Privacy Policy 

Effective Date: June 27, 2018

OVERVIEW

Penn-Troy Manufacturing, Inc. (“Penn-Troy”, “we”, “our”, or “us”) is committed to protecting our customers’ privacy.  This Privacy Policy describes how Penn-Troy collects, uses, and shares the personal information of our clients and users of this website (the “Site”).  We periodically update this Privacy Policy and reserve the right to change the provisions of this Policy or our privacy practices at any time. We will inform you of any changes to the Privacy Policy by posting the revised Policy on our Site.  Your use of the Site or Penn-Troy’s products or services constitutes consent to any changes in this Policy as in effect on the date of such use.

PERSONAL INFORMATION DEFINED

Personal information means information that specifically identifies an individual person, such as name, mailing address, email address, phone number, or account number.  It may also include other information about you, such as gender, date of birth, or other demographic information, or about your use of the Site, such as IP address or cookies, if that other information is linked to your personal information.

HOW PENN-TROY COLLECTS YOUR PERSONAL INFORMATION

Penn-Troy collects personal information that you provide to us.  For example:

•If you place an order, we may require you to provide us with your name, email address, phone number, billing information, and other information.  

•If you apply for a job with Penn-Troy, we may ask you to provide more detailed and sensitive personal information required for compliance with our hiring and equal opportunity policies and practices.  

•Our website includes social media features, such as links to our LinkedIn, Twitter, and YouTube pages. Your interactions with these features are governed by the privacy policy of the corresponding social media platform.

We also collect some of your information automatically when you visit our Site. For example, our Site collects your IP address and other online identifiers and records the pages that you visit and other information about your activity on the Site.  

Like many other websites, we ask you to allow us to use “cookies” to remember information about you and improve your browsing experience on our Site.  If you reject cookies, you may still use our Site, but your ability to use some features or areas of our Site may be limited.  We may also work with third-party providers who may use cookies on our Site.  You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. For more information about cookies, including how to set your internet browser to reject cookies, please go to www.allaboutcookies.org or http://www.networkadvertising.org.

Our Sites may contain links to other websites.  Collection of your information by other websites is governed by those sites’ own privacy policies.

HOW PENN-TROY USES PERSONAL INFORMATION

We may use your personal information for:

•Confirming or tracking your order;

•Registration and subscription purposes;

•Analyzing trends and statistics;

•Informing you of new products, services, and offers; 

•Responding to questions, concerns, and customer support inquiries; or

•Improving the services that we offer you or the functionality of our Site.  

Penn-Troy does not sell personal information to third parties and does not transfer or share customers’ personal information between its clients.  Penn-Troy will share your personal information only:

•With your consent; 

•When the processing is in our legitimate business interests, subject to your interests and fundamental rights;

•To fulfill a legal obligation, including:
    •in response to lawful requests or legal process, including in response to law enforcement requirements; or
    •as part of a business transaction, sale or transfer, or bankruptcy proceeding;

•For protection of personal or public safety or to prevent illegal activities; or

•To protect our own rights including enforcing our own policies, contracts, and terms of use.

Penn-Troy may also use anonymous or pseudonymous personal information for internal purposes, such as to track the effectiveness of and improve its products, processes, or services.  Penn-Troy may also share anonymous or pseudonymous data with selected third parties. 

HOW PENN-TROY PROTECTS PERSONAL INFORMATION

Penn-Troy follows generally accepted standards to protect personal information and information submitted by our clients, both during transmission and once we receive it.  Specifically, Penn-Troy uses .  Despite these precautions and processes, no data transmission over the Internet can be guaranteed to be 100% secure.  As a result, while we strive to protect your personal information, we cannot guarantee or warrant the security of any information you transmit to or from our Site, and you do so at your own risk.  Once we receive your transmission, we will take commercially reasonable precautions to protect its security on our systems.

YOUR RIGHTS TO ACCESS YOUR PERSONAL INFORMATION

You have the right to access, correct, or request deletion of personal information about you that Penn-Troy has collected.  To access, correct, or request deletion of personal information, contact a customer service representative at 1-800-232-4442 or use the Contact Us feature on the Site at /contact-us.  To verify that the request is authentic, we may require that such request be sent from the email address associated with your personal information.  If you have an account, you can access and correct information such as your name, address, telephone number, or email address on the My Account page.  While we will comply reasonably and promptly with your requests, we may need to retain some of your information for our own recordkeeping or to fulfill a legal obligation. 

