Version: 1.0

General Information

This privacy policy (“Privacy Policy”) describes the types of Information that are identifiable to a particular person (“Personal Information”) that TLA Innovation, Inc. d/b/a BoomID (“BoomID,” “we,” “us,” and “our”) collects from you or about you when you use or access our websites, www.boomid.io (“Site”) or BoomID Identity Assurance Platform™ (the “Services”), our practices for using, sharing, and protecting that Information. Please read this Privacy Policy to understand your rights and obligations.

Who is BoomID?

Privacy is at the core of BoomID, and we take care first to avoid processing personal data, but when we do, we respect your privacy. BoomID offers a “Bring Your Own Identity” service that can be carried with you to multiple products and services on the Internet as we expand.  We facilitate a passwordless user experience on your mobile phone and multi-factor authentication for your enterprise applications or websites.

What is BoomID Identity Assurance Platform™?

BoomID Mobile will securely store digital identity information on your mobile devices in an encrypted format (“Unverified Record”) to provide you with password management and digital identity wallet services.  When prompted within BoomID mobile, you may choose to upload specific categories of identity information to the cloud (Amazon Web Services) and allow third parties to verify information that will be stored encrypted in blockchain (“Verified Record”). Verified Records contain Identity data you may choose to share with businesses and their third-party applications that use the “Login with BoomID” button by BoomID SSO. You may monitor data access consent and revoke data consent within the BoomID Mobile Application. Enterprises may also use BoomID Mobile for employee password management, which will securely store an employee’s digital identity on a specified mobile device in an encrypted business vault (“Unverified Record”) or encrypted in blockchain hosted in the cloud (Amazon Web Services) (“Verified Record”). BoomID will not be able to access your Personal Information vault or your Business information vault in plaintext because we will not store your private key data in our cloud or have access to your vault and mobile device, which is required to access your private key data. Abstract reporting information such as the password quality standards may be used to provide identity assurance scoring data consumed by companies that utilize the BoomID SDK and BoomID SSO to provide authentication and transaction assurance within their applications. Zappa is a bot detection service that allows alternative methods such as Palm Verify™ for “proving you are human.” Zappa bot detection data is used to provide real-time threat feed data within the BoomID Identity Assurance Platform™. 

BoomID reserves the right to change this Privacy Policy at any time. If we decide to change the Privacy Policy, we will post the changes on the Site and in our Services so that you are aware of the changed Privacy Policy. We encourage you to check the Site or the Privacy Link in our Services for policy revisions.  To stay current on our practices, please update your email address with us if it changes. We will send you an email if you have opted for email notifications; all users will see a prominent notification on the homepage of the BoomID mobile, BoomID Hub, and BoomID.io commercial website with a link to any material revisions to the Privacy Policy.

This Privacy Policy does not apply to any activity on third-party websites and mobile applications that link to the Site or Services.  We do not control third-party websites and applications and are not responsible for their actions or privacy practices.

Your use of this Site and the Services constitutes your acceptance of and agreement to this Privacy Policy.  If you do not agree to this Privacy Policy, do not use this Site or our Services.

What Personal Information does BoomID Collect?

Information Provided By You or Your Company

• Contact Information – this may include your full name, alias, phone number, and email address. Your company may provide contact information if your company directly contracts with BoomID to provide you with services. 
• Biometric Data – this may include an image of your palm in connection with providing you the Services. Such information is collected directly by BoomID. Any image of your palm being processed or temporarily stored provides identity assurance services and improves your user experience with our services. Your palm image data, including mathematical representations of your palm, is encrypted and protected with AWS security best practices. This data will be refined and updated as you use your palm to improve your experience, including when you successfully authenticate.
• Verified Records – as a user of the BoomID Mobile application, you may voluntarily upload personal Information to BoomID Mobile, such as vaccine records or other personal health information, a driver’s license, a passport, or other sensitive information. This information may be verified by third-party tools such as ID.me before the verified Information is stored in the blockchain. Verified records data stored in the blockchain may only be shared with companies by you, as you have the only copy of the encryption key in your BoomID Mobile wallet.
• Payment Information – for Enterprise clients, you may purchase additional services on the administrative hub. BoomID partners with Stripe via a fully tokenized integration and Stripe will process any payment information collected on the administrative hub; BoomID never processes or stores any cardholder data.

