Privacy Notice Addendum for Europeans
(European Privacy Addendum)

Last Updated: June 18, 2026

1. INTRODUCTION AND SCOPE

This Privacy Notice Addendum for Europeans (the "European Privacy Addendum") supplements the information contained in DITA's Privacy Notice and applies solely to individuals located in the European Economic Area ("EEA") (including the European Union ("EU")) and/or the United Kingdom ("UK") who provide their information to us, directly or indirectly, in connection with their interactions with us, use of our Website, or otherwise (such as in the offline setting) ("you").

This European Privacy Addendum applies to information we collect in various contexts, both online and offline (including, but not limited to, when you use our Website, as defined and more fully described in our Privacy Notice), that relates to an identified or identifiable natural person ("Personal Data"). However, anonymized data (as defined in the GDPR) is not considered Personal Data and falls outside the scope of this European Privacy Addendum.

We adopt this European Privacy Addendum to comply with the EU General Data Protection Regulation, any laws implementing it by any member states of the EEA, and the UK data protection regime (including the UK Data Protection Act 2018 and the UK General Data Protection Regulation) (collectively, the "GDPR"). Unless otherwise defined in this European Privacy Addendum, any terms defined in the GDPR or our Privacy Notice have the same meaning when used in this European Privacy Addendum. When this European Privacy Addendum is applicable to you, it takes precedence over anything contradictory in our Privacy Notice.

2. DATA CONTROLLER

Dita, Inc. is the controller for the processing of Personal Data it collects about you as further described in our Privacy Notice. At this time, Dita, Inc. is not required to appoint a Data Protection Officer or representatives in either the EU or the UK and has elected not to do so. Dita, Inc. may be contacted in any manner set forth below in the Contact Information section of this European Privacy Addendum.

3. INFORMATION WE COLLECT ABOUT YOU AND HOW WE COLLECT, USE, AND DISCLOSE IT

Except as otherwise noted in this section, the Personal Data we collect and the ways in which we collect, use, and disclose it are described in our Privacy Notice.

Certain Personal Data we collect from you is required to enter into a contract with DITA, for DITA to perform under the contract, and to provide you with our products and services. If you refuse to provide such Personal Data or withdraw your consent to our processing of Personal Data (when appropriate), then in some cases we may not be able to enter into the contract or fulfill our obligations to you under it.

We only place non-essential cookies on your device and use other interaction and/or performance monitoring tools with your affirmative consent. You may withdraw or change your consent at any time by accessing our cookie consent manager on our Website. You may also set your browser to refuse all or some browser cookies (which may include essential cookies), or to alert you when cookies are being sent. However, if you do not consent to our use of cookies or select this setting you may be unable to access certain parts of our Website.

In addition, with the exception of certain marketing-related communications described below, we use your Personal Data in the same manner set out in our Privacy Notice and do not disclose your Personal Data other than to the entities and for the purposes discussed in our Privacy Notice.

More specifically, and except where we rely on your consent as described below, the recipients to whom we disclose your Personal Data fall into two groups: (a) service providers and processors that process Personal Data on our behalf and in accordance with our instructions; and (b) advertising and marketing partners who may use the Personal Data we disclose to them for their own purposes. Where a partner uses Personal Data for its own purposes, we disclose that Personal Data to it only on the basis of, and only to the extent of, your consent.

