Website Privacy Policy

Effective Date: October 21, 2024

1. INTRODUCTION.

2. WHEN DOES THIS PRIVACY NOTICE APPLY.

3. PROCESSING OF YOUR PERSONAL DATA.

4. SHARING OF PERSONAL DATA.

5. INTERNATIONAL DATA TRANSFERS.

6. HOW IS MY PERSONAL DATA SECURED.

7. RETENTION OF PERSONAL DATA.

8. ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS.

9. SHINE THE LIGHT LAW.

10. ADDITIONAL RIGHTS FOR NON-U.S. RESIDENTS.

11. IDENTITY OF THE CONTROLLER OF PERSONAL DATA.

12. YOUR RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY.

13. CHILDREN’S PERSONAL DATA.

14. UPDATES TO PRIVACY NOTICE.

15. CONTACT US.


1. INTRODUCTION

1.1 This Privacy Notice (“Notice”) describes the information that Rheem Manufacturing Company and its subsidiaries and affiliates (collectively, “Rheem”, or “we”) collect, use, share and store about you, including personal data, and provides guidance and information regarding our processing of personal data. For purposes of this Notice, Data Protection Legislation generally defines “personal data” as any information about an identifiable individual, which includes information that can be used on its own or with other information to identify, contact, or locate a single person.

1.2 We are committed to protecting and respecting your privacy. This Notice sets out the legal bases we rely on when processing any personal data we collect from you that you provide to us, either directly or through our trusted partners, or that we obtain from others. Please read this Notice carefully to understand how we process personal data about you.

1.3 In this Notice, references to “you” mean the person about whom we collect, use and process personal data.

1.4 We will use personal data about you only for the purposes and in the manner set forth below, which describes the steps we take to ensure that our processing of personal data complies with U.S. laws and regulations, including the California Privacy Rights Act (“CPRA”), Canadian Privacy laws and regulations, as well as with European Union Law, including Regulation (EU) 2016/679, known as the General Data Protection Regulation (“GDPR”), any subsequent amendments or successor laws thereto, and if applicable any local national laws implementing the GDPR (collectively referred to as “Data Protection Legislation”).

1.5 We seek to maintain the privacy, accuracy, and confidentiality of data (including personal data about you) that we collect and use.

2. WHEN DOES THIS PRIVACY NOTICE APPLY

2.1 This Notice applies to personal data that we collect, use, disclose and otherwise process about you in connection with your relationship with us. This includes personal data we collect about you, or you provide to us, through our websites, mobile applications, or call centers; through product registrations; and through any other online or offline methods through which we communicate with you, as well as when we obtain personal data about you from a third party. It does not apply to Rheem employees or to those applying for jobs with Rheem. While this Notice is inter alia designed to comply with privacy requirements across the United States, it is not meant to imply that all state privacy laws necessarily apply, or apply across all categories of personal data.

3. PROCESSING OF YOUR PERSONAL DATA

3.1 The personal data we collect about you helps us provide the best possible support for your products, optimize your use of our websites and mobile applications, and show advertisements to you based on your interests. In addition, we are required to process certain personal data for legal, regulatory, tax and auditing purposes. The personal data we collect, the basis for our processing, and the purposes of our processing, are detailed below. Sometimes, these activities are carried out by third parties (see “Sharing of Personal Data” section below).

3.2 You are not required to provide all the personal data described below to us; however, if you choose not to do so, we may not be able to offer you certain services and related features. You may provide personal data to us in various ways. The types of personal data we may obtain include the following:

1 Note: The collection, use and disclosure of personal data for individuals subject to Canada’s privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), are based solely on the consent principle.

Personal data we process / collect: If your product is registered with us by you, or via contractors or plumbers, we will collect your name, postal address, email address, telephone number, or other identifiers by which we may contact you online or offline. We will also maintain this information with your purchase history.
Basis of processing: It is necessary for the performance of our contract with you to provide warranty service (including any potential recalls) as necessary.
Purpose of processing / collection: This is required to register your product or to provide you with service under the warranty, including any recalls.

