This Data Privacy Addendum (this “Addendum”) forms part of the Agreement between Customer and Boulevard and governs the Processing of Personal Data that Customer provides or otherwise makes available to Boulevard in connection with the Boulevard Services.  This Addendum is incorporated into and made part of the Main Services Agreement (“MSA”). This Agreement may refer to Boulevard and Customer each as a “Party” and collectively as the “Parties.”  

This Addendum reflects the Parties’ agreement with respect to the Processing of the Customer Personal Data (as defined below). In the event of any inconsistency between the terms of the Agreement and this Addendum, the terms of this Addendum shall prevail; provided, however, that nothing in this Addendum is intended to, and shall not restrict Boulevard’s rights with respect to Customer Data, including its limited license to Customer Data described in the MSA. 

This Addendum may be updated by Boulevard from time to time upon reasonable notice, which may be provided via your Account, email, or by posting an updated version of this Addendum at https://www.joinblvd.com/legal/data-privacy-addendum. Your continued use of the Boulevard Services shall be deemed your conclusive acceptance of any such revisions.

1. Definitions. Capitalized terms used in this Addendum that are not defined herein shall have the same meaning as set forth in the MSA.

1.1. “Aggregated” means information that relates to a group or category of individuals and from which individual identities have been removed and which is not linked or reasonably linkable to any individual or household.

1.2. “Customer Personal Data” means any Personal Data provided to Boulevard by or on behalf of Customer or that Customer otherwise makes available to Boulevard in connection with the Services.

1.3. “Data Protection and Privacy Laws” means the data protection and privacy laws and regulations applicable to the Processing of Personal Data in any relevant jurisdiction, including the U.S. State Privacy Laws, and any other similar applicable laws that are in effect or come into effect during the term of the Agreement.  

1.4. “De‑identified” means information that cannot reasonably be used to infer information about, or otherwise be linked to a particular individual, household, or device, consistent with Cal. Civ. Code § 1798.140 and other Data Protection and Privacy Laws.

1.5. “Personal Data” means any information relating to an identified or identifiable individual that is subject to protection under the Data Protection and Privacy Laws and includes information that is referred to as “personal data” or “personal information” in the Data Protection and Privacy Laws.  

1.6. “Personal Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the Customer Personal Data. 

1.7. “Privacy Rights Request” means a request made by (or on behalf of) an individual to exercise his or her rights under the Data Protection and Privacy Laws in relation to the Customer Personal Data.

1.8. “Process” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. 

1.9. “Service Provider” has the meaning of “service provider” (or equivalent term) under Data Protection and Privacy Laws.

1.10. “Subcontractor” means a party engaged by Boulevard in the Processing of the Customer Personal Data on Customer’s behalf.

1.11. “U.S. State Privacy Laws” means the U.S. state privacy laws and  regulations applicable to the Processing of Personal Data, including the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act; the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52; the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq.; the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq.;  the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. Gen. Stat. 42-515 et seq.; the Iowa Act Relating to Consumer Data Protection, Iowa Code § 715D.1 et seq.; the Indiana Consumer Data Protection Act, Ind. Code Ann. § 24-15; the Tennessee Information Protection Act, Tenn. Code Ann. 47-18-3301 et seq.; the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541.001 et seq.; the Montana Consumer Data Privacy Act, SB 384 (2023); the Oregon Act Relating to Protections for Personal Data of Consumers, SB 619 (2023); the Delaware Personal Data Privacy Act, Del. Code Ann. tit. 6, § 12D-101 et seq.; the Minnesota Consumer Data Privacy Act, Minn. Stat. § 3250.01 et seq.; the New Jersey Act Concerning Online Services, Consumers, and Personal Data, P.L. 2023, c. 266; New Hampshire Expectation of Privacy law, N.H. Rev. Stat. 507-H:1 et seq.; Nebraska Data Privacy Act, Nebraska Rev. Stat. § 87-1101 et seq.; Kentucky Act relating to consumer data privacy, KRS § 367.3611 et seq.; and any other similar applicable laws that are in effect or come into effect during the term of the Agreement.  

