Returns on Demand is owned and operated by Returns on Demand, Inc. As explained below, we collect information from you (“you,” “your,” “consumer,” or “visitor”) in various ways when you interact with the Returns on Demand application, website, and our other online services (collectively, “Returns on Demand”).
As a consumer, you are free to explore Returns on Demand without providing any personal information, as defined below, about yourself; however, this may limit your ability to receive certain information from Returns on Demand and may limit access to Returns on Demand. To access certain features of Returns on Demand, you must first complete the sign-up portion of the application, where we may ask for certain personal information, as defined below.
When signing up for a Returns on Demand account you will be asked first to submit personal information such as location, age, and gender. Returns on Demand may also request, at your election, further information, including, without limitation, product photos, a profile picture, app usage reports, purchase history, and return history.
ii. What Types of Information does Returns on Demand Collect
Personal information refers to any information that you voluntarily submit to Returns on Demand that directly or indirectly relates to, identifies, could reasonably be linked to, or describes a particular individual. Personal information includes, but is not limited to, name, e-mail address, physical address, phone number, birth date, etc. Returns on Demand collects personal information when you sign up for an account, send us an email, or engage in a transaction through Returns on Demand, as well as information that may be contained in server logs, such as your Internet Protocol (“IP”) address.
Personal information can also include information about any transactions that you enter into with Returns on Demand, and information about you that is available on the internet, such as from Facebook, LinkedIn, Twitter, and Google, or publicly available information that we acquire from service providers.
“Non-Personally Identifiable Information”
Returns on Demand may also collect non-personally identifiable information when you use Returns on Demand. Non-personally identifiable information is information which, by itself, cannot be used to identify or contact you. Non-personally identifiable information which we store may include, without limitation, website pages viewed, the site visited before coming to the Returns on Demand website, browser type, operating system, device type (mobile, tablet, or desktop), organization name, articles, presentations, and videos viewed, time spent viewing the Returns on Demand website or using certain features of the website, demographic data such as server locations, clickstream data, cookies existing on your computer, search criteria used and results, date and time of access or visits to the website, frequency of visits to the website, connection speed, and other information collected through automated tracking technologies, some of which are discussed below. Returns on Demand may combine this automatically collected information with other information Returns on Demand collects about you. Returns on Demand does this to improve the services it offers.
Information collected automatically through Returns on Demand can directly or indirectly identify an individual. Navigational information refers to information about your computer and your visits to Returns on Demand, such as your IP address, geographical location, browser type, referral source, length of visit, and pages viewed.
“Third Party Information”
Returns on Demand may at times collect information and/or personal information from a third-party company that you have ordered from and are returning to. We may at times transfer information we have collected about and from you to third parties.
iii. How Returns on Demand Collects Information
Returns on Demand collects information about you, as a consumer, when you voluntarily provide it through the app and website, or through methods such as those described below:
Web beacons. Some pages of Returns on Demand may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages of Returns on Demand and to gather other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
iv. How Returns on Demand Uses Information
Returns on Demand may process personal information relating to you if one of the following applies:
You have given your consent to Returns on Demand for one or more specific purposes. Under some legislation, Returns on Demand may be allowed to process personal information until you object to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply whenever the processing of personal information is subject to European data protection law, where you must explicitly agree to the processing of your personal information.
Provision of personal information is necessary for the performance of an agreement with you and/or for any pre-contractual obligations;
Processing is necessary for compliance with a legal obligation to which Returns on Demand is subject;
Processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Returns on Demand;
Processing is necessary for the purposes of the legitimate interests pursued by Returns on Demand or by a third-party.
In any case, Returns on Demand will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal information is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
v. Purpose of Processing Personal Information
Personal information concerning you is collected in order to allow Returns on Demand to provide its services, as well as for the following purposes: contacting you, analytics, managing contacts and sending messages, and processing and fulfilling your order(s).
Analytics. The services contained in this section enable Returns on Demand to monitor and analyze web traffic and can be used to keep track of visitor behavior.
Contact you. Returns on Demand may use your information for notification and reminders such as:
Mailing lists or newsletters. By subscribing to the mailing list or the newsletter, your email address will be added to the contact list of those who may receive email messages containing information of a commercial or promotional nature concerning Returns on Demand. Your email address might also be added to this list as a result of signing up for an account with Returns on Demand or after making a payment to Returns on Demand.
