Privacy Policy

IDT Domestic Telecom, Inc.
Boss Revolution Privacy Policy

Updated as of January 1, 2025

 

1. General

IDT is committed to protecting the privacy of your personal information. Through our BOSS Revolution brand we provide consumers with various products and services that let you stay connected to the ones you love.

This Boss Revolution Privacy Policy (the “Policy”) sets forth our policies and procedures regarding the collection, use and sharing of your personal information. We also explain the steps we take to protect your information and how you can limit the collection, use and sharing of your information.

This Policy applies to the following unless otherwise noted:

  • users of our BOSS Revolution products and services, including Boss Revolution Pinless, Boss Revolution Mobile, Call Me, International and Domestic Top-Up and
    E-gift cards (collectively, the “BR Products”) whether purchased through our
    websites, our apps or at an authorized retailer;
  • users and visitors of our BOSS Revolution websites, including www.bossrevolution.comwww.brmarket.bossrevolution.com and www.brclubsaves.com (collectively, the “BR Websites”);
  • members of any BOSS Revolution loyalty or rewards program; and
  • users of our BOSS Revolution calling application (the “BR App”).

When we use the term “Services” it refers to the BR Products, the BR Websites and the BR App collectively. When we refer to IDT or “us,” or “we,” we’re talking about IDT Domestic Telecom, Inc. and, as applicable, its affiliates, subsidiaries, parents, and other related entities.

This Policy does not apply to products or services offered by IDT Payment Services, Inc. or IDT Payment Services of NY LLC, including money transfer, domestic bill payment and international bill payment, and to any information collected during transactions for those products and services.  The policies and procedures governing your personal information collected during transactions for those products are governed by the IDT Payment Services, Inc. and IDT Payment Services of NY LLC Privacy Statement, which can be found at https://www.bossrevolution.com/en-us/services/money-transfer.

This Policy does not apply to any website, product, or service of any third-party companies,advertisers, partners, or service providers, even if the website links to (or is linked from) the BR Websitesand/or the BR App. The BR Websites and BR App may contain links to other third-party websites notowned, operated, maintained by or related to IDT (“Third-Party Sites”). Any such hyperlinks are to beaccessed at the user’s own risk. We are not responsible for the content, privacy practices, data collection,policies, or any other aspect of a Third-Party Site, even if a BR Website or the BR App contains a link tosuch site. This Policy does not apply to Third Party Sites, and we encourage you to independently readand understand each Third-Party Site’s own privacy policies. The presence of a link to a Third-Party Sitedoes not necessarily indicate that such Third-Party Site is sponsored by or affiliated with IDT in any way.

You should also read the terms of service for each Service that you use, which can be found at theapplicable BR Website or in the BR App.

We may update this Policy from time to time and you should review it periodically for changes.Any updated Policy will be posted at the BR Websites and the BR App.

2. Consent for Use of Services

By accessing or using the Services, you agree to this Policy and our terms of use, which areincorporated by reference into this Policy. If you do not agree with our policies and practices, you maychoose not to use our Services. Your use of the Services, and any dispute over privacy, is subject to thisPolicy and our terms of use, including its applicable limitations on damages and the resolution ofdisputes.

We or third parties we work with may automatically collect certain information usingtechnologies such as cookies, web beacons, clear GIF, pixels, internet tags, web server logs, and otherdata collection tools, further described below. By using the BR Websites and BR App, you consent toIDT and third parties obtaining data about your visits to and use of the BR Websites and BR App,including, but not limited, to via technologies like Google Analytics.

Depending on where you reside, you may have additional rights, which are described in greaterdetail in the exhibits to this Policy - see infra Exhibits A-H (further describing the rights of California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia residents). Also, if you are a California resident,please review our California Rights Notice, which further supplements this Policy and explains additional rights you may have under California law regarding our use of your personal information.

3. Information We Collect

IDT may receive and collect both personal identifying and non-identifying information from you when we operate and provide you with the Services, when you install, access or use the Services and when you communicate with us.  Personal information means information either on its own or in conjunction with other data that enables a specific person to be identified, but does not include “de-identified,” “anonymous,” or “aggregate” information, which is not otherwise associated with a specific person.  Non-identifying information means information that by itself cannot be used to identify a specific person (e.g., zip code).

A. Information You Provide.  Depending on the particular Service, you may provide the following personal information:

  • name
  • address
  • email address
  • mobile or other phone number
  • payment information, including credit or debit card details
  • birthdate
  • other information necessary to verify you, your account and/or your phone number
  • other information you provide to us for customer support purposes, surveys, sweepstakes or product feedback

B. Information We Collect.  Depending on the particular Service, we may automatically collect the following information:

  • BOSS Revolution security code, password and login credentials
  • Service related diagnostic and performance information, including how you use our Services and performance logs
  • call records, frequently called numbers, and network traffic data
  • messages sent with our Services, including chats, photos, videos and voice messages
  • personal, phone or social network contact information
  • information about your device, including model, browser, operating system, platform type, application software, mobile network, device identifiers and numbers, and Internet connection speed
  • browsing, searching and buying activity
  • IP address
  • BR Websites visited and websites you come from and go to next
  • BR App feature usage and stored content
  • certain data on your device, including your contacts, the phone numbers in your mobile address book, favorite lists and other installed apps
  • device identification number
  • geolocation and device location information, which is derived from your IP or other data that provides a city or postal code location, if you enable location features on your devices
  • transactional information when you purchase a BR Product
     

C. Information Provided by Third Parties.  When you install, access or use the Services we may obtain the following information from third party sources:

  • credit information from credit reporting agencies
  • transactional information when you purchase a BR Product, including receipts or information from app stores or other third parties processing your payment
  • aggregate information from outside companies that collect consumer information such as demographic and interest data (examples of this information include gender, age range, sports enthusiast, or pet owner)
  • unique marketing and/or device IDs, contact and other marketing lead information from third parties, including from app stores
  • users of our Services may provide us with your email address or phone number through the purchase/use of a Service, our refer-a-friend programs, their mobile address book or social networking platforms
  • other information from third parties that helps us operate, provide, understand, customize, support and market our Services

4. How We Use Information

We may use all the information we collect and receive, or you provide, to help us operate, provide, improve, understand, customize, support, and market our Services (and some third party services).  In addition, we may use your information for general, operational and administrative purposes, including maintaining your account, authenticating you and contacting you.  As used in this Policy, the terms “use,” “using” and “processing” information include using cookies or other similar technologies on a computer/phone/device, subjecting the information to statistical or other analysis and using or handling information in any way, including but not limited to, scanning, collecting, storing, evaluating, aggregating, modifying, deleting, using, combining, disclosing and sharing information among our affiliates both in and outside the United States and to select service providers and vendors.

A. Our Services We analyze how our customers use our Services and use that information to evaluate and improve our Services, to research, develop, and test new services and features, and to conduct troubleshooting activities.  For example:

  • we communicate with you about our Services and features and let you know about our terms and policies and other important updates;
  • we may target particular advertisements or other content to you based information we have collected or you provided;
  • we may digitally scan content stored in the BR App, including without limitation, your user information and message content, and use this information to provide you with targeted information and advertising;
  • we use your information to respond to you when you contact us.  Our communications with you, including phone conversations, chats and emails, may be monitored and recorded by us for quality assurance or for legal, regulatory or training purposes; and
  • we verify accounts and activity, and promote safety and security, such as by investigating suspicious activity or violations of our terms, to ensure our Services are being used legally.

B. BR App.  We engage certain service providers and vendors who use mobile software development kits to passively collect information from users of the BR App.  We use this data primarily to help us deliver personalized notifications and to identify you in a unique manner across other devices or browsers for the purposes of customizing advertisements or content. 

5. How We Share Information

We may share all the information we collect and receive with our affiliates, both in and outside the United States, and to select service providers and vendors, to help us operate, provide, improve, understand, customize, support, and market our Services (and some third party services), and for general, operational and administrative purposes, including maintaining your account, authenticating you and contacting you.  When we share information with our service providers and vendors, we require them to use your information only in accordance with our instructions and terms or with express permission from you and not to sell your information.  In addition, you share your information as you use and communicate through our Services.

A. Information Shared Within the IDT Family of Companies.  We may share information within the IDT family of companies, including our affiliates both in and outside the United States (collectively, the “IDT Family of Companies”) primarily to operate, provide, support and market our Services.  For example, if you purchase a BR Product, then we share your purchase information with various IDT affiliates in order to process your transaction.

B. Information Shared with our Service Providers and Vendors.  We work with various service providers and vendors for a variety of business purposes such as to help us offer, operate, provide, improve, understand, customize, support and market our Services.  We may share information with these service providers and vendors to the extent reasonably necessary for them to perform work on our behalf.  For example, we may provide your credit card information and billing address to our payment processing company solely for the purpose of processing payment for a transaction you have requested.  In addition, IDT shares certain information, including unique marketing identifiers, email addresses and mobile phone numbers, with some of our service providers and vendors, including Google and Facebook, for marketing, advertising and analysis purposes, including the delivery of advertising campaigns and preparing and sharing aggregate business and marketing reports, demographic profiling and to deliver targeted advertising about products and services.  When we share information with our service providers and vendors, we request that these parties protect your information and limit their use of the data to the purposes for which it was provided, and not to sell your information.  IDT does not sell, rent or lease its customer lists to third parties.  Finally, if you purchase products or services offered jointly by IDT and one of our service providers or vendors, your customer information may be received by both IDT and the service provider or vendor that is providing the product or service.  For these jointly offered products and services, you should also review the other company’s privacy policy, which may include practices that are different from the practices described here.
 