Personal data we process / collect: If you purchase an extended warranty, or make a claim under any warranty, we will collect your name, postal address, email address, telephone number, or other identifiers by which we may contact you online or offline, purchase history, installation information, and credit card or other payment details.
Basis of processing: It is necessary for the performance of our contract with you if you purchase an extended warranty or make a claim under any warranty.
Purpose of processing / collection: This is required to provide extended warranties to your purchased products, and to process and fulfill claims in connection with our products and to inform you of the status of claims.

Personal data we process / collect: If you sign up for a contest or promotion, we will collect your name, email address, telephone number, product interest, and postal address.
Basis of processing: Consent.
Purpose of processing / collection: This is required to enter you into the contest or promotion you have chosen to participate in.

Personal data we process / collect: If you correspond with us, we will collect your name, contact details, and the details of your correspondence.
Basis of processing: We collect this information because in some cases it is necessary for the performance of a contract with you, and in other cases when it is in our legitimate business interest to do so, depending on the nature of the correspondence.
Purpose of processing / collection: We retain this information to keep track of our communications with you, to respond to your requests and inquiries, and to provide you with the best possible service.

Personal data we process / collect: If you respond to any surveys, we will collect your name and your responses, some of which may include personal data.
Basis of processing: We retain this information because it is in our legitimate business interest to do so.
Purpose of processing / collection: We retain this information to understand how you use our products to improve our products and services, for developing new products and features, and to administer your participation in surveys and market research.

Personal data we process / collect: If you access our websites, we will collect non-persistent information about your computer equipment, device IP address, operating system, browser type, and browsing behavior including the details of your visits to our website, web traffic data, location data, and logs.
Basis of processing: We process this information based on our legitimate business interests, or with your consent.
Purpose of processing / collection: We process this information to enable and monitor your use of our websites and services, and to improve those services. We also collect this information so that you will not have to re-enter it when you use our services, to track and understand how you use and interact with our websites and applications, to tailor our services around your preferences, and to enable us to manage and enhance our services.

Personal data we process / collect: If you access our websites, we will collect persistent information, including your device IP address, domain name, identifiers associated with your device, device and operating system type and characteristics, web browser characteristics, language preferences, clickstream data, your interactions with our products and services, the pages that led or referred you to our websites or applications, dates and times of access, geolocation information, and other information about your use of our websites and applications.
Basis of processing: We process this information based on your consent.
Purpose of processing / collection: We use this information to provide you with interest-based (behavioral) advertising or other targeted content. For geolocation information, we use this information to understand where our products are used, and to respond to service requests or automatic service notifications.

Personal data we process / collect: Content you post in public areas of our websites, and 3rd party industry and social media sites.
Basis of processing: We process this information based on our legitimate business interests. Please note that third party sites may have their own collection policies and processes, which we do not control.
Purpose of processing / collection: We use this information to effectively communicate with you, respond to your requests or inquiries, and to better understand how our products are used.

Personal data we process / collect: If you use any Rheem App, we will collect identifiers such as your name, geolocation information, telephone number, email, IP address and the name or designation you give to your account. The app would also collect certain additional information about your connected products, including but not limited to usage history, functionality and other statistics.
Basis of processing: We process this information on the basis of the performance of a contract, or on the basis of consent.
Purpose of processing / collection: When you sign up for connected services, we use the information to administer your Rheem App account, manage its interaction with your connected products, and to send you fault alerts or status updates. We use geolocation information for various purposes including for you to be able to set your home location, and to determine the distance you are from your home location. This allows your equipment to save energy by only running when you are within a certain distance of your home location. This feature is completely optional and can be controlled from within your App.


Additional Information for California Residents


The personal information that we collect from you may include information within the below categories of data. These categories also represent the categories of personal data that we have collected over the past 12 months. Note that the “category of data” column listed below refers to the category of personal data as defined under the California Privacy Rights Act (“CPRA”). Inclusion of a category in the list below indicates only that we may collect some information within that category. It does not necessarily mean that we collect all information listed in a particular category.


