Privacy Policy

Effective date: March 1, 2025

1. Introduction

Carr Biosystems processes Personal Data that relates to the contact people of our customers, suppliers/vendors, and other stakeholders, as well as to people who browse our websites. This Privacy Notice describes what Personal Data is processed and how. The description of how we process Personal Data in recruitment can be found on our Careers site.

2. Definitions

• “Barry-Wehmiller”, “the Company”, “we” and “us” mean Barry-Wehmiller Group, Inc.¹, and its subsidiaries, affiliates and related companies.²
• “Stakeholders” mean our current, former or future customers, suppliers/vendors and other stakeholders.
• “Individuals” mean people who browse our websites or who represent the Stakeholders.
• “Personal Data” means any information relating to an identified or identifiable person.

3. How Personal Data is Used

Personal Data may be processed for the purposes described below, under the lawful bases listed below.

We collect Personal Data directly from Stakeholders and Individuals as well as through their interactions and use of our products and services. We do not knowingly collect Personal Data about Individuals who are minors. The Personal Data we collect depends on the context of the interactions.³ In limited circumstances we may also collect Personal Data from third parties, for example for lead generation, customer/supplier due diligence or credit checks.

3.1 Managing the Contractual Relationship

Personal Data may be processed for the following purposes:

1. providing or buying products and services;
2. sales and Stakeholder relationship management and communication;
3. logistics and customs;
4. billing and debt collection;
5. financial and tax reporting and analysis;
6. insurance.

For these purposes, categories of Personal Data may typically include the following: Individual’s name and contact details; preferred language; information about the role and job location; billing information (including credit card data); Stakeholder’s name and other information about the Stakeholder, their business and the machine/equipment/service they are using/providing.

The processing is considered necessary for the performance of a contract to which the Stakeholder is party, or in order to take steps at the request of the Stakeholder prior to entering into a contract.⁴

3.2 Marketing

Personal Data may be processed for marketing activities. This includes for example newsletters, tracking service or website usage for targeting purposes, and events at trade shows.

For this purpose, categories of Personal Data may typically include the following: Individual’s name, contact details and marketing preferences; the following information when using our websites or digital services: login details, information about how the Individual is using the service (for example when and which part of the service), Individual’s IP address, browser, network, device, web pages visited prior to coming to the service; preferred language; photos or videos (with prior written permission) in relation to some marketing activities; information about the role and job location; Stakeholder’s name and other information about the Stakeholder, their business and the machine/equipment/service they are using/providing.

Subject to applicable legislation, the processing is based on consent, or on the legitimate interests pursued by the Company.⁵ Individuals can withdraw their consent or object to marketing communication at any time by clicking the “Unsubscribe” link included in marketing e-mails.

When applicable, the consent for tracking technologies can be provided in the cookie settings of the website. More information can be found in the respective Cookie Policy on the website used.

3.3 Compliance

Personal Data may be processed for the following purposes:

1. corporate compliance;
2. compliance with contractual or legal obligations;
3. to protect the health and safety of our team members, external stakeholders and the public.

For these purposes, categories of Personal Data may typically include the following: Individual’s name and contact details; information about the role and job location; billing information; Stakeholder’s name and other information about the Stakeholder, their business and the machine/equipment/service they are using/providing.

The processing is considered necessary for compliance with legal obligations to which the Company is subject.⁶

3.4 Due Diligence and Protection of Company’s Rights and Interests

Personal Data may be processed for the following purposes:

1. stakeholder due diligence;
2. customer and Individual financial checks in relation to loans to customers;
3. to protect against legal liability;
4. to protect and defend the rights or property of the Company;
5. to prevent and investigate wrongdoings in connection with the property or services;
6. litigations;
7. privacy, information security and operational and information technology management.

For these purposes, categories of Personal Data may typically include the following: Individual’s name and contact details; information about the role and job location; billing information; financial information in relation to loans to customers; Stakeholder’s name and other information about the Stakeholder, their business and the machine/equipment/service they are using/providing.