C. Special Circumstances.  We may share information in certain special circumstances.  For example:

  • to comply with valid legal process including subpoenas, court orders and search warrants, and as otherwise permitted or required by law;
  • to assist law enforcement in cases involving danger of death or serious physical injury to any person or in other emergencies;
  • to protect our rights or property, or the safety of our customers or employees;
  • to protect against fraudulent, malicious, abusive, unauthorized or unlawful use of our Services and to protect our network, Services, devices and users from such use;
  • to advance or defend against complaints or legal claims in court, administrative proceedings and elsewhere;
  • to prospective purchasers of all or part of our business or assets;
  • to outside auditors, lawyers and regulators; and
  • with your consent.

D. Information Shared with Advertising Entities or Social Networks.  You may see third party advertisements on BR Products, the BR Websites and/or the BR App.  Some advertisements are chosen by companies that place advertisements on behalf of advertisers.  These companies, often called ad servers, may place and access cookies on your device to collect information about your visit.  The information they collect from our sites is in a form that does not identify you personally.  This information may be combined with similar data obtained from other websites to help our advertisers better reach their targeted audiences.  Targeting may be accomplished by tailoring advertising to interests that they infer from your browsing of our sites and your interaction with other websites where these ad servers also are present.  If you choose to interact with specific advertisers who advertise on the BR, Products, BR Websites or the BR App, the information you provide to them is subject to the conditions of their specific privacy policies.  The BR Websites and BR App also include plug-ins and widgets that may provide information to their associated social networks or entities about the IDT page you visit, even if you do not click on or otherwise interact with the plug-in or widget.

E. When You Share InformationYou share your information as you use and communicate through our Services.  Your phone number, profile name and photo, and online status may be available to anyone who uses our Services, although you can configure your Services settings to manage certain information available to other users.  Users with whom you communicate may store or share your information (including your phone number or messages) with others on and off our Services.

6.    Cookies and Other Tracking Technology

Our Services may use cookies, web beacons and other tracking technologies (collectively “Cookies”) to automatically collect users’ information (including personal information).  Cookies are small data files that are transferred to users’ web browsers and/or stored on their devices as they are browsing.  We may use Cookies to improve our Services and make your user experience online more customized and efficient.  Among other uses, Cookies help us recognize repeat users, facilitate users’ access to and use of BR Websites, and track users’ behavior on websites they visit.  We may compile aggregate data for statistical purposes to improve the content of our sites or to better administer the web pages available on the sites.  

Web beacons are used to tell us how and when pages in our sites are visited, by how many people, their point of origin and operating system and to monitor performance with our Services. Web beacons do not collect personal information.

The information collected with these technologies may include (a) your internet protocol (IP) address, unique device identifiers, location, browser type, and internet service provider information; (b) information about when and how you access and use BR Websites or Services, such as the domains you visit, what features you used and for how long, the website that referred you to us, and date/time stamps associated with your usage; (c) information about the device you use to access the BR Websites or the Services, such as device type, device ID, and device/browser settings; and (d) location of the device used to access the BR Websites or Services derived from GPS or WiFi use.

We use and share this data and information to deliver customized content and advertising, to ensure that you see the correct product information, to manage the frequency with which you see an advertisement, to tailor advertisements to better match your interests, and to understand the effectiveness of our advertising.  The content may be delivered on the BR Websites, on non-IDT websites, on the BR App, by our representatives, and via email, SMS, push notifications or other IDT services.  In addition, if you respond to or interact with a particular advertisement, you may later receive a targeted advertisement as a result of an ad server or ad network concluding that you fit within a particular audience we are trying to reach.

Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while Session Cookies are deleted as soon as you close your web browser.  We differentiate between Cookies that are essential for the technical features of our sites and optional analytics and advertising Cookies, as follows:

Cookie Type Description
Essential Cookies These are cookies that the BR Websites need to function, and that enable you to move around and use the BR Websites and features.  You do not need to enable cookies to visit the BR Websites; however, some aspects of the BR Websites may be difficult or impossible to use if cookies are disabled.  Examples of where these cookies are used include: to determine when you are signed in, to determine when your account has been inactive, and for other troubleshooting and security purposes.
Analytics Cookies

These cookies allow us to understand more about how many visitors we have to the BR Websites, how many times they visit us and how many times a user viewed specific pages within the BR Websites.  Although analytics cookies allow us to gather specific information about the sites that you visit and whether you have visited the BR Websites multiple times, we cannot use them to find out details such as your name or address. 

We use certain Google Analytics Advertising Features, including Remarketing and Demographics and Interest Reporting.  Google Analytics is a web analysis service provided by Google that allows us to collect data about the traffic on the BR Websites through Google cookies and other identifiers, which enables us, among other things, to create user segments based on demographic or interest data and to deliver relevant advertising.  Google utilizes the data collected to track and examine the use of our websites and to prepare reports on the activities and share them with other Google services.  Google may use the data collected to contextualize and personalize the ads of its own advertising network.  You may be able to opt out of the Google Analytics Advertising Features through your browser ads settings or by visiting Google’s Ads Settings page.  For more information regarding how Google collects, uses and shares your information, please refer to “How Google Uses Information From Sites or Apps that Use Our Services,” which can be found at www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time.
 

For information on how you can manage Cookies, please see the “Your Rights and How To Limit Sharing Of Information” section below.

7. Your Rights and How To Limit Sharing Of Information

You may have choices about how we use and share your information and there are additional protections that may apply with regard to certain information we collect.

A. Customer Proprietary Network Information (CPNI).   CPNI is information made available to us solely by virtue of our relationship with you that relates to the type, quantity, destination, technical configuration, location, and amount of use of the telecommunications and interconnected VoIP services you purchase from us, as well as related billing information.  You have a right, and we have a duty, under federal law to protect the confidentiality of your CPNI.  We use and share your CPNI within the IDT Family of Companies and with/to their agents, contractors and partners for marketing purposes, including to offer you services that are different from the services you currently purchase from us.  If you don’t want your CPNI used for the marketing purposes described above, please notify us online at support@bossrevolution.com.  Unless you notify us, we may use your CPNI as described above and your choice will remain valid until you notify us that you wish to change your selection.  Your decision about use of your CPNI will not affect the provision of any Services you currently have with us.  Note:  this CPNI notice may not apply to residents of certain states, including Arizona.

B. Do Not Call List.  Federal “Do Not Call” laws allow you to place your phone numbers on the National Do Not Call Registry to prevent telemarketing calls to those numbers.  To add your numbers to this list, please call 1-888-382-1222, or visit  www.donotcall.gov.  Most telemarketing laws allow companies to contact their own customers without consulting the Federal or State Do Not Call lists.  If you would like to be removed from IDT’s telemarketing list, please contact us at  support@bossrevolution.com.  Please allow 30 days for your telephone number to be removed from any sales programs that are currently underway.  Please note that we may still call you regarding your Services and account even if you remove your number from our telemarketing list.

C. Communications.  If you do not wish to receive promotional communications from IDT, you can opt out at any time by following the unsubscribe instructions provided in those communications, or by contacting us as provided in the “Contact Us” section below.  Please note that IDT may still continue to send you non-promotional emails, such as those regarding your orders, feedback submissions, and other service-related matters.  You may refuse to consent to receive calls and texts from IDT and its affiliates that require your consent, including autodialed, pre-recorded or artificial voice telemarketing calls.  You may also withdraw your previously given consent to receive such calls and texts.  Your ability to manage some of our Services could be limited if you withdraw your consent to receive text and SMS messages.  IDT does not recommend using those Services without authorization to receive such messages.


D. Promotional Emails.  You may choose to provide us with your email address for the purpose of allowing us to send free newsletters, surveys, offers, and other promotional materials to you, as well as targeted offers from third parties.  You can opt out of receiving promotional emails by following the unsubscribe instructions in the emails that you receive.  If you decide not to receive promotional emails, we may still send you service-related communications.


E. Promotional Mailings.  If at any time you do not want to receive offers and/or circulars from us by mail, you can remove yourself from our mailing lists by emailing us (our contact information is below) with “NO SNAIL MAIL” in the subject line along with your name, address, and zip code. Please note that our mailings are prepared in advance of their being sent.  Although we will remove your name from our mailing list after receiving your request, you may still receive mailings from us that had been initiated prior to your name being removed.


F. Promotional Text Messages.  You can opt-out of receiving marketing text messages at any time by replying “STOP,” or following the unsubscribe instructions contained in the text messages that you receive.
 

G. Push NotificationsYou can opt out of receiving push notifications from us via the BR App by going to your device “Settings” and clicking on “Notifications,” and then changing those settings for the BR App.  Please note that you cannot withdraw your consent to receive certain in-BR App messages from IDT. 

H. Cookies.  Web browser applications (such as Microsoft Internet Explorer, Google Chrome, Firefox and Apple Safari) typically have features that prevent cookies from being sent or notify you when they are sent.  You will need to update your browser’s cookie settings in accordance with your preferences.  Your ability to limit cookies is subject to your browser settings and limitations.  If you use multiple browsers on your device, you will need to update each browser’s settings separately.  Some web browsers incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his/her online activity and behavior tracked.  IDT does not respond to DNT signals or other similar mechanisms.  If you are using a mobile device, you can reset your device settings to limit the use of information collected about you, including your location data.  This is typically done by disabling your location settings/permissions.  Please contact Apple Support or Google for Android (as applicable) for more information on how to do this on your device.  You can stop all collection of information via our mobile application by uninstalling the application from your device.