Please see section 3.3 for information on where we obtain the below information.


We disclose the below categories of information to our affiliates and service providers.

Category of Personal Data: Personal identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
Purpose of processing: This data is necessary to:

  • Set up and administer your account
  • Offer you products or services that may be of interest to you
  • Register you under our warranty program and to make repairs under the warranty
  • Assess the success of our marketing and advertising campaigns
  • Respond to your queries

Category of Personal Data: Additional personal identifiers, including: Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, your name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Purpose of processing: This data is necessary to:

  • Set up and administer your account
  • Offer you products or services that may be of interest to you
  • Register you under our warranty program and to make repairs under the warranty
  • Assess the success of our marketing and advertising campaigns
  • Respond to your queries

Category of Personal Data: Characteristics protected by federal or state law, including: familial status, disability, sex, national origin, religion, color, race, sexual orientation, gender identity and gender expression, marital status, veteran status, medical condition, ancestry, source of income, age, or genetic information.
Purpose of processing: We collect this data to the extent necessary to accommodate any accessibility needs you may have if you come in to our facilities.

Category of Personal Data: Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
Purpose of processing: This data is processed to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics.

Category of Personal Data: Sensory Information: Audio, electronic, visual, thermal, olfactory, or similar information.
Purpose of processing: A subset of this data is processed in connection with our closed-circuit television footage and system and building login and access records. It is also used to record customer service calls.


In addition to the information above, we also collect the following categories of sensitive personal information:

Category of Sensitive Personal Information: Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
Purpose of processing:

  • We collect this information directly from you and it is necessary to open and maintain an account with us, as well as to pay for our goods and services.


We only process sensitive personal information for those purposes necessary to provide this service.


3.3 Where does Rheem obtain personal data about me?

Information you provide:

We obtain personal data about you directly from you, or via contractors and plumbers who assist you, when you register a product, when you extend a warranty, and when you submit information to us via our websites or mobile applications. We may also collect personal data in the course of the performance of your contract with us or if you contact us via phone, email or direct messaging services provided by third-party social media platforms.

Information we collect automatically:

As discussed above, when you navigate through and interact with our websites or mobile applications or through email, we may use automatic data collection technologies to collect information about you. This includes browser cookies, Flash cookies, web beacons, device identifiers, server logs, and other technologies.

Some content or applications, including advertisements on our websites, are served by third parties, including advertisers, ad networks and servers, content providers and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our websites, but only with your consent. Third parties that collect such information may associate it with your personal data where permitted by law, or they may collect information, including personal data, about your online activities over time and across different websites and other online services. They or Rheem may use this information to provide you with interest-based (behavioral) advertising or other targeted content.


We do not track information about an individual consumer’s online activities over time and across third-party websites or online services (i.e. cross-contextual behavioral advertising) except with your specific, opt-in consent. Accordingly, we do not monitor or take any action with respect to Do Not Track signals (including the Global Privacy Control signal). You may manage your preferences by visiting rheem.com.


Information we obtain about you from third parties:

We may receive personal data about you from contractors or plumbers who may assist you in registering your products and purchasing extended warranties.

We also use public records to send out mailings via the post office.

4. SHARING OF PERSONAL DATA

4.1 We do not sell personal data for any commercial or marketing purposes, have not sold personal data in the preceding 12 months and will not sell personal data. We also do not share personal data for cross-context behavioural advertising.

