LAST UPDATED: October 14, 2021
Bank of America N.A. (“the bank,” “we”) collects personal data from participants for the Bank of America Shamrock Shuffle (the “Shamrock Shuffle”) offline and through the website operated by us from which you are accessing this Privacy Notice: https://www.shamrockshuffle.com/ (the “Website” and together with the Shamrock Shuffle, the “Services”). Participants can include event participants, volunteers, staff, and other event partners. This Privacy Notice explains how we collect, use, share and protect that Personal Data.
The bank works with Chicago Event Management (CEM), as an agency, to produce the Shamrock Shuffle. CEM develops, manages and produces the Shamrock Shuffle.
Personal Data We Collect
We collect Personal Data (information that identifies or relates to an identifiable individual), which may include:
- Postal address
- Email address
- IP address
- Phone number
- Date of birth
- Account and payment information
- Qualification details (including times and events) and
- Whether an individual wishes to participate in any disability designated events.
How We Collect Personal Data
We collect Personal Data which you provide when you sign up for a newsletter, or register to participate in the Shamrock Shuffle or visit the Shamrock Shuffle website.
Uses of Personal Data
We use Personal Data to facilitate your Shamrock Shuffle registration and participation, and ensure that all participants in the event have a safe and enjoyable experience. This Personal Data may be used for the following business purposes including:
- complete your registrations, process payment, and provide you with related customer service;
- provide notifications concerning the Shamrock Shuffle;
- provide the Services’ functionality to you, such as arranging access to your registered account, and providing you with related customer service, responding to your requests and inquiries;
- send administrative information to you, such as changes to our terms, conditions and policies;
- answer frequently asked questions, to ensure you have Shamrock Shuffle materials (including race bib, participant guide, results book, any ancillary purchases made at the time or registration, and digital coupons);
- enhance your experience of the event;
- track and record your event results; and
- ensure the health and safety of all participants.
We will engage in these activities to manage our contractual relationship with you and/or to comply with our legal obligations. In addition, the Shamrock Shuffle and its partners have a legitimate interest in using the data to ensure a safe event for all.
We may also use your Personal Data to send marketing communications such as by sending you newsletters and/or targeted advertising via social media channels. We will engage in this activity with your consent or where we have a legitimate interest.
We may also use your Personal Data to accomplish our business purposes, such as for:
- data analysis, for example, to improve the efficiency of our Services;
- audits, to verify that our internal processes function as intended and are compliant with legal, regulatory or contractual requirements;
- fraud and security monitoring purposes, for example, to detect and prevent cyberattacks or attempts to commit identity theft;
- developing new events;
- enhancing, improving, or modifying our current products and services;
- identifying usage trends, for example, understanding which parts of our Services are of most interest to users;
- determining the effectiveness of our promotional campaigns, so that we can adapt our campaigns to the needs and interests of our users; and
- operating and expanding our business activities, for example, understanding which parts of our Services are of most interest to our users so we can focus our energies on meeting our users’ interests.
We engage in these activities to manage our contractual relationship with you, to comply with a legal obligation, and/or because we have a legitimate interest.
Disclosure of Personal Data
We may disclose Personal Data to:
- Our affiliated third party service providers to facilitate services they provide to us and you. These services can include providers of services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, logistics, auditing, and other services; and third party payment processors. When required by applicable law, we will enter into contractual agreements with such providers; and
- Event vendors, organizers, volunteers, contractors, sponsors and vendors to facilitate the Shamrock Shuffle. When required by applicable law, we will enter into contractual agreements with such providers. Certain of these parties may receive Personal Data in the course of providing their services or as a component of their sponsorship agreement.
Other Uses and Disclosures
We may also use and disclose Personal Data as we believe to be necessary or appropriate to do so:
- to comply with applicable law including treaties or agreements with or between foreign or domestic governments (including in relation to tax reporting laws), which may include laws outside the country you are located in;
- to respond to requests from public and government authorities, which may include authorities outside your country;
- to cooperate with law enforcement, governmental, regulatory, or other similar agencies or authorities to which we or our affiliates are subject or submit;
- to courts, litigation counterparties and others, pursuant to subpoena or other court order or process or otherwise as reasonably necessary, including in the context of litigation, arbitration and similar proceedings to enforce our terms and conditions, and as reasonably necessary to prepare for or conduct any litigation, arbitration and/or similar proceedings; and
- to enforce our terms and conditions and protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
In addition, we may use, disclose or transfer Personal Data to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings). Such third parties may include, for example, an acquiring entity and its advisors.
We do not collect medical or health data at the time of registration. Participants may, however, tell us that they would like to participate in the Athletes with Disabilities program. This information is used only to the extent necessary to facilitate any disability accommodations.