I. Analytics.  Google provides users choices on how their data is collected by Google Analytics by developing an Opt-out Browser Add-on which can be located at: http://tools.google.com/dlpage/gaoptout?hl=en. By installing this Add-on, no information is being sent to Google Analytics.

J. Other Rights.  In certain jurisdictions you may also have one or more of the following rights regarding your personal information (see Section 8 and the Exhibits to this Policy for full details):


(i)    Right to Request Access to Your Personal Information - you may request access to your personal information by contacting us at the address described below or filling out the applicable state request form at www.idt.net.  If required by law, upon request, we will grant you reasonable access to the personal information that we have about you;


(ii)    Right to Request Deletion of Your Personal Information - you may request that we delete your personal information by contacting us at the address described below or filling out the applicable state request form at www.idt.net.  If required by law we will grant a request to delete information, but you should note that in many situations we must keep your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, or for another one of our business purposes;


(iii)    Right to Request Correction of Your Personal Information - you have the right to request that we correct or supplement any inaccurate or incomplete personal information we process about you;


(iv)    Right to Data Portability - in certain circumstances you have the right to request that we provide the personal information which you provided to us in a structured, commonly used, and machine-readable format; and/or


(v)    Right of Non-Discrimination/Retaliation - we do not discriminate against individuals who exercise any of their rights described in this Policy, nor do we retaliate against individuals who exercise these rights.


Many of the above rights are subject to exceptions and limitations.  For example, you may be located in a jurisdiction that does not give you the right to make these requests.  In such a case, your request may not be fulfilled.  To the extent permitted by applicable law, we may reject requests that are unreasonably repetitive, unduly burdensome, risk the privacy of others, or would be very impractical to honor.  If we are not able to provide the requested information or make the change you requested, you will be provided with the reasons for such decisions. 

To exercise these rights, your request must:  (i) provide sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information or an authorized representative of that person; and (ii) describe the request with sufficient detail that allows us to properly understand, evaluate, and respond to it.  We may need additional information to confirm your identity or your authorized agent’s identity (such as your name, email address and date of birth) or to obtain proof that you have given your authorized agent permission to act on your behalf.  If our verification process is successful, we will respond to your request within the time and in the manner required by applicable law.  If we cannot validate the identity of you and/or your authorized agent or obtain proof that you have given your authorized agent permission to act on your behalf, we will attempt to contact you to inform you.

If you designate an authorized agent to submit requests to exercise certain privacy rights on your behalf, we will require verification that you provided the authorized agent permission to make a request on your behalf.  You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us.  If you are an authorized agent submitting a request on behalf of an individual, you must attach a copy of a completed Authorized Agent Designation Form (or equivalent form) indicating that you have authorization to act on the individual’s behalf.
 

8. Additional State Privacy Rights

If you are a resident of any of the following states, then the additional terms in the applicable Exhibit to this  Policy also apply to you:

  • California – see Exhibit A to this Privacy Policy
  • Colorado – see Exhibit B to this Privacy Policy
  • Connecticut – see Exhibit C to this Privacy Policy
  • Montana – see Exhibit D to this Privacy Policy
  • New Jersey – see Exhibit E to this Privacy Policy
  • Oregon – see Exhibit F to this Privacy Policy
  • Texas – see Exhibit G to this Privacy Policy
  • Utah – see Exhibit H to this Privacy Policy
  • Virginia – see Exhibit I to this Privacy Policy

9. Other Information

A. Keeping Children Safe.  IDT does not knowingly market to or collect information from children under the age of 16 without obtaining verifiable parental consent.  If you allow a child to use your device or our Services, you should be aware that their information could be collected as described in this Policy.  We encourage parents to be involved in the online activities of their children to ensure that no information is collected from a child without parental permission.

B. Security.  IDT has technical, organizational and physical safeguards in place to help protect against unauthorized access to, use or disclosure of the information we collect and store.  Employees are trained on the importance of protecting privacy and on the proper access to, use and disclosure of customer information.  IDT secures information on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure.  We use Secure Socket Layer (SSL) encrypted protection to protect the personal information transmitted to the BR Websites.  The BR Websites and BR App are PCI compliant in connection with your credit card information.  Although we work hard to protect your information that we collect and store, no program is 100% secure and we cannot guarantee that our safeguards will prevent every unauthorized attempt to access, use or disclose that information.  By using the Services you accept that risk.  IDT maintains security and incident response plans to handle incidents involving unauthorized access to information  personal information we collect or store.  In the event that we are required by law to inform you of a breach to your personal information we may notify you electronically, in writing, or by telephone, if permitted to do so by lawwe collect or store.  If you become aware of a security issue, please contact us.

C. Contact Information If you have questions, concerns or suggestions related to our Policy or our privacy practices you may contact us at:

IDT Domestic Telecom, Inc.
Boss Revolution Product Team
520 Broad Street, 4th floor
Newark, NJ 07102
Telephone:  973-438-1000
Email:  support@bossrevolution.com

D. Social Networking.   Some of our Services may allow you to participate in blog discussions, message boards, chat rooms, and other forms of social networking and to post reviews.  Please be aware that these forums are accessible to others.  We urge you to not submit any personal information to these forums because any information you post can be read, collected, shared, or otherwise used by anyone who accesses the forum.  IDT is not responsible for the information you choose to submit in these forums.  If you post content to information sharing forums, you are doing so by choice and you are providing consent to the disclosure of this information.

E. Changes to this Policy.  We reserve the right to make changes to this Policy, so please check back periodically for changes.  You will be able to see that changes have been made by checking to see the effective date posted at the beginning of the Policy.

©2025 IDT Domestic Telecom, Inc. All Rights Reserved.

 

Exhibit A

California Consumers

If you are a resident of California, then the following section also applies to you.

A. Personal Information.  Personal information (as defined in the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively, the “CCPA”)) includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  Personal information does not include publicly available information, including information lawfully made available to the general public by the consumer or from widely distributed media, and deidentified or aggregate consumer information.  IDT may collect and use the following categories of personal information regarding California residents:

Categories of Personal Information Collected

Categories of Sources of Personal Information

Whether Sold, Shared(1) and/or Disclosed for a Business Purpose and Categories of to Whom

Business or Commercial Purposes for Collection and Use of Personal Information

Personal Identifiers and Information, which ,may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide

Consumer, consumer’s device, automatic collection by IDT, credit reporting companies, financial companies, third party vendors that provide IDT with transactional services, and data resellers

Sold – no

Shared – no

Disclosed for a Business Purpose – yes

Categories of Third Parties to whom IDT may disclose personal information for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., credit card processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators

To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services

To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services

To maintain and service your account, including to process orders and payments

To communicate with you about our terms and policies

To verify you, your account activity and your information

To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts 

To provide customer service

To perform due diligence, credit and fraud prevention checks

To maintain accurate record keeping

To ensure security and integrity of our customers’ personal information

To perform product, marketing and organizational analysis

To provide advertising and marketing to our customers

To measure our marketing campaigns and to audit consumer interactions

To comply with regulations and legal requirements

To comply with contractual requirements

For risk management and compliance

For legal advice and defense of claims

For general, operational and administrative purposes

Commercial information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories

Consumer, consumer’s device, automatic collection by IDT, credit reporting companies, financial companies, third party vendors that provide IDT with transactional services, and data resellers

Sold – no

Shared – no

Disclosed for a Business Purpose – yes

Categories of Third Parties to whom IDT may disclose personal information for a business purpose:  see list under Personal Identifiers and Information

Internet or other electronic network activity information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements

Consumer, consumer’s device, automatic collection by IDT, credit reporting companies, financial companies, third party vendors that provide IDT with transactional services, and data resellers

Sold – no

Shared – no

Disclosed for a Business Purpose – yes

Categories of Third Parties to whom IDT may disclose personal information for a business purpose:  see list under Personal Identifiers and Information

Geolocation Data (if you enable location features in BR App), which may include the location of your device

Consumer, consumer’s device, and automatic collection by IDT

Sold – no

Shared – no

Disclosed for a Business Purpose – yes

Categories of Third Parties to whom IDT may disclose personal information for a business purpose:  see list under Personal Identifiers and Information

Inferences drawn from any of the information above, which may include profile reflecting the consumer’s marketing preferences, and aggregate information from third parties

Consumer, consumer’s device, automatic collection by IDT, credit reporting companies, financial companies, third party vendors that provide IDT with transactional services, and data resellers

Sold – no

Shared – no

Disclosed for a Business Purpose – yes

Categories of Third Parties to whom IDT may disclose personal information for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., credit card processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

 

(1) Share and Shared (as defined in the CCPA) mean sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

B. Sensitive Personal Information.  IDT may collect limited sensitive personal information (as defined in the CCPA) and limits the use of that information to those uses which are necessary for us to perform the services and provide the goods consumers have requested and for other uses as authorized by applicable California privacy laws and regulations.  IDT may collect the following sensitive personal information:

Categories of Sensitive Personal Information Collected

Whether Sold or Shared(1)

Business or Commercial Purposes for Collection and Use of Sensitive Personal Information

Account information, which may include account log-in, financial account, debit card or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;


Sold – no

Shared – no

To perform the services and provide the goods requested by the consumer, including to help us operate, provide, customize, bill and support our products and services

To ensure the security and integrity of our customers’ personal information, including to prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information

For short‐term, transient use, including but not limited to non‐personalized advertising shown as part of a consumer’s current interaction with IDT

To perform services on our behalf, including to maintain or service accounts, provide customer service, process or fulfill orders and transactions, verify customer information, process payments, provide financing, provide analytic services, provide storage, or provide similar services on behalf of our business

To maintain the quality and safety of our products and services, including to improve, upgrade, and enhance our products and services

To resist malicious, deceptive, fraudulent, or illegal actions directed at our business and to prosecute those responsible for those actions

To ensure the physical safety of natural persons

Precise geolocation (if you enable location features in BR App), which may include the location of your device

Sold – no

Shared – no

(1) Share and Shared (as defined in the CCPA) mean sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

C. Your Rights. As a California resident you have certain additional rights regarding your personal information under the

(I) Right to Know Personal Information Collected, Sold, Shared, or Disclosed – you have the right to request that we provide certain information about how we have handled your personal information including: 

(a)    Categories of personal information collected;

(b)    Categories of sources of personal information;

(c)    Business or commercial purpose for collecting;

(d)    Categories of personal information sold or shared with a third party;

(e)    Categories of third parties to whom we have sold or shared personal information;

(f)    Categories of personal information disclosed to third parties for a business purpose; and

(g)    Categories of third parties with whom we have disclosed personal information for a business purpose.  
 

