Privacy Policy
Version 1.0 · Effective 21 May 2026 · Last updated 21 May 2026
Plain-language summary
We're DigiTallyINC, a digital studio in Mumbai, India. This website (digitallyinc.positivafilms.com) has one contact form and nothing else that collects data — no analytics, no cookies, no tracking, no advertising, no AI training. If you write to us via the form, we keep your message to reply and delete it on request. We name every third party we work with in §7. You have detailed rights under GDPR, CCPA/CPRA, India's DPDP Act, and other laws — see §11. For anything privacy-related, contact us at tally@positivafilms.com. Each of our apps and products has its own separate privacy policy.
1. Introduction
This Privacy Policy (the "Policy") explains how DigiTallyINC ("we", "us", "our") collects, uses, stores, shares, transfers, and protects information that relates to identified or identifiable individuals ("you", "your") when you visit digitallyinc.positivafilms.com (the "Website") or otherwise interact with DigiTallyINC.
We are committed to handling your information lawfully, fairly, and transparently. This Policy describes the standards we apply and the rights you have. We have written it in plain English wherever possible; the Plain-language summary above gives you the essentials in one paragraph.
By using the Website, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Website or submit information through it.
2. Key definitions
In this Policy, the following capitalised terms have the meanings given here:
- "Personal Information" / "Personal Data": Any information relating to an identified or identifiable natural person. Includes names, email addresses, IP addresses, and any data that can be linked to you.
- "Processing": Any operation performed on Personal Information, including collection, recording, storage, use, sharing, disclosure, erasure, or destruction.
- "Controller" / "Data Fiduciary": The entity that determines the purposes and means of Processing Personal Information. DigiTallyINC is the Controller / Data Fiduciary for this Website.
- "Processor" / "Data Processor": A third party that Processes Personal Information on the Controller's instructions and behalf (e.g. our form provider).
- "Sensitive Personal Information" / "Special Category Data": Categories of Personal Information requiring heightened protection — racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, biometric data, genetic data, financial account information, government-issued identifiers, precise geolocation, and similar. We do not collect any of these through the Website.
- "GDPR": Regulation (EU) 2016/679 (the General Data Protection Regulation) and the UK GDPR.
- "CCPA" / "CPRA": The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
- "DPDP Act": The Digital Personal Data Protection Act, 2023, of India.
- "Data Principal" (DPDP): An individual to whom Personal Data relates, under India's DPDP Act. Equivalent to "Data Subject" under GDPR.
- "Sale" / "Sharing" (CCPA): Selling, renting, releasing, disclosing, disseminating, making available, or otherwise communicating a consumer's Personal Information to a third party for monetary or other valuable consideration; or sharing for cross-context behavioral advertising. We do neither.
3. Who we are
DigiTallyINC is a digital studio operating since 2013 from Mumbai, India. We are the legal entity behind a small group of brands and products including Positiva Films (cinematography and production), ClipEngine AI (Chrome extension), and software products published on the Apple App Store, Google Play, and the web.
Data Controller / Data Fiduciary: DigiTallyINC, Mumbai, India.
Grievance Officer (India / DPDP Act, Section 8(9)): Tally Talwar, DigiTallyINC, Mumbai, India. Submit privacy complaints via the contact form on this site. We acknowledge complaints within 7 days and aim to resolve within 30 days (or sooner where required by law).
Privacy contact: Send all privacy enquiries via the contact form on the homepage, or by post to DigiTallyINC, Attn: Grievance Officer, Mumbai, India.
4. Scope of this policy
This Policy applies only to digitallyinc.positivafilms.com. It does not apply to:
- Our mobile or desktop applications (each has its own privacy policy linked from the relevant App Store or product page)
- The ClipEngine AI Chrome extension (separate policy at clipengineai.positivafilms.com/privacy)
- The Positiva Films website (separate brand, separate policy at positivafilms.com)
- Third-party websites we link to (their own policies apply)
Cross-references to product-specific policies are listed in §18.
5. Information we collect (and what we don't)
5.1 Information you provide directly
We collect only what you submit through the contact form on this Website. Specifically:
- Name — provided by you, used to address you in our reply.
- Email address — provided by you, used to send our reply.