The processing is considered necessary for the purpose of the legitimate interests pursued by the Company, including security, effective financial and administration management, and protection of property and rights.⁷

3.5 Customer Support

Personal Data may be processed for the following purposes:

1. Machine/equipment installation;
2. machine/equipment monitoring, diagnostics, fault analysis and debugging in order to optimize machine operations and to reduce support response times and costs;
3. production and service team management (including applying for visas that are needed in customer’s location) and training;
4. customer care and support activities;
5. analysing data for offering predictive and preventive maintenance;
6. to facilitate spare parts ordering;
7. backups and recovery as part of normal maintenance practice for the service;
8. providing notifications internally and/or to the customer for certain alarm conditions or status/fault updates;
9. auditing the machine/equipment remotely to verify the condition of the machine/equipment to determine if changes or adaptations are needed.

For these purposes, categories of Personal Data may typically include the following: Individual’s name and contact details; video/sound recordings or photos that may include the Individual in addition to machine/equipment related data; Stakeholder’s name and other information about the Stakeholder, their business and the machine/equipment/service they are using. Operator identifier (i.e. identifier that is created by the customer and that the machine operator uses to log in to the machine) may be linked with machine related data in order to understand how the machine is used and how operator behaviour may affect the machine, in order to better utilise the machine and make it run better.

The processing is considered necessary for the performance of a contract to which the Stakeholder is party, or in order to take steps at the request of the Stakeholder prior to entering into a contract.⁸

3.6 Services (Including Digital Services and Websites)

Personal Data may be processed for the following purposes:

1. access permission control (to provide and manage access to the service);
2. tracking usage to monitor how service is used and to develop it;
3. technical and security management and handling issues;
4. providing a contact form and communicating to users;
5. to enable ordering of machines, services, equipment or spare parts.

For the above purposes, categories of Personal Data may typically include the following: Individual’s name and contact details; preferred language; the following information when using our websites or digital services: login details, information about how the Individual is using the service (for example when and which part of the service), Individual’s IP address, browser, network, device, and web pages visited prior to coming to the service; Stakeholder’s name and other information about the Stakeholder, their business and the machine/equipment/service they are using/providing.

The processing is considered necessary for the performance of a contract to which the Stakeholder is party, or in order to take steps at the request of the Stakeholder prior to entering into a contract.⁹

When applicable, the consent for tracking technologies can be provided in the cookie settings of the website. More information can be found in the respective Cookie Policy on the website used.

3.7 Product Development

Personal Data may be processed for the following purposes:

• Analysis and improvement of machines, equipment and services.

For these purposes, information about machines, equipment and services is mainly used. However, if necessary for the purposes, Personal Data may also be used. Categories of Personal Data may typically include the following: Individual’s name; login details; information about how the Individual is using the service (for example when and which part of the service); Individual’s IP address, browser, network, device, and web pages visited prior to coming to the service.

The processing is considered necessary for the purpose of the legitimate interests pursued by the Company, including the improvement of its products and services.¹⁰

3.8 Cookies

Our websites utilize cookies (small text files that a website, when visited by a user, asks the user’s browser to store on the user’s device in order to remember information about the user) as well as other tracking technologies. More information about how these are used can be found in the respective Cookie Policy on the website used.

3.9 Consulting and IIoT Services

Further, we may provide services, for example in relation to consulting or IIoT (Industrial Internet of Things), where we process Personal Data as the “data processor” on behalf of our customer. In these situations, the customer is the “data controller” and carries the responsibilities under applicable legislation, including providing a privacy notice to individuals describing how their Personal Data is processed.

4. Sharing and Transfer

Personal Data may be shared within the Company. Personal Data may be accessed and processed, when necessary for the purposes described above, by our relevant team members.