(II) Right to Access Personal Information Collected – you have the right to request the specific pieces of personal information that we have collected about you in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance

(III) Right of No Retaliation - IDT does not discriminate against any California consumer who exercises any of the consumer’s rights under the CCPA.  Pursuant to the CCPA IDT is permitted to (a) charge a consumer a different price or rate and/or provide a different level of service to the consumer if that difference is reasonably related to the value provided to the consumer by the consumer’s data, (b) offer loyalty, rewards, premium features, discounts, or club card programs to its customers, and (c) offer financial incentives, including payments, as compensation for the collection, sale, sharing or retention of personal information.

(IV) Right to Delete – you have the right to request that IDT delete any personal information that it has collected about you.  There are exceptions to this right and IDT does not have to delete your personal information if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided in the CCPA.  In addition, if your personal information is deleted you may not be able to purchase or use our products and services. 

(V) Right to Correct Inaccurate Personal Information – you have the right to request that IDT correct any inaccurate personal information that it maintains about you.

(VI)Right to Opt Out of Sale or Sharing of Personal Information – IDT does not sell (as defined in the CCPA) or share (as defined in the CCPA) your personal information.  Nonetheless, you have the right to request that IDT not sell or share your personal information should IDT decide in the future to sell or share personal information to third parties.  To exercise this right please go to https://www.idt.net/ccpa-do-not-sell and complete the form.  We will also process any opt-out of sale/sharing preference signal that meets the requirements set forth in the CCPA and its regulations.  IDT does not intentionally collect the personal information of a consumer under the age of 16.  IDT does not intentionally sell or share the personal information of a consumer under the age of 16 unless the consumer (if age 13-16) or the consumer’s parent (for consumers under 13) affirmatively authorizes the sale or sharing. 

(VII) Right to Limit Use and Disclosure of Sensitive Personal Information – IDT does not use your sensitive personal information (as defined in the CCPA) for purposes other than as set forth in the CCPA.  Nonetheless, you have the right to direct IDT to limit its use of your sensitive personal informationto that use which is necessary for IDT to perform the services and provide the goods you requested from IDT, to  ensure the security and integrity of your personal information, to perform services on our behalf, including to maintain or service accounts, provide customer service, process or fulfill orders and transactions, verify customer information, process payments, provide analytic services, to maintain the quality of our products and services, and as otherwise provided in the CCPA.  Please note that sensitive personal information that is collected or processed by IDT without the purpose of inferring characteristics about a consumer, is not subject to this section, and shall be treated as personal information. To exercise this right please go to https://www.idt.net/ccpa-do-not-sell and complete the form.

(viii)    California’s “Shine the Light” law (Civil Code Section § 1798.83) permits you to request certain information regarding our disclosure of your personal information to third parties for marketing purposes.

D. How to Exercise Your Rights.   To exercise your rights to know and access your personal information collected, sold, shared or disclosed by IDT, or to exercise your right to delete your personal information or to correct inaccurate personal information, please go to https://www.idt.net/ccpa-request and complete the form.  To exercise your right to opt out of the sale or sharing of your personal information, or to exercise your right to limit the use and disclosure of your sensitive personal information please go to https://www.idt.net/ccpa-do-not-sell and complete the form.  We will also process any opt-out of sale/sharing preference signal that meets the requirements set forth in the CCPA and its regulations.  In addition, you can exercise your rights by calling the following toll-free number:  888-412-0477.  Your authorized agent can make these requests on your behalf using the same links and methods.

E. Verification of Consumer Requests.  In order to comply with a consumer request, IDT must reasonably verify the requestor.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to verify the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.  If a third party, relative or representative is requesting the data on your behalf, we will verify their authority to act for you and may contact you and them to confirm you and their identity and gain your authorization prior to responding to the request.

F. Responding to Consumer Requests. IDT will attempt to confirm receipt of each request by contacting the requestor either at the email or telephone number submitted, through the consumer’s account or by other electronic means.  IDT will attempt to verify each request and if it is able to verify a request will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  IDT may charge a fee or refuse to act on any request that is manifestly unfounded or excessive.  All IDT responses shall be in writing and cover the previous 12 month period unless the consumer requests information beyond the 12 month period (only applies to personal information collected on or after January 1, 2022).  Where possible the response shall be sent through the consumer’s account.  Otherwise, the response shall be sent by mail or electronically.  IDT is not obligated to provide a response to a consumer more than two times in any 12 month period.  The CCPA contains certain exemptions and exceptions to the exercise of some of these rights.  If one or more of those exemptions or exceptions applies to your request, then we may not be able to act upon your request.  Where possible we will inform you of the reasons for not acting upon your request.

G. How Long will IDT Retain Your Personal Information. IDT retains your personal information for only as long as is necessary to carry out the purposes described above in this privacy policy, and we have strict review and retention policies in place to meet these obligations.  This time period may vary depending on the type of information and the services used, as detailed below, and applicable law, which may require us to maintain information for a set amount of time.  After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.  We may also retain aggregate information beyond this time for research purposes and to help us develop and improve our services.  You cannot be identified from anonymized information retained or used for these purposes.  

(I) Customer account information - we store your account information for as long as your account is active and a reasonable period thereafter in case you decide to re-activate your service.  We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our services.  We are required under certain applicable tax laws to keep your basic personal information (name, address, contact details) for a minimum of six years after which time it will be destroyed unless required to be kept for other purposes.

(II) Communications usage information - while you are an active customer, we retain the communications usage information generated by your use of our services until the information is no longer necessary to provide our services, and for a reasonable time thereafter as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our services.

(III) Marketing information, cookies and web beacons - where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent.  We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.

(IV) Device information - we collect device-specific information from you.  If you do not revoke our access to this information via the privacy settings on your device, we will retain this information for as long as your account is active.

H. For More Info.  For more information on your rights and our obligations under the CCPA please send an email to ccpa-idt@idt.net.  For California residents with a disability please send an email to ccpa-idt@idt.net  for information on how to access this policy in another format.

 

Exhibit B

Colorado Consumers

If you are a resident of Colorado, then the following section also applies to you.

A. Personal Data.  Personal data  (as defined in the Colorado Privacy Act (the “COPA”))  includes any information that is linked or reasonably linkable to an identified or identifiable individual.  Personal data does not include de-identified data or publicly available information.  IDT may collect and process the following categories of personal data regarding Colorado residents:

Categories of Personal Data Collected or Processed

Whether Sold, Shared with Third Parties, Processed for Targeted Advertising or Processed for Profiling in furtherance of Decisions that Produce Legal or Significant Effects and Categories of to Whom

Purposes for Collection and Processing of Personal Data

Personal Identifiers and Information, which may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide

Sold – no

Processed for Targeted Advertising – no

Processed for Profiling in furtherance of Decisions that Produce Legal or Significant Effects - no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators

To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services

To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services

To maintain and service your account, including to process orders and payments

To communicate with you about our terms and policies

To verify you, your account activity and your information

To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts 

To provide customer service

To perform due diligence, credit and fraud prevention checks

To maintain accurate record keeping

To ensure security and integrity of our customers’ personal information

To perform product, marketing and organizational analysis

To provide advertising and marketing to our customers

To measure our marketing campaigns and to audit consumer interactions

To comply with regulations and legal requirements

To comply with contractual requirements

For risk management and compliance

For legal advice and defense of claims

For general, operational and administrative purposes

Commercial Information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories

Sold – no

Processed for Targeted Advertising – no

Processed for Profiling in furtherance of Decisions that Produce Legal or Significant Effects - no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Internet or other Electronic Network Activity Information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements

Sold – no

Processed for Targeted Advertising – no

Processed for Profiling in furtherance of Decisions that Produce Legal or Significant Effects - no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Geolocation Data (if you enable location features in BR App), which may include the location of your device

Sold – no

Processed for Targeted Advertising – no

Processed for Profiling in furtherance of Decisions that Produce Legal or Significant Effects - no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Inferences drawn from any of the information above, which may include profile reflecting the consumer’s marketing preferences, and aggregate information from third parties

Sold – no

Processed for Targeted Advertising – no

Processed for Profiling in furtherance of Decisions that Produce Legal or Significant Effects - no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