Information Collected Automatically

Information we collect from your interactions with us – When you interact with our Sites (which include the administrative hub and www.boomid.io) and the Services, we may collect your Internet protocol (IP) address, login information, device data, such as device/browser type and version, time zone setting, and the operating system/platform. This also may include the web address of the page you were on prior to coming to our Sites and the page you visit after you leave. We may also process information about what you do on our Sites, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, downloads, and mouse-overs), and methods used to browse away from the page.  We use this data to drive traffic back to our website and improve our Sites and Services. See our Cookies Policy for more information about your choices in relation to cookies technology.

Data Retention

The image of your palm will be destroyed when the initial purposes for collecting or obtaining such palm image have been satisfied or within three years of the individual’s last interaction with BoomID, whichever occurs first.

How We Use Your Information

Your privacy is a serious matter, and we will not share this information with third parties for the purposes of marketing to you or to profit from marketing your data to others. Instead, we may use your Personal Information to send users of the Services and visitors to our Sites email notifications of new features or information available through the Services. We will also use the information categories below to identify you, process your account, and operate the Services.  

• Contact information
• Biometric data 
• Payment information
• Website data
• Sensitive Information (i.e., Verified Records) – in certain cases, you may upload sensitive Information to the Services, such as personal health information (e.g., vaccine cards) and personally identifiable information (e.g., driver’s license and passport information). Please note that BoomID does not have access to this Information in plaintext and cannot decrypt such Information at any time.

How We Disclose Your Information

• BoomID may disclose your Personal Information: (i) with third parties, who provide us with hosting and other infrastructure services, and who have agreements with us; (ii) if BoomID is required by law to do so, including laws outside your country of residence; (iii) if a transfer of ownership of BoomID, merger or other similar transaction (including one in connection with any bankruptcy or similar proceedings); or (iv) as otherwise set forth in this Privacy Policy. BoomID is not and cannot be responsible for any third party’s activities or privacy policies with whom your Personal Information is shared.
• Biometric data – we do not disclose, redisclose, or otherwise disseminate your palm image unless (i) you consent to the disclosure or redisclosure; (ii) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (iii) the disclosure is required pursuant to a valid warrant or subpoena. 

What Choices Do I Have About My Personal Information?

BoomID values your privacy and strives to provide you with choices regarding the handling of all Personal Information you choose to provide to us. You may choose not to provide us with your Personal Information if you are uncomfortable with our practices, as set forth in our Privacy Policy. If you wish to correct or delete inaccuracies within your personal information or request access to any personal information we obtain about you, please contact us at privacy@boomid.io.

If you sign up for marketing communications from us and you now wish to unsubscribe, you may do so by clicking on the “unsubscribe” link provided in the communication. Please also note that unsubscribing from future marketing-related messages do not prevent BoomID from sending you administrative messages, as applicable.

Security of Personal Data

We use appropriate security measures on the BoomID Sites, Applications, and Services designed to safeguard your Personal Information under our control. Any Verified Records will be securely stored by BoomID via blockchain, using industry-standard encryption protocols (i.e., AES 256, SSL, TLS 1.2). While BoomID protects your Personal Information, the confidentiality and security of any communication or material transmitted to or from the Sites or the Services cannot be guaranteed to be 100% secure at any time. Any transmission of your information is at your own risk. We strongly encourage all users to be careful and responsible about what they choose to provide online.

If you have any reason to believe that your interaction with BoomID through these Sites or the Services is no longer secure, please immediately notify us by email at security@boomid.io. 

