Last Updated: July 3, 2025

Rampart Casino, Hawthorn Grill, ai Pazzi Italian Restaurant by Fabio Viviani and Spa Aquae (“Rampart” or “we” or “us”) has a strong commitment to providing excellent service to all of our customers (“users” or “you”), including respecting their concerns about privacy. We understand that visitors to our website may have questions about whether and how this website collects and uses information, and are committed to protecting your privacy. In support of this, we only use the personally identifiable information (“Personal Information”) that you provide in accordance with the terms outlined below.

This Privacy Policy (“Policy”) covers any Personal Information we obtain when you visit the resort, use our services, or access the features on the websites that Rampart and Hotspur Resorts Nevada, Ltd. own or control (today or in the future), including https://theresortatsummerlin.com/, https://www.hawthorngrilllv.com, https://aipazzi.com and https://spaaquaelv.com (the “Sites”). You can access the Sites in many ways, including from a computer or mobile phone, and this Policy will apply regardless of the means of access. This Policy also governs the use of Personal Information we obtain from you from any third party site or application where we post content or invite your feedback or participation (“Third Party Sites”). Rampart cannot control the privacy policies or practices of Third Party Sites or of companies Rampart does not own or control, and cannot control the actions of people Rampart does not employ or manage. You should always check the privacy policies of Third Party Sites and your privacy settings.

1. Information We Collect

Personal Information

You may be asked for, or we may automatically collect (described below), as appropriate, the following information, which may be considered personal information or personal data:

• name (first and last);
• gender;
• date of birth;
• contact information, including your mailing and billing addresses, email address and phone numbers;
• credit and debit card number and other payment data;
• government-issued identification information, such as social security or national identification number, driver’s license information, passport information or other government-issued documents;
• Anti-Money Laundering (AML)/Know Your Customer (KYC) information such as source of funds and proof of employment;
• membership or loyalty program data;
• language preferences;
• IP address;
• geolocation information.

In more limited circumstances, we may also collect:

• data about family members and companions, such as names and ages of children;
• images and audio/video information via security cameras located in public areas, such as hallways and lobbies, in our properties;
• gaming activity; and
• other information you may provide by interacting with us.

You may, however, visit our Sites anonymously. Doing so may limit the functionality of some features on the Sites.  

Usage Information

We may also use cookies and other technologies to automatically gather anonymous information about how you use the Sites (“Usage Information”), including:

• new or returning visitor;
• time of visit;
• duration of visit;
• pages viewed;
• where you found the Sites (search, direct, social media, etc.);
• country you’re visiting from;
• technology you’re using (browser, screen resolution, etc.); and
• gender and age range.

This Usage Information does not constitute Personal Information.

2. How We Collect Information

We may collect Personal Information from you in a variety of ways, including when you:

• visit our Sites;
• create an account;
• apply for a job;
• make a purchase;
• make a reservation;
• register for a rewards program;
• subscribe to the newsletter; 
• respond to a survey;
• use wireless internet (WiFi) while on our properties
• take part in our competitions or promotions
• communicate or correspond with us in person, on the phone or through letters or email; and
• fill out a form. 

We also collect Personal Information from you in connection with other activities, services, features or resources we make available on our Sites and at our properties.

Cookies

We also use cookies to collect information about you. A “cookie” is a small data file stored on your web browser or on your mobile device that allows us to recognize your computer or mobile device when you visit the Sites by associating identification numbers with other user information you have provided us. Some cookies will remain on the hard drive of your computer or mobile device for the duration of your browser or user session, while others will remain until deleted by you. You may also be able to configure your computer or mobile device to limit the collection of these “cookies,” but that limitation may also limit our ability to provide all the services or functionality of the Sites. For more information about cookies including how to set your internet browser to reject cookies please go to www.allaboutcookies.org.  

Pixel Tags 

We may use pixel tags (also called web beacons or clear gifs) on our Sites. They can help us analyze what our customers like to do on our Sites and the effectiveness of our features and advertising. They can also help us customize your browsing experience. We may use information collected through pixel tags or tracked links in combination with your Personal Information. We may also combine Personal Information you provide to us with other personal information (such as purchase history and demographic information). If we work with other companies to help us track, collect and analyze this information, they will be prohibited from using this information for any other purpose.