 

B.  Your Rights. As a Colorado resident you have certain additional rights regarding your personal data under the “COPA”:

(I) Right to Confirm if a Controller is Processing Your Personal Data and to Access Personal Data – you have the right to request that IDT confirm whether or not it has collected and processed personal data about you and to access the personal data that we have collected about you;

(II) Right to Correct Inaccurate Personal Data – you have the right to request that IDT correct any inaccurate personal data that we maintain about you;

(III) Right to Delete – you have the right to request that IDT delete any personal data that it has collected about you.  There may be exceptions to this right and IDT does not have to delete your personal data if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided by Colorado law.  In addition, if your personal data is deleted you may not be able to purchase or use our products and services;

(IV) Right to Obtain Copy of Personal Data in Portable Format – you have the right to obtain from IDT a copy of the personal data that we maintain about you in a portable, and to the extent technically feasible a readily usable, format that allows you to transmit the data to another entity without hinderance;

(V) Right to Opt-Out of the Processing of Personal Data for purposes of Targeted Advertising, Sale, or Profiling with Legal Effects – IDT does not sell (as defined in the COPA) your personal data, process your personal data for Targeted Advertising (as defined in the COPA) or process your personal data for Profiling (as defined in the COPA) for decisions that produce legal or similarly significant effects.  Nonetheless, you have the right to request that IDT not process your personal data for those purposes should IDT decide in the future to process your personal data for those purposes.  To exercise this right please go to  https://www.idt.net/copa-request and complete the form.

C. How to Exercise Your Rights.  To exercise any of your rights, please (i) go to https://www.idt.net/copa-request and complete the form, or (ii) send an email to copa@idt.net detailing your request(s).  The COPA applies to individuals who are Colorado residents, but does not apply to individuals acting in a commercial context.  An authorized agent may submit an opt-out request on your behalf using the same methods listed in this section.

D. Authentication of Consumer Requests. In order to comply with a consumer request, IDT must reasonably authenticate the request.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to authenticate the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.  If a third party, agent or representative is submitting an opt-out request on your behalf, we will verify their authority to act for you and may contact you and them to confirm your and their identity and to gain your authorization prior to taking action upon the request.

E. Responding to Consumer Requests.  IDT will attempt to authenticate each request and if it is able to authenticate a request it will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  All IDT responses shall be in writing.  The response shall be sent by mail or electronically.  If IDT is not able to process your request, we will inform you of that and (where possible) of the reasons for not acting upon your request.

F. Appeal of Refusal to Take Action.  Appeal of Refusal to Take Action.  If IDT refuses to take action on your request you have the right to appeal that refusal within 30 days of your receipt of IDT’s response by sending an email to  copa@idt.netand requesting an appeal.  Within 45 days of IDT’s receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including the reasons for our decision.  If your appeal is denied, then you may contact the Colorado Attorney General at https://coag.gov/ or 720-508-6000.

 

 

Exhibit C

Connecticut Consumers

If you are a resident of Connecticut, then the following section also applies to you.

A. Personal Data.  Personal data (as defined in the Connecticut Privacy Act (the “CTPA”)) includes any information that is linked or reasonably linkable to an identified or identifiable individual.  Personal data does not include de-identified data or publicly available information.  IDT may collect and process the following categories of personal data regarding Connecticut residents:

Categories of Personal Data Collected or Processed

Whether Sold, Shared with Third Parties, or Processed for Targeted Advertising and Categories of to Whom

Purposes for Collection and Processing of Personal Data

Personal Identifiers and Information, which may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators

To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services

To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services

To maintain and service your account, including to process orders and payments

To communicate with you about our terms and policies

To verify you, your account activity and your information

To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts 

To provide customer service

To perform due diligence, credit and fraud prevention checks

To maintain accurate record keeping

To ensure security and integrity of our customers’ personal information

To perform product, marketing and organizational analysis

To provide advertising and marketing to our customers

To measure our marketing campaigns and to audit consumer interactions

To comply with regulations and legal requirements

To comply with contractual requirements

For risk management and compliance

For legal advice and defense of claims

For general, operational and administrative purposes

Commercial Information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Internet or other Electronic Network Activity Information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Geolocation Data (if you enable location features in BR App), which may include the location of your device

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Inferences drawn from any of the information above,  which may include profile reflecting the consumer’s marketing preferences, and aggregate information from third parties

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

B. Sensitive Data.  The only sensitive data (as defined in the CTPA) that IDT may collect and process is precise geolocation data (as defined in the CTPA) from the BR App primarily for transaction compliance reasons if the user enables the app’s location feature. Users of the BR App can enable or disable the app’s location feature in the app.  By enabling the location feature, you thereby consent to IDT collecting and processing your precise geolocation data for the purposes identified herein and as outlined in the chart above.

C. Your Rights.  As a Connecticut resident you have certain additional rights regarding your personal data under the “CTPA”:

(I) Right to Confirm if a Controller is Processing Your Personal Data and to Access Personal Data – you have the right to request that IDT confirm whether or not it has collected and processed personal data about you and to access the personal data that we have collected about you;

(II) Right to Correct Inaccurate Personal Data – you have the right to request that IDT correct any inaccurate personal data that we maintain about you;

(III) Right to Delete – you have the right to request that IDT delete any personal data that it has collected about you.  There may be exceptions to this right and IDT does not have to delete your personal data if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided by Connecticut law.  In addition, if your personal data is deleted you may not be able to purchase or use our products and services;

(IV) Right to Obtain Copy of Personal Data in Portable Format – you have the right to obtain from IDT a copy of the personal data that we maintain about you in a portable , and to the extent technically feasible a readily usable, format that allows you to transmit the data to another entity without hinderance;

(V) Right to Opt-Out of the Processing of Personal Data for purposes of Targeted Advertising, Sale, or Profiling with Legal Effects – IDT does not sell (as defined in the CTPA) your personal data, process your personal data for Targeted Advertising (as defined in the CTPA) or process your personal data for Profiling (as defined in the CTPA) for decisions that produce legal or similarly significant effects.  Nonetheless, you have the right to request that IDT not process your personal data for those purposes should IDT decide in the future to process your personal data for those purposes.  To exercise this right please go to  https://www.idt.net/ctpa-request and complete the form.

D. How to Exercise Your Rights.  To exercise any of your rights, please go to https://www.idt.net/ctpa-request and complete the form.  The CTPA applies to individuals who are Connecticut residents, but does not apply to individuals acting in a commercial context.  An authorized agent may submit an opt-out request on your behalf using the same method listed in this section.

E. Authentication of Consumer Requests.  In order to comply with a consumer request, IDT must reasonably authenticate the request.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to authenticate the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.  If a third party, agent or representative is submitting an opt-out request on your behalf, we will verify their authority to act for you and may contact you and them to confirm your and their identity and to gain your authorization prior to taking action upon the request.

F. Responding to Consumer Requests.  IDT will attempt to authenticate each request and if it is able to authenticate a request it will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  All IDT responses shall be in writing.  The response shall be sent by mail or electronically.  If IDT is not able to process your request, we will inform you of that and (where possible) of the reasons for not acting upon your request.

G. Appeal of Refusal to Take Action.  Appeal of Refusal to Take Action.  If IDT refuses to take action on your request you have the right to appeal that refusal within 30 days of your receipt of IDT’s response by sending an email to ctpa@idt.net and requesting an appeal.  Within 60 days of IDT’s receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including the reasons for our decision.  If your appeal is denied, then you may contact the Connecticut Attorney General by email at Attorney.General@ct.gov or by phone at 860-808-5318.

 

Exhibit D

Montana Consumers

 


If you are a resident of Montana, then the following section also applies to you.


A.    Personal Data.  Personal data (as defined in the Montana Consumer Data Privacy Act (the “MCDPA”)) includes any information that is linked or reasonably linkable to an identified or identifiable individual.  Personal data does not include de-identified data or publicly available information.  IDT may collect and process the following categories of personal data regarding Montana residents:
 

Categories of Personal Data Collected or Processed Whether Sold, Shared with Third Parties, or Processed for Targeted Advertising and Categories of to Whom Purposes for Collection and Processing of Personal Data
Personal Identifiers and Information, which may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators
To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services.
To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services.
To maintain and service your account, including to process orders and payments.
To communicate with you about our terms and policies.
To verify you, your account activity and your information.
To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts. 
To provide customer service.
To perform due diligence, credit and fraud prevention checks.
To maintain accurate record keeping.
To ensure security and integrity of our customers’ personal information.
To perform product, marketing and organizational analysis.
To provide advertising and marketing to our customers.
To measure our marketing campaigns and to audit consumer interactions.
To comply with regulations and legal requirements.
To comply with contractual requirements.
For risk management and compliance.
For legal advice and defense of claims.
For general, operational and administrative purposes.

Commercial Information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories

Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Internet or other Electronic Network Activity Information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Geolocation Data (if you enable location features in BR App), which may include the location of your device Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Inferences drawn from any of the information above, which may include profile reflecting the consumer’s marketing preferences, and aggregate information from third parties Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

B.    Sensitive Data.  The only sensitive data (as defined in the MCDPA) that IDT may collect and process is precise geolocation data (as defined in the MCDPA) from the BR App primarily for transaction compliance reasons if the user enables the app’s location feature.  Users of the BR App can enable or disable the app’s location feature in the app.  By enabling the location feature, you thereby consent to IDT collecting and processing your precise geolocation data for the purposes identified herein and as outlined in the chart above.