1.12. The terms “Business,” “Service Provider,” “Sell” and “Share,” have the meanings ascribed to them in the CCPA. 

2. Processing of the Customer Personal Data

2.1. Roles of the Parties. For the Processing of Customer Personal Data performed under the MSA and this Addendum, Boulevard acts as a Service Provider to Customer and will process such data only on Customer’s behalf, except as expressly permitted in the MSA or this Addendum. In addition, each Party shall comply with the obligations that apply to it under the Data Protection and Privacy Laws and provide the Customer Personal Data the level of privacy protection required by such laws. In the event that either Party determines that it can no longer meet its obligations under the Data Protection and Privacy Laws with respect to the Customer Personal Data, it shall take commercially reasonable steps to notify the other Party.  

2.2. Boulevard’s Processing of Customer Personal Data. Boulevard may Process Customer Personal Data solely for business purposes as defined in the Data Protection and Privacy Laws, which include the following Permitted Purposes: (a) providing, operating, and supporting the Services described in the Agreement; (b) providing analytics services for or on behalf of Customer, including to assess the effectiveness of the Services and to enhance the Services on behalf of the Customer; (c) maintaining, troubleshooting, or improving the quality, performance, or security of the Services; (d) providing customer service and support to Customer; (e) undertaking internal research to develop and upgrade the Services for the Customer; (f) detecting, preventing, or investigating security incidents, fraud, or other unlawful activity; and (g) complying with applicable law, court orders, or protecting the rights, property, or safety of Boulevard, Customer, Users, or Clients.  If Boulevard is required by applicable law to Process the Customer Personal Data for another purpose, Boulevard shall take commercially reasonable steps to inform Customer of the legal obligation unless that law prohibits such disclosure.  Boulevard will grant access to the Customer Personal Data only to its personnel who require access and are subject to appropriate duties of confidentiality. 

For the avoidance of doubt, Customer Personal Data does not include information that has been De-identified or Aggregated. Boulevard may create, use, disclose and otherwise Process De-identified or Aggregated data derived from Customer Personal Data to operate, analyze, improve, develop and market the Boulevard Services and related machine-learning models, provided that Boulevard (i) maintains and complies with technical and organizational measures designed to prevent re-identification, (ii) does not attempt to re-identify such data and (iii) publicly commits to these safeguards. Boulevard will not combine Customer Personal Data with personal information obtained from other customers, or from its own interaction with a data subject.

2.3. Prohibited Activities. Except as otherwise permitted under Section 2.2, Boulevard will not (i) Sell or Share Customer Personal Data, (ii) Process Customer Personal Data for cross-context behavioral advertising, (iii) Process the Customer Personal Data outside the direct business relationship between Customer and Boulevard where restricted by the Data Protection and Privacy Laws; or (iv) otherwise Process Customer Personal Data for any commercial purpose other than the Permitted Purposes specified in the Agreement and this Addendum.

2.4. Customer’s Processing Obligations. Customer shall ensure that the Customer Personal Data is collected and provided or otherwise made available to Boulevard in compliance with the Data Protection and Privacy Laws. In particular, Customer shall ensure that it has provided all legally-required notices and privacy disclosures to all individuals to whom the Customer Personal Data relates. Customer shall also be responsible for the accuracy and use of the Customer Personal Data.

3. Data Security. Taking into account the nature of the Processing, Boulevard shall maintain reasonable technical and organizational measures designed to protect the Customer Personal Data against any breach of security leading to the accidental or unlawful destruction, use, loss, alteration, unauthorized disclosure of, or unauthorized access to the Customer Personal Data. Boulevard shall notify Customer without undue delay after becoming aware of a Personal Data Breach. 

4. Assessments and Other Assistance. Upon reasonable written request, Boulevard shall provide Customer with available information and documentation regarding Boulevard’s Processing of the Customer Personal Data to assist Customer in fulfilling its obligation under the Data Protection and Privacy Laws to conduct and document data protection impact assessments (or other similar assessments). Additionally, taking into account the nature of the Processing and the information available to Boulevard, upon reasonable written request, Boulevard shall assist Customer in ensuring compliance with other obligations pursuant to the Data Protection and Privacy Laws. 

