Privacy policy

Last updated: October 14, 2022

1. Purpose

This privacy policy ("Privacy Policy", "policy") describes how The Westervelt Company ("Westervelt", "we", "us") handles the data of all visitors and users ("you", "your") of websites and services hosted by us: what data is collected and why, how data is handled, how data is used, how data is protected, and the rights to your data.

2. Scope

This policy applies to all visitors and users of websites and services built and maintained by Westervelt, including but not limited to:

• Basil Ede Prints
• The Westervelt Company
• Westervelt Ecological Services
• Westervelt Forest Resources
• Westervelt Lodge
• Westervelt Lumber
• Westervelt Wildlife Services

2.1. Exclusions

2.1.1. Third-party websites

This policy does not apply to websites and services that are not owned or operated by Westervelt.

Our websites and services may contain external links to other websites. If you click on a link to a third-party website, you will be directed to that third party’s website. We do not control these websites and are not responsible for their privacy practices.

We encourage you to review the privacy policy of every website you visit.

2.1.2. Employees of The Westervelt Company

Employees of Westervelt that use our websites and services may be subject to additional privacy policies and procedures. In contrast to the policies outlined in this document, these policies may be more lenient in terms of the information collected and how it is used.

For example, personal information such as name, email address, and IP address may be collected and stored in our internal systems for the purposes of employee onboarding, payroll, and other human resources functions.

3. Definitions and Roles and Responsibilities

3.1 Definitions

3.1.1 California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act ("CCPA") is a California state law that requires companies to protect the personal data and privacy of California residents for transactions that occur within California. The CCPA went into effect on January 1, 2020.

The CCPA applies to any entity that offers goods or services to, or monitors the behavior of, California residents, regardless of the entity's location. The CCPA also applies to any entity that processes the personal data of California residents, regardless of the location of the entity processing their data.

The Westervelt Company is a company based in the US that does offer goods or services to, and monitors the behavior of, California residents. Therefore, we are subject to the CCPA.

3.1.2 Cookies

A cookie is a small text file that is stored on a user's computer or mobile device by a website's server. Cookies are used to store information about a user's preferences and browsing history, and to identify the user's device.

It might also collect information such as your browser type, operating system, web pages visited, duration of visit, content viewed, and other click-stream data.

A user can configure their browser to reject cookies, but doing so may prevent the user from using some or all of the features of the websites and services offered by The Westervelt Company.

3.1.2.1 First-Party Cookies

First-party cookies are cookies that are set by the website that the user is visiting.

3.1.2.2 Persistent Cookies

Persistent cookies are cookies that are not deleted when the user closes their browser. Persistent cookies are used to store information about a user's preferences and browsing history, and to identify the user's device.

3.1.2.3 Session Cookies

Session cookies are cookies that are deleted when the user closes their browser.

3.1.2.4 Third-Party Cookies

Third-party cookies are cookies that are set by a domain other than the one that the user is visiting.

3.1.3 Data Controller

The data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

3.1.4 Data Processor

The data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3.1.5 Data Subject

The data subject is any identified or identifiable natural person, whose personal data is being processed by the controller responsible for the processing.

3.1.6 Do Not Track (DNT)

Do Not Track (DNT) is a privacy preference that users can set in their web browsers. When a user sets the DNT preference, their browser sends a signal to websites, ad networks, plug-in providers, and other web services they interact with, requesting that those services disable their tracking of that user.

3.1.7 General Data Protection Regulation (GDPR)

The General Data Protection Regulation ("GDPR") is a European Union ("EU") regulation that requires companies to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR went into effect on May 25, 2018.

The GDPR applies to any entity that offers goods or services to, or monitors the behavior of, EU data subjects, regardless of the entity's location. The GDPR also applies to any entity that processes the personal data of data subjects who are in the EU, regardless of the location of the entity processing their data.

The Westervelt Company is a company based in the United States ("US") that does not offer goods or services to, or monitor the behavior of, EU data subjects. However, we recognize that the GDPR is a global standard for data protection and privacy, and we strive to meet the GDPR's requirements.