  • Service Providers and Processors. We disclose Personal Data to service providers and processors that act on our behalf, process Personal Data only in accordance with our instructions, and are bound by contractual confidentiality and data-protection obligations. These providers are engaged by function, including: e-commerce platform infrastructure (Shopify); server-side conversion-data routing (Elevar); international order fulfillment (Global-e); fraud prevention (Signifyd); buy-now-pay-later payment processing (Affirm); returns and exchanges management (Loop); customer service (Zendesk); tax compliance (Avalara); internal data pipeline (Fivetran/Airbyte); enterprise resource planning (ERP) integration (NetSuite/Celigo); consent management (OneTrust); internal business intelligence (Domo); internal automation (Zapier); internal data management (Matrixify); post-purchase survey collection and marketing-attribution insights (Fairing); and landing-page builder (Shogun).
  • Advertising and Marketing Partners. We disclose Personal Data to advertising and marketing partners that may use that Personal Data for their own purposes. For individuals located in the EEA and the UK, disclosures to these partners (and the placement of any related cookies, pixels, and similar technologies) take place only on the basis of your consent. These partners include: Google (GA4 analytics and Google Ads conversion tracking); Meta/Facebook (Conversions API and advertising); Pinterest (ad tracking and conversion measurement); Klaviyo (email marketing); Trade Desk (programmatic advertising); Dstillery (lookalike audience modeling); and Shopify Audiences (cross-merchant lookalike audience building, which is then routed downstream to Meta and Google).
  • Cookie and Tracking Technology Data Flows. For individuals located in the EEA and the UK, the following advertising and analytics data flows are consent-gated and operate only where you have provided your prior consent: (i) client-side Google Analytics 4 (GA4) tracking deployed through Google Tag Manager, which is consent-gated through our OneTrust consent manager and does not fire for users who have not consented; (ii) server-side conversion data routed via Elevar to GA4, which operates in a confirmed consent mode such that, where a user has not consented, only anonymized or modeled data containing no personal identifiers is transmitted; and (iii) the Meta Conversions API via Elevar, which operates under the same consent-mode framework. We have removed Hotjar, which is no longer active on our Website.
  • Marketing and Non-Essential Cookies (EEA/UK). Consistent with the UK Privacy and Electronic Communications Regulations (PECR) and equivalent requirements in the EEA, for individuals located in the UK and the EEA we send marketing communications and place non-essential cookies, pixels, and similar technologies (including advertising and analytics technologies) only with your prior opt-in consent. You may withdraw your consent at any time, including through the cookie consent manager on our Website, via our online webform (available here), by sending us an email with your request to privacy@dita.com, and/or by using the unsubscribe mechanisms in our marketing communications.

4. SPECIAL CATEGORIES OF PERSONAL DATA

We do not ask you to provide, and we do not knowingly collect, any special categories of Personal Data from you.

5. LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA

The processing of your Personal Data is lawful only if it is permitted under the GDPR. We have a lawful basis for each of our processing activities (except when an exception applies as described below):

  • Consent. By using our Website, you consent to our collection, use, and disclosure of your Personal Data as described in our Privacy Notice. If you do not consent to the terms of the Privacy Notice or this European Privacy Addendum, please do not use our Website. We will also ask for or otherwise obtain your consent to process your Personal Data in certain circumstances, such as to: (i) send you marketing-related communications; and (ii) place optional, non-essential cookies, pixels, and other technologies (that are not necessary for the operation of our Website) onto your device when you visit our Website.
  • To Fulfill Our Obligations to You under Our Contract. We process your Personal Data as necessary to perform our responsibilities under our contract with you (for example, to communicate with you in relation to a product you requested or purchased from us).
  • Compliance with Legal Obligations. To meet our regulatory and legal obligations, we may need to process some of your Personal Data (e.g., accounting, recordkeeping, etc.).
  • Legitimate Interests. We will process your Personal Data as necessary for our legitimate interests. Our legitimate interests are balanced against your rights and freedoms, and we do not process your Personal Data if your rights and freedoms outweigh our legitimate interests. We process your Personal Data only so far as is necessary to achieve the purposes outlined in our Privacy Notice. Our processing activities will not unreasonably intrude on your privacy and ultimately benefit you by optimizing our provision of our Website, products, and services to you. Specifically, we rely on several legitimate interests for processing your Personal Data, including, but not limited to: (i) facilitating communications with you and managing our customer, vendor, and business partner relationships, including CRM and account administration; (ii) providing, supporting, troubleshooting, personalizing, and improving our Website, products, and services, and enabling interactive features; (iii) processing and fulfilling your orders, transactions, shipments, returns, exchanges, and related requests; (iv) responding to your inquiries and providing customer support, including quality assurance and customer service training; (v) administering surveys, sweepstakes, promotions, and other contests; (vi) verifying your identity and the accuracy of your information, and detecting and preventing fraud; (vii) understanding how visitors use and engage with our Website, measuring performance and traffic, and identifying opportunities to improve the user experience; (viii) measuring and evaluating the effectiveness of our advertising, including ad impressions, positioning, and quality; (ix) operating and optimizing our business and personalizing your experience, including identifying products and styles likely to be of interest to you; (x) providing you with marketing communications about our products and services through email, direct mail, and similar channels; (xi) maintaining the safety, security, and integrity of our Website, products, databases, and other technological and business assets, including detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity; (xii) notifying you of changes to our Website, terms, or products, and conducting internal testing, research, analysis, and product development; (xiii) developing, training, testing, and improving automated customer service tools, including artificial intelligence and machine learning models that support our customer service operations; (xiv) evaluating or carrying out a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets; and (xv) carrying out our contractual obligations, conducting internal audits and investigations, exercising or defending legal claims, and responding to legally binding requests from law enforcement, regulatory authorities, or other third parties.

