Kaival Brands Innovations Group, Inc. | NASDAQ: KAVL

Kaival Brands Innovations Group, Inc.
Notice for Residents of the European Economic Area

This notice supplements the information contained in our online Privacy Policy and describes additional rights provided to residents of the European Economic Area (EEA) under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) with regard to the personal information Kaival Brands Innovations Group, Inc. (“Data Controller”, “we,” “us,” or “our”) collects and processes, either online or offline.

The GDPR requires that we inform you of the legal bases we rely on to process your personal data (referred to herein and in our Privacy Policy as “personal information”). Personal information means any information about an identified or identifiable natural person. The legal bases for processing are set forth below.

  • Our legitimate interests. For example, to maintain system security, communicate with you and fulfill your requests, conduct surveys, improve our products and services, and protect your rights, our rights and our business and the rights of others.
  • Performance of a contract with you. For example, when wholesalers and retailers purchase products from us or when we provide our services to you in accordance with their terms and conditions.
  • Compliance with laws. For example, to comply with legal and regulatory requirements or respond to a court order or legal request, including when we need to verify your age or identity in order to provide our services in accordance with laws.
  • Consent. For example, we obtain consent to send you commercial email marketing messages, where we want to analyze your use of our services for purposes other than strictly necessary to provide our services or where we disclose your personal data to third parties for their own purposes (in case there is no other legal basis for such disclosure). Where we rely on consent to process your personal information, you can withdraw your consent at any time, however the withdrawal of consent does not affect the lawfulness of processing before the withdrawal.

The servers where personal information is stored may be located in the United States and/or other countries that have not been deemed by the European Commission to provide an adequate level of protection for personal information. In addition, we may share personal information with service providers and third parties located outside of the EEA. In particular, the servers where we store the data gathered through any of our websites are located in the United States – meaning that when you use our websites you also explicitly consent to the data being gathered, kept and further processed in the United States.

We will keep your personal information in a form which permits to identify you as a data subject for no longer than is necessary for the purposes for which the personal information were gathered, and in all cases no longer than until you withdraw your consent (in cases where consent is the legal basis for processing of data) or object to processing your data (in cases when you have such a right and we do cannot demonstrate compelling legitimate grounds to keep processing your personal information).

The GDPR provides residents of the EEA certain rights with respect to their personal information. You may:

  • Request access to your personal information (including to obtain confirmation as to whether or not personal data concerning you are being processed, to obtain additional information about the data being processed and to obtain a copy of such data);
  • Request correction of your personal information;
  • Request erasure of your personal information;
  • Object to processing of your personal information;
  • Request to restrict processing of your personal information; and
  • Request not to be subjected to automated decision-making or profiling.

You can exercise these rights by sending an email to privacy@kaivalbrands.com with a description of your request. We will endeavor to fulfill your request to exercise these rights, but sometimes, we may have legal grounds or obligations to reject your request. We will respond within one month after we have verified that you are the data subject or are authorized to make the request on behalf of the data subject. If necessary, we may extend our response time by an additional two months to respond properly, but we will notify you if that is the case within one month.

If we decide not to fulfill your request, we will tell you the reasons why. If you disagree with our response to your request, you have the right to lodge a complaint with a data protection regulator in Europe. Should you have any concerns, we request that you contact us first so we can investigate, and hopefully resolve, your concerns.