3.1.8 Internet Protocol Address (IP Address)

An Internet Protocol ("IP") address is a unique identifier for a device connected to a network or the Internet. An IP address can be used to identify the device, and the location from which the device is connecting.

An Internet Service Provider ("ISP") assigns an IP address to a device when it connects to the Internet. The IP address is used to route data packets between networks, and it is also used to track and control the devices that are connected to a network.

Some regulatory authorities, such as the GDPR, consider an IP address to be personal data.

3.1.9 Legitimate Use

A legitimate use is a use of personal data that is deemed to be lawful and fair by the relevant regulatory authority. For example, access, error, and security web server logs containing IP addresses can be considered legitimate uses of personal data.

3.1.10 Log Files

Log files are files that record website activity, including IP addresses, browser type, Internet Service Provider (ISP), referring/exit pages, platform used, and date/time stamp, among other data.

3.1.11 Personal Data

Personal data is any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.1.12 SSL/TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide communications security over a computer network. SSL/TLS is used to encrypt data sent between a web server and a web browser.

3.1.13 Third-Party Service Providers

Third-party service providers are companies that provide services to The Westervelt Company, such as website hosting, email delivery, web analytics, and error reporting.

3.1.14 Web Analytics

Web analytics is the measurement, collection, analysis and reporting of data about a website's visitors and their behavior.

3.1.15 Web Vitals

Web Vitals are a set of metrics that measure the user experience of a website. Web Vitals are used to measure the performance of a website, and to identify areas for improvement.

3.1.16 Website

A website is a collection of related web pages, including multimedia content, typically identified with a common domain name, and published on at least one web server.

3.2 Roles and Responsibilities

3.2.1 The Westervelt Company

The Westervelt Company is the data controller for the personal data collected by The Westervelt Company.

3.2.2 Third-Party Service Providers

The Westervelt Company uses the following third-party service providers to provide services on our behalf:

• Amazon Web Services
• Cloudflare, Inc.
• DataDog
• Gandi US, Inc.
• GitHub, Inc.
• Microsoft Corporation
• Plausible Analytics
• PostHog
• Sentry
• Twilio
• Vercel, Inc.

The above third-party service providers are data processors for the personal data collected by The Westervelt Company.

4. Policy

4.1 Data Collection

4.1.1 Personal Data

When you sign up for a service offered by The Westervelt Company, we collect your name, contact information such as email address and/or phone number, and other information that is necessary to provide you with said service.

On some of our websites, you have the option to sign up for a newsletter/mailing list using your email address. We use this information to send you occasional emails about our products and services.

We do not sell your personal info to third parties.

4.1.2 Server Logs

We use DataDog to collect and analyze some amount of server log data, including IP addresses, browser type, Internet Service Provider (ISP), referring/exit pages, platform used, and date/time stamp, among other data. We use this information to monitor and improve the performance of our websites, and to identify possible security threats.

See DataDog's Privacy Policy for more information.

We use Amazon Web Services ("AWS") to store historical server log data. See AWS's Privacy Policy for more information.

4.1.3 Web Analytics

When you browse our websites, your browser automatically shares certain information such as which operating system and browser version you are using. We track that information, along with the pages you are visiting, page load timing, and which website referred you for statistical purposes like conversion rates and to test new designs.

We use the open source Plausible Analytics service to track and store this information. It is a privacy-respecting analytics service developed, built, and hosted in Europe to be compliant with various privacy laws and regulations, such as GDPR and CCPA. You can visit Plausible Analytics's public dashboard for their website at https://plausible.io/plausible.io to see an example of what data is collected and how it is used.

No personal information is shared with Plausible Analytics while you are browsing our websites, such as your name, email address, phone number, or IP address.

See Plausible Analytics’s data policy for more detailed information.

4.1.4 Product Usage and Analytics

We use the open source PostHog product analytics service to track and store information about how you use our websites and services.

Information shared with PostHog may include an approximation of your location (country, city, and/or region), browser type and version, operating system, web pages visited, duration of visit, content viewed, and other click-stream data.

No personal information is shared with PostHog while you are browsing our websites, such as your name, email address, or phone number. Your IP address is scrubbed before your data is stored in PostHog.

