Graco Global Privacy Notice

Last Modified: December 1, 2022

1. Introduction and Scope

Graco Inc. (“Graco”) and its affiliates and subsidiaries (together “we”, “our”, or “us”) are committed to protecting your privacy. This notice describes the categories of Personal Data we process in connection with your use of any of the websites available at www.graco.com (“Websites”) and the services, features or content we offer (“Services”), the purposes for which Personal Data is collected, the parties with whom we share it and the security measures we take to protect your data. It also informs you about your rights and choices with respect to your Personal Data, and how you can contact us to inquire about our data protection practices. Please read this notice carefully. In the event you disagree with any provision in this notice, please do not use Websites or provide any Personal Data. This notice may change from time to time; for more information about notice amendments, see Section 13 below.

2. Data Controller

For the purpose of this notice

Graco Inc.
Attn: Legal-Privacy
88-11th Avenue Northeast
Minneapolis, MN 55413
USA

is responsible for the processing of your Personal Data as the data controller.

 

You can contact us by:

  • emailing privacy@graco.com;
  • calling either +1 612 379 3654 (US), +1 866 361 5924 (US, toll-free); or +32 (0) 89 770 860 (EU);
  • or mailing

Graco Inc.
P.O. Box 1441
Minneapolis, MN 55440-1441
USA

3. Personal Data We Collect About You and How We Collect It

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

When visiting our Websites you have the option to provide us with Personal Data relating to you. Additionally, when you use our Services we automatically collect certain information about you and your internet usage. The specific categories of Personal Data concerned and the sources from which we obtain them are linked to the way you interact with our Websites and Services. More information about the categories of Personal Data and the ways in which we collect it are described below.

(1) Personal Data You Give to Us. Our Websites offer you the possibility of (i) contacting us via an online request form; (ii) signing up to receive email alerts; and (iii) registering for a Customer Information System (“CIS”), Graco Partner Portal ("Partner Portal"), or a Graco External Distributor Interface (“GEDI”) account. The Personal Data thereby collected includes:

If you are a Graco distributor (“distributor”):

Contact information about you such as your first and last name, email address, your phone and fax number, your zip/postal code, your state and country of residence;

Professional information related to you and to those of your employees with access to the CIS, Partner Portal, or GEDI account consisting of your company name, first and last name, (function) title, email address, the company’s general manager’s name, the company’s website, the company’s address, the shipping address and your Graco account number;

Your and your employee’s CIS, Partner Portal, or GEDI passwords; and

Contract information (provided the contract party is the end consumer) such as bank account information, creditworthiness, terms of payment and financing.

The obligatory fields are marked as such on the interface. The use of and the interaction with our Websites or Services is subject to the provision of this information.

If you are a general user (“general user”):

Contact information such as your first and last name, email address, your phone number, your zip/postal code, your city, state and country of residence; and

Professional information such as your company name.

(2) Personal Data We Automatically Collect. As you navigate through our Websites or when you interact with our Services, we use automatic data collection technologies to collect certain Personal Data about your device, browsing activity, and patterns, including:

Log usage data of your visits to our Websites and use of our Services, including technical session and connection information, resources that you access, traffic data, location data, date and time of access and frequency;

Personal Data about your computer and internet connection, hardware and software, including your IP address, operating system, host domain, browser type, language settings, web pages you viewed on our Websites, search terms and times of your visit; and

Details of referring websites (URL) and web pages you visited prior to ours.

(3) Cookies Used On Our Websites. We use cookies, beacons and similar technologies on our Websites. Cookies are small data files that are stored on a user’s computer for record keeping purposes. We use them in public areas of our Websites, as well as on the CIS and GEDI areas of the Websites.

Our Websites use single-session (temporary) and multi-session (persistent) cookies. Temporary cookies last only as long as your web browser is open, and are used for technical purposes such as enabling better navigation on our Websites. Once you close your browser, the cookie disappears. Persistent cookies are stored on your computer for longer periods and are used for purposes which include tracking the number of unique visitors to our Websites and Personal Data such as the number of views a page gets, how much time a user spends on a page, and other pertinent web statistics. This Personal Data identifies your browser to our servers when you visit the Websites.

Most web browsers are set to accept cookies by default. If users prefer, they can usually choose to set their browsers to remove and reject cookies. In some cases, removing or rejecting cookies may affect certain features or services on our Websites. If you want to disable the use of cookies or remove them from your computer, you can disable or delete them at any time using your browser (consult your browser's "Help" menu to learn how to delete cookies).

(4) Social Media Plugins. When using our Websites we allow you to share information with social media sites and to access our social media profiles through so-called plugins. Social networks are able to retrieve Personal Data through those plugins, even if you don’t interact with them. Moreover, if you are logged onto a social network while visiting our Websites with social plugins embedded in them, the network can collect and store information about such visit and link it to your social network user account. As we have no control over the data collected by social media networks through their plugins, we encourage you to read their applicable data privacy policies to learn more about them.

Once you choose to share information from our Websites on social media or when you connect with our social media profiles through the plugins, those social media sites allow us to automatically access Personal Data retained by them about you consisting of content viewed by you, content liked by you and information about the advertisements you have been shown or have clicked on. You can restrict our access to your Personal Data by changing your privacy setting on the respective social media site.

Lastly, you can access our Websites via a third-party service, e.g. from our profiles on social networks. In those cases, we collect Personal Data from your social media user account consisting of your first and last name, email address and phone number and any other information you have made public.

If you use Graco’s ecommerce site (e.g., shop.graco.com) to order Graco Product (“ecommerce user”):

When you use a Graco ecommerce site, such as shop.graco.com, we collect the same information as a “general user” of a Graco website, including cookies and contact information such as your first and last name, email address, your phone number, your zip/postal code, your city, state and country of residence; and professional information such as your company name.  Such information you provide as an ecommerce user is stored, used, and managed through the same Customer Relationship Management (CRM) process as a general user.

You cannot create an account with Graco’s ecommerce site; product purchase and checkout is only available as a “guest” account.

We connect you with a third party payment processor, Cybersource, a Visa Solution, for the processing of your payment: Cybersource, P.O. Box 8999, San Francisco, CA, 94128. You should also carefully review the Cybersource Privacy Policy (https://www.cybersource.com/en-us/about/dpa.html) before placing an order for Graco Products. Graco does not collect, use, share, or retain your financial information.

4. How We Use Your Personal Data

We will only process your Personal Data for specific, explicit and legitimate purposes. We will not process your Personal Data for any further purposes than the ones the data was originally intended for, unless the new purpose is compatible with the original one. In the absence of compatibility, the processing of data for further purposes is subject to your prior explicit consent.

We process the Personal Data you provide us with for the purposes listed below:

If you are a Graco distributor:

Evaluate your eligibility for a CIS, Partner Portal, or GEDI account and manage your account;

Communicate with you upon a request for information, support or customer service; and

Inform you about our products and services, events, newsflashes, newsletters, surveys, purchases of services and/or products.

If you are a general user or an ecommerce user:

Inform you about our products and services, events, newsflashes, newsletters, surveys, purchases of services and/or products;

Communicate with you upon a request to offer information, product support or for the purpose of customer service;

Log the Graco products you have purchased, if applicable (e.g., a Product Registration Form submitted by you, your ecommerce purchase on shop.graco.com, etc.); and

Send you email alerts to inform you about publications on your investors’ domain.

The Personal Data we collect automatically is statistical data that helps us improve our Websites’ features and functionalities in order to deliver a better and more personalized service, including by enabling us to:

Determine website traffic patterns;

Count web visits;

Determine traffic sources so we can measure and improve the performance of our site;

Observe site search patterns to provide more intuitive navigation cues;

Determine user frequency and time between user visits; and

Prevent and detect misuse and malfunction of our Websites including troubleshooting.

The processing of all the Personal Data we collect relating to you is either based (i) on your consent; (ii) necessary to provide you with our products and services at your request prior to entering into a contract with you or necessary for the performance of a contract to which you are party; (iii) necessary to comply with a legal obligation; or (iv) based on our legitimate interests in ensuring the functionality of our Websites and Services and that they are tailored to your needs, unless these are overridden by your interests and rights.

As an ecommerce user, you are providing the same information as a general user. For example, the contact information you provide as an ecommerce user during checkout is stored and used through the same Customer Relationship Management (CRM) process as a general user that provides their contact information, such as in the “Contact Us” form.

5. How We Share Your Personal Data

Due to the international scope of our business, your Personal Data can be shared or accessed by Graco-affiliated entities within the company group. You can find more information on data transfers to affiliates based outside of the EU in Section 6 below.

Subject to applicable law and regulations, we share your Personal Data with:

Public authorities, including law enforcement;

Graco distributors;

Service providers acting on our behalf for the purposes listed above in Section 4, wherein we require these service providers to only process Personal Data in accordance with our instructions and only as long as necessary to perform the requested services or in compliance with applicable law (e.g., invitation mailing and newsletter distribution providers, website and app administration providers); and

In connection with a merger, joint venture, sale or transfer of all or a portion of our assets or stock, or other similar corporate transactions involving a change of ownership or control.

For payment processing, we connect you via our ecommerce site with our retained third party payment processor, Cybersource, a Visa Solution.  They collect your financial information (e.g., credit card information) for paying for your Graco Product.  Graco does not collect, use, share, or retain your financial information.

6. International Transfers of Personal Data

International data transfers refer to transfers of Personal Data outside of the European Economic Area (“EEA”). We are a company with operations around the world. Accordingly, our business requires the transfer of Personal Data to and from other group companies or third parties, which may be located outside the EEA, including the United States of America. A list of our worldwide Graco-branded group companies can be obtained here. Our non-Graco-branded subsidiaries include White Knight Fluid Handling, QED Environmental Systems Handling, Graco Fluid Handling (I) Inc. doing business as Imtec Aculine Inc., Graco Fluid Handling (H) Inc. doing business as Heateflex Corporation, HiP, and Gema Powder Coating and its subsidiary SAT S.p.A. We will only transfer Personal Data to countries that provide for an adequate data protection standard meeting the requirements as set out by the European Commission. Data transfers to countries not meeting that threshold will only occur in accordance with international data transfer agreements based on EU Standard Contractual Clauses.

If you are a resident of a country in the EEA or the UK, the European Commission (“EC”) recognizes some non-EEA countries as providing an adequate level of data protection according to EEA standards. For transfers from the EEA to countries not considered adequate by the EC, as well as for transfers from the UK to countries not considered adequate by a competent authority with jurisdiction over such transfers, we have put in place measures deemed adequate by the EC, such as the EC’s standard contractual clauses, to protect your personal information. You may obtain a copy of these measures by contacting us at privacy@graco.com.

Graco commits to resolve complaints about our collection or use of your personal information. EEA and Swiss individuals with inquiries or complaints regarding our policy should first contact privacy@graco.com, calling either +1 612 379 3654 (US) or +32 (0) 89 770 860 (EU), or mailing

Graco Inc.
Attn: Legal-Privacy
88-11th Avenue Northeast
Minneapolis, MN 55413
USA

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our third party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield.

Graco is a company with operations around the world. Accordingly, personal information received by Graco may be used globally in connection with employment or business operations within Graco. Personal information may be transferred between Graco entities located in North America, South America, Europe, the Middle East, Africa, Asia-Pacific and elsewhere. Personal information may also be transferred to third parties acting as agents and performing tasks on behalf of and under the instructions of Graco. Graco will transfer personal information received from the EU or Switzerland to a third party agent only if Graco first ascertains that the third party agent subscribes to the Principles, is subject to the European Commission’s Directive on Data Protection or another adequacy finding, or agrees in writing to provide at least the same level of privacy protection as is required by the Principles.

7. Data Retention

As a general rule, we will not retain your Personal Data for longer than is allowed under the applicable data protection laws or for longer than is necessary in relation to the purposes for which it was originally collected or otherwise processed. In the event of inactivity of your CIS, Partner Portal, or GEDI account for the duration of a period of 2 years we will delete your Personal Data, unless statutory retention periods apply.

In the absence of statutory retention periods, alternatively after completion of those periods, we will erase your Personal Data. Further, we will erase your Personal Data where one of the following applies: (i) when you withdraw your consent (where lawfulness of processing was based on your consent) and there is no other legal ground for the processing; (ii) when you object to the processing and there are no overriding legitimate grounds for the processing; (iii) when your Personal Data has been unlawfully processed; and (iv) when it is necessary to comply with legal obligations.

8. Your Rights with Regard to Your Personal Data

You have certain rights regarding the Personal Data we maintain about you and certain choices about what Personal Data we collect from you, how we use it, and how we communicate with you.

The right to request access to and receive information about the Personal Data we maintain about you.

The right to rectification or erasure of your Personal Data.

The right to restriction of processing of your Personal Data.

The right to data portability in order to transfer your Personal Data easily to another company.

Where Personal Data processing is based on your consent, the right to withdraw your consent at any time. You can tell us not to send you any further marketing emails by clicking on the unsubscribe link within the marketing emails you receive from us or by contacting us as indicated below.

The right to lodge a complaint with a supervisory authority.

The right to object to processing concerning your Personal Data.

You can submit a request to exercise these rights at any time by contacting our DPC at privacy@graco.com, calling either +1 612 379 3654 (US) or +32 (0) 89 770 860 (EU), or mailing

Graco Inc.
Attn: Legal-Privacy
88-11th Avenue Northeast
Minneapolis, MN 55413
USA

9. Data Security

We have implemented appropriate technical and organizational measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. These precautions include the use of physical, electronic and organizational measures. Physical security measures are intended to prevent unauthorized access to database equipment and hard copies of Personal Data. Electronic security measures, such as firewalls, restricted access and/or encryption are intended to monitor access to our servers and protect against hacking and other unauthorized access from remote locations. Organizational security measures are intended to limit access to Personal Data to only those employees and service providers who have a specific purpose for maintaining, using, and processing such information.

10. Third-Party Websites

Our Websites may contain links or references to other websites outside of our control. Please be aware that this notice does not apply to these websites. We encourage you to read the Data Privacy Policies and terms and conditions of linked or referenced websites you enter. These third-party websites may send their own cookies and other tracking devices to you, log your IP address, and otherwise collect data or solicit Personal Data.

11. Children

Our Websites are not intended for children and we have no intention of collecting Personal Data from individuals under eighteen years of age. If a child has provided us with Personal Data, a parent or a guardian of that child may contact us to request to have such information deleted by emailing privacy@graco.com, calling either +1 612 379 3654 (US) or +32 (0) 89 770 860 (EU), or mailing

Graco Inc.
Attn: Legal-Privacy
88-11th Avenue Northeast
Minneapolis, MN 55413
USA

12. California Residents - Your California Privacy Rights

Pursuant to the California Consumer Privacy Act, California residents may have the right to opt-out of the "sale" of your Personal Data.  As described above, Graco uses third party cookies in operating its internet presence.  The data collected by such third party cookies may be considered the sharing of data between Graco and the third party cookie provider.  In certain jurisdictions, such sharing may be considered a "sale" of your Personal Data and you may have the right under applicable law to opt-out of or object to such sharing.  To exercise this right, contact us at privacy@graco.com or 866-361-5924.  Please note "CA Opt-out Request" in the subject line of your email. To protect your privacy and security, we will need to verify your identity before acting on a request. For additional information about our data processing practices related to the California Consumer Privacy Act 2018, see CALIFORNIA CONSUMER PRIVACY RIGHTS ("California Rights").  These California Rights do not apply to Graco applicants, employees, contractors, owners, directors, or officers where the Personal Data we collect about those individuals relates to their current, former, or potential role at Graco.

13. Revisions to our Data Protection Notice

We reserve the right to amend this notice from time to time consistent with applicable data protection laws and regulations. Any changes to this notice will be posted on this page. If we make material changes to how we treat your Personal Data, we will notify you through a notice on the Website home page via a separate banner related to this Data Protection Notice. The date this notice was last revised is identified at the top of the page.

14. Graco IoT Device Data Protection Notices

The following URLs provide Data Protection Notices for relevant Graco products, which may be updated from time to time.

Graco