Data security and privacy

We believe that privacy is a fundamental human right and we endeavour to do right by our customers, to make overall positive contributions to society, and to maintain our decency as human beings.

We collect a minimum amount of personal information required to offer and improve our offerings to you. Any personal information you share with us belongs to you. By understanding what data we collect and why, you are empowered to decide what collection is legitimate.

We are committed to being competent and trustworthy in the secure communication, management, and destruction of information that we do collect or are privy to.

You may be asked to provide your personal information anytime you are in contact with Vivid or a Vivid affiliated company. You are not required to provide the requested personal information, but, if you chose not to do so, we might not be able to provide our services to you. Except information essential to operate our services as described in this notice, whether we collect this data is your decision.

Information you provide voluntarily: We collect information that identifies you, including your name, mailing address, phone number, email address, communication preferences, IP address, company information, and content of communications, when you:

• Contact us, such as to request support, or by leaving feedback through a partner's service.
• Make a purchase.
• Subscribe to a marketing email campaign.
• Interact with Vivid's information services.

When you make purchases, we do not collect credit card or other financial information other than confirmation that your payment has been made in a certain amount.

If you submit any personal information about other people to us or to our service providers, you are responsible for making sure that you have the authority to do so and to allow us to use their personal information in accordance with this Privacy notice (for example, by your asking for their consent).

We collect your personal information from other parties (specific list at Data disclosure to third parties) to help complete and maintain the accuracy of our data in order to provide and improve service to you:

• We combine your personal data with information from commercial partners, data set and information vendors, and other public sources in accordance with applicable law .
• We may co-create data sets with partners, such as for developing new capabilities and features.
• When you interact with Vivid's social networking, we may collect publicly available information about you from your social networking account, such as your name and field of work.

We take steps to confirm that information we receive from these third parties has been collected with your consent or that these parties are otherwise legally permitted to disclose your personal information to us.

We process your personal data mindfully in the operation of our business to generate outcomes that benefit you and Vivid while respecting your privacy.

To the extent necessary to perform our contract with you, or to take steps linked to a contract:

• Authenticate your identity.
• Serve you with our offerings to which you are entitled, and any offerings that you have requested such as information and support.
• Provide you with important communications such as security alerts, changes in policy, or about subscriptions that are ending.

Where you give Vivid your consent or otherwise in accordance with your communication preferences:

• Send you information about Vivid products and services, special offers, and similar information.
• Conduct surveys and market research about our customers, their interests, the effectiveness of our marketing, and customer satisfaction.

As required by Vivid to conduct our business and pursue our legitimate interests, in particular:

• To better understand our offerings so that we can improve them to serve you better.
• Diagnose and correct problems in our offerings.
• To perform accounting, auditing, billing, and reconciliation activities.
• Detect, prevent, or otherwise address fraud, crime, security, or technical issues, helping to protect the legal rights of you and Vivid.
• To fulfill legal duties stipulated by accounting and other laws.
• In connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of information in connection with legal process or litigation).
• As described in supplemental notices at point of collection.

On other occasions where we solicit your consent, we will use the information for the purposes which we explain at that time in supplementary notices.

We work through our affiliates, authorized suppliers, and business partners to provide some of the Vivid offerings. These companies are located all over the world, and we require them to protect your privacy. They are not authorized by us to use your personal data we disclose to them for their own purposes.

When we share your personal information with these entities, we put in place appropriate measures to limit the use of your information only for legal and authorized purposes that are consistent with this Privacy notice, as well as appropriate confidentiality and security measures.

We may disclose your data in the following circumstances:

• When we have your consent to do so, consistent with this Privacy notice.
• With our partners, service providers, and other third parties Data disclosure to third parties strictly for the purposes indicated in this Privacy notice.
• When we are required to do so by law, such as to respond to a subpoena or a court order.
• When we have a good faith belief that the disclosure is necessary to prevent or respond to fraud or theft, defend ourselves against attacks, or protect the rights, property, and safety of Vivid, our customers, and the public.
• As part of a contemplated or actual corporate transaction such as a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). In such an event, your data will likely be transferred to the other entities, while, to the fullest extent manageable, still being subject to the terms of this Privacy notice.
• When the data can no longer identify you. This can happen through aggregation, where your data is combined with other data to become a statistic.

