Picnic Online Privacy Policy

Last updated: November 18, 2021

1. INTRODUCTION Thirty Madison, Inc., d/b/a Picnic, and its subsidiaries, divisions, and affiliates (“Picnic”) understand the importance of your privacy and protecting your personal information. Accordingly, the purpose of this Privacy Policy (the “Policy”) is to describe how Picnic collects, uses, and shares information about you through our website, social media, email exchanges, mobile apps, and other online services on which this Policy is posted (the “Service”) as well as how you can access, change, and remove your information. Please read this Policy carefully to understand what we do. If you do not understand or agree to any aspects of our Policy, please contact us before continuing to use our Service.

This Policy is written in the English language. We do not guarantee the accuracy of any translated versions of this Policy. To the extent that any translated versions of this Policy conflict with the English language version, the English language version of this Policy shall control.

2. COLLECTION OF PERSONAL INFORMATION Information you provide to us. We collect information you provide to us when you create or modify your account; register to use our website, www.PicnicAllergy.com (the “Site”); purchase products or services from us; post comments or reviews on our Site; request information from us; contact customer support; or otherwise communicate with us.

Information we obtain indirectly. We may receive certain information about you through our third-party affiliates or partners and from other companies that provide us with such information as a part of their relationship with us, including Google Analytics and Hotjar.

Information we collect automatically. When you use our Service, we collect certain information about you automatically through our use of cookies and similar technologies, described in more detail below.

3. CATEGORIES OF PERSONAL INFORMATION AND PURPOSE FOR COLLECTION Picnic only collects and processes the minimum amount of personal information from you necessary for purposes of our information processing activities, which includes the following categories of personal information: (1) contact information, including your name, address, email address, and telephone number; (2) authentication information, including the user name and password that you use to register an account on the Site; (3) financial information, including your debit or credit card number, its expiration date, and its security code, for payment processing purposes; (4) personal characteristics, including date of birth, photographs of your head and hair, and other information relevant to diagnosis and treatment, such as hair loss, lifestyle and general medical history; (5) comments, reviews, and suggestions; (6) personal preferences including product preferences, online preferences, and interests; (7) online behavior information including online activity, preferences, and time spent viewing features; and (8) IP address, mobile network information, or device information.

Picnic retains this information only if required to fulfill Picnic’s information processing activities. Additionally, any information sent by you to a doctor regarding your diagnosis or treatment is kept private and confidential. Our information processing activities include conducting our business, customer communications and support, user verification, payment processing, shipping, quality management services, Site maintenance and improvements, enforcing our legal rights, and complying with legal requirements. Where applicable, if Picnic intends to further process your personal information for a purpose other than that for which the personal information was initially collected, Picnic shall, prior to such processing, provide you with any relevant information on such additional purpose, and, to the extent required by applicable law, obtain your consent for this.

4. DISCLOSURE OF PERSONAL INFORMATION Picnic does not trade, rent, or sell your personal information to third parties.

We may share or disclose your personal information for the following limited purposes:

  • Healthcare Providers. We share your personal information with KMG Medical Group MO, PC, doctors, and relevant medical staff (“KMG”) to provide you with services related to your diagnosis and treatment. In addition to this Policy, our disclosure of your personal information to KMG is subject to KMG’s Notice of Privacy Practice Policy.

  • Vendors and Services Providers. We may provide information to third party vendors and service providers that perform services and functions on our behalf to help us operate and manage our Site, process orders, and fulfill and deliver products and services that you purchase from us. These vendors and service providers will have access to your personal information in order to provide these services, but when this occurs we implement reasonable contractual and technical protections to limit their use of that information to helping us provide our Service and support our interactions with you.

  • Your Consent to Have Your Personal Information Shared. In addition to the sharing described elsewhere in this Policy, we will share personal information with companies, organizations, or individuals outside of Picnic when we have your consent to do so.

  • Legal Disclosure. We will share personal information with third party companies, organizations, or individuals outside of Picnic when we believe in good faith that access, use, preservation, or disclosure of the information is reasonably necessary to comply with a legal obligation; when we believe in good faith that the law requires it; at the request of governmental authorities conducting an investigation; to verify or enforce our agreements, terms of use, or other applicable policies; to respond to an emergency; or otherwise to protect the rights, property, safety, or security of Picnic, third parties, visitors to our Site, or the public, as required or permitted by law.