4.2 The following are limited circumstances where we may share your personal data with third parties:

4.2.1 External vendors, service providers, and technicians who help with our data processing and storage;

4.2.2 In connection with a merger or sale of the company and/or parts of its assets, your personal data may be transferred as part of the merger or sale;

4.2.3 Contractors or plumbers who may assist you in registering your products or purchasing extended warranties, or performing diagnostics or service;

4.2.4 Third parties who you have requested information from us for purposes of financing or rebate information;

4.2.5 Affiliates, subsidiaries, divisions, and service providers who provide services to us or on our behalf;

4.2.6 Third parties who assist us in providing our products and services and to help us understand your use of our products;

4.2.7 External professional advisors;

4.2.8 Select third party vendors, business partners, conference sponsors/exhibitors and other companies so that they can send promotional materials about products and services (including special offers or promotions);

4.2.9 For any other purpose disclosed by us when you provide the information; and

4.2.10 With your consent.

We endeavour to require all service providers with whom we share personal data about you to provide assurances regarding the confidentiality and security of that information, including to only use such information for the purpose for which it was provided and in accordance with this Notice.

Sharing of personal data excludes text messaging originator opt-in data and consent; this information will not be shared with any third parties.

4.3 We may also disclose your personal data:

4.3.1 To comply with any court order, law, or legal process, including to respond to any government or regulatory request, in accordance with applicable law.

4.3.2 To enforce or apply our terms of use and other agreements (including warranties) and for billing and collection purposes.

4.3.3 If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Rheem, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

4.3.4 To others, where it is permitted by law.


5. INTERNATIONAL DATA TRANSFERS

5.1 From time to time your personal data may be transferred, stored and processed in foreign countries, including the United States, with different privacy laws that may or may not be as comprehensive as the Data Protection Legislation in your home country or may not be subject to an adequacy decision (as applicable) by the European Commission or the United Kingdom. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal data through the laws of the foreign country. For transfers of personal data to foreign countries, we take additional steps in line with all applicable laws, including European and Canadian Data Protection Legislation. We have put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights. Whenever we engage a service provider in a foreign country, we require that its privacy and security standards adhere to this policy and applicable Data Protection Legislation.

6. HOW IS MY PERSONAL DATA SECURED

6.1 We operate and use reasonable administrative, technical and physical security measures to protect your personal data.

6.2 We have in particular taken security measures to protect personal data about you from accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. Access is granted on a need-to-know basis to those employees and other people whose roles require them to process personal data about you.

7. RETENTION OF PERSONAL DATA

7.1 We will keep personal data about you for as long as it is necessary to fulfill the purposes for which we process it as described above in Section 3, or if we have another lawful basis for retaining the data beyond the period for which it is necessary to serve the original purpose for collecting the data. This may mean that we will retain some information about you for longer than we retain other information. The criteria we use to determine data retention periods for personal data include the following:

7.1.1 Retention of user account details; we will retain it for a reasonable period after the relationship between us has ceased;

7.1.2 Retention in case of queries; we will retain it for a reasonable period after the relationship between us has ceased;

7.1.3 Retention in case of claims; we will retain it for the period in which it may be enforced; and

7.1.4 Retention in accordance with legal and regulatory requirements; we will consider whether we need to retain any additional period because of a legal or regulatory requirement.

7.2 Under some circumstances we may anonymize your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose, including sharing it with utility companies, without further notice to you or your consent.

7.3 If you would like further information about our data retention practices, please contact us.

8. ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS AND OTHER US STATE RESIDENTS

8.1 Depending on your residency, you may be entitled to the following rights under the California Consumer Privacy Rights Act (“CCPA”) or other US state privacy law, subject to certain conditions and limitations. We may choose to provide these rights, even if we are not required to do so.

8.1.1 RIGHT TO KNOW
You may request to receive, in a portable and, to the extent technically feasible, readily usable format:

(1) The categories of personal information
(2) The categories of sources from which the personal information is collected
(3) The business or commercial purpose for collecting or selling personal information
(4) The categories of third parties with whom we share the personal information
(5) The specific pieces of personal information we have collected about you (although note that we cannot provide you with sensitive personal information)

8.1.2 RIGHT TO DELETE

You may request that we delete any personal information about you which we have collected. If it is necessary for us to maintain the personal information for certain purposes, we are not required to comply with your deletion request. If we determine that we will not delete your personal data when you request us to do so, we will inform you and tell you why we are not deleting it.

