Agreements

Carta EU-U.S. and Swiss-U.S. Privacy Shield Notice

Effective: May 25, 2018

eShares, Inc. DBA Carta, Inc. (“Carta”, “We”, or “Our”) has certified with the EU-U.S. and Swiss-U.S. Privacy Shield with respect to the personal data we receive and process on behalf of our customers and users through our software tools and platform (the “Hosted Services”). We are committed to the principles all personal data received from the EU in reliance on the Privacy Shield. More information on the Privacy Shield can be found here.

Carta certifies that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement for personal data submitted by our customers in participating European countries through the Hosted Services, and our Privacy Shield certification will be available here. We may also process personal data our customers submit relating to individuals in the EU via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.

Data Processed

We provide the Hosted Services so that our customers can communicate and operate aspects of their businesses. In providing these Hosted Services, we process data our customers submit to the Hosted Services or instruct us to process on their behalves in connection with the Hosted Services (“Client Data”).

The personal data transferred concern the following categories of data may be: name, address and email address, date of birth, marital status, telephone number, IP address, social security number or government identification number, bank account details, equity account information.

We will provide at least the same level of protection to Customer Personal Data as is required by the Privacy Shield principles.

Purposes of Data Processing

Carta manages Company equity information in a single electronic registry with the participation of its shareholders, employees, auditors, and legal counsel.

We process data submitted by customers and users for the purpose of providing the Hosted Services to our customers.

We may access data to provide the Hosted Services to our customers, users, and to comply with any applicable law enforcement or regulatory body. We may access data to to respond to customer inquiries, prevent or manage service outages, address technical issues, to follow the instructions or abide by contractual obligations of our customers, adhere to regulatory obligations, or manage and prevent fraud.

Who We May Share Customer Data

We may share customer data with subsidiaries or affiliates of Carta. We also use certain third-party providers to assist us in providing the Hosted Services to our customers and users. These third-party providers provide hosted servers, protection against denial of service and other common attack vectors, tools to improve the Hosted Services, database monitoring, data storage and customer support software tools. These third parties may access, process or store personal data in the course of providing these Hosted Services, based solely on our instructions in accordance with the agreements with our customers.

If we transfer data to a third-party service provider acting on behalf of Carta, we have certain liability under the Privacy Shield under the following conditions:

  • The third party processes the data in a manner inconsistent with the Privacy Shield; and
  • Carta instructed the third party to process the data in such a manner. is responsible for the event giving rise to the damage.

Questions or Complaints

If you are a resident of a European country participating in the Privacy Shield and you believe we maintain your personal data within the scope of this Privacy Shield certification, you may direct any questions, complaints, or data corrections, concerning our Privacy Shield compliance to privacy@Carta.com or at our mailing address:

eShares, Inc. DBA Carta, Inc. 195 Page Mill Road, Suite 101 Palo Alto, California 94306

We will work with you to resolve your issue.

Dispute Resolution

If Carta has not responded to your inquiry or complaint within 45 days, you may notify a governing authority.

For unresolved complaints, a resident of a European country participating in the Privacy Shield must first: (1) contact us and provide Carta the opportunity to resolve the issue; (2) or we have not addressed your concern to your satisfaction contact our independent third party arbitrator https://feedback-form.truste.com/watchdog/request and (3) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue.

For more information on independent recourse, please see https://www.privacyshield.gov/article?id=7-RECOURSE-ENFORCEMENT-AND-LIABILITY.

Privacy Shield has a dispute resolution service that is free of charge to individuals. Complaints that are not obviously unfounded or frivolous may be reviewed by a Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) which has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual.

Regulatory Bodies

U.S. Federal Trade Commission Enforcement Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Data Subject Rights

Certain European residents (including those whose personal data is within the scope of this Privacy Shield certification) have certain legal rights to request to access certain personal data we hold about them and to obtain its correction, amendment or deletion. Some of these rights may be limited as by applicable law or contractual obligations.Those users may exercise some of those rights through the options described in our Privacy Policy and in our Privacy FAQs and Team Administration FAQs.

For more information on our data subject rights policies, go here.

Requirement to Disclose

We may disclose personal data to comply with legal requirements or regulatory obligations, including in matters of national security, law enforcement, securities law enforcement; or to fulfill our contractual obligations with our customers.