Your Responsibilities for Protecting Your Data 

When you create a BoomID account, you will receive a private key and access to your vault, which will store the private key. It is your responsibility to protect and secure your vault and mobile device. You will have the option to securely store your personal vault in your personal file share drive. We encourage you to store a backup of your vault in your personal file share drive.  If you choose not to store your vault in your personal file share drive, BoomID will store your vault in a third-party secure storage service. BoomID is not responsible for any information compromised due to your failure to secure your vault and mobile device. BoomID does not have access to your vault or mobile device to decrypt your digital identity. If you lose your vault, you can only restore such data from your mobile device and phone number, which you used to register with BoomID.   

For Enterprise clients, end-users are responsible for choosing which “vault” to store each specific digital identity (Enterprise Vault or Personal Vault).

You may share your digital identity via the Services with your family, friends, or other third parties. If you share your digital identity, we are not responsible for any misuse of your digital identity.

California Privacy Practices

If you are a California resident, please see more information about our privacy practices and your rights under California law below.

Children

BoomID is intended for use only by individuals who are at least 16 years of age. By using the Sites, you confirm to us that you meet this requirement. If you are under the age of 18, you confirm you have received permission from your parent or guardian before using the Sites and Applications or sending us personal data.

Cookies and Tracking 

BoomID may place and store cookies on a user’s device. Cookies are small data files that are stored in your computer or mobile device by your web browser. We, our business partners, and service providers may set cookies when you visit the Sites or use the Services. Typically, cookies allow us to gather information about the device you are using and collect information, including click stream information, browser type, time and date you visited the Site, and other information about your interactions with the Site. 

Please see our descriptions below for a discussion of the technologies you could encounter on the Internet:

• Cookies.  We use both session cookies, which terminate when you close your browser, and persistent cookies, which remain on your computer until you manually delete them.
• Pixel tags. We may also track your movements through the Sites and its content through pixel tags (also called web beacons or clear gifs). When you access a page, email, or other content containing a pixel tag, the pixel tag generates a notice to us, our service providers, or our business partners. We use the Information gathered by the pixel tags to monitor the open rate of our communications and to improve and manage content on the Sites.
• Profiling. Although Information that we collect through these tracking technologies is not always personally identifiable when collected, we may combine such information with personally identifiable information like your name or email address. 

Google Analytics: We use Google Analytics as described here. You can prevent your data from being used by Google Analytics on our websites by installing the Google Analytics opt-out browser add-on. If you have accounts with third-party providers, you may be able to control your ad preferences through your account. 

To learn more about cookies, please visit http://allaboutcookies.org/.  As of the “Last Updated” date below, there is no commonly accepted response for Do Not Track (DNT) signals initiated by browsers.  On the Site, BoomID retargets individuals back to its website using cookies and pixel tags for this service. To prevent the use of our cookies and technology, your browser may have a DNT option in its preferences.  If you turn tracking off, we can still identify a device, but we do not keep track of which websites it has been to. Although most web browsers are initially set up to accept Cookies, if you prefer, you may decline the placement of a cookie on your hard drive by using the appropriate feature(s) of your web browser software (if available) to delete the Cookie. Please understand that certain areas within this Site may not function properly if the web browser does not accept Cookies.  

Contact Us

BoomID welcomes your questions and comments about this Privacy Policy or the use of your Personal Information. Please call us at (525) 254-6966, or email us at privacy@boomid.io with any questions or comments.

---

CALIFORNIA-SPECIFIC ADDENDUM

At BoomID, we are mindful of our responsibilities under the California Consumer Privacy Act (together with its implementing regulations, “CCPA”) regarding the collection, use, and disclosure of your personal Information, both online and offline.  This Privacy Notice applies only to California residents who are subject to the CCPA.