  • Transfer in the Event of Sale or Change of Control. If the ownership of all or substantially all of our business changes, or we otherwise transfer assets relating to our business or the Site to a third party, such as by merger, acquisition, bankruptcy proceeding or otherwise, we may transfer personal information to the new owner. In such a case, unless prohibited by applicable law, your information would remain subject to the privacy policy applicable at the time of such transfer, unless you discontinue use of our Service. We will inform you of any such changes in ownership. We will also inform you if we sell your personal information to any new owners.

  • Use of Non-Personal Information. In addition, where allowed by applicable law, we may use and disclose anonymized data or information that is not in a personally identifiable form for any purpose. If we combine information that is not in personally identifiable form with information that is identifiable (such as combining your name with your geographical location), we will treat the combined information as personal information as long as it is combined.

5. ACCESS TO YOUR INFORMATION AND CHOICES You can access and update certain information we have relating to your online account by signing into your account and going to the Account section of our Site. If you have questions about personal information we have about you or need to update your information, you can contact us online (PicnicAllergy.com/Contact) or call us at (205) 875-8432.

  • Social Media Account Sign On. To the extent that you choose to use a social media account application (such as Google, Facebook, or Apple) to create your online account on the Site or otherwise sign into the Site, you understand that if another person has access to your social media account, they will also have access to your account on the Site. That means that other person could access any personal information contained on the Site. It’s your decision about whether to give another person access to your social media account and whether to use that account to sign on to the Site. Also, if you use a social media account application to sign into the Site, you understand that the social media account application may send information from your social media account to Picnic.

6. SECURITY OF YOUR INFORMATION We use industry standard physical, technical, and administrative security measures and safeguards to protect the confidentiality and security of your personal information. Please be advised, however, that while we take reasonable security measures to protect your personal information, such measures cannot be guaranteed to be secure. Picnic cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security, and improperly collect, access, steal, or modify your personal information. Accordingly, it is your responsibility to protect the security of your login information, including your username and password. Additionally, please note that emails and other communications you send to us through our Site are not encrypted, and we strongly advise you not to communicate any confidential information through these means.

7. COOKIES AND OTHER TECHNOLOGIES We and our service providers use cookies, web beacons, and other technologies to receive and store certain types of information whenever you interact with our Site through your computer or mobile device to improve the quality of our service, including for storing user preferences, tracking user trends, and providing relevant advertising to you. A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. When you visit the Site again, the cookie allows the Site to recognize your browser. Cookies may store unique identifiers, user preferences, and other information. Cookies can be set by the website owner (i.e., us), or they can be set by third parties (e.g., Facebook, Google, etc.) Third party cookies may also be used to enable analytics (e.g. Google Analytics) or advertising functionality (e.g., ad re-targeting on third-party websites) that enables more customized services and advertising by tracking your interaction with our Service and collecting information about how you use the Service.

You can reset your browser to refuse all cookies or to indicate when a cookie is being sent. You can also delete cookies or clear your cache, browser history, stored password, and other browser storage through your browser settings. However, some Site features or services may not function properly without cookies. Please keep in mind that your browser settings may not permit you to control the technologies utilized by third-party companies. If you would like more information about these practices, please click: http://optout.aboutads.info/#!/

We may use third-party advertising companies to serve advertisements regarding goods and services that may be of interest to you when you access and use the Service and other online services, based on information relating to your access to and use of the Service and other online services on any of your devices. To do so, these companies may place or recognize a unique cookie on your browser (including through the use of pixel tags). They may also use these technologies, along with information they collect about your online use, to recognize you across the devices you use, such as a mobile phone and a laptop.If you would like more information about this practice, and to learn how to opt out of it in desktop and mobile browsers on the particular device on which you are accessing this Privacy Policy, please visit http://optout.aboutads.info/#/ and http://optout.networkadvertising.org/#/. You may download the AppChoices app at www.aboutads.info/appchoices to opt out in mobile apps.

Picnic also uses Google Analytics. Google Analytics is a web analytics service provided by Google, Inc. to collect certain information relating to your use of the Site. Google Analytics uses cookies to help the Site analyze user activity. We may also use Google Analytics Advertising Features or other advertising networks to provide you with interest-based advertising based on your online activity.