See PostHog’s privacy policy for more detailed information.

4.1.5 Web Vitals

We use Vercel Analytics to track and store web vitals performance data, such as page load times, first contentful paint, and other metrics. We use this data to help us improve the performance of our websites.

No personal information is shared with Vercel Analytics while you are browsing our websites, such as your name, email address, phone number, or IP address.

See Vercel Analytics’s documentation and Vercel's privacy policy for more detailed information.

4.1.6 Error Reporting

When you encounter an error on our websites, we collect information about the error and your browser to help us debug and fix any issues you and other users may be experiencing.

We use the open source Sentry error tracking service to collect and store this information.

Information shared with Sentry may include your browser, operating system, and the URL of the page you were on when the error occurred.

No personal information is shared with Sentry, such as your name, email address, or phone number. Your IP address is scrubbed before your data is shared with Sentry.

See Sentry’s privacy policy for more detailed information.

4.1.7 Cookies

We use persistent first-party cookies for authentication, to store preferences, and make it easier and more secure for you to use our websites.

We use certain third-party cookies to track and store information about your browsing behavior on our websites. This information is used to help us understand how our websites are being used, and to help us improve our websites and services.

You have the right to accept or refuse these third-party cookies. You can manage your cookie preferences by the initial cookie banner that appears on our websites.

4.1.8 IP Addresses

When you request pages from our websites, our web servers log your IP address, what pages you requested, and when. We use this information to help diagnose problems with our server, to administer our websites, and to potentially identify and block malicious activity. We do not link IP addresses to anything personally identifiable. This means that a user’s session will be tracked, but the user will be anonymous.

Some regulatory authorities consider IP addresses to be personal information, and as such we endeavor to remove IP addresses where possible before sharing any data with third parties, unless we consider it a legitimate use of the data. For example, we scrub IP addresses before sharing data with PostHog and Sentry (see 4.1.3 and 4.1.4), while we do not scrub IP addresses before storing server logs with DataDog or AWS (see 4.1.2).

4.1.9 Voluntary Communication

When you send us an email, we may keep a record of that correspondence. We use this information to respond to your requests, and to help us provide you with the best possible service.

4.1.10 Do Not Track

We do not currently respond to Do Not Track signals for the following reasons:

• We do not track your browsing behavior across third-party websites to serve you targeted advertising.
• We do not use third-party advertising services.
• We do not use third-party analytics services that track your browsing behavior across third-party websites.

4.1.11 Information Not Collected

We do not collect any characteristics of protected classifications including age, race, gender, religion, sexual orientation, gender identity, gender expression, or physical and mental abilities or disabilities. You may provide these data voluntarily, such as if you include a pronoun preference in your email signature when writing into our Support team.

We do not collect any biometric data, such as facial recognition or fingerprint data.

4.2 Data Storage

4.2.1 Location

The Westervelt Company stores your personal data in the United States.

If you are located in the European Union or elsewhere outside of the United States, please be aware that any information you provide to us will be transferred to the United States. By using our websites, participating in any of our services and/or providing us with your information, you consent to this transfer.

4.2.2 Retention

We retain your personal data for as long as necessary to provide you with our services. We may also retain your personal data for a longer period of time if necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

4.3 Data Sharing

4.3.1 Service Providers

We may share your personal data with third-party service providers who perform services on our behalf. These service providers are required to keep your personal data confidential and are prohibited from using your personal data for any other purpose than to provide the services they are performing for us.

4.3.2 Legal Requests

We may disclose your personal data if required to do so by law or in the good faith belief that such action is necessary to (a) comply with a legal obligation, (b) protect and defend our rights or property, (c) prevent or investigate possible wrongdoing in connection with our websites, (d) protect the personal safety of users of our websites or the public, or (e) protect against legal liability.

4.3.3 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified via email and/or a prominent notice on our websites of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

4.4 Data Security

We take reasonable precautions to protect your personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no data transmission over the Internet or any wireless network can be guaranteed to be 100% secure. As a result, while we strive to protect your personal data, you acknowledge that (a) there are security and privacy limitations of the Internet which are beyond our control; (b) the security, integrity, and privacy of any and all information and data exchanged between you and our websites cannot be guaranteed; and (c) any such information and data may be viewed or tampered with in transit by a third party, despite best efforts.