How We Collect, Use, and Share Personal Information 

1. Personal Information of California Residents Collected in the Last Twelve Months 

We collect Information that identifies, relates to, describes, references, and is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“California Personal Information”).  We have obtained the following categories of California Personal Information within the last twelve months:

Category	Examples
A. Identifiers.	Identifiers such as a real name, alias, unique personal identifier, online identifier, IP address, email address, biometric Information, such as palm image, or other similar identifiers.
B. Information under the California Customer Records statute.	Personal Information described in subdivision (e) of Section 1798.80 (California Customer Records statute). This means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, name, signature, physical characteristics or description, address, telephone number, education, employment, and employment history.
C. Commercial Information.	Commercial Information, including records of products or services you purchased, obtained, or considered from us.
D. Biometric Information	Biometric Information such as palm image.
E. Internet or other similar network activity.	Internet or other electronic network activity information, including, but not limited to, browsing history on our Sites, search history, Information on your interaction with us when you choose to visit our Sites, browser type, domain names, access times, and referring website addresses. This Information is not collected, analyzed, or maintained in a way that is traced back to a personal individual.
F. Geolocation data.	Geolocation data.
G. Inferences drawn from other personal Information.	Inferences drawn from any of the Information identified in this subdivision to enhance your online identity assurance score for identity verification when you use our services.

For each of these categories, we obtain California Personal Information from a variety of sources. These sources include: yourself, with respect to both online and offline interactions you may have with us, our service providers, and employer; the devices you use to access our websites and online services; and others consistent with this Privacy Notice.  For more Information, please see the “What Personal Information does BoomID Collect?” section of our Privacy Policy. 

This website uses cookies to improve functionality and performance. You can configure your browser to prevent the placement of cookies when using our Sites. Please see your browser help documentation for more Information.

Please note that California Personal Information does not include:

• Publicly available Information from government records; 
• Deidentified or aggregate consumer information; and
• Information exempted from the CCPA’s scope, including without limitation, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (“FCRA”), the Driver’s Privacy Protection Act of 1994, and certain Information associated with business-to-business transactions. 

2. Our Use of California Personal Information for Business Purposes in the Last Twelve Months

We use California Personal Information, identified in each of the above categories, for the business purposes listed below.

1. Audits and reporting relating to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;
2. Detecting and protecting against security incidents, and malicious, deceptive, fraudulent or illegal activity, and prosecuting the same;
3. Debugging to identify and repair errors in our systems;
4. Short-term, transient use including contextual customization of ads;
5. Providing services on our behalf or on behalf of another, including maintaining or servicing accounts, providing customer service, fulfilling transactions, verifying identity information, processing payments, and other services. This includes:
   1. Delivering the Services you have requested; 
   2. Informing you of other products or services available from or to enhance use of BoomID;
   3. Contacting you via surveys to conduct research about your opinion of current Services or of potential new Services that may be offered; and 
   4. Delivering customized content and advertising.
6. Conducting internal research to develop and demonstrate technology;
7. Conducting activity to verify, enhance, and maintain the quality or safety of Services or devices which we may own, control, or provide;
8. Preparing statistics and performing analysis to support our operations; and
9. Receiving and responding to inquiries.

We may also use the Information we collect for our own or our service providers’ other operational purposes, purposes for which we provide you additional notice, or for purposes compatible with the context in which the California Personal Information was collected. For more Information, please see the “How we use your Personal Information” section of our Privacy Policy. 

3.  Our Sharing of California Personal Information in the Last Twelve Months

1. Disclosure of California Personal Information

Within the last 12 months, we have disclosed California Personal Information identified in Categories (A)-(G) above only (i) at your express request; (ii) as part of an exempt business-to-business commercial transaction; or (iii) to our service providers for the business purpose(s) described above.  To learn more about the categories of third parties with whom we share such Information, please see the “How we share your Personal Information” section of our Privacy Policy.  We may share California Personal Information with trusted providers to perform payment functions, offer collaborative workspaces, or provider other business functions. 

2. No Sales of Personal Information

We do not sell California Personal Information within the meaning of the CCPA nor do we plan to sell California Personal Information. If that changes, we will let you know in advance and provide you with Information so that you may understand and exercise your right to opt-out of the future sale of your California Personal Information.