- Project field (optional) — free-text describing what you're contacting us about.
- Message — free-text content of your enquiry.
- Submission timestamp — automatically attached so we know when you wrote.
All form fields are voluntary — you choose what to write. We collect only what you explicitly send.
5.2 Information collected automatically by our service providers
Standard internet logs maintained by our hosting and form providers (see §7) may include:
- IP address — logged briefly by our form processor for spam prevention and abuse detection, and by our host for security purposes. We do not access or store IP addresses ourselves.
- Browser user agent — recorded in server logs for security and debugging.
- Request timestamps — standard web server logs.
These are operational logs maintained by our service providers under their own privacy practices. Retention is governed by their policies. We do not use this information for any purpose beyond ensuring the Website operates and is not abused.
5.3 Information we explicitly do not collect
For full transparency, the Website does not use, collect, or process any of the following:
- Cookies of any kind (essential, functional, analytics, advertising, or otherwise)
- Web analytics (no Google Analytics, Plausible, Fathom, Mixpanel, Hotjar, or similar)
- Tracking pixels, beacons, or web beacons
- Session recording or replay tools (no FullStory, LogRocket, Hotjar Recordings, etc.)
- Advertising scripts or ad networks
- Cross-site or cross-app tracking
- Cross-context behavioral advertising
- Social-media trackers (no Facebook Pixel, LinkedIn Insight Tag, Twitter conversion tracking, etc.)
- Browser fingerprinting techniques
- Geolocation data (precise or approximate) beyond IP-derived country at the network level
- Device sensor data
- Biometric data
- Government identifiers (Aadhaar, PAN, SSN, passport, etc.)
- Financial account information, payment card data, or bank details
- Health, medical, or genetic information
- Information used to train artificial-intelligence or machine-learning models
- Inferences about you (e.g. interests, preferences, demographics)
- Information about your contacts, address book, or social graph
- Audio or video recordings
If at any point in the future we add any of the above, we will update this Policy and obtain your consent where required by law.
6. How we use your information and legal bases
6.1 Purposes of processing
We use the information you submit through the contact form only for these purposes:
- Replying to your enquiry. We read your message and respond by email to the address you provided.
- Maintaining a record of correspondence. We keep your message so we can refer back to it during any continued exchange, and so we have a record of who contacted us and when.
- Protecting our Website and inbox from abuse. Detecting and preventing spam, automated submissions, and security threats.
- Complying with applicable law. Retaining, disclosing, or producing information only where legally required (e.g. response to a valid subpoena, court order, or government request).
We do not use your information for any other purpose. We do not use it for marketing without your explicit opt-in consent, do not sell it, do not share it for cross-context behavioral advertising, and do not feed it into AI training systems.
6.2 Legal bases for processing (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, the lawful bases on which we rely are:
- Consent — GDPR Article 6(1)(a). When you submit the contact form, you give explicit consent for us to use the information to respond to you. You can withdraw consent at any time by contacting us.
- Legitimate interests — GDPR Article 6(1)(f). Our legitimate interests include maintaining a record of correspondence, preventing abuse of the Website, and improving the Website. We have considered the impact on your rights and freedoms and concluded these interests do not override yours.
- Legal obligation — GDPR Article 6(1)(c). Where we must retain or disclose information to comply with applicable law.
6.3 Legal bases (DPDP Act, India)
Under the DPDP Act, we process your Personal Data on the following grounds:
- Consent — Section 6 of the DPDP Act. You consent by submitting the form after reading our notice (this Policy).
- Legitimate uses — Section 7 of the DPDP Act, where applicable, including compliance with law and protection of the Data Fiduciary's rights.
8. International data transfers
Our sub-processors (Formspree, Vercel, Google Fonts, GoDaddy) are based in the United States. When you submit the form, your information is transferred from your country (which may be in the EU, EEA, UK, India, Canada, Brazil, or elsewhere) to the United States.
Where required by law, these transfers rely on one or more of the following safeguards:
- EU Standard Contractual Clauses (SCCs). Module 2 ("controller-to-processor") with our processors who do not have a self-certified adequacy mechanism.