8.1.3 RIGHT TO OPT-OUT OF SALE OR SHARING OF PERSONAL DATA

As stated above, we do not sell personal information or share it for cross-context behavioral advertising.

8.1.4 RIGHT TO LIMIT THE USE OR DISCLOSURE OF SENSITIVE PERSONAL INFORMATION

As stated above, we only process sensitive personal information for necessary purposes.

8.1.5 NO DISCRIMINATION

You will not be discriminated against because you exercised any of these rights.

8.2 HOW TO SUBMIT A REQUEST

To exercise certain rights, you must submit a verifiable request to us by clicking here to submit a request via our web portal, or by contacting us directly at compliancemanager@rheem.com and providing the requested information.

To submit a verifiable request, you will be asked to provide certain information to help us verify your identity. The information we ask you to provide to initiate a request may differ depending upon the type of request, the type, sensitivity, and value of the personal data that is the subject of the request, and the risk of harm to you that may occur as a result of unauthorized access or deletion, among other factors. We may also require you to provide a written declaration that you are who you say you are.

You may designate an authorized agent to make a request to know or delete on your behalf by submitting a signed declaration of representation.

If we cannot verify your identity or authority to make the request, we will not be able to comply with your request. We will inform you if we cannot verify your identity or authority. We will only use personal information provided in a verifiable request to verify the requestor’s identity or authority to make the request.

We will notify you if we are unable to honor your request. Based on your residency, you may have the right to appeal our decision with regard to your request by contacting us directly at compliancemanager@rheem.com or by using the “Contact Us” details provided at the end of this Notice.

8.3 HOW WE COLLECT, USE AND SHARE PERSONAL DATA OF CONSUMERS

8.3.1 Categories of Personal Data and Business Purposes for Collection

The categories of personal data we have collected from Consumers in the past twelve (12) months and the business purpose(s) for collecting the information are listed above in Section 3.2.

8.3.2 The Sources of Collection

The sources from which we might collect personal data about you are listed above in Section 3.3.

8.3.3 With Whom We May Share Your Personal Data

The categories of third parties we may share your personal data with are listed above in Section 4.2.

8.4 PERSONAL DATA OF MINORS

Rheem does not intentionally collect or process personal data about minors under the age of 16.

9. SHINE THE LIGHT LAW

Annually, California residents may be able to request and obtain information that Rheem shared with other businesses for their own direct marketing use within the prior calendar year (as defined by “California’s Shine the Light Law”). If applicable, the information would include a list of the categories of Personal Data that were shared, together with the names and addresses of all third parties with which Rheem shared this information in the immediately preceding calendar year. To obtain this information under the Shine the Light Law, please send an email to compliancemanager@rheem.com with “California Shine the Light Privacy Request” in the subject line.

CONTACT FOR MORE INFORMATION

If you have any questions or concerns about Rheem’s Privacy Notice and practices, please contact our Chief Privacy Officer at Rheem Manufacturing Company, Attn: Chief Privacy Officer, 1100 Abernathy Road, Suite 1700, Atlanta, GA 30328 or call 770-351-3000.

10. ADDITIONAL RIGHTS FOR NON-U.S. RESIDENTS

You may have various rights under data protection legislation in your state or country (where applicable).

To the extent permitted by applicable law and subject to certain conditions, you may (1) seek confirmation regarding whether Rheem is processing personal data about you; (2) request access to the personal data that we maintain about you; (3) request that we update, correct, amend or erase or restrict information about you; or (4) exercise your right to data portability, by clicking here to submit a request via our web portal, or by contacting us directly at compliancemanager@rheem.com. In addition, you may object to Rheem’s processing of your personal data at any time; however, doing so may impact your use of the services that we provide. To protect your privacy, Rheem will take commercially reasonable steps to verify your identity before granting access to or making any changes to your personal data. We may ask that you provide us with your name, postal address, email address, telephone number, and/or equipment serial number.

Your right

What does it mean?

How do I execute this right?

Conditions to exercise?