Google Analytics

The Sites use Google Analytics (and in the future may use other similar sites or services), a web analytics service provided by Google, Inc. (“Google”), to better assist us in understanding how the Sites are used. Google Analytics will place cookies on your computer that will generate information that we select about your use of the Sites, including your computer’s IP address. That information will be transmitted to and stored by Google. The information will be used for the purpose of evaluating consumer use of the Sites, compiling reports on Sites’ activity for our use, and providing other services relating to Site activity and usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. You may refuse the use of cookies by selecting the appropriate settings on your browser. Please note that by doing so, you may not be able to use the full functionality of the Sites. The use of cookies by Google Analytics is covered by Google’s privacy policy.

You can learn more about Google’s practices at http://www.google.com/policies/privacy/partners   and view its currently available opt-out options at https://tools.google.com/dlpage/gaoptout.

3. How We Use Collected Information

Rampart collects and uses your Personal Information for the following purposes:

• to personalize user experience;
• to operate our rewards programs
• to facilitate purchases and transactions;
• to facilitate reservations;
• to improve our Sites;
• to ask for your participation in our internal market research;
• to improve customer service;
• to share your information with third parties (as described below);
• to perform background checks for any reason;
• to administer a contest, promotion, survey or other Site feature; 
• to comply with our legal obligations; and
• to send you information you agreed to receive about topics we think will be of interest to you (with consent when necessary).

We may also use information in the aggregate to understand how our users as a group use the services and resources provided on our Sites and at our properties.

If you apply for a job through our Sites, we may also use the information to:

• assess qualifications and personal experience to determine if it meets specific job requirements; and 

help us inform you of future openings at Rampart.

4. How We Protect Your Information

We take every reasonable precaution to keep your Personal Information secure. We have put in place appropriate physical, electronic and managerial procedures to safeguard the information we collect. Nevertheless, when disclosing any Personal Information, you should remain mindful that there is an inherent risk in the use of email and the internet. Your information may be intercepted without our consent, collected illegally and used by others without your consent. We cannot guarantee the security of any information you disclose online, and you do so at your own risk.

5. Sharing your Personal Information

For business purposes, we may share certain information we receive from you, and about your transactions with us, with our affiliates, including our owned, operated, and managed casinos, hotels, online and web based businesses, and other corporate entities or affiliates. Doing so allows us to provide the products and services you have requested and quickly respond to applications for credit or other financial services. We may also disclose your Personal Information to all our properties and other affiliates if you participate in our “responsible gaming” or “self-exclusion” programs. 

We may also share your information with the following third parties:

Third Party Service Providers. Your information may be shared with or collected by third party service providers who provide us with services, including but not limited to data hosting or processing, credit card processing, credit or background checks, or processing and fulfilling reservations or purchases. We require these providers to exercise reasonable care to protect your Personal Information and restrict the use of your Personal Information to the purposes for which it was provided to them.

Third Party Marketing Partners. We may share certain limited information about you with other companies with whom we have joint marketing or similar agreements, or other businesses with whom we have a contractual relationship (“Joint Marketing Partners”), who may contact you with marketing and promotional offers. These businesses generally include financial services companies, such as banks and insurance companies, other service providers, such as airlines, hotels and car rental agencies, and retailers, but may include others. If you would like us to stop providing your information to these Joint Marketing Partners, you may opt-out in accordance with Section 10 below.

Business Transfers; Bankruptcy. In the event of a merger, acquisition, bankruptcy or other sale of all or a portion of our assets, we may transfer or allow third parties to use information owned or controlled by us. We reserve the right, in connection with these types of transactions, to transfer or assign your information and other information we have collected from our customers to third parties or to authorize third parties to use any such information retained by us. Other than to the extent ordered by a bankruptcy or other court, the use and disclosure of all transferred user information will be subject to this Policy. However, any information you submit or that is collected after this type of transfer may be subject to a new privacy policy adopted by the successor entity.