- EU–US Data Privacy Framework (DPF). Where the processor is self-certified to the DPF, this serves as an adequacy mechanism for EU/EEA personal data transferred to the US.
- UK Addendum to SCCs / UK International Data Transfer Agreement. For UK personal data, equivalent safeguards.
- Your explicit consent (GDPR Article 49(1)(a)) — by submitting the form with knowledge of these transfers, you consent to them.
For Indian users: Cross-border transfer is permitted under Section 16 of the DPDP Act except to countries notified as restricted by the Central Government of India. We monitor and comply with all such notifications.
You can request a copy of the safeguards we have in place by contacting us.
9. Data retention
We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, or to defend or pursue legal claims.
Specific retention periods:
- Contact form submissions in our inbox: retained for up to 24 months from the date of last contact, then deleted or anonymised — except where longer retention is required by law or to defend against a legal claim.
- Formspree side: submissions are stored on Formspree's servers per their retention policy, which we configure to be no longer than necessary. We delete submissions from the Formspree dashboard within 30 days of receiving them in our inbox.
- Server logs (Vercel): retained by Vercel per their policies, typically 30 days for raw logs.
- Legal hold: if we receive a valid legal preservation request, we will retain relevant information for as long as required to comply.
You can ask us to delete your information sooner at any time (see §11). We will comply unless we have a lawful basis to retain it.
10. Data security and breach notification
10.1 Technical and organisational measures
We apply reasonable and appropriate measures, including:
- The Website is served over HTTPS with TLS 1.3 encryption; HTTP is permanently redirected to HTTPS.
- The TLS certificate is auto-renewed by our host (Let's Encrypt via Vercel).
- The Website is statically rendered with no server-side database — there is no application database for an attacker to exploit.
- Form submissions are transmitted to Formspree over HTTPS and stored by Formspree using industry-standard encryption at rest.
- Our inbox (tally@positivafilms.com) is protected by strong passwords and two-factor authentication.
- Access to our inbox follows the principle of least privilege — only authorised personnel who need to read enquiries do so.
- Our hosting (Vercel) maintains its own SOC 2 Type II compliance and other security certifications.
- We do not store backups of contact form submissions outside the systems described above.
- We review our security posture periodically and after any incident.
10.2 No system is perfectly secure
Despite our measures, no transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security. By using the Website, you acknowledge that you assume this residual risk.
10.3 Data breach notification
If we become aware of a Personal Data Breach (as defined under GDPR Article 4(12) or equivalent under other laws) that is likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the relevant supervisory authority without undue delay, and where feasible within 72 hours (GDPR Art. 33; DPDP Section 8(6)).
- Where the breach is likely to result in a high risk to your rights and freedoms, notify you directly without undue delay, by email or other appropriate means.
- Provide information on the nature of the breach, the categories and approximate number of individuals affected, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.
- Document the breach internally, including the facts, effects, and remedial action taken.
11. Your privacy rights
You have rights with respect to your Personal Information. The specific rights available to you depend on where you live and the applicable law. We honour the rights described below for all users regardless of location, to the extent we can do so consistent with our legal obligations.
11.1 Universal rights
- Right of access — request a copy of the Personal Information we hold about you.
- Right to rectification — request that we correct inaccurate or incomplete Personal Information.
- Right to erasure — request that we delete your Personal Information.
- Right to withdraw consent — withdraw any consent you have given, at any time.
- Right to non-discrimination — exercise your rights without us treating you unfavourably.
- Right to lodge a complaint — file a complaint with the relevant supervisory authority in your jurisdiction (see §11.6, §19, §20, §21).
11.2 Additional rights under GDPR / UK GDPR
- Right to restriction of processing — ask us to limit how we use your Personal Information in certain circumstances (Article 18).
- Right to data portability — receive your Personal Information in a structured, commonly-used, machine-readable format, and transmit it to another controller (Article 20).
- Right to object — object to processing based on legitimate interests or direct marketing (Article 21).
- Right not to be subject to automated decision-making — including profiling that produces legal effects (Article 22). We do not engage in any such automated decision-making.
11.3 Additional rights under CCPA / CPRA (California)
- Right to know — what categories of Personal Information we have collected, the sources, purposes, third parties with whom we share it, and specific pieces of information we have collected about you.