Contact form or emails. By providing contact information on a contact form or email to Returns on Demand, you authorize Returns on Demand to use these details to reply to requests for information, quotes, or any other kind of request in your email and as indicated by the form’s header.
Managing contacts and sending messages. This type of service makes it possible to manage a database of email contacts, phone contacts, or any other contact information to communicate with you. These services may also collect data concerning the date and time when the message was viewed by you, as well as when you interacted with it, such as by clicking on the links included in the message.
Platform services and hosting. These services have the purpose of hosting and running key components of Returns on Demand, therefore allowing the provision of Returns on Demand from within a unified platform. Such platforms provide a wide range of tools to Returns on Demand (e.g. analytics, consumer registration, commenting, database management, e-commerce, payment processing) which require the handling of personal information. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the personal information is stored.
Selling personal information. Returns on Demand may at times sell your personal information, and other gathered information on you, to third parties in an anonymized form. Returns on Demand’s purpose of selling such information is to provide a benefit and reward to you and other Returns on Demand users. We use this information to help improve our services. Any personal information we sell shall be information you have previously agreed to share with Returns on Demand. Any personal information you agree to share with Returns on Demand, you also agree to sell to third parties. If you wish to opt-out then please notify Returns on Demand at the following “do not sell my personal information” link here.
Aggregate consumer information. Returns on Demand may at times, sell “aggregate consumer information” which is information relating to a group or category of consumers, from which individual consumer identities have been removed and is not linked or reasonably linkable to any consumer or household. Returns on Demand may sell aggregate consumer information without your consent.
vi. Who does Returns on Demand Share Information with
Returns on Demand may share your information, including personal information, as follows:
Service providers. At times, Returns on Demand may disclose the information collected from you to a third party or other service provider. Returns on Demand utilizes third parties and service providers to help achieve our purpose and render services offered. The third parties and service providers, in order to benefit Returns on Demand, are allowed to access personal information stored with Returns on Demand in order to perform their functions and for no other purpose.
Commercial partners and third parties. Returns on Demand may, in connection with its services, disclose and sell the personal information you provide to us, such as demographic information, as well as other types of information collected, to commercial partners and third parties. Returns on Demand will ensure that all safety steps are taken to ensure that your information is protected and kept secure.
Mergers. In the event of a merger with another company, or Returns on Demand is acquired by another company, we may transfer the information we have collected to the other company.
vii. Where Information is Processed and Stored
Your information may be stored and processed on our servers located in the United States. Data is processed at the operating office of Returns on Demand and any other places where the parties involved in the processing are located. Any corporate affiliates or third parties your information is provided or sold to may additionally store your information on their servers either in the United States or another country.
Depending on your location, data transfers may involve transferring your personal information to places other than your own. To find out more about the place of processing and storing of such transferred personal information, you can check the section containing details about the processing of personal information.
You are also entitled to learn about the legal basis of data transfers of personal information to a country outside the European Union or any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by Returns on Demand to safeguard your personal information.
If any such transfer takes place, you can find out more by checking the relevant sections of this document or inquire with Returns on Demand using the information provided in the contact section.
Retention of Personal Information
Returns on Demand may be allowed to retain personal information for a longer period whenever you have given consent to such processing, as long as such consent is not withdrawn. Furthermore, Returns on Demand may be obliged to retain personal information for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.
Once the retention period expires, all personal information shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after expiration of the retention period.
viii. Your Rights and Data Protection
You may exercise certain rights regarding your personal information processed and retained by Returns on Demand. In particular, you have the right to:
Be informed. You have the right to know what rights and protections are offered to you as a consumer and/or user of Returns on Demand.
Withdraw your consent at any time. You have the right to withdraw consent where you have previously given your consent to the processing of your personal information.
Object to processing of your data. You have the right to object to the processing of your personal information if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
Access your data. You have the right to learn if your data is being processed by Returns on Demand, obtain disclosure regarding certain aspects of the processing and obtain a copy of the data undergoing processing.
Verify and seek rectification. You have the right to verify the accuracy of your personal information and ask for it to be updated or corrected.