DATA TRANSFERS FROM EU TO US

If you provide personal information to us while located in the European Economic Area (“EEA”), you consent to the transfer of personal information to the United States, and potentially to other countries outside of the EEA.  You understand that the current laws of countries outside of the EEA may not provide the same level of protection as the data protection laws of the EEA.  If you provide data about other individuals you agree that you have obtained consent from each such individual to the submission and processing of such information to the terms of the Policy, including without limitation the transfer of such data to the United States.  Nonetheless, we will take all reasonable steps to protect your privacy in accordance with the applicable data protection laws.

You are under no statutory or contractual obligation to provide any personal information to us.  However, if having your personal information is necessary to supply goods or services to you, and you do not provide it, then we will not be able to fulfill that order for goods or services.

CONTACT INFORMATION

To report any issues or concerns, or to contact Penn-Troy with any questions regarding this Privacy Policy:

•Use the Contact Us feature on the Site at /contact-us;

•Email [email protected]

•Call 1-800-232-4442; 

•Fax 1-570-297-4136; or

•Send mail to 

Penn-Troy Manufacturing, Inc.
182 Railroad Street
Troy, PA 16947

DATA PROCESSING ADDENDUM
Based on the EU General Data Protection Regulation 

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the (the “Agreement”) between Penn-Troy Manufacturing, Inc. (“Company”) and (“Processor”) (together, the “Parties”) dated .

The purpose of this DPA is to ensure that Personal Data is Processed in accordance with EU Data Protection Laws.  This DPA sets forth the terms that apply when Processor, while providing Services to Company pursuant to the Agreement, Processes Personal Data on the Company’s behalf.

1. Definitions.  As used in this DPA, the following terms shall have the following meaning:

1.1 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.2 “EU Data Protection Laws” means GDPR, as amended; the laws of any European Union member state enacted pursuant to GDPR; and the applicable data protection laws of Switzerland and the United Kingdom. 

1.3 “EEA” means the European Economic Area, which includes member states of the European Union and Norway, Iceland, and Liechtenstein, and for purposes of this DPA, the United Kingdom.

1.4 “Privacy Policy” means the Processor’s Privacy Policy, available at .

1.5 “Standard Contractual Clauses” means the clauses attached as Appendix A to this DPA.

1.6 The following terms have the same meaning as set forth and defined in GDPR: “Processing,” “Personal Data,” “Data Subject,” “Controller,” “Processor,” “Joint Controller,” “Personal Data Breach,” “Data Protection Impact Assessment,” “Subprocessor,” and “Supervisory Authority.”

2. Applicability of this DPA.  This DPA shall apply only to the extent Company does business with customers located in the EEA or Switzerland and/or to the extent Processor Processes Personal Data of Data Subjects located in the EEA or Switzerland on behalf of Company or its affiliate(s).

3. Parties’ Roles.  Regarding the Processing of Personal Data in connection with Company’s use of the Services or Professional Services, Company is the Controller, Processor is the Processor, and Processor may engage Subprocessors in accordance with this DPA.  To the extent that Company is a Processor of Personal Data, Company appoints Processor as a Subprocessor, and such appointment does not change the rights or obligations of either Party under this DPA.

4. Data Processing.

4.1 Lawful Basis.  Company shall comply with all applicable laws protecting the privacy of Personal Data, including the EU Data Protection Laws.  Company warrants and represents that it has a lawful basis for acquiring and Processing Personal Data in connection with its use of the Services. 

4.2 Subject Matter.  The Agreement and any additional written instructions (as described in Section 4.5 below) set forth the subject matter of the Processing of Personal Data.

4.3 Duration.  The duration of Processing corresponds to the duration of the Agreement plus thirty (30) days to return or delete Personal Data as set forth in this DPA.  Processor may Process Personal Data beyond the term of the Agreement if required by law.

4.4 Nature and Purpose.  Processor shall only Process Personal Data on behalf of Company in accordance with Company’s documented written instructions for the following purposes:  (i) Processing in accordance with the Agreement; (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with additional written instructions provided by Company (including instructions provided by email) where such instructions are consistent with the terms of the Agreement. Processor may Process Personal Data as required by applicable law. The nature of Processing for these purposes may include collecting, storing, using, analyzing, and deleting Personal Data.

4.5 Types of Personal Data.  The Agreement and Privacy Policy set forth the types of Personal Data that may be Processed in connection with Company’s use of the Services. Company represents that it maintains a public-facing privacy statement or policy that fully and adequately describes the types of Personal Data Company Processes.

4.6 Categories of Data Subjects.  The Agreement and Privacy Policy set forth the categories of Data Subjects whose Personal Data may be Processed in connection with Company’s use of the Services. The categories of Data Subjects are determined by Company and may include Company’s students and prospective students. Company represents that it maintains a public-facing privacy statement or policy that fully and adequately describes the categories of Data Subjects whose Personal Data Company Processes.