- Right to delete — Personal Information we have collected from you.
- Right to correct — inaccurate Personal Information.
- Right to opt out of sale and sharing — note: we do not sell or share your Personal Information (as those terms are defined under the CCPA/CPRA).
- Right to limit use of sensitive Personal Information — note: we do not collect Sensitive Personal Information as defined under the CPRA.
- Right to non-discrimination — we will not deny services, charge different prices, or provide a different level of service for exercising your rights.
- Authorised agent — you may designate an authorised agent to make requests on your behalf. We will verify the agent's authority before fulfilling the request.
We honour the Global Privacy Control (GPC) signal as an opt-out request under the CCPA/CPRA, even though we do not engage in any practice that would otherwise require such an opt-out.
See §19 for additional California-specific disclosures.
11.4 Rights under India's DPDP Act 2023
- Right to access information about Personal Data processing (Section 11).
- Right to correction and erasure of Personal Data (Section 12).
- Right of grievance redressal through the Grievance Officer (Section 13).
- Right to nominate another individual to exercise rights in the event of death or incapacity (Section 14).
- Right to withdraw consent at any time, with the same ease as giving it (Section 6(4)).
- Right to lodge a complaint with the Data Protection Board of India.
See §21 for additional India-specific disclosures.
11.5 Rights under other jurisdictions
We acknowledge and honour rights granted by other privacy laws where they apply to you, including:
- PIPEDA (Canada) — Personal Information Protection and Electronic Documents Act.
- LGPD (Brazil) — Lei Geral de Proteção de Dados Pessoais.
- PIPL (China) — Personal Information Protection Law.
- POPIA (South Africa) — Protection of Personal Information Act.
- State privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other US states with comprehensive privacy laws.
If you live in one of these jurisdictions and would like to exercise a right specific to your local law, please contact us.
11.6 How to exercise your rights
Submit a request via the contact form on the homepage of this Website. In your message, please:
- Identify yourself by name and the email address you used to contact us originally (so we can locate your information).
- State clearly which right you want to exercise.
- Where applicable, specify what information you are referring to.
11.7 Identity verification
To protect against fraudulent requests, we may need to verify your identity before fulfilling a rights request. We will do this in the least intrusive way possible — typically by confirming you can receive email at the address used in your original submission. We will not require you to create an account.
11.8 Response timeframes
We will acknowledge your request promptly and respond within:
- 30 days under GDPR / UK GDPR (extendable by up to 60 days for complex requests, with notice to you).
- 45 days under CCPA / CPRA (extendable by 45 days with notice).
- 30 days under the DPDP Act (per the Grievance Officer obligations).
- Other jurisdictions: within the period required by applicable law, or 30 days, whichever is sooner.
11.9 No fee — but exception for unfounded or excessive requests
Exercising your rights is free of charge. We reserve the right to charge a reasonable fee, or refuse to act, on requests that are manifestly unfounded, excessive, or repetitive (as permitted under GDPR Article 12(5) and equivalents).
13. Children's privacy
This Website is not directed at children. We do not knowingly collect Personal Information from:
- Children under 13 in the United States (COPPA).
- Children under 16 in the EU/EEA and UK (GDPR / UK GDPR, unless a member state has set a lower age of digital consent down to 13).
- Children under 18 in India (DPDP Act, which requires verifiable parental consent for processing children's data and forbids behavioural monitoring or targeted advertising directed at children).
If you are a parent or guardian and you believe a child has provided Personal Information to us through this Website, please contact us immediately at tally@positivafilms.com. We will delete the information promptly.
14. Sensitive personal information
We do not collect, use, store, share, or process any Sensitive Personal Information through this Website. Sensitive Personal Information includes (without limitation):
- Racial or ethnic origin
- Religious or philosophical beliefs
- Political opinions or trade-union membership
- Health, medical, or genetic data
- Biometric data used to uniquely identify a person
- Sexual orientation or sex life
- Financial account information, payment card data, or bank details
- Precise geolocation
- Government-issued identifiers (passport, driver's licence, SSN, Aadhaar, PAN, etc.)