Response to Subpoenas or Court Orders or to Protect Rights and to Comply with Our Policies. To the extent permitted by law, we will disclose your information to government authorities or third parties: (a) if required to do so by law, or in response to a subpoena or court order, search warrant or other valid legal process, (b) to comply with legal, regulatory or administrative requirements of any governmental authorities, including but not limited to gaming regulators, (c) in connection with any legal action, claim or dispute, including but not limited to the collection of debts, or (d) if we believe in our sole discretion that disclosure is reasonably necessary to protect against fraud, to protect the property or other rights of us or other users, third parties or the public at large. You should be aware that, following disclosure to any third party, your information may be accessible by others to the extent permitted or required by applicable law.

6. Rampart Casino App

Protecting your private information is our policy. This Statement of Privacy applies to Rampart Casino mobile app (hereinafter “The Rampart Casino”) and governs data collection and usage. By using the Rampart Casino mobile app, you consent to the data practices described in this statement.

Collection of Personal Information and Location Data. The Rampart Casino mobile app collects personal information and location data to better serve you as a customer. This mobile app may also collect anonymous information, which is not unique to you, such as your location, usage data, diagnostics, contact info and identifiers. We may request or gather similar additional information that is personal or non-personal to enhance our service to you. Information about your software may be automatically collected such as your IP address, browser type, domain names, access times and referring websites. This information is used to enhance the operation of this service, to maintain the quality of this service, and to provide general statistics regarding use of the Rampart Casino mobile app.

Use of Your Personal Information and Location Data. The Rampart Casino collects and uses your personal information and location data to operate its mobile app and deliver the services you requested. The Rampart Casino may also use your personally identifiable information to inform you of other products and services available from the The Rampart Casino and its affiliates. The Rampart Casino may also contact you via surveys to conduct research and get your opinion about current services or potential new services that may be offered. The Rampart Casino does not sell, rent, or lease its customer lists to third parties. The Rampart Casino may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personal information is transferred to the third party. The Rampart Casino may share data with trusted partners to help perform statistical analysis, send you email or postal mail, provide customer support or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide services to The Rampart Casino, and they are required to maintain the confidentiality of your information. The Rampart Casino will disclose your personal information, without notice, only if required to do so by law or in good faith that such action is necessary to conform with the law or defend the property rights of The Rampart Casino or the personal safety of users or the public.

7. Video Surveillance

We use surveillance systems to monitor all gaming areas and other public or sensitive areas of our properties. Video surveillance cameras may be used for security purposes and to protect us, our customers and employees against potential violations of criminal or civil laws. Surveillance camera output is monitored by our employees and contractors and may be viewed by law enforcement and regulatory authorities.

8. Third Party Websites

You may find advertising or other content on our Sites that link to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Sites. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interacting with any other website, including websites which have a link to our Sites, is subject to that website’s own terms and policies.

9. Advertising

Ads appearing on our Sites may be delivered to you by advertising partners, who may set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile non personal identification information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you. This Policy does not cover the use of cookies by any advertisers.

10. Age Policy

The Sites are intended only for users over the age of 21. Please leave the Sites if you are under the age of 21. By continuing, you hereby release Rampart, our subsidiaries and affiliates, and the creators of the Sites from any and all liability for your use or access to the Sites.

Under penalty of law, persons under 21 years of age will not be allowed to loiter on casino or slots property or participate in any gaming activity and persons under the permissible age will not be allowed to loiter on the property or participate in any racing or pari-mutuel activity. We have the right to ask for proper ID from individuals while they are on the property.

We will not rent hotel rooms to persons under the age of 21. Any contests, activities, or programs promoted are strictly limited to people over 21, unless otherwise indicated.

If we learn that, despite these measures, Personal Information of any person under the age of 13 has been collected on the Sites without verifiable parental consent, then we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child under the age of 13 has obtained an account on the Sites, please alert us at privacy@theresortatsummerlin.com and request that we delete that child’s Personal Information from our systems. 

11. Managing Your Information

You may decline to share certain information with us, in which case we may not be able to provide to you some of the features and functionality found on the Sites.