We do not disclose personal Information of individuals we know to be under the age of 16 to third parties for monetary or other valuable consideration as a “sale” under California law, without affirmative authorization.

3. Your California Rights

If you are a California resident, you have certain rights related to your California Personal Information. You may exercise these rights free of charge except as otherwise permitted under applicable law.

As discussed above, the CCPA does not apply to Information we obtain, use, or share in connection with certain business-to-business transactions. We will, however, continue to evaluate our business-to-business activities and update our Privacy Policy consistent with California laws and regulations, where applicable.

Right to Access/Know. You may request that we disclose to you:

• the categories of California Personal Information we have collected about you in the last 12 months;
• the categories of sources from which the California Personal Information is collected;
• our business or commercial purpose for collecting or selling California Personal Information; 
• the categories of third parties with whom we share California Personal Information;
• the specific pieces of Information we have collected about you;
• the categories of your California Personal Information we have sold in the last 12 months, and the categories of third parties to whom the California Personal Information was sold, by category or categories of California Personal Information; and 
• the categories of your California Personal Information we have disclosed for a business purpose in the last 12 months, and the categories of third parties to whom the California Personal Information was disclosed, by category or categories of California Personal Information.

Right to Delete. You have the right to request that we delete and direct our service providers to delete California Personal Information about you which we have collected from you. We may deny your deletion request if retaining the Information is necessary for us or our service provider(s) to:

• complete the transaction for which we collected the California Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
• detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
• debug products to identify and repair errors that impair existing intended functionality;
• exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
• comply with the California Electronic Communications Privacy Act;
• engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the Information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
• enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
• comply with a legal obligation; or
• make other internal and lawful uses of that Information that are compatible with the context in which you provided it.

Right to Opt-Out.  The CCPA provides you with the right to direct us to not sell your California Personal Information. However, as discussed above, we do not engage in the sale of Personal Information as contemplated by the CCPA.

Non-Discrimination.  Subject to applicable law, we may not discriminate against you because of your exercise of any of the above rights, or any other rights under the CCPA. This means that we may not deny you goods or services, charge you different prices or rates for services, or provide you with a different level or quality of services (or suggest that we will do so), in response to a request made under the CCPA.

You, or someone you authorize, may request to exercise these rights by:

• Calling us at (525) 254-6966
• Completing our rights request form
• Emailing us at privacy@boomid.io

Please note that we are not responsible for notices that are not labelled or sent properly, or that do not have complete Information.  If applicable, we will provide you with Information on how to submit the request or remedy any deficiencies with the request.  Responses to your CCPA request will be delivered in the same manner that we received it.  

Residents of the State of California may also request a list of all third parties to whom we have disclosed certain personal Information (as defined by California law) during the preceding year for those third parties’ direct marketing purposes. If you are a California resident and would like such a list, please contact us via the Contact Us section provided below.

4. Verification 

As required under applicable law, please note that we may take steps to verify your identity before granting you access to Information or acting on your request to exercise your rights.  You must provide us with enough Information to allow us to reasonably verify you are the person about whom we collected California Personal Information, or an authorized representative, and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. Please include the statement “Attention: California Privacy Rights Request” in the subject line and body of your written request. We may limit our response to your exercise of the above rights as permitted under applicable law. We will review each request carefully and respond accordingly within the timeframe established by the CCPA. 

5. Agent Authorization and Disability Access

Under California law, you may designate an authorized agent to make a CCPA request for California Personal Information on your behalf. To designate an authorized agent to act on your behalf, you must provide the agent with signed permission to do so, verify your identity with us directly, and confirm you authorized the agent to submit the request.  

To access this Privacy Policy by an alternative method, please contact us at (525) 254-6966.

6. Contact Information 

You may contact us with questions or concerns about our privacy policies or practices by emailing us at privacy@boomid.io, or by calling us at (525) 254-6966. 

This California-specific addendum was last updated: October 17, 2021.