from you depends on how you use the Services. 
 
Our Privacy Policy describes the categories of DPF Personal Data that we may receive in the US as well as the purposes for which we use that DPF Personal Data. Please review the section titled “Personal Data We Collect” and “How We Use Personal Data” in our Privacy Policy for more information on the categories of  DPF Personal Data we collect and how we use your DPF Personal Data. 
 
Before Boxlight uses DPF Personal Data for a purpose that is materially different from the purpose for which Boxlight collected it or that was later authorized, Boxlight will provide you with the opportunity to opt out. 
 
Boxlight shares  DPF Personal Data collected through the Services with third parties that Boxlight engages to help us operate the Services, improve our business or the Services, to provide Services to us (such as web hosting, data storage and similar administrative services), and to market to current and prospective customers. Please review the section titled “How We Share Personal Data” in our Privacy Policy for more information on how we share DPF Personal Data. 
 
If Boxlight collects Sensitive Personal Data, Boxlight will obtain opt-in consent if Data Privacy Framework Principles require, including before Sensitive Personal Data is used for a different purpose than that purpose for which it was collected or later authorized. 

3.3. Accountability for Onward Transfer 

If Boxlight transfers DPF Personal Data covered by this Data Privacy Framework Policy to a third party, Boxlight takes reasonable and appropriate steps to ensure that each third party transferee processes  DPF Personal Data transferred in a manner consistent with Boxlight’s obligations under the Data Privacy Framework Principles. Boxlight will ensure that each transfer is consistent with any privacy notice provided to you. Boxlight requires a written contract with any third party receiving  DPF Personal Data that ensures that the third party (i) processes the  DPF Personal Data for limited and specified purposes consistent with any notice provided to you, (ii) provides at least the same level of protection as is required by the Data Privacy Framework Principles, (iii) notifies Boxlight if it cannot comply with the Data Privacy Framework Principles; and (iv) ceases processing  DPF Personal Data or takes other reasonable and appropriate steps to remediate. 
Under certain circumstances, Boxlight may be required to disclose DPF Personal Data in response to valid requests by public authorities, including for national security or law enforcement requirements. 
 
Boxlight complies with the DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.Boxlight remains liable under the Data Privacy Framework Principles if an agent processes DPF Personal Data covered by this Data Privacy Framework Policy in a manner inconsistent with the Data Privacy Framework Principles unless Boxlight is not responsible for the event giving rise to the damage.   

3.4. Security 

Boxlight takes reasonable and appropriate measures to protect DPF Personal Data covered by this Data Privacy Framework Policy from loss, misuse and unauthorized access, disclosure, alteration and destruction. In determining these measures, Boxlight takes into account the risks involved in the processing and the nature of the DPF Personal Data. 

3.5. Data Integrity and Purpose Limitation 

Boxlight takes reasonable steps to ensure that such DPF Personal Data is reliable for its intended use, accurate, complete and current. Boxlight adheres to the Data Privacy Framework Principles for as long as it retains  DPF Personal Data in identifiable form. Boxlight takes reasonable and appropriate measures to comply with the requirement under the Data Privacy Framework Principles to retain  DPF Personal Data in identifiable form only for as long as it serves a purpose of processing. 
Boxlight limits the collection of DPF Personal Data covered by this Data Privacy Framework Policy to information that is relevant for the purposes of processing. Boxlight does not process DPF Personal Data in a way that is incompatible with the purpose for which it was collected or subsequently authorized by you. 

3.6. Access 

If you are covered by this Data Privacy Framework Policy you may have the right to access your DPF Personal Data and to correct, amend or delete the DPF Personal Data if the DPF Personal Data is inaccurate or processed in violation of the Data Privacy Framework Principles. Boxlight is not required to grant the rights to access, correct, amend and delete DPF Personal Data if the burden or expense of providing access, correction, amendment or deletion is disproportionate to the risks to your privacy or if the rights of persons other than you are or could be violated. 
To send requests for access, correct, amendment or delete DPF Personal Data, please follow the instructions in Privacy Policy under the section titled “Your Rights Regarding Your Personal Data.” 

3.7. Recourse, Enforcement, and Liability 

In compliance with the Data Privacy Framework Principles, Boxlight commits to resolve complaints about your privacy and our collection or use of your DPF Personal Data. Please first contact Boxlight with inquiries or complaints regarding this Data Privacy Framework Policy at [email protected]. 

3.7.1. Customer Inquiries.  

In compliance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework, Boxlight commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework to the International Centre for Dispute Resolution (IDCR), an alternative dispute resolution mechanism operated by the American Arbitration Association. If you do not receive timely acknowledgment of your Data Privacy Framework Principles-related complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint.  The services of ICDR are provided at no cost to you.  

Under certain conditions detailed in the Data Privacy Framework Principles, you may be able to invoke binding arbitration when other dispute resolution procedures have been exhausted. The availability of binding arbitration is described more fully on the Data Privacy Framework website at:  https://www.dataprivacyframework.gov/s/article/How-to-Submit-a-Complaint-Relating-to-a-Participating-Organization-s-Compliance-with-the-DPF-Principles-dpf 

Boxlight commits to periodically review and verify its compliance with the Data Privacy Framework Principles and to remedy any issues arising out of failure to comply with the Data Privacy Framework Principles. Boxlight acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Data Privacy Framework participants. 

4. Changes to this Data Privacy Framework Policy 
 
Boxlight may amend this Data Privacy Framework Policy consistent with the requirements of the Data Privacy Framework, including notice about any amendment. 

5. How to Contact Boxlight 
 
If you have any questions about this Data Privacy Framework Policy or would like to request access to your DPF Personal Data, please contact us as follows: 
 
Email: [email protected] 
Phone: (360) 464.2119 
Mail: Attention: Boxlight Data Protection Lead 
Boxlight, Inc. 
2750 Premier Parkway, Suite 900 
Duluth, GA 30097