To protect your privacy and security, we take reasonable steps to verify your identity before granting you account access or making corrections to your information. You are responsible for maintaining the secrecy of your unique password and account information at all times. 

Email Opt Out

From time to time (and with your consent when required), you may receive periodic mailings, or e-mails from us with news or other information on events, products, services, discounts, special promotions, upcoming events or other offers from or on our behalf. If at any time you wish to stop receiving emails or mailings from us please send us an email to privacy@theresortatsummerlin.com with the phrase “Privacy Opt-out: Rampart Social Mailings” in the subject line, or write to us at the address provided below, and we will remove you from our mailing list. 

Alternatively, for e-mail communications, you may opt out of receiving such communications by following the unsubscribe instructions set forth in most promotional e-mail messages from us. Your unsubscribe request or e-mail preferences change will be processed promptly, though this process may take several days. During that processing period, you may receive additional promotional emails from us.

Marketing/Joint Marketing Opt Out

If you wish to opt-out of receiving solicitations from us, or do not want us to share your Personal Information with partners for marketing purposes, you may email us at privacy@theresortatsummerlin.com, call (702) 507-5935, or write to:

Hotspur Resorts Nevada Ltd.
Attn: Marketing Opt Out
221 N Rampart Blvd
Las Vegas, NV 89145 

If you do not want us to share your Personal Information among the Rampart Sites and affiliates for marketing purposes, you may email us at privacy@theresortatsummerlin.com or call (702) 507-5935.

Behavioral Advertising Opt Out

If you prefer to not receive targeted advertising, you can opt out of some network advertising programs that use your information. To do so please visit the NAI Opt-Out Page: http://www.networkadvertising.org/choices. Please note that even if you choose to remove your information (opt out), you will still see advertisements while you are browsing online. However, the advertisements you see may be less relevant to you and your interests. Additionally, many network advertising programs allow you to view and manage the interest categories they have compiled from your online browsing activities. These interest categories help determine the types of targeted advertisements you may receive. The NAI Opt-Out Page provides a tool that identifies its member companies that have cookies on your browser and provides links to those companies.

12. Notice to EU Residents

Legal Basis for Processing Information

If you are located in the EU or Switzerland, we rely on several legal bases to process your Personal Information. These legal bases include where: 

• The processing is necessary to perform our contractual obligations, such as to provide you with our services; 
• You have given your prior consent, which you may withdraw at any time (such as for marketing purposes or other purposes we obtain your consent for from time to time);
• The processing is necessary to comply with a legal obligation, a court order or to exercise or defend legal claims;  
• The processing is necessary for the purposes of our legitimate interests, such as in improving, personalizing, and developing our services, marketing new features or products that may be of interest, and promoting safety and security as described above. 

If you have any questions about, or would like further information concerning, the legal basis on which we collect and use your Personal Information, please contact us by emailing privacy@theresortatsummerlin.com.

Data Retention

If you are a Rampart customer, we will retain your Personal Information as long as we are providing the services to you. If you have consented to receive marketing materials from us, we will retain your Personal Information as long as we have your consent to send you marketing materials. We retain Personal Information after we cease providing services to you for the purpose of fraud monitoring, detection and prevention. We also retain Personal Information to comply with our tax, accounting, and financial reporting obligations, where we are required to retain the data by our contractual commitments to our financial partners, and where data retention is mandated by the payment methods that we support. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.

Rights Under the General Data Protection Regulation

If you are located in the EU or Switzerland, you have the following rights in respect of your Personal Information that we hold:

• Right of access. The right to obtain access to your Personal Information.
• Right to rectification. The right to obtain rectification of your Personal Information without undue delay where that Personal Information is inaccurate or incomplete. 
• Right to erasure. The right to obtain the erasure of your Personal Information without undue delay in certain circumstances, such as where the Personal Information is no longer necessary in relation to the purposes for which it was collected or processed.
• Right to restriction. The right to obtain the restriction of the processing undertaken by us on your Personal Information in certain circumstances, such as where the accuracy of the Personal Information is contested by you, for a period enabling us to verify the accuracy of that Personal Information.
• Right to portability. The right to portability allows you to move, copy, or transfer Personal Information easily from one organization to another. 
• Right to object. You have a right to object to processing based on legitimate interests and direct marketing. 

If you wish to exercise one of these rights, please email us at privacy@theresortatsummerlin.com. You also have the right to lodge a complaint to your local data protection authority. Further information about how to contact your local data protection authority is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Obligations to Data Protection Authorities (DPAs)

We will respond diligently and appropriately to requests from DPAs about this Policy or compliance with applicable data protection privacy laws and regulations. We will, upon request, provide DPAs with names and contact details of the individuals designated to handle this process. With regard to transfers of Personal Information, we will (a) cooperate with inquiries from the DPA responsible for the entity exporting the data, and (b) respect its decisions, consistent with applicable law and due process rights. With regard to transfers of data to third parties, we will comply with DPAs’ decisions relating to it and cooperate with all DPAs in accordance with applicable legislation.

Contacting Our Data Protection Officer

To contact our designated Data Protection Officer, please send an email to: privacy@theresortatsummerlin.com.

13. California Privacy Rights 

If you are a California resident, you have the right to request information from us regarding the manner in which Rampart shares certain categories of Personal Information with third parties for their direct marketing purposes, in addition to the rights set forth in Section 10 above. Under California law, you have the right to send us a request at the designated address listed below to receive the following information:

• The categories of information we disclosed to third parties for their direct marketing purposes during the preceding calendar year;
• the names and addresses of the third parties that received the information; and
• if the nature of the third party’s business cannot be determined from their name, examples of the products or services marketed.

This information may be provided in a standardized format that is not specific to you. The designated email address for these requests is: privacy@theresortatsummerlin.com.

Also, please note that we have not yet developed a response to browser “Do Not Track” signals, and do not change any of our data collection practices when we receive such signals. We will continue to evaluate potential responses to “Do Not Track” signals in light of industry developments or legal changes.

California residents also have the right to opt out of certain marketing practices. For more information, see Section 10 above. 

14. Your Consent and Updates to this Policy 

You acknowledge that this Policy is part of the Terms of Use for your use of the Sites, and you agree that using the Sites signifies your assent to this Policy. Rampart reserves the right to change this Policy at any time. If we decide to change our Policy, we will post those changes on this page so that you are always aware of what information we collect, how we use it and under what circumstances we disclose it. As we may make changes from time to time without notifying you, we suggest that you periodically consult this Policy. Your continued use of the Sites after the effective date of any modification to the Policy will be deemed to be your agreement to the changed terms.

If you have any questions about your privacy or security on our Sites, please contact us using the following information: 

Hotspur Resorts Nevada Ltd.
Attn: Privacy
221 N Rampart Blvd
Las Vegas, NV 89145
privacy@theresortatsummerlin.com 

Anti-SPAM Policy

Effective: August 1^st 2019

1. Overview

This policy provides guidance for sending commercial or marketing emails and is important for avoiding liability and retaining consumers. This is especially true given the distinct rules in place depending on whether a recipient resides in the United States, Canada, or the European Union. The implementation of this uniform policy and adherence to this policy by Rampart Casino, Hawthorn Grill, ai Pazzi, Spa Aquae and their employees, officers, directors, contractors, agents and others working on their behalf (“Rampart”) will ensure that Rampart is able to provide commercial or marketing content to the largest possible audience without infringing on their rights.

2. Purpose

The purpose of this policy is to establish the minimum requirements for sending commercial or marketing emails. It provides guidance related to the CAN-SPAM Act in the United States, Canada’s Anti-Spam Legislation (“CASL”), and the requirements imposed by the European Union General Data Protection Regulation (“GDPR”). 

3. Collecting Email Addresses

The requirements set forth in this Section are required by law with respect to the collection of email addresses for individuals located in Canada, the European Union or Switzerland. Notwithstanding the foregoing, it is a best practice to adhere to the requirements in this Section for the collection of all email addresses.