4.7 Children’s Consent.  Company shall not use the Services to Process the Personal Data of a child under age 16 unless Company obtains specific and adequate consent from the holder of parental responsibility over such child.  

4.8 Special Categories of Personal Data.  Company shall not use the Services to Process special categories of Personal Data, as defined in Article 9 of GDPR. 

5. Security Measures and Confidentiality.

5.1 Technical and Organizational Measures.  Processor shall implement and maintain appropriate technical and organizational measures for protection of the security of Personal Data, taking into account the state of the art; the costs of implementation; the nature, scope, context, and purposes of Processing; and the risk to the rights and freedoms of Data Subjects.  Processor may modify these measures to reflect technical progress and further development, but Processor will not materially decrease the overall security of the Services.  

5.2 Confidentiality.  Processor shall ensure that any person authorized to Process Personal Data, including its employees and Subprocessors’ employees, is subject to a duty of confidentiality regarding the Personal Data.

5.3 Legal Compliance.  Processor shall comply with all applicable laws protecting the privacy of Personal Data.  In the case of any legal or regulatory obligation of Processor to disclose Personal Data, Processor shall (i) notify Company within three (3) business days; (ii) cooperate with Company; (iii) limit any disclosure to the minimum required by law; and (iv) request that such information be kept confidential.  

5.4 Return or Deletion of Personal Data.  Upon termination or expiration of the Agreement, to the extent allowed by applicable law, Processor will either delete or return all Personal Data that Processor possesses in connection with Company’s use of the Services within thirty (30) days.

5.5 Audits.  Subject to the confidentiality provisions of the Agreement, Processor shall allow Company (or Company’s representative) to conduct an on-site audit of the procedures relevant to the protection of Personal Data.  Prior to any such audit, the Parties will agree on the scope, timing, and duration of the audit, as well as any applicable security and confidentiality controls. 

6. Subprocessors.

6.1 Appointment; Data Transfers.  Company authorizes Processor to engage subcontractors to process Personal Data.  A list of the current Subprocessors may be found at .  Processor shall impose data protection obligations on each Subprocessor that are substantially similar to the data protection obligations set forth in this DPA.  Before transferring Personal Data to any Subprocessor located in a country deemed not to provide an adequate level of protection for Personal Data, the Subprocessor must (i) execute the Standard Contractual Clauses approved under EU Data Protection Laws; or (ii) adhere to another safeguard for data transfers recognized under EU Data Protection Laws.

6.2 Changes.  Processor will notify Company prior to any changes to the Subprocessors.  Company has thirty (30) days after Processor’s notification of the intended change to object to the addition or replacement of a Subprocessor.  If Company does not object within such period, the Subprocessor may process Personal Data.  If Processor does not accommodate Company’s objection, Company may terminate the affected services.  Processor will refund any pre-paid charges for the period after such termination date.

7. Assistance.

7.1 Data Subject Request.  Processor shall assist Company in responding to any inquiry or request from a Data Subject exercising his or her rights related to the Processing of Personal Data (e.g., the right to access or rectification).  Processor will inform Company of any Data Subject inquiry or request addressed directly to Processor within three (3) business days.  

7.2 Data Protection Impact Assessments.  Processor shall assist Company in complying with Company’s obligation under GDPR to carry out a Data Protection Impact Assessment related to Company’s use of the Services.

7.3 Prior Consultation with Supervisory Authority.  Processor shall provide Company with reasonable assistance in prior consultation with the Supervisory Authorities.

7.4 Personal Data Breach.  Processor shall notify Company within three (3) days after becoming aware of a Data Breach involving Personal Data Processed in connection with Company’s use of the Services.  Processor shall assist Company with Company’s obligation to notify the Supervisory Authority and, when necessary, Data Subjects.  Processor shall make reasonable efforts to identify and remediate the cause of a Personal Data Breach.  

8. Miscellaneous.

8.1 Indemnification and Limitation of Liability.  This DPA does not modify, alter, or amend the Parties’ rights and obligations regarding Indemnification and Limitation of Liability under the Agreement, and any breach of this DPA constitutes a breach of the Agreement.

8.2 Order of Precedence.  In the event of a conflict between the Agreement and the DPA, the DPA controls.  In the event of a conflict between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.

8.3 Data Protection Officer.  Company shall send any inquiries or communications related to this DPA or to the Processing of Personal Data to Processor’s Data Protection Officer .

IN WITNESS WHEREOF, each Party has caused this DPA to be executed by its duly authorized representative.

“Company”:

Penn-Troy Manufacturing, Inc.

Print Name:

Title:

Date:

“Processor”:

Print Name:

Title:

Date: