Privacy Policy
This U.S. State Privacy Notice is an addendum to the main Privacy Policy and applies to individuals defined as “Consumers” under applicable U.S. state privacy laws. These laws include the California Consumer Privacy Act as updated by the California Privacy Rights Act, the Virginia Consumer Data Privacy Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, and any other similar state laws, including their amendments, regulations, and effective dates. Collectively, these are referred to as “U.S. Privacy Laws.” This notice supplements the main Privacy Policy, and if any part of that policy conflicts with this notice, this notice will control for Consumers exercising their rights under U.S. Privacy Laws.
This notice describes our personal data practices for the 12-month period leading up to the “Last Updated” date of the main Privacy Policy. It also serves as a current “notice at collection,” explaining what personal data we collect both online and offline, why we process it, and other information required by law. We will update this notice at least once a year. If we begin new or significantly different types of processing that are not yet described here, we will provide additional notice as required, either at the time of collection or through an earlier update to this notice. We may amend this notice at any time. For questions, please see the Contact Us section.
In general, we collect, use, retain, and share your personal data for business and commercial purposes. These are described throughout the main Privacy Policy, including in sections like “How We Gather & Use Personal Data” and “How We Disclose Personal Data,” which together are called our “Processing Purposes.” The sources of personal data are also described in the “How We Gather & Use Personal Data” section. Some of these purposes involve activities that certain U.S. Privacy Laws define as a “Sale,” “Sharing,” or “Targeted Advertising.” More details about these terms are in the “Do Not Sell/Share/Target” section of this notice.
The table in this notice organizes the categories of personal data we collect. The first column lists the category, such as identifiers or internet usage information. The second column gives examples of data types within that category. The third column shows who receives that data, including recipients for business purposes and recipients that may be considered a Sale or Share under certain laws. Not all data in the examples is sold. For instance, we may collect financial account data or government IDs to provide services, but we do not sell that data. However, we may sell unique IDs or account information to third parties. The fourth column lists the Processing Purposes that apply to each category, and the fifth column shows how long we keep each category of data.
We also collect sensitive personal data in some cases, such as financial account credentials, health data, precise geolocation, racial or ethnic origin, and inferences drawn from certain information. The second table in this notice covers sensitive personal data, including examples, recipients, purposes, and retention periods. In many cases, we do not sell or share sensitive personal data, and where we do, it is only as permitted by law.
We may also share each category of personal data with recipients in ways that do not constitute a Sale or Sharing. These include sharing with the consumer directly, sharing at the consumer’s direction, sharing for legal reasons, and sharing with vendors and subcontractors who are contractually bound to use the data only for our business purposes.
Consumer Rights Requests
We provide Consumers in certain states with the privacy rights described here, subject to verification. For residents of states without consumer privacy laws, we will consider requests but apply our discretion. For states with laws that are not yet effective, we may choose to apply those rights early at our discretion.
Making a Request and Scope of Requests
Some requests are subject to a Verifiable Consumer Request process. We will not fulfill those requests unless you provide enough information for us to reasonably verify your identity. To make a request, call us at (877) 701-0404, visit our Preference Center via the “Your Privacy Choices” link on our websites or the Settings menu in our mobile apps. You do not need to create a password-protected account to make a request. We will use information from your request only to verify your identity and track our response. We typically do not charge a fee unless a request is excessive, repetitive, unfounded, or overly burdensome.
Verifying Your Request
We verify your identity before granting access or considering deletion. After receiving your request, we will send you a verification form by email or postal mail. You may be asked to provide your name, email address, postal address, or date of birth. Verification standards vary by request type. For less sensitive requests, we match at least two data points. For more sensitive requests or requests for specific pieces of data, we match at least three data points and may ask for a signed declaration under penalty of perjury. If we cannot verify you for a deletion request, we will direct you to this notice for a general description of our practices. If we cannot verify a request for specific pieces of data, we will treat it as a request for categories of data.
Authorizing an Agent
You may designate an authorized agent to submit a request on your behalf. We will ask for proof that you gave the agent signed permission, and we may require you to verify your own identity or confirm the agent’s authority directly with us.
Appeal Rights
If we deny your request, you may appeal by following the instructions provided in our response or by using the appeal link in this notice.
Right to Know and Access
You have the right to request, twice in a 12-month period, the categories of personal data we have collected about you, the sources of that data, the purposes for collection or sale, the categories of third parties to whom we sold or shared data, and the categories of data disclosed for business purposes. You also have the right to request a transportable copy of specific pieces of personal data we collected about you in the prior 12 months.
Right to Delete
You have the right to request deletion of certain personal data we have collected from you. We may not delete data when retention is required for internal business purposes, fraud prevention, legal compliance, or as otherwise permitted by law.
Right to Correct
You have the right to request correction of inaccuracies in your personal data that we maintain, subject to verification and applicable legal standards.
Right to Limit Sensitive Personal Data Processing
Depending on your state of residence, you have the right to revoke consent or direct us to limit our use and disclosure of sensitive personal data beyond certain internal business purposes.
Automated Decision-Making and Profiling
We do not carry out profiling or automated decision-making that would require opt-out rights under applicable laws.
Do Not Sell, Share, or Target
You have the right to opt out of Sales, Sharing, and Targeted Advertising. Our opt-out process combines all of these into a single request. For non-cookie personal data, such as your email address, submit an opt-out request through the link in this notice. For cookie-based personal data, use our cookie management tool by clicking “Do Not Sell or Share My Personal Information / Opt-Out of Targeted Advertising” in the footer of each website or in the Settings menu of each mobile app. You must exercise your preferences separately on each website, each mobile app, each browser, and each device. If you clear or block cookies, your preferences will no longer be effective.
Global Privacy Control
We process Global Privacy Control signals as required by law. When you visit our website with GPC enabled on your browser, we apply the opt-out to cookie data collected on that browser. If you log into your account on that same browser, we also apply the opt-out to non-cookie data associated with your account. If you use a different browser without GPC enabled, we cannot apply the prior opt-out unless you log into your account on that browser. We process GPC signals in a frictionless manner, with no fees, no changes to your experience, and no pop-ups or interstitials.
Incentive and Loyalty Programs
We operate Rewards Programs that may be considered financial incentives or loyalty programs under U.S. Privacy Laws. We use most categories of personal data to administer these programs, and some of that data may be sold or used for targeted advertising. You may opt in to a Rewards Program by signing up on the applicable page, and you may withdraw at any time. The value we assign to personal data in these programs is based on the benefit provided, and we believe that value is reasonably related to the rewards you receive.
Non-Discrimination
We will not discriminate against you for exercising your privacy rights. However, if you request deletion of your personal data, you may no longer be able to participate in Rewards Programs because we need that data to operate the programs.
Other California Notices
For minors under 18 who post content on our interactive services, you may remove or delete that content at any time by following the instructions on our sites. We also provide a separate “Shine the Light” opt-out for sharing personal information with third parties for their own direct marketing purposes. California residents may submit a Shine the Light request by mail to the address in this notice, attesting to California residency and providing a current California address.
International and Country-Specific Sections
For residents of the EEA, UK, Switzerland, and Serbia, additional information is provided regarding data controllers, retention, and transfers. Different P&G entities act as data controllers depending on the country. For Brazil, we provide information under the LGPD, including rights of data subjects, international transfer details, and contact information for the Data Protection Officer. For Colombia, we provide information under Law 1581 of 2012, including rights of data subjects, authorization requirements, and procedures for inquiries and complaints. For Malaysia, Nigeria, Saudi Arabia, Vietnam, and Ecuador, we provide country-specific addenda that supplement the main Privacy Policy and include local legal requirements, data controller information, and instructio