In the event a participant seeks medical attention during an event, personnel at medical aid stations may collect and store individually identifiable medical information during this encounter.
“Other Information” is any information that does not reveal a person’s specific identity or does not directly relate to an identifiable individual, such as:
- Browser and device information;
- App usage data;
- Information collected through cookies, widgets, pixel tags and similar technologies;
- Demographic information and other information provided by you that does not reveal a person’s specific identity;
- Information that has been aggregated in a manner that it no longer reveals a person’s specific identity; and
- Survey responses and similar information which reveals views and preferences, but which does not reveal a person’s specific identity.
If we are required to treat Other Information as Personal Data under applicable law, then we may use and disclose it for the purposes for which we use and disclose Personal Data as detailed in this Privacy Notice.
Collection of Other Information
We and our service providers may collect Other Information in a variety of ways, including:
- Through a browser or device: Certain information is collected by most browsers or automatically through devices, such as a Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of the Services (such as the App) being used. We use this information to ensure that the Services function properly;
- Using cookies and widgets: Cookies are pieces of information stored directly on the computer being used. Cookies allow us to collect information such as browser type, time spent on the Services, pages visited, language preferences, and other anonymous traffic data. A widget is a portable, embedded application which offers you certain third-party services which we believe may be of interest to you. We and our affilicated service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to facilitate and personalize the user’s experience. We also gather statistical information about use of the Services in order to continually improve their design and functionality, understand how they are used and assist us with resolving questions regarding them. We do not currently respond to browser do-not-track signals;
- Most browsers allow individuals to automatically decline cookies and widgets or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. Please refer to http://www.allaboutcookies.org/manage-cookies/index.html for more information. Declining cookies may cause certain parts of the Services to cease working;
- Using pixel tags and other similar technologies: Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Services (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Services and response rates; and
Uses and Disclosures of Other Information
We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Information with Personal Data. If we do, we will treat the combined information as Personal Data as long as it is combined.
We seek to use reasonable organizational, technical and administrative measures to protect Personal Data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure please immediately notify us in accordance with the “Contacting Us” section below.
We will retain Personal Data for as long as it is needed or permitted in light of the purposes for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
We do not solicit individuals under the age of sixteen (16) to register for the Shamrock Shuffle, and we do not knowingly collect Personal Data from individuals under 16. We require parental consent for the processing of personal data for individuals under sixteen.
California Privacy Rights
Under the California Consumer Privacy Act (“CCPA”), California residents have certain rights regarding the personal information that businesses have about them. This includes the right to notice, access and/or deletion of your personal information, as well as the right to direct a business to stop selling your personal information.
Right to Notice. You have the right to be properly notified of the following:
Right to Access Your Information: You have the right to request the following covering the 12 months immediately preceding your request:
- The specific pieces of personal information we have collected about you
- The categories of personal information that we have collected about you
- The categories of sources from which we collected the personal information
- The purpose for collecting or selling the personal information
- The categories of personal information that we have disclosed about you, the purpose for disclosing such personal information and the categories of third parties with whom we disclosed such personal information
- The categories of personal information that we have sold about you, as well as the categories of third parties to whom we sold such personal information
Please note that we may still use aggregated and de-identified personal information that does not identify you or any individual.
Right to Deletion: You have the right to request that we delete any personal information about you that we have collected from you. Please note that there are exceptions where we do not have to fulfil a request to delete information, such as when the deletion of information would create problems with the completion of a transaction or compliance with a legal obligation.
How to Exercise Your Access and Delete Rights: To exercise your access and delete rights as described above, you may contact Bank of America by:
- Writing to us at:
Individual Rights Operations TX-041-02-08
16001 N. Dallas Pkwy Building 1
Addison, TX 75001
- Emailing us at Service Inquiries
Verifiable Consumer Requests: Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may only make a verifiable consumer request for access to your personal information twice within a 12-month period. The verifiable consumer request must: 1) Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative of that person; and 2) Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it. We cannot respond to your request to exercise your access and/or deletion rights if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password-protected account sufficiently verified when the request relates to personal information associated with that specific account. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format: We attempt to respond to a verifiable consumer request within 45 days after we receive it. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing within 45 days after we receive your initial request. We will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period immediately preceding the date we receive the verifiable consumer request. The response we provide will also provide the reasons we cannot comply with a request, if applicable. For access requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Right to Opt-Out of Sale: While we do not sell personal information in exchange for any monetary consideration, we do share personal information for other benefits that could be deemed a “sale,” as defined by the CCPA (Cal. Civ. Code 1798.140(t)(1)). We support the CCPA and wish to provide you with control over how your personal information is collected and shared. If you would like to exercise your right to request opt-out of sale, please submit a request using this link: email@example.com.