Restrict the processing of your data. You have the right, under certain circumstances, to restrict the processing of your data. In this case, Returns on Demand will not process your data for any other purpose than storing it.
Have your personal information deleted or otherwise removed. You have the right, under certain circumstances, to obtain the erasure of your personal information from Returns on Demand.
Receive your data and have it transferred to another controller. You have the right to receive your data in a structured, commonly used, and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the data is processed by automated means and that the processing is based on your consent, on a contract which Returns on Demand is part of, or on pre-contractual obligations thereof.
Lodge a complaint. You have the right to bring a claim before your competent data protection authority.
Not to be subject to automated decision-making including profiling.
Details about the right to object to processing.
Where personal data is processed for a public interest, in the exercise of an official authority vested in Returns on Demand, or for the purposes of the legitimate interests pursued by Returns on Demand, you may object to such processing by providing a ground related to your particular situation to justify the objection.
You must know that, should your personal information be processed for direct marketing purposes, you can object to that processing at any time without providing any justification. To learn whether Returns on Demand is processing personal information for direct marketing purposes, you may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise your rights can be directed to Returns on Demand through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by Returns on Demand as early as possible and always within one month. However, Returns on Demand may refuse or charge for any request that is unfounded or excessive. In that case, Returns on Demand will notify you, within one month of the request, of the refusal and the basis for it, and of your right to complain to the supervisory authority and seek a judicial remedy.
ix. Data Breaches and Data Security
Returns on Demand takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data. Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to Returns on Demand, in some cases, data may be accessible to certain types of persons in charge involved with the operation of Returns on Demand (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as data processors by Returns on Demand. The updated list of these parties may be requested from Returns on Demand at any time.
Returns on Demand secures personal information from misuse, unauthorized access, disclosure, and loss by ensuring a level of security appropriate to the risk to the information. Such measures include encryption and pseudonymization of personal data wherever possible, along with other technical and administrative procedures that are generally accepted practice in the industry. Personal information is additionally stored on secured servers.
However, despite Returns on Demand’s best efforts, nothing can guarantee 100% security of your information. If you have any questions concerning the protection of your personal information, please contact Returns on Demand.
In the event of a data breach, Returns on Demand will notify the corresponding supervisory authority within seventy-two (72) hours of learning of the breach or, if notification is made after 72 hours, will provide the supervisory authority with an explanation for the delay.
x. Sensitive and Restricted Scopes for Google and Other Similarly Situated Hosts
Certain web hosts, such as Google, require the use of scopes in order to access user data hosted on their platforms (“restricted scope data”). In order for the Returns on Demand application to function at its best, Returns on Demand uses restricted scopes with Google and other similarly situated hosts. Accordingly, Returns on Demand:
Limits the use of data and does not use or transfer data for ads, in any way, and will not use the restricted scopes data for serving advertisements.
Returns on Demand will only transfer restricted scopes data if that transfer is: (a) necessary to provide or improve user-facing features that are prominent from the Returns on Demand app interface, (b) to comply with applicable laws or (c) a part of a merger, acquisition or sale of assets of Returns on Demand.
Only uses the data gathered from restricted scopes to improve user-facing features, such as managing returns.
Will not allow humans to read the data unless: a user’s affirmative agreement is first obtained (e.g. for tech support); it is necessary for security purposes; it is necessary to comply with applicable law; or the use of such data is limited to internal operations and the data has been aggregated and anonymized.
Returns on Demand adheres to strict security practices and agrees to pass an annual security assessment as well as obtain a letter of assessment from a designated third party.
Returns on Demand agrees that it will not engage in any activity that may deceive or mislead either users of the Returns on Demand platforms or the web host, such as google.com, as to the Returns on Demand services.
Disclosure: “(Returns on Demand's) use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.”
California Civil Code section 1798.83 permits users of Returns on Demand that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. You may make two requests per 12-month calendar year. To make such a request, please see the contact information for Returns on Demand below. Please allow up to thirty (30) days for a response.