4.4.1 Encryption

All data is encrypted in transit using SSL/TLS when transmitted between your browser and our servers.

For websites and services provided by Westervelt, most data are not encrypted at rest in our databases. However, certain sensitive data, such as passwords, are encrypted at rest using industry-standard encryption.

4.5 User's Rights

At Westervelt, we apply the same data rights to all users, regardless of their location. Currently some of the most privacy-forward regulations in place are the GDPR in the EU and CCPA in the US. We recognize all of the rights granted in these regulations, except as limited by applicable law.

These rights include:

• Right to Know. You have the right to know what personal information is collected, used, shared or sold. We outline both the categories and specific bits of data we collect, as well as how they are used, in this privacy policy.
• Right of Access. This includes your right to access the personal information we gather about you, and your right to obtain information about the sharing, storage, security and processing of that information.
• Right to Correction. You have the right to request correction of your personal information.
• Right to Erasure / “To be Forgotten”. This is your right to request, subject to certain limitations under applicable law, that your personal information be erased from our possession and, by extension, all of our service providers. Fulfillment of some data deletion requests may prevent you from using Basecamp services because our applications may then no longer work. In such cases, a data deletion request may result in closing your account.
• Right to Complain. You have the right to make a complaint regarding our handling of your personal information with the appropriate supervisory authority. To identify your specific authority or find out more about this right, EU individuals should go to https://edpb.europa.eu/about-edpb/board/members_en.
• Right to Restrict Processing. This is your right to request restriction of how and why your personal information is used or processed, including opting out of sale of personal information. (Again: we never have and never will sell your personal data.)
• Right to Object. You have the right, in certain situations, to object to how or why your personal information is processed.
• Right to Portability. You have the right to receive the personal information we have about you and the right to transmit it to another party.
• Right to not be subject to Automated Decision-Making. You have the right to object and prevent any decision that could have a legal, or similarly significant, effect on you from being made solely based on automated processes. This right is limited, however, if the decision is necessary for performance of any contract between you and us, is allowed by applicable law, or is based on your explicit consent.
• Right to Non-Discrimination. This right stems from the CCPA. We do not and will not charge you a different amount to use our products, offer you different discounts, or give you a lower level of customer service because you have exercised your data privacy rights. However, the exercise of certain rights (such as the right “to be forgotten”) may, by virtue of your exercising those rights, prevent you from using our Services.

If you have questions about exercising these rights or need assistance, please contact us at privacy@westervelt.com or at The Westervelt Company, 1400 Jack Warner Pkwy NE, Tuscaloosa, AL 35404.

For requests to delete personal information or know what personal information has been collected, we will first verify your identity using a combination of at least two pieces of information already collected including your user email address. If an authorized agent is corresponding on your behalf, we will first need written consent with a signature from the account holder before proceeding.

If you are in the EU, you can identify your specific authority to file a complaint or find out more about GDPR, at https://edpb.europa.eu/about-edpb/board/members_en.

4.6 Children's Privacy

Our websites are not intended for children under 13 years of age. No one under age 13 may provide any personal data to or on our websites. We do not knowingly collect personal data from children under 13.

If you are under 13, do not use or provide any information on our websites or on or through any of our services, make any purchases through our websites, use any of the interactive or public comment features of our websites or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use.

If we learn we have collected or received personal data from a child under 13 without verification of parental consent, we will delete that data.

If you believe we might have any data from or about a child under 13, please contact us at privacy@westervelt.com.

5. Additional Information

5.1 Changes to this Privacy Policy

We may update this policy as needed to comply with relevant regulations and reflect any new practices. We will notify you of any changes to this policy by posting the new policy here and changing the “Last Updated” date at the top of this page.

5.2 Contact Information

If you have any questions about this Privacy Policy, please contact us at privacy@westervelt.com or at The Westervelt Company, 1400 Jack Warner Pkwy NE, Tuscaloosa, AL 35404.

---

Portions of this policy have been adapted from the Basecamp open-source policies, licensed under CC BY 4.0.