When necessary, Personal Data may also be shared with external parties, for example with external advisors (including, but not limited to, legal, tax and insurance advisors), auditors, creditors, banks, credit insurance partners or relevant authorities. Further, we may use IT third party service providers (including, for example, ERP software and application providers and cloud providers) sales agents or debt collection agencies to process Personal Data on our behalf. In some cases, Personal Data may be shared with companies specialized in services to assess Stakeholders’ reliability and to screen for risk and compliance.

Personal Data may be stored, transferred to, and processed in any country where we have team members or facilities or in which we engage service providers, including in the United States of America. The list of Barry-Wehmiller Group, Inc.’s subsidiaries and affiliates and relevant contact details can be found here: https://www.barrywehmiller.com/business.

Transfers of Personal Data to third countries in the context of the activities of an establishment of a data controller or a data Processor in the European Union are mainly based on either adequacy decision¹¹ under art. 45 EU Reg. n. 2016/679 and/or standard data protection clauses¹² under art. 46.2. (c) EU Reg. n. 2016/679.

5. Retention

Personal Data will be retained in accordance with applicable records retention policies of the Company, or as long as reasonably necessary for the purposes in accordance with applicable legislation, whichever is longer. The criteria used to determine our retention periods include:

• The length of time there is an ongoing relationship with the Stakeholder, and we provide services for the Stakeholder, and the length of time thereafter during which we may have a legitimate need to reference Personal Data to address issues that may arise;
• Whether there is a legal obligation to which we are subject to (for example, certain laws require us to keep records for a certain period of time before we can delete them);
• Whether Individual has withdrawn their consent or has objected to the processing;
• Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations); or
• The length of time of time necessary to ensure mitigating IT security threats.

6. Security

We implement and maintain industry standard technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access. We make reasonable efforts to ensure a level of security appropriate to the risk of the processing, taking into account the costs of implementation and the nature, scope, context and purposes of processing of Personal Data.

7. More Information and Privacy Rights

Individuals may contact us for more information on how their Personal Data is collected, used, and disclosed. Individuals may also request to opt out from marketing messages, when applicable. Individuals may also exercise the following privacy rights, subject to applicable legislation:

• obtain confirmation from the Company as to whether or not personal data concerning them are being processed, and, where that is the case, obtain access to the personal data (right to access);
• update, amend and/or correct their personal data (right to rectification);
• obtain from the Company the erasure of personal data concerning them without undue delay (right to erasure);
• where applicable, receive the personal data concerning them, provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided (right to portability);
• withdraw their consent at any time, where provided;
• object to the processing on grounds relating to their particular situation (right to object);
• obtain from the Company the restriction of the processing, if applicable, e.g. where the accuracy of personal data is contested or the processing is unlawful (right to restriction on processing);
• lodge a complaint with applicable supervisory authority. In case the applicable supervisory authority is in Europe, the contact details can be found here: https://edpb.europa.eu/about-edpb/board/members_en, https://ico.org.uk/ and www.edoeb.admin.ch/en. Individuals located outside of Europe are encouraged to check with their country/state governments to retrieve the contact details of the relevant authorities.

Contact details for more information and to exercise the rights described above:

• By email: dataprotection@barry-wehmiller.com
• By post: Group Data Protection Officer
  Legal Team
  Barry-Wehmiller Group
  8027 Forsyth Blvd
  St. Louis, MO 63105-1707
  United States of America

8. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. Any changes will be posted on the applicable websites.

California Addendum

1. Introduction

This California Addendum to the Barry-Wehmiller Group, Inc. (the “Company”) Privacy Notice describes the Company’s practices regarding the collection, use, and disclosure of the personal information of Individuals who are California residents (“California Individuals”), describes the rights of California Individuals under the California Consumer Privacy Act (“CCPA”), and explains how California Individuals may contact the Company to exercise their rights, if applicable (the “Addendum”). This Addendum supplements the Privacy Notice above.