In addition to Google Analytics, Picnic uses Hotjar. Hotjar is a technology service that helps us better understand our users' needs and optimize user experience as well as our Service. Hotjar allows us to determine how much time users spend on which pages, which links users choose to click, and what users do and do not like, among other things, and this enables us to build and maintain our Service with user feedback. Hotjar uses cookies and other technologies to collect data on our users' behavior and their devices. This includes a device's IP address, which is processed during your session and stored in a de-identified form; device screen size; device type (unique device identifiers); browser information; geographic location (country only); and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

8. ADVERTISEMENT We may use how you browse and shop in order to show you ads for Picnic or our advertising partners that are relevant to your interests. We may use cookies and other information to provide relevant interest-based advertising to you, and ad networks to which we belong may use your browsing activity across participating websites to show you interest-based advertisements on those websites. Interest-based ads are ads presented to you based on your browsing behavior in order to provide you with ads more tailored to your interests. These interest-based ads may be presented to you while you are browsing our Site or third-party sites not owned by Picnic.

Currently, our Site does not recognize if your browser sends a “do not track” signal or similar mechanism to indicate you do not wish to be tracked or receive interest-based ads. If you would like more information about these practices, please click: http://optout.aboutads.info/#!/

9. CHILDREN’S PRIVACY If you are under the age of 18, please do not attempt to register with us at this Site, engage our Service, or provide any personal information about yourself to us. If we learn that we have collected personal information from someone under 18, we will promptly delete that information. If you believe we have collected personal information from someone under the age of 18, please contact us online (PicnicAllergy.com/Contact) or call us at (205) 875-8432.

10. SPECIAL NOTE TO CALIFORNIA RESIDENTS In compliance with California law, we provide California residents with certain information and access upon request (“Consumer Request”). This Policy outlines how California residents can request the information and what you can receive.

If you would like to submit a Consumer Request, you or your authorized agent can contact Picnic at help@picnicallergy.com and (205) 875-8432. If you choose to submit a Consumer Request, you must provide us with enough information to identify you and enough specificity on the requested data. Picnic will only use the information it receives to respond to your request. Picnic will not be able to disclose information if it cannot verify that the person making the Consumer Request is the person about whom we collected information, or someone authorized to act on such person’s behalf.

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. “Personal information” does not include publicly available information.

A. Request to Access. You may submit a Consumer Request to obtain a copy of or access to the personal information that Picnic has collected on you.

B. Request to Correct Inaccurate Personal Information. You may submit a Consumer Request to correct inaccurate personal information. Keeps will use commercially reasonable efforts to comply with such request and correct inaccurate personal information.

C. Request to Know. You may submit a Consumer Request to receive information about Picnic’ data collection practices. You may request information on the categories of personal information (as defined by California law) Picnic has collected about you; the categories of data collection sources; Picnic’ business or commercial purpose for collecting or selling personal information; the categories of third parties with whom Picnic shares personal information, if any; and the specific pieces of personal information we have collected about you.

Please note that the categories of personal information and sources will not exceed what is contained in this Policy. Additionally, Picnic is not required to retain any information about you if it is only used for a one-time transaction and would not be maintained in the ordinary course of business. Picnic is also not required to reidentify personal information if it is not stored in that manner already, nor is it required to provide the personal information to you more than twice in a twelve-month period.

If you would like to know if Picnic has disclosed information about you to specific third parties, you may also email help@picnicallergy.com to receive information about the categories of information that we disclosed to third parties for their direct marketing purposes. You may receive the names and addresses of those third parties, and you may request this information for the year prior to your request. Note that these particular requests may only be made once per calendar year. Additionally, please be aware that only sharing activities required by California law will be included in our response to your request.

D. Request to Delete. You may request that Picnic delete your personal information. Subject to certain exceptions set out below we will, on receipt of a verifiable Consumer Request, delete your personal information from our records and direct any service providers to do the same.