Returns on Demand complies with all applicable laws, codes, and regulations related to the protection of children’s privacy, including, but not limited to, the Children’s Online Privacy Protection Act of 1998 (COPPA). Returns on Demand is not intended for children under sixteen (16) years of age. No one under such age may provide information to Returns on Demand. We do not knowingly collect personal information from anyone under the age of 16. If you are under the age of 16, please do not provide any personal information to Returns on Demand. If we learn that we have collected or received personal information from an individual under 16 without verification of parental consent, we will delete that information. Please feel free to contact us if you believe we may have any information from or about an individual under the age of 16.
xii. Contact Information
Returns On Demand, Inc. Incident Response Policy
Policy Owner: Chief Financial Officer
Effective Date: August 23, 2022
Purpose: This document establishes the plan for managing information security incidents and events, and offers guidance for employees or incident responders who believe they have discovered, or are responding to, a security incident.
Scope: This policy covers all information security or data privacy events or incidents.
Incident and Event Definitions:
A security event is an observable occurrence relevant to the confidentiality, availability, integrity, or privacy of company-controlled data, systems, or networks.
A security incident is a security event which results in loss of or damage to the confidentiality, availability, integrity, or privacy of company-controlled data, systems, or networks.
Incident Reporting & Documentation.
If a Returns on Demand, Inc., employee, contractor, user, or customer becomes aware of an information security event or incident, possible incident, imminent incident, unauthorized access, policy violation, security weakness, or suspicious activity, then they shall immediately report the information using one of the following communication channels:
Email information or reports about the event or incident to firstname.lastname@example.org.
Reporters should act as a good witness and behave as if they are reporting a crime. Reports should include specific details about what has been observed or discovered.
The Executive Team, consisting of the CEO, CFO, and CTO, is responsible for monitoring reports of security incidents or events. The Returns on Demand, Inc. Executive Team shall monitor incident and event tickets and shall assign a ticket severity based on the following categories.
S3/S4 - Low and Medium Severity
Issues meeting this severity are simply suspicions or odd behaviors. They are not verified and require further investigation. There is no clear indicator that systems are at tangible risk, and they do not require emergency response. This includes a lost/stolen laptop with disk encryption, suspicious emails, outages, strange activity on a laptop, etc.
S2 - High Severity
High severity issues relate to problems where an adversary or active exploitation hasn’t been proven yet, and may not have happened, but is likely to happen. This may include a lost/stolen laptop without encryption, vulnerabilities with direct risk of exploitation, threats with risk of adversarial persistence on our systems (e.g. backdoors, malware), malicious access of business data (e.g. passwords, vulnerability data, payment information), or threats that put any individual at risk of physical harm.
S1 - Critical Severity
Critical issues relate to actively exploited risks and involve a malicious actor. Identification of active exploitation is required to meet this severity category.
Escalation and Internal Reporting
The incident escalation contacts can be found below in Appendix A.
S1 - Critical Severity: S1 issues require immediate notification to the CEO, CTO, and Director of IT.
S2 - High Severity: A High Severity ticket will be created in the event of an S2 incident by the Director of IT and completed/reviewed by the CTO. The team must inform the CEO and CFO via email, with a reference to the ticket number of the high severity incident.
S3/S4 - Medium and Low Severity: An S3 ticket will be created by the Director of IT, reviewed by the CTO, and assigned to the IT manager’s department for resolution.
All reported security events, incidents, and response activities shall be documented in response ticketing systems.
A root cause analysis may be performed on all verified S1 security incidents. A root cause analysis report shall be documented and referenced in the incident ticket. The root cause analysis shall be reviewed by the Director of IT and the CTO with an IT briefing/post mortem of the incident called by the CTO.
Incident Response Process
For critical issues, the response team led by the Director of IT will follow an iterative response process designed to investigate, contain exploitation, eradicate the threat, recover systems and services, remediate vulnerabilities, and document a post-mortem with the lessons of the incident.
● Event reported
● Triage and analysis
● Containment & neutralization (short term work)
● Recovery & vulnerability remediation
● Hardening & Detection improvements (lessons learned, long term work)
Director of IT will manage the incident response effort:
● A central “War Room” will be designated, which may be a physical or virtual location using Google Meet and a Slack channel
● A recurring Incident Response Meeting will occur at regular intervals until the incident is resolved.