- Contents of communications other than the message you choose to send us
- Children's data
- Criminal-conviction data
If we ever change our practices and need to collect any such information, we will update this Policy and obtain your explicit consent.
15. Automated decision-making and profiling
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, within the meaning of GDPR Article 22 or equivalent laws.
We do not use any algorithm, machine-learning model, or artificial-intelligence system to evaluate, score, classify, categorise, or make decisions about you based on Personal Information collected through this Website.
If this changes, we will update this Policy and ensure the necessary legal basis, transparency, and safeguards are in place — including the right for you to obtain human intervention.
16. Marketing communications
We do not currently send marketing communications. We will not add you to any mailing list, newsletter, or marketing communication channel without your explicit opt-in consent.
If we ever launch marketing communications, you will be able to:
- Opt in only by clearly indicating your consent at the time we ask.
- Opt out (unsubscribe) at any time, free of charge, via a link in every marketing email and on request to tally@positivafilms.com.
- Withdraw consent with the same ease with which you gave it (GDPR Article 7(3); DPDP Section 6(4)).
17. Third-party websites
The Website may contain links to third-party websites (for example, Positiva Films, the Chrome Web Store, our sub-processors' privacy policies, social networks). Those websites are not controlled by us and have their own privacy policies. We are not responsible for the privacy practices of any third-party website.
We encourage you to read the privacy policy of any third-party website you visit before providing them with information.
18. Privacy policies for our products
DigiTallyINC's products and apps have their own privacy policies that cover their specific data practices. Each product's policy governs that product's processing of Personal Information; this Policy does not apply to them.
iOS, macOS, and Android apps published under DigiTallyINC will each have their own app-specific privacy policy linked from their App Store or Google Play listing and from within the app. Those policies will detail the specific data each app collects (which may include data we explicitly do not collect on this Website, such as device identifiers, app usage data, crash reports, etc., as applicable to each app).
19. California-specific disclosures (CCPA / CPRA)
19.1 Categories of Personal Information collected
In the past 12 months, we have collected the following categories of Personal Information (as defined by Cal. Civ. Code §1798.140):
- Identifiers — name, email address, IP address (briefly, via sub-processors).
- Customer records (Cal. Civ. Code §1798.80(e)) — contents of communications you send us (your message).
- Internet activity — only IP address and browser user agent logged briefly by sub-processors for security purposes.
We do not collect: commercial information; biometric information; geolocation data (beyond IP); audio, electronic, visual, thermal, olfactory, or similar information; professional or employment-related information; education information; inferences; or any category of Sensitive Personal Information.
19.2 Sources
We collect Personal Information directly from you (when you submit the contact form) and from our service providers (server logs, see §5.2).
19.3 Business and commercial purposes for collection
See §6. We use Personal Information solely to respond to your enquiry, maintain a record of correspondence, prevent fraud and abuse, and comply with law.
19.4 Categories shared with third parties
We share Personal Information only with the sub-processors listed in §7 (Formspree, Vercel, Google Fonts, GoDaddy). We do not "sell" or "share" Personal Information as those terms are defined under the CCPA/CPRA.
19.5 California "Shine the Light" (Cal. Civ. Code §1798.83)
California residents may request, once per calendar year, a list of categories of Personal Information disclosed to third parties for those third parties' direct marketing purposes during the previous calendar year, and the names and addresses of those third parties. Our answer: we have not disclosed any Personal Information to third parties for their direct marketing purposes in the preceding year, and we do not plan to.
19.6 Retention
We retain each category of Personal Information per the schedule in §9.
20. EU / EEA / UK-specific information (GDPR / UK GDPR)
20.1 Data Protection Officer
Given the limited scope of our processing on this Website (no large-scale processing, no Special Category Data, no automated decision-making, no systematic monitoring), we are not required to appoint a Data Protection Officer under GDPR Article 37. The Grievance Officer named in §3 handles all privacy enquiries.
20.2 EU representative
We do not currently maintain an EU representative under GDPR Article 27. We will appoint one if and when our processing activities trigger that requirement, and update this Policy accordingly.
20.3 Supervisory authorities
If you believe we have processed your Personal Information in violation of GDPR or UK GDPR, you have the right to lodge a complaint with a supervisory authority — typically the one in your country of residence, place of work, or place of the alleged infringement.