C.    Your Rights.  As a Montana resident you have certain additional rights regarding your personal data under the MCDPA:


(i)    Right to Confirm if a Controller is Processing Your Personal Data and to Access Personal Data – you have the right to request that IDT confirm whether or not it has collected and processed personal data about you and to access the personal data that we have collected about you;


(ii)    Right to Correct Inaccurate Personal Data – you have the right to request that IDT correct any inaccurate personal data that we maintain about you;


(iii)    Right to Delete – you have the right to request that IDT delete any personal data that it has collected about you.  There may be exceptions to this right and IDT does not have to delete your personal data if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided by Montana law.  In addition, if your personal data is deleted you may not be able to purchase or use our products and services;


(iv)    Right to Obtain Copy of Personal Data in Portable Format – you have the right to obtain from IDT a copy of the personal data that we maintain about you in a portable and to the extent technically feasible a readily usable, format that allows you to transmit the data to another entity without hinderance; and


(v)    Right to Opt-Out of the Processing of Personal Data for purposes of Targeted Advertising, Sale, or Profiling with Legal Effects – IDT does not sell (as defined in the MCDPA) your personal data, process your personal data for Targeted Advertising (as defined in the MCDPA) or process your personal data for profiling for decisions that produce legal or similarly significant effects (as defined in the MCDPA).  Nonetheless, you have the right to request that IDT not process your personal data for those purposes should IDT decide in the future to process your personal data for those purposes.  To exercise this right please go to https://www.idt.net/mtpa-request and complete the form.


D.    How to Exercise Your Rights.  To exercise any of your rights, please go to https://www.idt.net/mtpa-request and complete the form.  The MCDPA applies to individuals who are Montana residents, but does not apply to individuals acting in a commercial context.  An authorized agent may submit an opt-out request on your behalf using the same method listed in this section.


E.    Authentication of Consumer Requests.  In order to comply with a consumer request, IDT must reasonably authenticate the request.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to authenticate the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.  If a third party, agent or representative is submitting an opt-out request on your behalf, we will verify their authority to act for you and may contact you and them to confirm your and their identity and to gain your authorization prior to taking action upon the request.


F.    Responding to Consumer Requests.  IDT will attempt to authenticate each request and if it is able to authenticate a request it will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  All IDT responses shall be in writing.  The response shall be sent by mail or electronically.  If IDT is not able to process your request, we will inform you of that and (where possible) of the reasons for not acting upon your request.


G.    Appeal of Refusal to Take Action.  If IDT refuses to take action on your request you have the right to appeal that refusal within 30 days of your receipt of IDT’s response by sending an email to mtpa@idt.net and requesting an appeal.  Within 60 days of IDT’s receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including the reasons for our decision.  If your appeal is denied, then you may contact the Montana Attorney General at https://dojmt.gov/consumer/consumer-complaints/.
 

Exhibit E

New Jersey Consumers

If you are a resident of New Jersey, then the following section also applies to you.


A.    Personal Data.  Personal data (as defined in the New Jersey Data Privacy Act (the “NJDPA”)) includes any information that is linked or reasonably linkable to an identified or identifiable individual.  Personal data does not include de-identified data or publicly available information.  IDT may collect and process the following categories of personal data regarding New Jersey residents:

Categories of Personal Data Collected or Processed Whether Sold, Shared with Third Parties, or Processed for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects and Categories of to Whom Purposes for Collection and Processing of Personal Data
Personal Identifiers and Information, which may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide Sold – no
Processed for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal Effect – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators
To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services.
To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services.
To maintain and service your account, including to process orders and payments.
To communicate with you about our terms and policies.
To verify you, your account activity and your information.
To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts. 
To provide customer service.
To perform due diligence, credit and fraud prevention checks.
To maintain accurate record keeping.
To ensure security and integrity of our customers’ personal information.
To perform product, marketing and organizational analysis.
To provide advertising and marketing to our customers.
To measure our marketing campaigns and to audit consumer interactions.
To comply with regulations and legal requirements.
To comply with contractual requirements.
For risk management and compliance.
For legal advice and defense of claims.
For general, operational and administrative purposes.
Commercial Information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories Sold – no
Processed for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal Effect – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Internet or other Electronic Network Activity Information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements Sold – no
Processed for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal Effect – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Geolocation Data (if you enable location features in BR App), which may include the location of your device Sold – no
Processed for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal Effect – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Inferences drawn from any of the information above, which may include profile reflecting the consumer’s marketing preferences, and aggregate information from third parties Sold – no
Processed for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal Effect – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

B.    Sensitive Data.  The only sensitive data (as defined in the NJDPA) that IDT may collect and process is precise geolocation data (as defined in the NJDPA) from the BR App primarily for transaction compliance reasons if the user enables the app’s location feature.  Users of the BR App can enable or disable the app’s location feature in the app.  By enabling the location feature, you thereby consent to IDT collecting and processing your precise geolocation data for the purposes identified herein and as outlined in the chart above.


C.    Your Rights.  As a New Jersey resident you have certain additional rights regarding your personal data under the NJDPA:


(i)    Right to Confirm if a Controller is Processing Your Personal Data and to Access Personal Data – you have the right to request that IDT confirm whether or not it has collected and processed personal data about you and to access the personal data that we have collected about you;


(ii)    Right to Correct Inaccurate Personal Data – you have the right to request that IDT correct any inaccurate personal data that we maintain about you;


(iii)    Right to Delete – you have the right to request that IDT delete any personal data that it has collected about you.  There may be exceptions to this right and IDT does not have to delete your personal data if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided by New Jersey law.  In addition, if your personal data is deleted you may not be able to purchase or use our products and services;


(iv)    Right to Obtain Copy of Personal Data in Portable Format – you have the right to obtain from IDT a copy of the personal data that we maintain about you in a portable and, to the extent technically feasible, a readily usable, format that allows you to transmit the data to another entity without hinderance; and


(v)    Right to Opt-Out of the Processing of Personal Data for purposes of Targeted Advertising, Sale, or Profiling in Furtherance of Decisions that Produce Legal Effects – IDT does not sell (as defined in the NJDPA) your personal data, process your personal data for Targeted Advertising (as defined in the NJDPA) or process your personal data for profiling in furtherance of decisions that produce legal or similarly significant effects (as defined in the NJDPA).  Nonetheless, you have the right to request that IDT not process your personal data for those purposes should IDT decide in the future to process your personal data for those purposes.  To exercise this right please go to https://www.idt.net/njpa-request and complete the form.


D.    How to Exercise Your Rights.  To exercise any of your rights, please go to https://www.idt.net/njpa-request and complete the form.  The NJDPA applies to individuals who are New Jersey residents, but does not apply to individuals acting in a commercial context.  An authorized agent may submit an opt-out request on your behalf using the same method listed in this section.


E.    Authentication of Consumer Requests.  In order to comply with a consumer request, IDT must reasonably authenticate the request.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to authenticate the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.  If a third party, agent or representative is submitting an opt-out request on your behalf, we will verify their authority to act for you and may contact you and them to confirm your and their identity and to gain your authorization prior to taking action upon the request.


F.    Responding to Consumer Requests.  IDT will attempt to authenticate each request and if it is able to authenticate a request it will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  All IDT responses shall be in writing.  The response shall be sent by mail or electronically.  If IDT is not able to process your request, we will inform you of that and (where possible) of the reasons for not acting upon your request.


G.    Appeal of Refusal to Take Action.  If IDT refuses to take action on your request you have the right to appeal that refusal within 30 days of your receipt of IDT’s response by sending an email to njpa@idt.net and requesting an appeal.  Within 45 days of IDT’s receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including the reasons for our decision.  If your appeal is denied, then you may contact the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety at https://www.njconsumeraffairs.gov/Pages/Consumer-Complaints.aspx.


H.    How to Contact IDT.  You can contact IDT by sending an email to njpa@idt.net.

Exhibit F

Oregon Consumers

If you are a resident of Oregon, then the following section also applies to you.


A.    Personal Data.  Personal data (as defined in the Oregon Privacy Act (the “ORPA”)) includes any information that is linked or reasonably linkable to an identified or identifiable individual.  Personal data does not include de-identified data or publicly available information.  IDT may collect and process the following categories of personal data regarding Oregon residents:

Categories of Personal Data Collected or Processed Whether Sold, Shared with Third Parties, or Processed for Targeted Advertising or Profiling for Decisions that Produce Legal Effects, and Categories of to Whom Purposes for Collection and Processing of Personal Data
Personal Identifiers and Information, which may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide Sold – no
Processed for Targeted Advertising or Profiling for Decisions that Produce Legal Effects – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators
To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services
To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services
To maintain and service your account, including to process orders and payments
To communicate with you about our terms and policies
To verify you, your account activity and your information
To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts 
To provide customer service
To perform due diligence, credit and fraud prevention checks
To maintain accurate record keeping
To ensure security and integrity of our customers’ personal information
To perform product, marketing and organizational analysis
To provide advertising and marketing to our customers
To measure our marketing campaigns and to audit consumer interactions
To comply with regulations and legal requirements
To comply with contractual requirements
For risk management and compliance
For legal advice and defense of claims
For general, operational and administrative purposes
 
Commercial Information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories Sold – no
Processed for Targeted Advertising or Profiling for Decisions that Produce Legal Effects – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Internet or other Electronic Network Activity Information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements Sold – no
Processed for Targeted Advertising or Profiling for Decisions that Produce Legal Effects – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Geolocation Data (if you enable location features in BR App), which may include the location of your device Sold – no
Processed for Targeted Advertising or Profiling for Decisions that Produce Legal Effects – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Inferences drawn from any of the information above, which may include profile reflecting the consumer’s marketing preferences and aggregate information from third parties Sold – no
Processed for Targeted Advertising or Profiling for Decisions that Produce Legal Effects – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

B.    Sensitive Data.  The only sensitive data (as defined in the ORPA) that IDT may collect and process is precise geolocation data (as defined in the ORPA) from the BR App primarily for transaction compliance reasons if the user enables the app’s location feature. Users of the BR App can enable or disable the app’s location feature in the app.  By enabling the location feature, you thereby consent to IDT collecting and processing your precise geolocation data for the purposes identified herein and as outlined in the chart above.


