Effective from April 17th, 2023

EON is an industry leader in its approach to supporting data privacy and personal data rights. As a pioneering force in the creation of product digital identities and the circular economy, EON has led the fight to revolutionize how data is used to enable its clients and partners to move beyond their historical boundaries while creating new industry best practices that safeguard the rights of data owners and data subjects.

Managing hundreds of different data privacy laws is increasingly challenging and promotes inequality in how data subjects are treated.  Our approach to data privacy and personal data rights is to apply the most stringent interpretation of relevant legislation and to apply it to all data subjects unless explicitly forbidden, even to residents of countries with weak or no data privacy or rights protections.  As global legislation on data privacy and rights continues to be enacted, and new case law clarifies obligations of controllers and processors, EON’s support of data privacy, protection, and data subjects’ rights will continue to evolve.

From inception, EON’s purpose-built technology and services have been highly focused on product data, not personal data.  Where EON processes personal data, we have embraced and developed new standards in support of the principles of data minimization and privacy by design, and implemented encryption which is optional under most data privacy legislation such as the GDPR.  We also apply supplementary measures, such as pseudonymization, and have automated erasure processes (erasure by design), which reduces the compliance burden and risk to our clients, partners, and consumers.

Our Privacy Principles

Data subjects’ personal data privacy and rights are very important to us. EON is committed to providing safe, secure, and trustworthy experiences within our sites and platforms.

EON’s Privacy Principles and What They Mean

  • Transparency about the information we collect:  We want those who share their personal data with us to understand what information we collect and why we collect it.  We do our best to explain to our users what personal data we collect from them and what we do with it.  We will be transparent where personal data is collected about an individual without their direct input, and whenever possible, we will provide them with options to limit this collection.
  • Be constant in our privacy commitments:  We take our data protection and privacy commitment seriously.  Our privacy and protection programs address legal requirements, best practices, and reflect our commitments to our clients, partners, and users to deliver a trusted experience when interacting with EON.
  • Constant protection of personal data and privacy:  We work to protect the personal data and privacy of those who share their personal data with us regardless of whether they are protected by legislation or not.  Users, clients, partners, and prospects trust us with their personal data and expect us to protect and use it in an appropriate manner.  Our policies and processes cover personal data management from collection to erasure.  Our data privacy and information security programs are based on best practices and reflect an interpretation of data privacy laws based on the data subjects’ best interest, not ours.
  • Easy to access and update their personal data:  Having accurate information from those we interact with helps us create a better experience.  We provide mechanisms to give those who share their personal data with us access to information related to their account, their interactions with EON, and the ability to correct any information that is incorrect or out of date.
  • Minimization by design:  EON only collects the personal data necessary to meet obligations we have to those who share personal data with us, such as fulfilling contractual obligations. For more detail, please see our Privacy Policy here.  Through our policies and automated processes, we continually remove personal data (by design) that is no longer necessary or that meets time-based requirements for its permanent erasure.
  • Limit personal data sharing & access:  We limit who has access to personal data within our systems and only share it externally with those who have a legitimate purpose for such access, where consented to by the data subject, or required by law.  Data sharing outside of EON is minimal, and only with 3rd parties who meet our personal data security standards.  To see where personal data may be shared and what is shared, click here.
  • No Selling of Personal Data: We never sell any personal data we collect.  This is not permitted under our Privacy Policy nor is it part of any business we currently engage in or are contemplating.
  • No Acceptance of Special Categories of Personal Data:  As a company principally focused on physical products, there should never be a reason for us to collect, store, or process any data referred to as a “special category of personal data” under GDPR and other data privacy legislation from clients, partners, prospects, or users.  Special categories of personal data refer to data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics or biometrics, health, sex life or sexual orientation, or criminal convictions and offenses.  In accordance with our policies and agreements with clients, partners, and prospects any such data that is submitted to EON will be erased without prior notice.
  • Build and maintain secure products & services:  We work hard to provide clients, partners, prospects, and other users with a safe and trustworthy place to interact with our platforms and services.  We have implemented several programs to protect those who use our websites, platforms, and services.  However, no system is perfect, so we have developed issue resolution and escalation processes to help resolve problems in a fast, fair, and consistent manner.