Right to Non-Discrimination: We will not discriminate against you (e.g., through denying goods or services, or providing a different level or quality of goods or services) for exercising any of the California rights afforded to you.
Complaints: In compliance with the CCPA, we commit to resolve complaints about your privacy and our collection or use of your personal information. We ask that you kindly contact us at firstname.lastname@example.org, so that we have an opportunity to resolve your complaint.
Do Not Track. Some internet browsers – like Internet Explorer, Firefox, and Safari – include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform signals have not been adopted, we do not current process or respond to “Do Not Track” or “DNT” signals.
California’s Shine the Light law. California residents with an established business relationship with us can request information once a year about sharing their personal information with third parties for the third parties’ direct marketing purposes. If you are a California resident and would like to request more information under the California Shine the Light law, you can email us at email@example.com.
European Economic Area (EEA), United Kingdom (UK), Switzerland Data Subjects
Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States, and by using the Services you understand that your information will be transferred to countries outside of your country of residence, including the United States. The United States does not have an adequacy decision from the European Commission, which means that the European Commission has determined that the laws of the United States do not provide legal protection that is equivalent to EU data protection laws. This means that in, certain circumstances, courts, law enforcement agencies or regulatory agencies in those countries may be entitled to access your Personal Data. Nevertheless, we have implemented appropriate safeguards to protect the Personal Data we collect.
Your rights: European data protection laws give you certain rights regarding your Personal Data. You may ask us to take the following actions in relation to your Personal Data that we hold:
- Right of access.The right to obtain access to your personal data.
- Right to rectification. The right to obtain rectification of your personal data without undue delay where that personal data is inaccurate or incomplete.
- Right to erasure. The right to obtain the erasure of your personal data without undue delay in certain circumstances, such as where the personal data is no longer necessary in relation to the purposes for which it was collected or processed.
- Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal data in certain circumstances, such as where the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of that personal data.
- Right to portability.The right to portability allows you to move, copy or transfer personal data easily from one organization to another.
- Right to object. You have a right to object to processing based on legitimate interests and direct marketing.
How to exercise your rights: You can submit these requests by email at firstname.lastname@example.org. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.
EEA Representative: You may contact our EU Data Protection Officer at BAML.EUDPO@baml.com
Complaints: If you have a complaint about how we handle your personal information or respond to your request, you may be able to complain to your data protection authority. A list of data protection authorities is available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080. We ask that you kindly contact us first, so that we have an opportunity to resolve your complaint.
We may seek your consent to send communications regarding future races and events and marketing communications from sponsors. We will ask you to opt in to receiving these communications, which may be revoked by you at any time.
We give you choices regarding our use and disclosure of your Personal Data for marketing purposes.
You may opt-out from:
- Receiving electronic communications from us: If you no longer want to receive marketing-related emails from us on a going-forward basis, you may opt-out by clicking the unsubscribe link located at the bottom of each email message; an
- Our sharing of your Personal Data with unaffiliated third parties, such as sponsors, for their direct marketing purposes: If you would prefer that we discontinue sharing your Personal Data on a going-forward basis with unaffiliated third parties for their direct marketing purposes, you may opt-out of this sharing by: contacting office@com or, in the case of text messages, texting “STOP”.
We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages, from which you cannot opt-out.
How You Can Access, Change or Suppress your Personal Data
If you would like to request to review, correct, update, suppress, restrict or delete persona data that you have previously provided to us, object to the processing of Personal Data, or if you would like to request to receive an electronic copy of your Personal Data for purposes of transmitting it to another company (to the extent this right of portability is provided to you by applicable law), you may contact us as described in the “Contact Us” section below. We will respond consistent with applicable law.
In your request, please make clear what Personal Data you would like to have changed, whether you would like to have the Personal Data suppressed from our database or otherwise let us know which of the above limitations you would like to put on our use of the Personal Data. For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion.
Updates to this Privacy Notice
We may change this Privacy Notice from time to time. The “LAST UPDATED” legend at the top of the Privacy Notice indicates when it was last revised. Any changes will become effective when we post the revised Privacy Notice. Continued use of the Website signifies acceptance of the revised Privacy Notice.
If you have any questions regarding this Privacy Notice or the Bank of America Shamrock Shuffle, please e-mail us at email@example.com or call 312.904.9800 during regular business hours.
Bank of America Shamrock Shuffle
110 N. Wacker
Floor 5 – Marathon Suite
Chicago, IL 60606
Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us.