• At any point in which an email address is collected by Rampart online or through a paper form, Rampart shall require that the individual provide an address or country of residence. Rampart shall establish and maintain a system by which it can easily reference and segregate email addresses from residents of the United States, Canada, and the European Union.
• Where Rampart intends to send any commercial or marketing messages to a collected email address, it shall provide an appropriate, prominent disclosure reviewed and approved by an attorney before collecting the email address. An example of such a disclosure would be:

By providing your email address, you are consenting to receive marketing emails from Rampart. You can unsubscribe at any time by emailing us at privacy@theresortatsummerlin.com or following the instructions at the bottom of any email. If you wish to contact us, please use the following information: Rampart Casino, Marketing Opt Out, 221 N Rampart Blvd, Las Vegas NV 89145, privacy@theresortatsummerlin.com.  

The disclosure can be provided to users through text, or, where possible, as a pop-up, or on a separate page in which the user confirms that he or she is subscribing. For example, if a user enters an email address, you can direct that user to a separate page with the disclosure and a button for her to confirm.

• If Rampart is collecting an email address for a non-marketing purpose but intends to send marketing communications to the email address, Rampart shall present the individual with an unchecked box with an appropriate, prominent disclosure reviewed and approved by an attorney. An example of such a disclosure would be:

Yes, I would like receive updates and alerts about Rampart’s products and services.

• If Rampart knows or reasonably believes that it will be sending marketing emails to individuals in Germany or Switzerland, Rampart will take efforts to obtain an additional form of consent before adding such individual to its marketing lists. This can be done by asking the user to confirm consent after they indicate consent through a checkbox or sending a follow up email asking the individual to click a link to confirm consent. In the event an individual does not provide such additional consent, that individual shall not be included on Rampart’s marketing lists.
• Rampart shall establish and maintain a system by which it can easily reference and segregate email addresses from users who have provided consent to receive marketing or commercial emails and those who have not consented.

4. Sending Emails

The requirements in this Section are required under CAN-SPAM, CASL and GDPR.  

All marketing or commercial emails must have an appropriate, prominent disclosure reviewed and approved by an attorney at the bottom of the email. An example of such a disclosure would be:

You are receiving this communication because you consented to Rampart sending you updates about our products and services. You can unsubscribe at any time by clicking this Unsubscribe link.

If you wish to contact us, please use the following information: Rampart Casino, Marketing Opt Out, 221 North Rampart Blvd., Las Vegas NV 89145, privacy@theresortatsummerlin.com. 

5. Deleting Email Addresses Upon Request

• Rampart shall establish and maintain a system that removes a user’s email address from its marketing email lists (a) within 48 hours of Rampart’s receipt of an unsubscribe request from a resident of, or individual located in, Canada, the European Union or Switzerland; or (b) within 10 business days of Rampart’s receipt of an unsubscribe request from a resident of the United States. This system shall account for individuals clicking the “unsubscribe” link the footer of commercial or marketing emails or if they directly email Rampart.
• Rampart shall test its system for unsubscribing on an annual basis to ensure it is working properly and purging emails in a timely manner.

Rampart European Union Data Policy

Effective: July 3, 2025

1. Overview

The European Union General Data Protection Regulation (the “Regulation” or “GDPR”) imposes significant penalties on companies that fail to appropriately handle the Personal Data of individuals located in the European Union. It is therefore imperative that Rampart Casino, Spa Aquae, Hawthorn Grill, ai Pazzi Italian Restaurant by Fabio Viviani and their employees, officers, directors, contractors, agents and others working on their behalf (“Rampart”) and all companies with which it shares Personal Data maintain substantial compliance with the Regulation and be able to present evidence of its compliance to third parties and regulators. 

2. Purpose

The purpose of this policy is to establish the requirements for collecting, processing, storing, and sharing Personal Data and ensure that Rampart remains in substantial compliance with the GDPR.

3. General

• “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• If Rampart collects Personal Data, it shall require that the user provide an address or country of residence where appropriate given the context and nature of the collection (e.g., when collecting Personal Data online or through forms). Rampart will establish and maintain a system by which it can easily reference and segregate Personal Data from residents of the European Union.
• Rampart shall designate one individual as their Data Protection Officer who shall be responsible for enforcing this policy and ensuring Rampart’s compliance with the GDPR.
• Rampart must follow the Anti-SPAM Policy and Privacy Analysis Policy as additional necessary components for compliance.
• Rampart shall provide training to new employees about the GDPR and this Policy, and offer supplemental courses for current employees on an annual basis. 