5. Compliance Verification and Audits. At reasonable intervals during the term of the Agreement not to exceed more than once in a given twelve (12) month period, Boulevard shall, upon written request, make available to Customer information or documentation necessary to demonstrate its compliance with its obligations under this Addendum with respect to the Customer Personal Data. In the event of a Personal Data Breach, at the reasonable written request of Customer, Boulevard shall allow for and contribute to an audit conducted by an independent third-party auditor mutually agreed upon by the Parties to assess Boulevard’s data security measures. Any such audit shall be at the expense of Customer and conducted during normal business hours and in a manner that minimizes any disruption to Boulevard’s business and operations. If an audit conducted pursuant to this Section 5 reveals any unauthorized use of the Customer Personal Data by Boulevard, Customer and Boulevard shall promptly work together in good faith to agree upon reasonable and appropriate steps to stop and remediate the unauthorized use. If, in Boulevard’s opinion, any instruction from Customer pursuant to this Section 5 infringes the Data Protection and Privacy Laws, Boulevard shall take commercially reasonable steps to notify Customer. 

6. Privacy Rights Requests. Customer shall notify Boulevard in writing or through other methods agreed upon by the Parties of all Privacy Rights Requests it receives relating to the Customer Personal Data. Taking into account the nature of the Processing and the information available, Boulevard shall assist Customer in fulfilling its obligation to respond to Privacy Rights Requests, insofar as this is possible.  

7. Subcontractors. As of the Effective Date, Customer authorizes Boulevard to engage Subcontractors in the Processing of the Customer Personal Data, provided that Boulevard has in place a written agreement with each party that imposes on it the same restrictions and requirements with respect to Personal Data imposed on Boulevard in this Addendum. Boulevard shall notify the Customer of any intended changes concerning the addition or replacement of subcontractors. 

8. Deletion or Return of the Customer Personal Data. Boulevard will Process Customer Personal Data only as long as necessary to fulfil the Permitted Purposes. Upon termination or expiration of the Services, unless otherwise expressly provided in an Order, and provided Customer has paid all amounts owed under the Agreement, Boulevard will, for up to thirty (30) days from the effective date of termination, make all Customer Personal Data available to Customer through the Platform or through its export services (at Boulevard’s discretion). After such 30-day period, Boulevard will have no obligation to retain or provide Customer Personal Data and may delete or destroy it unless retention is required by applicable law, regulation, valid court order, or as otherwise agreed in writing by the Parties.

9. Use of AI Tools. Where Boulevard or an authorized third-party AI Subcontractor (“AI Provider”) Processes Customer Personal Data using proprietary machine-learning models and/or technology (collectively, “AI Tools”) in accordance with the MSA, Boulevard agrees to (i) limit such Processing to the Permitted Business Purposes set out in Section 2.2 of this DPA, (ii) take commercially reasonable steps to prohibit any AI Provider from using Customer Personal Data to train or improve its models, and (iii) take commercially reasonable steps to implement data minimization measures to ensure that only the minimum necessary Customer Personal Data is processed by AI Tools. The content generated by an AI Tool (“AI Outputs”) on Boulevard’s behalf for the Permitted Business Purposes is incorporated directly into the Services and is not provided, licensed, or assigned to Customer as a stand-alone product, feature, or data set to Customer. Customer acknowledges and agrees that it does not interface with, control, or otherwise access the AI Tools or AI Outputs and acquires no ownership, license, or other rights, title, or interest in the AI Tools or AI Outputs. If Boulevard makes any AI-powered feature directly available for Customer’s use, that feature will be governed by the MSA or any applicable Supplemental Terms.

9.1. AI Outputs. Because large-language models can generate errors, AI Outputs may contain inaccuracies. Boulevard applies reasonable quality-control and validation procedures before incorporating AI Outputs into the Services and does not rely on any AI Outputs without appropriate human or automated review.  Boulevard will use commercially reasonable efforts to de-identify AI Outputs to the extent feasible and appropriate for the intended business purpose.

9.2. Security & Confidentiality. Boulevard will take commercially reasonable steps to ensure each AI Provider is bound by confidentiality obligations and security controls at least as protective as those in this Addendum. Boulevard will maintain a current list of AI Providers and, upon Customer’s written request, will provide information regarding the AI Providers used to Process Customer Personal Data, including the nature and purpose of such Processing. Customer may request additional information regarding the security and privacy practices of an AI Provider, subject to reasonable confidentiality, security, and operational requirements, and only as required by Data Protection and Privacy Laws or in response to a substantiated concern.

9.3. No New Rights Granted. This Section does not expand Boulevard’s rights to Customer Personal Data beyond those already granted in this Addendum and the MSA; it simply notifies Customer that AI techniques may be used to provide and improve the Services, consistent with Data Protection and Privacy Laws.

Data Privacy Addendum (OLD VERSION)