Effective Date: June 18, 2025
Last Updated: June 18, 2025
Welcome to https://extanto.com (the “Site”), operated by Extanto Technology, LLC. (“Extanto Technology,” “we,” “us,” or “our”). We understand the importance of privacy to our users, especially when engaging in online transactions. This Privacy Policy outlines our practices regarding the collection, use, and disclosure of personal data for all users of our Site (“Visitors”), and for those who register to transact business on the Site and utilize our services (collectively, “Services”) (“Authorized Customers”).
We process your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), where applicable.
- Definitions
- Personal Data (or Personal Information): Refers to any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes, but is not limited to, name, address, phone number, email address, financial profiles (excluding raw credit card data, which we do not directly process or store), IP address, and online identifiers. Personal Data does not include anonymized data or aggregated data not connected to an identified individual.
- Visitor: Any user of the Site who visits without transacting business.
- Authorized Customer: A Visitor who registers to transact business on the Site and makes use of the various Services offered by Extanto Technology.
- Data Controller: The entity that determines the purposes and means of processing personal data. For the purposes described in this policy, Extanto Technology, LLC. is the Data Controller.
- Data Processor: An entity that processes personal data on behalf of the Data Controller.
- What Personal Data Do We Collect?
We collect various types of Personal Data depending on your interaction with our Site:
From All Visitors:
- Usage Data: Information gathered through website analytics (e.g., IP address, browser type, operating system, referral source, pages visited, time spent on site, device information). This information is primarily collected via cookies and similar technologies.
- Contact Information: If you choose to contact us (e.g., through a contact form), we collect your name and email address.
From Authorized Customers (in addition to the above):
- Account Registration Data: Names, addresses, phone numbers, and email addresses.
- Business Profile Data: The nature and size of the business (for business accounts).
- Transaction Data: Details regarding the nature and size of advertising inventory that an Authorized Customer intends to purchase or sell, and order history.
- Payment Information (Processed by Third Parties): While we facilitate payment processing, we do not directly collect or store sensitive payment card data (e.g., full credit card numbers, CVVs) on our servers. This information is securely handled by our PCI DSS-compliant payment gateway, Authorize.net, via their Accept.js integration. We only receive a transaction token or confirmation from the payment gateway to process your order.
- How We Use Your Personal Data and Our Lawful Bases for Processing
We use the Personal Data we collect for the following purposes, based on the specified lawful bases under the General Data Protection Regulation (GDPR), where applicable:
- To Provide Services and Fulfill Transactions (Contractual Necessity): We use your Personal Data to operate and customize the Site, facilitate buying and selling requests, process orders, manage your account as an Authorized Customer, and provide customer support related to our services.
- To Communicate With You (Legitimate Interest or Consent):
- To respond to your inquiries and provide requested information.
- To email Visitors and Authorized Customers about research, product updates, purchase and selling opportunities on the Site, or information related to the subject matter of the Site. (Where required by law, we will obtain your explicit consent for marketing communications, and you will always have the option to opt out.)
- For Site Administration, Security, and Improvement (Legitimate Interest):
- To analyze trends, administer the Site, track user movement and usage patterns, and gather broad demographic information (e.g., IP addresses, ISPs, browser types) to understand user behavior and optimize Site performance and user experience.
- To maintain the security and integrity of our Site, detect and prevent fraud, protect against unauthorized access or cyber threats, and enforce our terms and policies. This includes using data for security logging, malware scanning, and firewall protection.
- For Business Operations and Analytics (Legitimate Interest): To understand the nature and size of the business and advertising inventory for internal analysis, reporting, and business planning.
- For Legal Compliance (Legal Obligation): To comply with legal obligations, court orders, subpoenas, or requests from law enforcement agencies, or when reasonably necessary to protect the safety of our Visitors, Authorized Customers, or the public.
- How We Share Your Personal Data
We may share your Personal Data with the following categories of recipients:
- With Other Authorized Customers (With Your Explicit Consent or Contractual Necessity): For the purpose of facilitating potential transactions between Authorized Customers, certain Personal Data may be shared only if explicitly agreed upon by both parties as part of the transaction facilitation process. We provide mechanisms for you to control this sharing.
- Third-Party Service Providers (Data Processors): We engage reputable third-party vendors who perform services on our behalf and process Personal Data under our instructions. These include:
- Hosting Provider: WP Engine (for website hosting, daily backups, and server-level security).
- Payment Gateway: Authorize.net (via SkyVerge plugin with Accept.js) for secure payment processing. Sensitive payment card data is directly handled by Authorize.net and never touches our servers.
- Security Services: Wordfence (for Web Application Firewall and malware scanning).
- Analytics Providers: [e.g., Google Analytics, will require specific mention and links to their privacy policies].
- Marketing/CRM Platforms: (if used for email communication or customer relationship management).
- Other vendors who provide services such as credit, insurance, and escrow services.
We have entered into Data Processing Agreements (DPAs) or similar contractual arrangements with these service providers to ensure they process your data securely and in compliance with applicable data protection laws.
- Affiliated Entities and Business Partners: We may share aggregated, non-personally identifiable demographic information about our Visitors and Authorized Customers with our affiliated entities and business partners for business analysis and marketing purposes. This data cannot be used to identify any individual.
- Legal & Compliance: With law enforcement, government officials, or other third parties when compelled to do so by a subpoena, court order, or similar legal procedure, or when we believe in good faith that the disclosure of Personal Data is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our terms and conditions.
- Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or other sale of all or a portion of our assets, your Personal Data may be transferred as part of that transaction.
We do not sell or rent your Personal Data to third parties for their direct marketing purposes without your explicit consent.