California Individuals who have a disability may be able to use a screen reader or other assistive device to review the contents of this Privacy Notice. If you require additional disability assistance, please reach out to your contact person in the Company, or call the Barry-Wehmiller company that you have a relationship with (contact details listed at https://www.barrywehmiller.com/business). You may also contact us through the “Contact us section” of our website, advise of a request for disability assistance and request a call back.

2. Personal Information Collected

Within the last 12 months, we have collected the following categories of personal information from California Individuals:

• Identifiers: an individual’s name, contact details, IP address, government identifiers;
• Customer records: a signature, billing and financial information, credit card data, employment history;
• Commercial Information: records of Stakeholders, including their business and the machine/equipment/service being used;
• Internet or other similar network activity: browsing history, search history, interactions with websites, applications or advertisements;
• Geolocation data: IP address;
• Professional or employment-related information: current or past job history.

We do not use or disclose sensitive personal information to “infer” characteristics as defined under the CCPA, or for any purpose other than that which is necessary to provide you with our services as specific in the CCPA.

3. Sales and Sharing of Personal Information

We do not sell personal information, including within the preceding 12 months.

We may share your personal information for purposes of cross-context, targeted behavioral advertising, including with the preceding 12 months.

4. Retention Periods

Personal Data will be retained in accordance with applicable records retention policies of the Company, or as long as reasonably necessary for the purposes in accordance with applicable legislation, whichever is longer. The criteria used to determine our retention periods include:

• The length of time we have an ongoing relationship with you and provide services to you (for example, for as long as you are a client with us or keep using our services) and the length of time thereafter during which we may have a legitimate need to reference your personal information to address issues that may arise;
• Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records for a certain period of time before we can delete them);
• Whether Individual has withdrawn their consent or has objected to the processing;
• Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations), or
• The length of time of time necessary to ensure mitigating IT security threats.

5. Your Rights and Choices

The CCPA provides Consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

• Right to Know - In certain circumstances, you have the right to request the Company disclose certain information to you about our collection and use of your personal information over the past 12 months.
• Right to Delete - You may have the right to request the Company delete your personal information that we collected from you and retained, subject to certain exceptions.
• Right to Correct – You may have the right to request the Company to correct any inaccurate personal information we may hold about you. We will use commercially reasonable efforts to correct inaccurate personal information, taking into account the nature of the personal information and the purpose for our processing.
• Right to Opt-Out of Targeted Advertising - You may opt-out of the processing your personal information obtained from your activities on nonaffiliated websites for the purposes of targeted advertising. To opt-out of targeted advertising, you must toggle “off” the Targeting Cookies in our center for managing consent preferences, found here, or enable global privacy control settings on your browser. Note that this right to opt-out does not apply where we have appropriately limited our partners to be our “service providers” or “processors” as these terms are defined under the CCPA.
• Right to Non-Discrimination – We will not discriminate against your for exercising any of your rights.

California’s “Shine the Light” Law – In addition to the rights described above, California's "Shine the Light" law (Civil Code Section §1798.83) permits California residents that have an established business relationship with us to request certain information regarding our disclosure of certain types of personal information to third parties for their direct marketing purposes during the immediately preceding calendar year.

6. Exercising Your Rights

To exercise the right to opt-out of targeted advertising (or “sales” of personal information as that term is defined in state law), please visit the “Do Not Sell or Share My Personal Information” section, here to learn more about and to exercise this right.

To exercise any of the remaining rights described above, please submit a request to us by one of the following methods:

• By email: dataprotection@barry-wehmiller.com
• By post: Group Data Protection Officer
  Legal Team
  Barry-Wehmiller Group
  8027 Forsyth Blvd
  St. Louis, MO 63105-1707
  United States of America

7. Changes to this Addendum

We may update this Addendum from time to time. Any changes will be posted on the applicable websites.

8. Questions About This Notice

If you have any questions about this Addendum, the ways in which the Company collects and uses your information described herein and in the above Privacy Notice, your choices and rights regarding such use, or if you wish to exercise your rights under California law, please do not hesitate to contact via email at dataprotection@barry-wehmiller.com or via post as noted above.