Lawful Bases and Purposes by Category of Personal Data. The following describes, by category of Personal Data, the lawful basis or bases on which we rely and the corresponding purposes of our processing. Where we rely on consent, you may withdraw it at any time as described in this European Privacy Addendum; where we rely on legitimate interests, those interests are balanced against your rights and freedoms as described above.

  1. Identifiers (name, contact details, IP address, device and advertising IDs).
    • Lawful bases: performance of a contract (creating and administering your account and processing and fulfilling your orders); legitimate interests (fraud prevention, security, customer relationship management, and service improvement); compliance with a legal obligation (recordkeeping); and consent (disclosures of device and advertising identifiers to advertising and analytics partners and the placement of non-essential cookies and pixels).
    • Purposes: identifying and communicating with you, fulfilling your orders and administering your account, securing our Website, and – where you have consented – advertising and analytics.
  2. Commercial and transaction information.
    • Lawful bases: performance of a contract (processing your orders, payments, returns, and exchanges); compliance with a legal obligation (tax, accounting, and recordkeeping); and legitimate interests (fraud prevention and business analytics).
    • Purposes: completing and managing your transactions, meeting our tax and accounting obligations, and detecting and preventing fraud.
  3. Internet or network activity (cookies and pixels, browsing activity).
    • Lawful bases: consent (non-essential cookies and pixels and disclosures to advertising and analytics partners); and legitimate interests (essential analytics, general site performance, and security).
    • Purposes: operating and securing our Website, understanding how visitors use our Website, and – where you have consented – advertising and analytics.
  4. Geolocation (general location).
    • Lawful bases: legitimate interests (estimating your general location from IP address to operate and secure our Website and tailor content); and consent (precise geolocation, where you opt in through a browser prompt).
    • Purposes: providing location-relevant content and services and maintaining the security of our Website.
  5. Audio and visual information (call recordings and CCTV).
    • Lawful bases: legitimate interests (quality assurance, training, and the safety and security of our retail premises); and compliance with a legal obligation (where applicable).
    • Purposes: handling and improving customer service interactions and protecting the safety and security of our stores and personnel.
  6. Professional or business-contact information (B2B representatives).
    • Lawful bases: legitimate interests (managing our customer, vendor, and business-partner relationships); performance of a contract (administering our business relationship); and compliance with a legal obligation.
    • Purposes: managing and administering our B2B relationships and related communications.
  7. Inferences and profile data.
    • Lawful bases: legitimate interests (understanding your preferences to operate, personalize, and improve our products, services, and Website); and consent (where inferences are derived from, or used for, advertising and analytics involving our partners).
    • Purposes: personalizing your experience and improving our products and services, and – where you have consented – advertising and analytics.

6. AUTOMATED DECISION MAKING

DITA does not use your Personal Data with any automated decision making process, including profiling, which may produce a legal effect concerning you or similarly significantly affect you.

7. YOUR GDPR RIGHTS

The GDPR provides you with certain rights with regard to our processing of your Personal Data. These rights replace the similar rights provided in our Privacy Notice or are supplemental to such rights.