4. Collecting Personal Data

• Under no circumstances shall Rampart collect Personal Data online or through mobile applications without providing users with a link to its Privacy Policy. Where Rampart collects Personal Data in a manner that does not allow for an active link to Rampart’s Privacy Policy (e.g., through a paper form), Rampart shall provide the individual providing the Personal Data with information about where and how he or she can obtain a copy of Rampart’s Privacy Policy. All online and offline forms that are used to collect Personal Data shall include a disclosure stating that the user or individual is “Consenting to Rampart collecting, using, processing, and sharing the personal information provided under Rampart’s Privacy Policy.” The disclosure should be presented to users in an overt manner – i.e. not in very small print or a font that blends into the background.
• In addition to the disclosure, users must take a proactive step to consent to the collection. Ideally this will be an unchecked box that the user must check before being allowed to proceed. However, a simple “Submit” or “I Agree” button would also be adequate.
• If a user’s email address is being collected for marketing purposes or may be used for marketing purposes, Rampart must follow the protocols in the Rampart Anti-SPAM Policy.
• Rampart must maintain some kind of record or evidence that a user provided at the time Personal Data was collected (if not sooner). This record can be automatically generated and does not have to be in any particular format. A record is sufficient as long as it allows Rampart to demonstrate that a specific user provided consent in a specific manner at a specific time. 

5. Processing and Sharing Personal Data

• Rampart may only process or use Personal Data consistent with the terms of its Privacy Policy. Rampart shall closely review its Privacy Policy on a regular basis to ensure that it is disclosing all the ways in which it is collecting, processing, storing, or sharing Personal Data. 
• If Rampart is going to send commercial or marketing email messages, it must follow the protocol in the Anti-SPAM Policy.
• If Rampart is going to share Personal Data with any third-party entity, it shall take steps to ensure that the information will be treated consistent with Rampart’s Privacy Policy. Rampart shall also ensure that the third-party entity will protect Personal Data using adequate and reasonable security and will not use Personal Data in a manner that violates the GDPR. Ideally these assurances will be made as part of a written agreement or Data Processing Addendum.
• If Rampart receives Personal Data from a third-party entity, it shall ensure that it treats that information consistent with the third-party entity’s Privacy Policy. It shall also obtain assurances from the third-party entity that the Personal Data was collected in a manner consistent with the GDPR and that Rampart’s receipt and use of the Personal Data will not violate the Regulation. 

6. Responding to Data Subject Requests

• Rampart is required to respond to requests from European Union residents concerning their Personal Data. Specifically, Rampart shall, upon request,:

1. allow EU residents and other individuals located in the EU to review their Personal Data;
2. allow EU residents and other individuals located in the EU to make corrections to their Personal Data;
3. provide EU residents and other individuals located in the EU with their Personal Data in a format that allows it to be transported; and
4. delete the Personal Data of EU residents and other individuals located in the EU.

• Rampart shall create and maintain a separate inbox that EU residents and other individuals located in the EU can send requests to, and ensure that the inbox is regularly monitored. Additionally, the email address that direct messages to this inbox must be linked to in Rampart’s Privacy Policy.
• If Rampart receives a request from an EU resident or other individual located in the EU, it shall provide a response to the requester within 48 hours indicating that it is processing the request.
• Rampart shall establish and maintain a system or process to facilitate all requests from European Union residents within 30 days of receiving any given request.
• If Rampart believes that it cannot facilitate a European Union resident’s request or that facilitating such a request would violate other laws or policies, the employee responsible for facilitating the request shall consult with Rampart’s legal team as soon as practicable.

7. Analysis and Development of New Products and Services

• Rampart shall follow the steps provided in the Privacy Analysis Policy whenever it develops a new product or service, updates a product or service in a manner that implicates Personal Data, begins collecting Personal Data in a new manner, begins collecting a new type of Personal Data that may be considered especially sensitive, or intends to share Personal Data with a new third-party entity.