Sharing sensitive information with Vivid: When weighing a decision to share sensitive information with Vivid, please err on the side of redacting sensitive information prior to sharing. A short, memorable form of this principle is "If in doubt, leave it out." As an example, when sending a screenshot to illustrate a particular situation, correspondents frequently censor identifying information such as titles, summaries, and peoples' names. Should further information be necessary, we can discuss the matter at that time.

Publicly sharing personal data on Vivid properties: When you use certain Vivid offerings the personal information and content you share is globally visible and can be read, collected, or used by others without restriction. You are responsible for the personal information you choose to share or submit in these instances. For example, if you list your name and email address in a forum posting, that information is public. Please take care when using these features.

For the purposes of the GDPR, if you are a resident of the European Economic Area you may be the "data subject" of your personal data processed by Vivid, the "data controller".

You have the right to be informed of what personal data we hold about you and how that data is being processed, to request access that data, and to receive a copy of your personal data in a portable format.

When we process personal data based on your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect (1) the lawfulness of any processing we conducted prior to your withdrawal, or (2) processing your personal data under other legal bases.

If you request correction, updating, or erasure of your personal data, please note that we may still need to retain certain data for recordkeeping purposes, and/or to complete any transactions that you began prior to requesting such change or deletion. For example, when you make a purchase, you may not be able to change or delete the personal data provided until after the completion of such purchase. Some of your data may also remain within our systems and other records where necessary for compliance with applicable law. Vivid will communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

Similarly, you can restrict or object to the processing of your personal data. We may then no longer process the personal data relating to you unless Vivid demonstrates compelling legitimate grounds, such as to fulfill outstanding obligations to you or for defence of legal claims.

You can access or update your contact details and modify your communication and marketing choices using one of the following methods:

• Adjusting your Vivid ID.
• Modifying your mailing preferences (accessible from within mails sent by Vivid.)
• Making a request to Vivid using the methods described in Contact Vivid.

Vivid does not conduct automated decision-making and profiling based on personal data.

If you wish to exercise a right or need further information, please let us know using the methods described in Contact Vivid. We may charge a processing fee for this service where permitted by law, and we will ask you to authenticate your identity before fulfilling your request. If you believe we are using your personal data in a way that is inconsistent with this Privacy notice or for more data about your rights, contact your data protection authority .

Vivid sends emails to you only under certain conditions, particularly when you apply for a free trial of or purchase a Vivid offering or when you have expressed interest in receiving emails regarding a particular topic such as early product access information or security alerts.

Emails we send you may include a technology (called a beacon) that tells Vivid whether the email has been opened or link in the email has been clicked.

If you do not want us to collect this information, you can change your subscription preferences or opt out of receiving these emails using the subscription management links provided within the emails.

Visits to our websites, use of cookies, and creation of log files: Our system automatically receives information from your computer system every time you visit any of our websites. A variety of identifying information may then be collected by Vivid, particularly:

• Information about the web browser you are using.
• Information about the operating system you are using.
• Your IP address.
• The date and time of your visit.
• Information provided by your web browser, including cookies.

Cookies are stored on your computer whenever you visit our websites. You can control how websites use cookies by configuring your browser's privacy settings. If you disable cookies from our websites, you might not be able to use all website functions in full.

The collected web server log information is stored in our system logs. These logs, taken together with the cookies and those items in the Data disclosure to third parties, comprise the only tracking mechanisms that Vivid explicitly employs throughout our websites.

The primary uses of the collected tracking information are:

• Temporarily store the data referred to, as the IP address must be stored temporarily by the system in order to transmit the web-based contents to your computer.
• Analyze and improve service offerings, including optimizing the navigability of our websites for the express purpose of improving user experience.
• Ensure the functioning of the websites.
• Assist to guarantee the security of our information technology systems.

The data will be erased or redacted in a way that prevents them being associated to you as soon as they cease to serve the purposes outlined in this section. Data stored in web system logs are automatically erased after an interval, typically measured in months.

Secure Communications: Vivid's websites are accessible only by HTTPS. Because compliant web browsers do not send the referer to Vivid in the HTTP meta-data, your browsing activity immediately prior to visiting the website will not be communicated to Vivid, and following offsite links will not inform the next website that you are coming from Vivid.

Origin of Content: Excepting Vivid's use of customer-facing systems from third-party vendors such as the Vivid Support system and items in the Data disclosure to third parties, all content downloaded by the web browser user agent from Vivid's websites is hosted within Vivid's web properties; no content is hosted off-site. An advantage to this approach is that the web content does not direct web browsers to seek content hosted on other websites such that their operators would be informed of your browsing activity.

Data may be transferred between Vivid's IT systems or to Data disclosure to third parties in countries other than the country of your residence.

Vivid implements appropriate physical, technical, and administrative industry-standard security measures to protect data, including personal data, against loss, misuse, tampering, and unauthorized processing.

Data in Transit: For example, when transmitting information over the Internet we require the use of encryption such as Transport Layer Security (TLS).

Data at Rest: A portion of infrastructure hosting and software is entrusted to third parties. While Vivid cannot vouch for the integrity of these elements, Vivid has taken and continues to take significant, pragmatic steps to systematically eliminate the possibility for security breach and information leakage to any party outside of Vivid, such as storing data in encrypted form on third-party storage.

We require our suppliers and vendors to apply similar protections when we share personal data between us.

Vivid employs third-party systems to offer service to you. Such third-party systems may include tracking mechanisms unknown to us; we claim no knowledge or involvement in these schemes. We take an interest in multi-level isolation of each such system to blindly preempt technical possibilities, and within reason in attempting actual nullification of any such mechanisms that we learn of.

Vivid will never ask you for your password or other security tokens.

Vivid Inc. is not aware of any obligation, legal or otherwise, to undermine customer security.

To ensure your personal information is always securely handled consistent with this notice, we communicate our privacy and security guidelines to Vivid members and strictly enforce privacy safeguards within the company.

Vivid offerings are explicitly designed to respect your privacy.

We store data including your personal data and content on our systems as well as those of our service providers. Because we and our service providers maintain servers in global locations, your personal data may be transferred across national borders.

We retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy notice and in supplemental notices and as needed to comply with our legal obligations. When assessing these periods we carefully examine our need to collect personal information at all and if we establish a relevant need we only retain it for the shortest possible period to realize the purpose of collection unless a longer retention period as outlined elsewhere in this notice.

Personal data is deleted or destroyed using appropriate security protocols so that it cannot be reconstructed or read.

We may provide links to external websites and services operated by unaffiliated third parties which we believe may be of interest to you. Because this Data security and privacy refers exclusively to Vivid Inc. and its properties, we encourage you to review the data security and privacy policies applicable to those external services.

Vivid does not knowingly collect the personal information of children without proper consent from a parent or legal guardian. If you believe that we may have collected personal information from a child without the requisite consent, please let us know using the methods described in Contact Vivid and we will investigate and promptly address the issue.

Children, or their legal guardians, may change or revoke the consent choices previously made or request access to or removal of any personal information that they have provided or posted to Vivid sites by contacting us using the methods described in Your Rights and Choices or Contact Vivid. Within thirty days of such a request (unless another period is provided by law) Vivid will anonymize, or remove from public view such content unless legally required to retain such content or information.

If and when the way we treat your personal data changes, we will inform you by updating this Data security and privacy and revising the "Effective Date" at the top of this notice. Should the changes materially affect the use of your personal data, we will also attempt to inform you by email.

If you have a question, concern, or request regarding Vivid's privacy practices or wish to exercise any of your rights and choices as described in this Data security and privacy you can contact us by email at .