Please note that we may not delete your personal information if it is necessary to:

  • complete the transaction for which the personal information was collected;
  • provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
  • detect security incidents, protect against malicious, deceptive activity, and take all necessary and appropriate steps to mitigate current and future risk;
  • debug and repair internal information technology as necessary;
  • undertake internal research for technological development and demonstration;
  • exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
  • comply with the California Electronic Communications Privacy Act;
  • engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
  • enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
  • comply with an existing legal obligation; or
  • otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

E. Right to Opt-Out. You have the right to opt-out of the sale of your personal information. We do not sell your personal information for money, but we use cookies and similar technologies that may result in your personal information being shared with third-parties in a manner that could be construed as a sale under the CCPA. Please see the sections titled "Cookies and Other Technologies" and “Advertisement” regarding our cookie usage. Additionally, some of our vendors may use your data in a way that could be construed as a sale of data under the CCPA, for example by using machine learning on identity documents to improve an identity verification platform as a whole or for purposes of cross-context behavioral advertising. To opt out of the sale of data, click "Do Not Sell My Personal Information" on Picnic’s homepage or click here.

Picnic may not, and will not, treat you differently because of your Consumer Request or Opt-Out activity. Picnic may not and will not deny goods or services to you; charge different rates for goods or services; provide a different level of quality of goods or services; or suggest any of the preceding will occur. However, we can and may charge you a different rate, or provide a different level of quality, if the difference is reasonably related to the value provided by your personal information.Further, some Service functionality and features may change or become unavailable upon deletion or restriction on use of your personal information.

11. SPECIAL NOTICE FOR NEVADA RESIDENTS Picnic does not sell, rent, or lease your personally identifiable information to third parties. However, if you are a resident of Nevada and would like to submit a request not to sell your personally identifiable information, you may do so by emailing us at help@picnicallergy.com.

12. LINKED SITES The Site may contain links to third-party owned or operated websites, including, without limitation, social media websites (each a “Linked Site”), as a convenient method of accessing information that may be useful or of interest to you. This Policy and the practices that we follow under this Policy do not apply to Linked Sites. We are not responsible for the content, accuracy, or opinions expressed on any Linked Site or for the privacy practices or security standards used by third parties on such Linked Sites. These Linked Sites have separate privacy and data collection practices, and we have no responsibility or liability relating to them.

Accordingly, if you use Linked Sites through our Site, to login to our Site, or to share information about your experience on our Site with others, these Linked Sites may be able to collect information about you, including information about your activity on our Site. In accordance with their own privacy policies, the Linked Sites may further notify your social media connections about your use of our Site.

You understand and agree that by clicking on a link to a Linked Site or using a Linked Site as described above, this Policy, as stated on the Site, is no longer in effect because you have either left our Site or used a Linked Site to interact with our Site.

13. USER CONTENT Some features of the Service may now or in the future allow you to provide content, such as written comments or reviews, to be published or displayed on public areas of the Site (“User Content”). Be careful about giving out information in public areas of the Service. The information you share in public areas may be read, collected, or used by any user of the Service. We cannot control the actions of other users of the Site with whom you may choose to share your User Content.

14. CONSENT TO PROCESSING OF PERSONAL DATA IN UNITED STATES This Site is intended for use only by residents of the United States. If you are a citizen of the European Economic Area (EEA) or other jurisdiction outside of the U.S., please note that in order to provide our Site, products, and services to you, we may send and store your personal information (also commonly referred to as personal data) outside of the EEA, including to the U.S. Accordingly, your personal information may be transferred outside of the country where you reside or are located, including to countries that may not or do not provide the same level of protection for your personal information. We are committed to protecting the privacy and confidentiality of personal information when it is transferred. Where such transfers occur, we take appropriate steps to provide the same level of protection for the processing carried out in any such countries as within the EEA to the extent feasible under applicable law. By using and accessing our Site, users who reside or are located in countries outside of the United States agree and consent to the transfer to and processing of personal information on servers located outside of the country where they reside, and that the protection of such information may be different than required under the laws of their residence or location.

15. CHANGES TO OUR PRIVACY POLICY While this Policy may change from time to time, Picnic will enforce and comply with all applicable laws with respect to this Policy, any future versions of this Policy, our Service, our rights, and our obligations to you. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice, including, for certain services, email notification of privacy policy changes.

16. QUESTIONS AND HOW TO CONTACT US If you have any questions, concerns, complaints, or suggestions regarding this Policy, please contact us online (PicnicAllergy.com/Contact), call us at (205) 875-8432, email us help@picnicallergy.com, or writing us by US postal mail at the following address:

Thirty Madison Inc. 27 E 28th St, 12th Floor New York, NY 10016