The Privacy Principles EPAG Follows
There are ten principles that form the basis of EPAG’s policy. These principles are interrelated and EPAG adheres to them as a whole. Each principle must be read in conjunction with the accompanying commentary. The commentary in EPAG’s policy may be tailored to reflect personal information issues specific to EPAG.
Definitions
To better understand our policy, EPAG has set out some basic definitions to use when reading and interpreting the principles below:
Collection: the act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.
Consent: voluntary agreement with the collection, use, and disclosure of personal information for defined purposes. Consent can be provided directly by the individual or by an authorized representative of an entity.
Customer: an individual or entity that uses, or applies to use, EPAG’s products or services including, but not limited to, both resellers and registrants.
Disclosure: making personal information available to a third party.
Personal information: information about an identifiable individual that is recorded in any form; this does not include aggregated information that cannot be associated with an individual. For a customer, such information does not include information that is aggregated in such a manner that it cannot be connected to them and/or information that is publicly listed in a written or online directory.
Third party: an individual or organization outside EPAG.
Use: the treatment, handling, and management of personal information by and within EPAG.
Principle 1: Accountability
EPAG is responsible for personal information under its control. In response, it has designated its Data Protection Officer (“DPO”) as accountable for the company’s compliance with the following principles.
- Responsibility for ensuring compliance with the provisions of the EPAG policy rests with the Legal Department within EPAG, which shall designate one or more persons to be accountable for compliance with the EPAG policy. Other individuals within EPAG may be delegated to act on behalf of the designated person(s) or to take responsibility for the day-to-day collection and processing of personal information. The DPO has been designated in order that EPAG may ensure that consumers have a resource to answer their privacy-related inquiries.
- EPAG shall make known, upon request, the identity of the person or persons designated to oversee EPAG’s compliance with its policy.
- EPAG is responsible for personal information in its possession or control. EPAG shall use appropriate means to provide a comparable level of protection while information is being processed by a third party.
- EPAG shall implement policies and practices to give effect to these principles, including:
  - Implementing procedures to protect personal information and to oversee EPAG’s compliance with its policy;
  - Establishing procedures to receive and respond to inquiries or complaints;
  - Training and communicating to staff about EPAG’s policies and practices; and
  - Developing information to explain EPAG’s policies and practices.
Principle 2: Identifying Purposes for Collection of Personal Information
EPAG shall identify the purposes for which personal information is collected within a reasonable period after obtaining the data, and prior to using the data.
- EPAG collects personal information only for the following purposes:
  - To establish and maintain responsible commercial relations with customers and to provide ongoing services and offers;
  - To understand customer needs;
  - To develop, enhance, market, or provide products and services;
  - To manage and develop EPAG’s business and operations, including personnel and employment matters; and
  - To meet legal, regulatory, and contractual requirements.
- Further references to “identified purposes” mean the purposes identified in this Principle 2.
- EPAG shall specify orally, electronically, or in writing the identified purposes to the customer or employee at the time personal information is collected or within a reasonable period. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within EPAG who shall explain the purposes.
- Unless required by law, EPAG shall not use or disclose for any new purpose personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the customer.
Principle 3: Obtaining Consent for Collection, Use, or Disclosure of Personal Information
The knowledge and consent of a customer is required for the collection, use, or disclosure of personal information, except where inappropriate.
NOTE: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, when required to fulfil a contract or when information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.
- In obtaining consent, EPAG shall use reasonable efforts to ensure that a customer is advised of the identified purposes for which personal information collected will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the customer or employee.
- Generally, EPAG shall seek consent to use and disclose personal information at the same time it collects the information. However, EPAG may seek consent to use and disclose personal information after it has been collected but before it is used or disclosed for a new purpose.
- EPAG will only require customers to consent to the collection, use, or disclosure of personal information as a condition to the supply of a product or service if such collection, use, or disclosure is required to fulfill the identified purposes.
- In determining the appropriate form of consent, EPAG shall take into account the sensitivity of the personal information and the reasonable expectations of its customers.
- Unless required by contract, EPAG will obtain express consent within a reasonable period after obtaining the data and prior to using the data.
- A customer may withdraw consent at any time, subject to legal, regulatory, or contractual restrictions and reasonable notice. For example, if consent is required to perform the service requested by the customer, withdrawal of consent may result in termination of the service. Customers may contact EPAG at the address below for more information regarding the implications of doing so.
Principle 4: Limiting Collection of Personal Information
EPAG shall limit the collection of personal information to that which is necessary for the identified purposes. EPAG shall collect personal information by fair and lawful means.
- EPAG collects personal information primarily from its customers.
- EPAG may also collect personal information from other sources including but not limited to credit bureaus or other third parties who represent that they have the right to disclose the information.
Principle 5: Limiting Use, Disclosure, and Retention of Personal Information
EPAG shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by a registry or by law. EPAG shall retain personal information only as long as necessary for the fulfillment of those purposes or as required by law.