Right of access

Subject to certain conditions, you may have a right to access personal data about you which we hold.

You may make a request for access to personal data via our web form by clicking here, or in writing to compliancemanager@rheem.com. Please specify the type of personal data you would like to access.

1. We must be able to verify your identity.

2. Your request may not affect the rights and freedoms of others.

3. We generally do not provide access to data we keep solely for data backup purposes.

4. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

Right of data portability

Subject to certain conditions and limitations, you may have the right to receive from us personal data which you have provided to us.

You may make a request for data portability via our web form by clicking here, or in writing to compliancemanager@rheem.com. Please specify the type of information you would like to receive.

Your right to data portability is limited. It applies only when:

1. our processing is based on your consent or on our contract with you; and

2. our processing is done through automated means (e.g. not paper records); and

3. you provided us with the personal data at issue.

Rights in relation to inaccurate or incomplete personal data

You may challenge the accuracy or completeness of personal data about you. If the personal data is inaccurate, you may be entitled to have the inaccurate data removed, corrected or completed, as appropriate.

Please notify us of any changes regarding personal data about you as soon as they occur.


You may make a request via our web form by clicking here, or in writing to compliancemanager@rheem.com.

This right applies only if our processing of personal data about you is based on our legitimate interests (see Section 3 above). Any objections must be based on your particular situation and must contain specific reasons.

Right to object to or restrict our data processing

Subject to certain conditions, you may have the right to object to or ask us to restrict the processing of personal data about you.

You may make a request via our web form by clicking here, or in writing to compliancemanager@rheem.com.

This right applies only if our processing of personal data about you is based on our legitimate interests (see Section 3 above). Any objections must be based on your particular situation and must contain specific reasons.

Right to have personal data erased

Subject to certain conditions, you may have a right to have your personal data erased, e.g., where you think that the information we are processing is inaccurate, or the processing is unlawful.

You may make a request via our web form by clicking here, or in writing to compliancemanager@rheem.com.

We may not be in a position to erase personal data about you, for example:

1. where we have to comply with a legal obligation;

2. in case of exercising or defending legal claims; or

3. where retention periods apply by law or regulations.

Right to withdrawal

You may have the right to withdraw your consent to any processing for which you have previously given that consent.

You may make a request via our web form by clicking here, or in writing to compliancemanager@rheem.com.

If you withdraw your consent, this will only take effect for the future.


11. IDENTITY OF THE CONTROLLER OF PERSONAL DATA

For the purposes of Data Protection Legislation, the Data Controller is Rheem Manufacturing Company, a U.S. organization with its principal place of business at 1100 Abernathy Road, Suite 1700, Atlanta, GA 30328.


12. YOUR RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Without prejudice to any other administrative or judicial remedy you might have, you may have the right under data protection legislation in your country (where applicable) to lodge a complaint with the relevant data protection supervisory authority in your country if you consider that we have infringed applicable data protection legislation when processing personal data about you. This means the country where you are habitually resident, where you work or where the alleged infringement took place.


13. CHILDREN’S PERSONAL DATA

The products and services that we offer are designed for a general audience and are not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we learn we have collected or received personal data from a child under the age of 16, we will promptly delete the information.

14. UPDATES TO PRIVACY NOTICE

We reserve the right to change this Notice at any time in our sole discretion without prior notice to you to reflect changes. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically visiting our website and this Notice to check for any changes. We will indicate at the top of the Notice when it was most recently updated. Accordingly, please refer back to this Privacy Notice frequently as it may change.

15. CONTACT US

For further information or if you have any questions or queries about this Privacy Notice, please contact the Chief Privacy Officer, Law Department, Rheem Manufacturing Company, 1100 Abernathy Road, Suite 1700, Atlanta, GA 30328, or call (770) 351-3000. Alternatively, you may make a request via our web form by clicking here, or in writing to compliancemanager@rheem.com. We have procedures in place to receive and respond to complaints or inquiries about our handling of personal data, our compliance with this Notice and with applicable privacy laws.