- Data Security and Storage
We are committed to safeguarding your Personal Data. We implement robust technical and organizational security measures, as detailed in our Information Security Policy, to protect against unauthorized access, disclosure, alteration, and destruction of Personal Data.
- Secure Hosting: Personal Data collected by Extanto Technology, LLC. is securely stored on WP Engine’s managed WordPress hosting infrastructure. WP Engine provides features such as server-level security, daily automated backups, and proactive threat detection.
- Access Control: Access to Personal Data is strictly limited to a restricted number of qualified employees who require access to perform their job functions and are provided with unique, strong passwords. All our employees are familiar with our security policy and practices.
- Application Security: We utilize the Wordfence Community plugin to provide a Web Application Firewall (WAF) to block malicious traffic and regularly scan for malware and vulnerabilities across our WordPress core files, themes, and plugins.
- Encryption in Transit: Sensitive information transmitted over the Internet (e.g., login credentials, payment tokens) between your browser and our Site is protected using strong SSL/TLS encryption protocols, ensuring data integrity and confidentiality.
- Payment Data Handling: As detailed in our Information Security Policy, sensitive credit card information is processed directly by Authorize.net via Accept.js. This means raw credit card data never touches or resides on our servers. This architecture significantly reduces our PCI DSS compliance scope to SAQ A-EP.
- Regular Audits: We regularly audit our security systems and processes to ensure ongoing effectiveness and compliance.
While we take commercially reasonable measures to maintain a secure site, no electronic communication or database can be entirely immune to errors, tampering, or malicious attacks. We cannot guarantee absolute security, but we continuously strive to enhance our protective measures and will follow our incident response plan in case of a breach.
- Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
- Your Rights Regarding Your Personal Data
Depending on your location and applicable data protection laws (e.g., GDPR, CCPA), you have specific rights concerning your Personal Data. We are committed to facilitating the exercise of these rights:
- The Right to Access: You have the right to request confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to the Personal Data and certain information regarding the processing.
- The Right to Rectification: You have the right to request that we correct any inaccurate or incomplete Personal Data we hold about you.
- The Right to Erasure (“Right to Be Forgotten”): You have the right to request the deletion of your Personal Data under certain circumstances (e.g., if the data is no longer necessary for the purposes for which it was collected, if you withdraw consent and there is no other legal ground for processing, or if you object to the processing). While we endeavor to delete all relevant data, some residual information may remain in backups or archival records for a limited period due to technical necessity or legal obligations, but it will be functionally deleted and not used for any active purpose.
- The Right to Restrict Processing: You have the right to request that we limit the way we use your Personal Data under certain circumstances (e.g., if you contest the accuracy of the data, or if the processing is unlawful and you oppose erasure).
- The Right to Object to Processing: You have the right to object to the processing of your Personal Data in certain situations, particularly where processing is based on legitimate interests (unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms) or for direct marketing purposes.
- The Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where the processing is based on consent or a contract and carried out by automated means.
- The Right to Withdraw Consent: Where we rely on your consent as the lawful basis for processing your Personal Data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
- The Right to Complain to a Supervisory Authority: If you are in the EEA or UK, you have the right to lodge a complaint with a data protection supervisory authority if you believe our processing of your Personal Data violates applicable data protection laws.
How to Exercise Your Rights: To exercise any of these rights, please contact us at [Your contact email for privacy inquiries]. We will respond to your request within the timeframes required by applicable law (e.g., 30 days for GDPR, 45 days for CCPA). We may need to verify your identity before processing your request to ensure the security of your Personal Data.
- Cookies and Similar Technologies
Our Site uses cookies and similar technologies to enhance user experience, provide security, and gather analytical information.
- What are Cookies? A cookie is a small text file that a website stores on a visitor’s computer or mobile device when they visit the site. It stores information that the browser then provides to the website each time the visitor returns, allowing the site to “remember” certain actions or preferences over time.
- How We Use Cookies:
- Essential Cookies: These are strictly necessary for the Site to operate and provide core functionalities, such as allowing you to log in, maintain your session, or process your shopping cart. They are also used for security purposes to protect our Authorized Customers (e.g., automatic logout after inactivity).
- Analytics Cookies: These cookies help us understand how Visitors interact with our Site, which pages are most popular, and identify areas for improvement. They help us gather broad demographic information and analyze trends.
- Marketing/Advertising Cookies: (If applicable) These cookies are used to deliver targeted advertisements or promotions that are more relevant to you and your interests, based on your browsing behavior. They may also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns.
- Cookies from Service Providers: Our third-party service providers (e.g., WP Engine, Authorize.net, analytics providers) also use cookies on our Site.
- Your Choices Regarding Cookies:
- Cookie Consent Management: For non-essential cookies (e.g., analytics, marketing), we will obtain your explicit consent through a cookie consent management platform when you first visit our Site. You will have the option to accept or reject different categories of cookies.
- Browser Settings: You can also configure your web browser to refuse all cookies or to indicate when a cookie is being sent. However, please be aware that certain features and functionalities of the Site, particularly those reliant on essential cookies, may not function properly if cookies are disabled.
- Links to Other Websites
Our Site contains links to other websites that are not operated by us. Please note that when you click on one of these links, you are moving to another website. We encourage you to review the privacy statements of these linked sites, as their privacy policies may differ from ours. We are not responsible for the privacy practices or content of third-party websites.
- Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, technology, or legal requirements. We will notify our Visitors and Authorized Customers of any changes by posting the updated Privacy Policy on the Site with a revised “Effective Date” and “Last Updated” date. If we make material changes to our privacy practices that might affect the disclosure of Personal Data you have previously requested not be disclosed, we will endeavor to contact you directly to provide an opportunity to prevent such disclosure. We encourage you to review this policy periodically for any updates.
- Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Extanto Technology, LLC.
Email: security@extanto.com