  • Access and Update. You can review and change your Personal Data we have about you by notifying us through the Contact Information below of any required changes or errors to ensure that it is complete, accurate, and as current as possible. We may not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.
  • Restrictions. You have the right to restrict our processing of your Personal Data under certain circumstances. In particular, you can request we restrict our use of it if you contest its accuracy, if the processing of your Personal Data is determined to be unlawful, or if we no longer need your Personal Data for processing but we have retained it as permitted by law.
  • Portability. To the extent the Personal Data you provide to DITA is processed based on your consent or contractual necessity and we process it through automated means, you have the right to request that we provide you with a copy of, or access to, all or part of such Personal Data in structured, commonly used and machine-readable format. You also have the right to request that we transmit this Personal Data to another controller, when technically feasible.
  • Withdrawal of Consent. To the extent that our processing of your Personal Data is based on your consent, you may withdraw your consent at any time by notifying us through the Contact Information below. In addition, where you have consented to (i) our use of non-essential cookies, you may withdraw your consent at any time by accessing the cookie consent manager on our Website or adjusting your browser's settings to refuse those cookies, or (ii) receive newsletters or other marketing-related communications from us, you may withdraw your consent at any time by clicking the "unsubscribe" link at the bottom of any email you receive from us. Withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your Personal Data.
  • Right to be Forgotten. You have the right to request that we delete all of your Personal Data. We will only delete your Personal Data when we no longer have a lawful basis for processing your Personal Data or after a final determination that your Personal Data was unlawfully processed. We may not accommodate a request to delete information if we believe the deletion would violate any law or legal requirement or cause the information to be incorrect. In all other cases, we will retain your Personal Data as set forth in this European Privacy Addendum.
  • Complaints. You have the right to lodge a complaint with a supervisory authority, in particular in the EU or EEA member state of your habitual residence, your place of work, or the place of the alleged infringement of your rights under applicable data protection laws. If you are located in the UK, you may lodge a complaint with the Information Commissioner's Office (the "ICO"). We would, however, appreciate the opportunity to address your concerns before you approach the ICO or another supervisory authority, so please contact us in the first instance.
  • How You May Exercise Your Rights. You may exercise any of the above rights by contacting us through any of the methods listed under Contact Information below. If you contact us to exercise any of the foregoing rights, we may ask you for additional information to verify your identity. We reserve the right to limit or deny your request if you have failed to provide sufficient information to verify your identity or to satisfy our legal and business requirements. Please note that if you make unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access your Personal Data, you may be charged a fee subject to a maximum set by applicable law.

8. CONSENT TO PROCESSING OF PERSONAL DATA IN OTHER COUNTRIES OUTSIDE THE EU/EEA AND UK

In order to provide our Website, products, and services to you, your Personal Data may be transferred to, stored, and/or otherwise processed in a country other than the one in which it was collected, including the United States. Accordingly, your Personal Data may be transferred outside the country where you reside or are located, including to countries that may not or do not provide an equivalent level of protection for your Personal Data. In limited circumstances, federal, state, and local governments, courts, or law enforcement or regulatory agencies in the United States may be able to obtain disclosure of your information through the laws of the United States.

Where we transfer Personal Data outside the EU, EEA or the UK (or receive Personal Data from those jurisdictions while in the United States), we do so only where the transfer is permitted under the GDPR and subject to appropriate safeguards. In particular, DITA relies on the Standard Contractual Clauses adopted by the European Commission and/or the UK ICO (the "SCCs"), supplemented, where our case-by-case assessment indicates it is necessary, by additional technical, contractual, and organizational measures intended to provide a level of protection essentially equivalent to that afforded within the EU, EEA or the UK (as applicable).

You may request a copy of the relevant SCCs and information about the safeguards in place by contacting us using the details in the Contact Information section below.

9. DATA RETENTION PERIODS

We will only retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it (as described in our Privacy Notice) and in accordance with our legal (or contractual) obligations, our records retention practices, or as otherwise permitted or required by law. Where we are processing Personal Data based on:

  • our legitimate interests, we generally will retain the data for a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of data subjects;
  • contractual necessity, we generally will retain the information for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from the contractual relationship;
  • compliance with a legal obligation, we generally will retain the information once the legal obligation expires or after the period of time specified as part of our records retention practices; or
  • your consent, we generally will retain the information for the period of time necessary to carry out the processing activities to which you consented, subject to your right, under certain circumstances, to have certain of your Personal Data erased (see Your GDPR Rights).

We may also retain some or all of your Personal Data when your information is subject to one of the following exceptions:

  • When stored in our backup and disaster recovery systems. Your Personal Data will be deleted when the backup media your Personal Data is stored on expires or when our disaster recovery systems are updated.
  • When necessary to help ensure the security and integrity of our Website and IT systems. Your Personal Data will be deleted when we no longer require it for such purposes.

10. CHANGES TO THIS EUROPEAN PRIVACY ADDENDUM

We reserve the right to amend this European Privacy Addendum at our discretion and at any time. If we make material changes to how we treat our users' Personal Data, we will notify you by email to the email address we have on file for you, through the posting of a notice on the home page of our Website, or by using a similar method. The date this European Privacy Addendum was last updated is identified at the top of the first page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this European Privacy Addendum to check for any changes. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

11. CONTACT INFORMATION

If you have any questions about this European Privacy Addendum, you may contact us by calling (888) 245-2202, emailing privacy@dita.com, or writing to: Dita, Inc., Attn: Legal Department, 1 Columbia, Aliso Viejo, CA 92656, USA.