C.    Your Rights.  As an Oregon resident you have certain additional rights regarding your personal data under the “ORPA”:


(i)    Right to Confirm if a Controller is Processing Your Personal Data and to Access Personal Data – you have the right to request that IDT confirm whether or not it has collected and processed personal data about you and to access the personal data that we have collected about you;


(ii)    Right to Correct Inaccurate Personal Data – you have the right to request that IDT correct any inaccurate personal data that we maintain about you;


(iii)    Right to Delete – you have the right to request that IDT delete any personal data that it has collected about you.  There may be exceptions to this right and IDT does not have to delete your personal data if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided by Oregon law.  In addition, if your personal data is deleted you may not be able to purchase or use our products and services;


(iv)    Right to Obtain Copy of Personal Data in Portable Format – you have the right to obtain from IDT a copy of the personal data that we maintain about you in a portable and to the extent technically feasible a readily usable, format; and


(v)    Right to Opt-Out of the Processing of Personal Data for purposes of Targeted Advertising, Sale, or Profiling with Legal Effects – IDT does not sell (as defined in the ORPA) your personal data, process your personal data for Targeted Advertising (as defined in the ORPA) or process your personal data for profiling for decisions that produce legal or similarly significant effects (as defined in the ORPA).  Nonetheless, you have the right to request that IDT not process your personal data for those purposes should IDT decide in the future to process your personal data for those purposes.  To exercise this right please go to https://www.idt.net/orpa-request and complete the form.


D.    How to Exercise Your Rights.  To exercise any of your rights, please go to https://www.idt.net/orpa-request and complete the form.  The ORPA applies to individuals who are Oregon residents, but does not apply to individuals acting in a commercial context.  An authorized agent may submit an opt-out request on your behalf using the same method listed in this section.


E.    Authentication of Consumer Requests.  In order to comply with a consumer request, IDT must reasonably authenticate the request.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to authenticate the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.  If a third party, agent or representative is submitting an opt-out request on your behalf, we will verify their authority to act for you and may contact you and them to confirm your and their identity and to gain your authorization prior to taking action upon the request.


F.    Responding to Consumer Requests.  IDT will attempt to authenticate each request and if it is able to authenticate a request it will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  All IDT responses shall be in writing.  The response shall be sent by mail or electronically.  If IDT is not able to process your request, we will inform you of that and (where possible) of the reasons for not acting upon your request.


G.    Appeal of Refusal to Take Action.  If IDT refuses to take action on your request you have the right to appeal that refusal within 30 days of your receipt of IDT’s response by sending an email to orpa@idt.net and requesting an appeal.  Within 45 days of IDT’s receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including the reasons for our decision.  If your appeal is denied, then you may contact the Oregon Attorney General by email at AttorneyGeneral@doj.state.or.us or by phone at 877-877-9392.

Exhibit G

Texas Consumers

If you are a resident of Texas, then the following section also applies to you.


A.    Personal Data.  Personal data (as defined in the Texas Data Privacy and Security Act (the “TDPSA”)) includes any information that is linked or reasonably linkable to an identified or identifiable individual.  Personal data does not include de-identified data or publicly available information.  IDT may collect and process the following categories of personal data regarding Texas residents:
 

Categories of Personal Data Collected or Processed Whether Sold, Shared with Third Parties, or Processed for Targeted Advertising and Categories of to Whom Purposes for Collection and Processing of Personal Data
Personal Identifiers and Information, which may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators
To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services.
To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services.
To maintain and service your account, including to process orders and payments.
To communicate with you about our terms and policies.
To verify you, your account activity and your information.
To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts. 
To provide customer service.
To perform due diligence, credit and fraud prevention checks.
To maintain accurate record keeping.
To ensure security and integrity of our customers’ personal information.
To perform product, marketing and organizational analysis.
To provide advertising and marketing to our customers.
To measure our marketing campaigns and to audit consumer interactions.
To comply with regulations and legal requirements.
To comply with contractual requirements.
For risk management and compliance.
For legal advice and defense of claims.
For general, operational and administrative purposes.
Commercial Information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Internet or other Electronic Network Activity Information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Geolocation Data (if you enable location features in BR App), which may include the location of your device Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information
Inferences drawn from any of the information above, which may include profile reflecting the consumer’s marketing preferences, and aggregate information from third parties Sold – no
Processed for Targeted Advertising – no
Shared with Third Parties - yes
Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

B.    Sensitive Data.  The only sensitive data (as defined in the TDPSA) that IDT may collect and process is precise geolocation data (as defined in the TDPSA) from the BR App primarily for transaction compliance reasons if the user enables the app’s location feature.  Users of the BR App can enable or disable the app’s location feature in the app.  By enabling the location feature, you thereby consent to IDT collecting and processing your precise geolocation data for the purposes identified herein and as outlined in the chart above.


C.    Your Rights.  As a Texas resident you have certain additional rights regarding your personal data under the TDPSA:


(i)    Right to Confirm if a Controller is Processing Your Personal Data and to Access Personal Data – you have the right to request that IDT confirm whether or not it has collected and processed personal data about you and to access the personal data that we have collected about you;


(ii)    Right to Correct Inaccurate Personal Data – you have the right to request that IDT correct any inaccurate personal data that we maintain about you;


(iii)    Right to Delete – you have the right to request that IDT delete any personal data that it has collected about you.  There may be exceptions to this right and IDT does not have to delete your personal data if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided by Texas law.  In addition, if your personal data is deleted you may not be able to purchase or use our products and services;


(iv)    Right to Obtain Copy of Personal Data in Portable Format – you have the right to obtain from IDT a copy of the personal data that we maintain about you (if available in a digital format) in a portable and to the extent technically feasible a readily usable, format that allows you to transmit the data to another entity without hinderance; and


(v)    Right to Opt-Out of the Processing of Personal Data for purposes of Targeted Advertising, Sale, or Profiling with Legal Effects – IDT does not sell (as defined in the TDPSA) your personal data, process your personal data for Targeted Advertising (as defined in the TDPSA) or process your personal data for profiling for decisions that produce legal or similarly significant effects (as defined in the TDPSA).  Nonetheless, you have the right to request that IDT not process your personal data for those purposes should IDT decide in the future to process your personal data for those purposes.  To exercise this right please go to https://www.idt.net/txpa-request and complete the form.


D.    How to Exercise Your Rights.  To exercise any of your rights, please go to https://www.idt.net/txpa-request and complete the form.  The TDPSA applies to individuals who are Texas residents, but does not apply to individuals acting in a commercial context.  An authorized agent may submit an opt-out request on your behalf using the same method listed in this section.


E.    Authentication of Consumer Requests.  In order to comply with a consumer request, IDT must reasonably authenticate the request.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to authenticate the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.  If a third party, agent or representative is submitting an opt-out request on your behalf, we will verify their authority to act for you and may contact you and them to confirm your and their identity and to gain your authorization prior to taking action upon the request.


F.    Responding to Consumer Requests.  IDT will attempt to authenticate each request and if it is able to authenticate a request it will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  All IDT responses shall be in writing.  The response shall be sent by mail or electronically.  If IDT is not able to process your request, we will inform you of that and (where possible) of the reasons for not acting upon your request.


G.    Appeal of Refusal to Take Action.  If IDT refuses to take action on your request you have the right to appeal that refusal within 30 days of your receipt of IDT’s response by sending an email to txpa@idt.net and requesting an appeal.  Within 60 days of IDT’s receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including the reasons for our decision.  If your appeal is denied, then you may contact the Texas Attorney General at https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint.

Exhibit H

Utah Consumers

If you are a resident of Utah, then the following section also applies to you.

A. Personal Data.  Personal data  (as defined in the Utah Privacy Act (the “UTPA”)) includes any information that is linked or reasonably linkable to an identified or identifiable individual.  Personal data does not include de-identified data, aggregated data or publicly available information.  IDT may collect and process the following categories of personal data regarding Utah residents:

Categories of Personal Data Collected and Processed

Whether Sold, Shared with Third Parties and/or Processed for Targeted Advertising and Categories of to Whom

Purposes for Collection and Processing of Personal Data

Personal Identifiers and Information, which may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide

Sold to Third Parties – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators

To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services

To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services

To maintain and service your account, including to process orders and payments

To communicate with you about our terms and policies

To verify you, your account activity and your information

To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts 

To provide customer service

To perform due diligence, credit and fraud prevention checks

To maintain accurate record keeping

To ensure security and integrity of our customers’ personal information

To perform product, marketing and organizational analysis

To provide advertising and marketing to our customers

To measure our marketing campaigns and to audit consumer interactions

To comply with regulations and legal requirements

To comply with contractual requirements

For risk management and compliance

For legal advice and defense of claims

For general, operational and administrative purposes

Commercial Information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories

Sold to Third Parties – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Internet or other Electronic Network Activity Information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements

Sold to Third Parties – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Geolocation Data (if you enable location features in the BR App), which may include the location of your device

Sold to Third Parties – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Inferences drawn from any of the information above, which may include profile reflecting the consumer’s marketing preferences and aggregate information from third parties

Sold to Third Parties – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., payment processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

B. Sensitive Data.  The only sensitive data (as defined in the UTPA) that IDT may collect and process is specific geolocation data (as defined in the UTPA) from the BR App, primarily for transaction compliance reasons, if the user enables the app’s location feature.  Users of the BR App can enable or disable the app’s location feature in the app. By enabling the location feature, you thereby consent to IDT collecting and processing your precise geolocation data for the purposes identified herein and as outlined in the chart above.