● Legal and Executive Management will be informed as needed
Incident Response Meeting Agenda
● Update Incident Ticket and timelines
● Document new Indicators of Compromise (IOCs)
● Perform investigative Q&A
● Apply emergency mitigations
● Plan long term mitigations
● Document Root Cause Analysis (RCA)
● Additional items as needed
Issues where the malicious actor is an internal employee, contractor, vendor, or partner require sensitive handling. The incident manager (Director of IT or CTO) shall make contact directly and will not discuss the matter with other employees. These are critical issues where follow-up must occur.
Incident responders must communicate via a Slack channel or Google Meet arranged before listing themselves as incident members. If there are IT communication risks, an out-of-band solution will be chosen and communicated to incident responders via a one-to-one call, either on a landline or a private cell phone.
Additional Requirements
Suspected and reported events and incidents shall be documented.
Suspected incidents shall be assessed and classified as either an event or an incident.
Incident response shall be performed according to this plan and any associated procedures.
All incidents shall be formally documented, and a documented root cause analysis shall be performed.
Suspected and confirmed unauthorized access events shall be reviewed by the Incident Response Team. Breach determinations shall only be made by the CTO and the legal counsel in coordination with executive management.
Returns on Demand, Inc. shall promptly and properly notify customers, partners, users, affected parties, and regulatory agencies of relevant incidents or breaches in accordance with Returns on Demand, Inc. policies, contractual commitments, and regulatory requirements.
This Incident Response Plan shall be reviewed and tested by the assigned personnel at least every 12 months.
Roles & Responsibilities
Every employee and user of any Returns on Demand, Inc., information resources has responsibilities toward the protection of the information assets. The table below establishes the specific responsibilities of the incident responder roles.
Response Team Members
Role and Responsibility
The Incident Manager is the primary and ultimate decision maker during the response period. The Incident Manager is ultimately responsible for resolving the incident and formally closing incident response actions. See Appendix A for Incident Manager contact information.
These responsibilities include:
● Ensuring the right people from all functions are actively involved at all times
● Status updates are communicated to the appropriate persons at regular intervals
● Incidents are resolved in the immediate term
● Determining necessary follow-up actions
● Assigning follow-up activities to the appropriate people
● Promptly reporting incident details which may trigger breach reporting, in writing to the Director of IT or the CTO.
Incident Response Team (IRT)
The individuals who have been engaged and are actively working on the incident. All members of the IRT will remain engaged in incident response until the incident is formally resolved, or they are formally dismissed by the Incident Manager.
Engineers (Support and Development)
Qualified engineers will be placed into the on-call rotation and may act as the Incident Manager (if primary resources are not available) or a member of the IRT when engaged to respond to an incident. Engineers are responsible for understanding the technologies and components of the information systems, the security controls in place including logging, monitoring, and alerting tools, appropriate communications channels, incident response protocols, escalation procedures, and documentation requirements. When Engineers are engaged in incident response, they become members of the IRT.
Users (employees and contractors of Returns on Demand, Inc.) are responsible for following policies and for reporting problems, suspected problems, weaknesses, suspicious activity, and security incidents and events.
Customers are responsible for reporting problems with their use of Returns on Demand, Inc., services. Customers are responsible for verifying that reported problems are resolved.
Responsible, in conjunction with the CEO and executive management, for determining if an incident shall be considered a reportable breach. Counsel shall review and approve in writing all external breach notices before they are sent to any external party.
Responsible, in conjunction with the CEO and legal counsel, for determining if an incident shall be considered a reportable breach. An appropriate company officer shall review and approve in writing all external breach notices before they are sent to any external party.
Returns on Demand, Inc. shall seek stakeholder consensus when determining whether a breach has occurred. The Returns on Demand, Inc. CEO shall make a final breach determination in the event that consensus cannot be reached.
Returns on Demand, Inc. management has approved this policy and commits to providing the resources, tools and training needed to reasonably respond to identified security events and incidents with the potential to adversely affect the company or its customers.
Requests for an exception to this Policy must be submitted to and authorized by the CEO and executive management for approval. Exceptions shall be documented.
Violations & Enforcement
Any known violations of this policy should be reported to the CEO and Executive Management. Violations of this policy may result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Version: 1.0
Date: 8/23/2022
Description: RoD_Incident-Response-Plan_08-23-2022
Author / Approved by: CEO & Executive Management
Appendix A – Contact Information
Contacts for IT and Engineering Management, as well as executive staff, can be found here: