Your California Privacy Rights

This document supplements the information contained in our Privacy Notice and applies solely to California Consumers, as defined by the California Consumer Privacy Act of 2018 (“CCPA”).

Coronavirus / COVID-19 Update.

To protect you, your fellow visitors, and our employees and their families, Iron Mountain may collect limited health information to grant or deny access to our facilities, and/or to inform stakeholders of exposure to or positive testing for Covid-19. Information collected will be handled, as applicable, in accordance with this document and the Privacy Notice referenced above.

Information We Collect, Use, and Disclose.

Iron Mountain collects, uses, and discloses Personal Information about California Consumers for business purposes only, and which are consistent with applicable laws.  Where Iron Mountain discloses Personal Information to third parties, it requires that they only use the personal information for the business purposes described below.  It also requires that such parties maintain the personal information’s confidentiality, and that appropriate systems and processes are in place to ensure its security.  Iron Mountain does not and will not sell your Personal Information.

We collect, use, and where indicated, disclose the following categories of Personal Information:

Note that under the CCPA, Personal Information does not include:

• Publicly available information from government records.
• De-identified or aggregated consumer information.
• Information excluded from the CCPA’s scope, like:
  • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA);
  • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), Gramm-Leach-Bliley Act (GLBA), California Financial Information Privacy Act (FIPA), and Driver’s Privacy Protection Act of 1994.

Additional Purposes for Using Personal Information.

In addition to the uses set forth above, Iron Mountain may use and share the categories of Personal Information identified:

• To comply with applicable legal and regulatory requests and obligations (including investigations).
• To establish or defend legal claims and allegations.
• For security or the prevention, detection, or investigation of fraud, suspected or actual illegal activity, or other misconduct.
• To seek advice from lawyers, auditors and other professional advisers.

Do Not Track.

Do Not Track (DNT) is a privacy preference that users can set in some web browsers, allowing users to opt out of tracking by websites and online services. At the present time, the World Wide Web Consortium (W3C) has not yet established universal standards for recognizable DNT signals and therefore, Iron Mountain and the Website do not recognize DNT.

Your Rights and Choices.

In certain circumstances, in addition to the information provided above about the collection, use, and disclosure of Personal Information, the CCPA provides California Consumers with the following rights regarding their Personal Information:

• Access to Specific Pieces of Personal Information
  • You have the right to request the specific pieces of personal information we (and any third parties which are Service Providers to Iron Mountain) have collected about you over the past 12 months.
• Request for Deletion of Personal Information
  • You have the right to request that we (and any third parties which are Service Providers to Iron Mountain) delete your Personal Information, subject to certain exceptions.  These exceptions include:
    • Completing the transaction for which we collected the personal information, providing a good or service that you requested, taking actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise performing our contract with you;
    • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, or prosecuting those responsible for such activities;
    • Debugging products to identify and repair errors that impair existing intended functionality;
    • Exercising free speech, ensuring the right of another consumer to exercise their free speech rights, or exercising another right provided for by law;
    • Complying with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
    • Engaging in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
    • Enabling solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
    • Complying with a legal obligation;
    • Making other internal or lawful uses of that information that are compatible with the context in which you provided it.

Exercising Your Access and Deletion Rights.

To exercise the rights described above, please submit a Verifiable Consumer Request via the following interactive web form: https://www.ironmountain.com/contact/ccpa-opt-out.  You may also call 1 (800) 934-3453.  Note that under the CCPA, you may only make such a request twice within a 12 month period.  Iron Mountain will respond appropriately within the required timeframes of the CCPA.

When you exercise these rights and submit a request to us, we will verify your identity by asking you to log in to your account if you have one with us.  Or if you do not, we may ask for your email address and an order number from a previous order.  We also may use a third party verification provider to verify your identity.

Marketing Opt-Out Requests.

If you wish to opt out of receiving marketing related communications from us, please send a request to www.ironmountain.com/optout.

Non-Discrimination.

We will not discriminate against you for exercising your rights under the CCPA.  Unless permitted by the CCPA, we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level of quality of goods or services.

Changes.

We reserve the right to amend this notice at our discretion and at any time.  When we make changes to this notice, we will post the updated notice on the Website and update the notice’s effective date.  Your continued interaction with Iron Mountain following the posting of changes constitutes your acceptance of such changes.

Questions.

If you have questions concerning this notice, or to request this notice in another format, please contact our Global Privacy Officer at 1-800-935-6966, ext. 8477 (if calling from within the USA) or 1-617-535-8477 (if calling from outside the USA) or via e-mail at global.privacy@ironmountain.com or by writing to the Global Privacy Officer, Iron Mountain, 1 Federal Street, Boston, MA 02110, U.S.A.

This notice was last updated December 31, 2019.