C. Your Rights.  As a Utah resident you have certain additional rights regarding your personal data under the “UTPA”:

(I) Right to Confirm if a Controller is Processing Your Personal Data and to Access Your Personal Data – you have the right to request that IDT confirm whether or not it has collected and processed personal data about you and to access the personal data that we have collected about you;

(II) Right to Delete – you have the right to request that IDT delete any personal data that you provided to it.  There may be exceptions to this right and IDT does not have to delete your personal data if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided by Utah law.  In addition, if your personal data is deleted you may not be able to purchase or use our products and services;

(III) Right to Obtain Copy of Personal Data in Portable Format – you have the right to obtain from IDT a copy of the personal data that you previously provided to us in a portable and readily usable format to the extent technically feasible and practicable portable  that allows you to transmit the data to another entity without impedimentformat; and

(IV) Right to Opt-Out of the Processing of Personal Data for purposes of Targeted Advertising and/or Sale – IDT does not sell (as defined in the UTPA) your personal data or process your personal data for Targeted Advertising (as defined in the UTPA).  Nonetheless, you have the right to request that IDT not process your personal data for those purposes should IDT decide in the future to process your personal data for those purposes.  To exercise this right please go to https://www.idt.net/utpa-request and complete the form.

D. How to Exercise Your Rights.  To exercise any of your rights, please go to https://www.idt.net/utpa-request and complete the form.  The UTPA applies to individuals who are Utah residents, but does not apply to individuals acting in a commercial context.  An authorized agent may submit an opt-out request on your behalf using the same method listed in this section.

E. Authentication of Consumer Requests.   In order to comply with a consumer request, IDT must reasonably authenticate the request.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to authenticate the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.  If a third party, agent or representative is submitting an opt-out request on your behalf, we will verify their authority to act for you and may contact you and them to confirm your and their identity and to gain your authorization prior to taking action upon the request.

F. Responding to Consumer Requests.  IDT will attempt to authenticate each request and if it is able to authenticate a request it will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  All IDT responses shall be in writing.  The response shall be sent by mail or electronically.  If IDT is not able to process your request, we will inform you of that and (where possible) of the reasons for not acting upon your request.

Exhibit I

Virginia Consumers

If you are a resident of Virginia, then the following section also applies to you.


A.    Personal Data.  Personal data (as defined in the Virginia Consumer Data Protection Act (the “VCDPA”)) includes any information that is linked or reasonably linkable to an identified or identifiable natural person.  Personal data does not include de-identified data or publicly available information.  IDT may collect and process the following categories of personal data regarding Virginia residents:

Categories of Personal Data Collected and Processed

Whether Sold, Shared with Third Parties and/or Processed for Targeted Advertising and Categories of to Whom

Purposes for Collection and Processing of Personal Data

Personal Identifiers and Information, which may include name, address, email address, phone number, birthdate, device and marketing identifiers, IP address, payment and financial information, credit/debit card number and details, bank account number and information, personal information necessary to verify you or your account, security code and login credentials, and other personal information you provide

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our service providers and vendors to the extent reasonably necessary for them to perform work on our and your behalf (e.g., credit card processors); ad networks; data analytics providers; social networks; law enforcement; prospective purchasers of our business; outside auditors and lawyers; and government entities, agencies and regulators

To manage our products and services, including to help us operate, provide, evaluate, improve, monitor, customize, bill and support our products and services

To maintain the quality of our products and services, including to improve, upgrade, and enhance our products and services

To maintain and service your account, including to process orders and payments

To communicate with you about our terms and policies

To verify you, your account activity and your information

To detect, investigate and report fraud, abuse or illegal use of our products and services or customer accounts 

To provide customer service

To perform due diligence, credit and fraud prevention checks

To maintain accurate record keeping

To ensure security and integrity of our customers’ personal information

To perform product, marketing and organizational analysis

To provide advertising and marketing to our customers

To measure our marketing campaigns and to audit consumer interactions

To comply with regulations and legal requirements

To comply with contractual requirements

For risk management and compliance

For legal advice and defense of claims

For general, operational and administrative purposes

Commercial Information, which may include records of products or services purchased and used, diagnostic and service performance information, call records and other traffic data, credit information from reporting agencies, transactional information, and other purchasing or consuming histories

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Internet or other Electronic Network Activity Information, which may include browsing history, search history, messages, personal, phone or social network contact information, device information, device contacts, and information regarding a consumer’s interaction and usage with our websites, apps and advertisements

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Geolocation Data (if you enable location features in the BR App), which may include the location of your device

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  see list under Personal Identifiers and Information

Inferences drawn from any of the information above, which may include profile reflecting the consumer’s marketing preferences and aggregate information from third parties

Sold – no

Processed for Targeted Advertising – no

Shared with Third Parties - yes

Categories of Third Parties to whom IDT may share personal data for a business purpose:  IDT family of companies, including our affiliates both in and outside the United States; our vendors and partners to the extent reasonably necessary for them to perform work on our and your behalf (e.g., credit card processors); ad networks; data analytics providers; social networks; and prospective purchasers of our business

B.    Sensitive Data.  The only sensitive data (as defined in the VCDPA) that IDT may collect and process is precise geolocation data (as defined in the VCDPA) from the BR App primarily for transaction compliance reasons if the user enables the app’s location feature. Users of the BR App can enable or disable the app’s location feature in the app.  By enabling the location feature, you thereby consent to IDT collecting and processing your precise geolocation data for the purposes identified herein and as outlined in the chart above.


C.    Your Rights.  As a Virginia resident you have certain additional rights regarding your personal data under the  “VCDPA":


(i)    Right to Confirm if a Controller is Processing Your Personal Data and to Access Personal Data – you have the right to request that IDT confirm whether or not it has collected and processed personal data about you and to access the personal data that we have collected about you;


(ii)    Right to Correct Inaccurate Personal Data – you have the right to request that IDT correct any inaccurate personal data that we maintain about you;


(iii)    Right to Delete – you have the right to request that IDT delete any personal data that it has collected about you.  There may be exceptions to this right and IDT does not have to delete your personal data if it is reasonably necessary to complete a transaction with you, to provide you with goods or services you requested, to comply with our legal obligations, and as otherwise provided by Virginia law.  In addition, if your personal data is deleted you may not be able to purchase or use our products and services;


(iv)    Right to Obtain Copy of Personal Data in Portable Format – you have the right to obtain from IDT a copy of the personal data that we maintain about you in a portable and to the extent technically feasible a readily usable, format that allows you to transmit the data to another entity without hinderance;


(v)    Right to Opt-Out of the Processing of Personal Data for purposes of Targeted Advertising, Sale, or Profiling with Legal Effects – IDT does not sell (as defined in the VCDPA) your personal data, process your personal data for Targeted Advertising (as defined in the VCDPA) or process your personal data for Profiling (as defined in the VCDPA) for decisions that produce legal or similarly significant effects.  Nonetheless, you have the right to request that IDT not process your personal data for those purposes should IDT decide in the future to process your personal data for those purposes.  To exercise this right please go to https://www.idt.net/vcdpa-request and complete the form.


D.    How to Exercise Your Rights.  To exercise any of your rights, please go to https://www.idt.net/vcdpa-request and complete the form.  The VCDPA applies to individuals who are Virginia residents, but does not apply to individuals acting in a commercial context.


E.    Authentication of Consumer Requests.  In order to comply with a consumer request, IDT must reasonably authenticate the request.  A record of each request is made as soon as it is received by our data protection team.  IDT will use all reasonable measures to authenticate the identity of the individual making the request.  We will utilize the requested data to ensure that we can verify the requestor’s identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to responding to your request.  This is to protect your data and rights.


F.    Responding to Consumer Requests.  IDT will attempt to authenticate each request and if it is able to authenticate a request it will provide a response (if necessary and applicable) within 45 days of the receipt of the request, which time period may be extended by IDT for an additional 45 days.  If a delay is necessary, IDT will contact the requestor within the original 45 day period and provide the reasons for the delay.  All IDT responses shall be in writing.  The response shall be sent by mail or electronically.  If IDT is not able to process your request, we will inform you  of that and (where possible) of the reasons for not acting upon your request.


G.    Appeal of Refusal to Take Action.  If IDT refuses to take action on your request you have the right to appeal that refusal within 30 days of your receipt of IDT’s response by sending an email to vcdpa@idt.net and requesting an appeal.  Within 60 days of IDT’s receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including the reasons for our decision.  If your appeal is denied, then you may contact the Virginia Attorney General at (804)786-2071 to submit a complaint.