- EU/EEA: Find your national Data Protection Authority at edpb.europa.eu/about-edpb/members_en.
- UK: Information Commissioner's Office (ICO) — ico.org.uk.
We would, of course, appreciate the chance to address your concerns before you approach the authority. Please contact us first.
21. India-specific information (DPDP Act 2023)
21.1 Data Fiduciary
DigiTallyINC is the Data Fiduciary for Personal Data processed on this Website, as defined under Section 2(i) of the DPDP Act.
21.2 Grievance Officer (Section 8(9), DPDP Act)
Tally Talwar serves as our Grievance Officer. Submit complaints via the contact form or by post to:
DigiTallyINC
Attn: Grievance Officer
Mumbai, India
We acknowledge complaints within 7 days and aim to resolve them within 30 days. If we cannot resolve a complaint to your satisfaction, you may approach the Data Protection Board of India (once operational).
21.3 Notice (Section 5, DPDP Act)
This Policy serves as the notice required under Section 5 of the DPDP Act. By submitting the contact form after reading this notice, you give your consent under Section 6.
21.4 Consent Manager
We do not currently use a registered Consent Manager service. If and when the Data Protection Board of India operationalises the Consent Manager framework, we will assess whether to integrate one and update this Policy accordingly.
21.5 Significant Data Fiduciary
We are not a Significant Data Fiduciary as defined under Section 10 of the DPDP Act, given the limited volume and sensitivity of data we process. If we are notified as one in future, we will comply with the additional obligations and update this Policy.
21.6 Language
This Policy is provided in English. We will provide a copy in the official language of any State of India on reasonable written request, in accordance with the Eighth Schedule of the Constitution of India.
22. Changes to this policy
We may update this Policy from time to time — to reflect changes in our practices, technology, legal requirements, or other factors. We will:
- Update the "Last updated" date and version number at the top of this Policy.
- For material changes (e.g. new categories of data collected, new purposes, new categories of third-party recipients, changes that reduce your rights), provide more prominent notice — which may include posting a notice on the Website, emailing you (if we have your email), or requesting renewed consent where required by law.
- Keep a record of prior versions of this Policy. Send us a request to receive a copy of any prior version.
Continued use of the Website after a change indicates acceptance of the updated Policy, except where applicable law requires renewed consent.
23. Governing law, severability, dispute resolution
23.1 Governing law
This Policy is governed by the laws of India, without regard to its conflict-of-laws principles. Mandatory provisions of any other law that apply to you because of your residence remain available to you and prevail over this clause to the extent required.
23.2 Jurisdiction
Subject to your mandatory consumer-protection rights and the jurisdiction of your local data-protection authority, the courts of Mumbai, India have exclusive jurisdiction over any disputes arising from this Policy.
23.3 Severability
If any provision of this Policy is held to be invalid, illegal, or unenforceable, the remaining provisions remain in full force and effect. The invalid provision will be deemed modified to the minimum extent necessary to make it valid and enforceable while preserving its intent.
23.4 No waiver
Our failure to enforce any right or provision of this Policy is not a waiver of that right or provision. A waiver of any provision is effective only if in writing and signed by us.
23.5 Entire understanding
This Policy, together with any other notices we provide at the time of collection, constitutes the entire understanding between you and DigiTallyINC regarding the processing of Personal Information through the Website.
24. Contact and complaints
For any privacy matter — questions, rights requests, complaints — please contact us:
DigiTallyINC
Attn: Grievance Officer
Mumbai, India
Use the contact form on our homepage. In privacy matters, write to the email address you used to originally contact us (so we can locate your information). Be specific about which right you are exercising.
If we cannot resolve your complaint, you may escalate to the relevant authority:
- India: Data Protection Board of India (DPBI) — once operational under the DPDP Act 2023.
- EU/EEA: Your national Data Protection Authority. List at edpb.europa.eu.
- UK: Information Commissioner's Office — ico.org.uk.
- California: California Privacy Protection Agency — cppa.ca.gov; or the California Attorney General — oag.ca.gov/privacy/ccpa.
- Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca.
- Brazil: Autoridade Nacional de Proteção de Dados — gov.br/anpd.