Data Privacy Legislation

In the wake of the European Union’s GDPR going into effect in 2018, data privacy legislation has spread throughout the globe and directly impacted businesses and consumers alike.  Through case law and guidance provided by supranational, national, and state level authorities, interpretation of these laws continues to evolve, as do businesses’ efforts to comply.  EON regularly monitors changes to these laws and in turn, evolves its practices accordingly.  The laws and regulations listed below represent the main data privacy laws to which EON is commonly subject, based on the location of those who share personal data with us.  This is not meant to be a complete list and it will change as countries pass new legislation and consolidate related legislation.  This list is for reference only and should not be considered legal guidance.


EU General Data Protection Regulation (“GDPR”; text):  The European Union’s data privacy law that came into effect on May 25, 2018.

UK Data Protection Act 2018 (“DPA” inc. “UK GDPR”; text; ):  The United Kingdom’s version of the EU GDPR legislation.

The Swiss Data Protection Act 2020 (“DPA”; text-fr, text-de):  The Swiss data protection law with updates that come into force later in late 2022 or early 2023.


Canadian Consumer Privacy Protection Act (“CPPA”; text):  The successor to the Personal Information Protection and Electronic Documents Act (PIPEDA; text), the CPPA aims to simplify consent, while maintaining it as a central part of Canadians' data privacy rights.

California Consumer Privacy Act of 2018 (USA, California; “CCPA”; text):  The CCPA data privacy law came into effect on Jan 1, 2020.  The California Privacy Rights Act (“CPRA”; text) expands on the rights included in CCPA and went into full effect on January 1st, 2023.  The CPRA expands on the rights protected under the California Consumer Privacy Act (CCPA), closing most of the gap between CCPA and GDPR.  Compared to regulations in other U.S. states, the CCPA and CPRA grant California residents significantly more control over their personal data and require the highest level of compliance obligations on affected companies.

Consumer Data Protection Act (USA, Virginia; text):  The VCDPA went into effect on Jan. 1st, 2023.

Colorado Privacy Act (USA, Colorado; text):  The CPA is effective as of July 1st, 2023.

Connecticut Data Privacy Act (USA, Connecticut; text):  The CDPA is effective as of July 1st, 2023.

Utah Consumer Privacy Act (USA, Utah; text):  The CPA is effective as of Dec. 31st, 2023.

Note: Several U.S. states including Nevada, Maine, and New York have passed bills offering consumers partial protections, but are not considered comprehensive data privacy and protection laws and are therefore not listed here.


Brazil Lei Geral de Proteção de Dados (“LGPD”; text):  The enforcement provisions of the LGPD came into effect as of August 2021, and provide a legal framework for the use of personal data in Brazil, covering both private and public sectors.  The law is largely similar to the EU’s GDPR.


China Data Security Law (“DSL”; text):  Effective as of September 2021, the DSL supplements China’s existing Cybersecurity Law (text).  The DSL regulates data-processing activities and business operations in China.  Compared to the EU’s GDPR, the DSL does not have the same level of consumer protections on how the government may access consumer data and has heightened requirements for data export out of China.


New Zealand Privacy Act 2020 (text):  Effective as of December 2020, this legislation replaces the Privacy Act 1993.

Australia Privacy Legislation Amendment Bill 2022 (“PLA”; text):  This bill amends the Privacy Act of 1988 (text) to more closely align with the EU’s GDPR and support an adequacy decision.

International Data Transfers

Depending on where you are located, some approved 3rd parties with access to your personal data may be located outside your country or have offices in countries where data protection laws may provide a different level of protection than the laws in your country.  When transferring personal data to such recipients, we contractually require appropriate safeguards.  These safeguards include technical, physical, and organizational ways in which we minimize their access to personal data and ways it can be misused, along with contractual obligations of the 3rd party recipient.

Prior to the Schrems II decision, EON had implemented, and continues to use, the following to comply with data transfer rules and regulations:  1) Standard Contractual Clauses (SCCs), 2) Data Processing Agreements (DPA), 3) Internal codes of conduct, 4) Exclusive use of encrypted transfer and storage means.

The European Union and the United States are currently negotiating a data privacy framework (text) that would provide the United States with an adequacy decision and we are closely monitoring these efforts.

We may transfer your personal data to approved 3rd party recipients, where and when it is legally permitted, who may be located anywhere in the world, except for counties under international embargo or where the data subjects’ data privacy rights cannot be reasonably guaranteed.  We only transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to 3rd party countries, on the basis of model clauses or as otherwise authorized by applicable law.  Other than transfers to 3rd party countries providing an adequate level of data protection according to the European Commission, EON requires the necessary safeguards be in place (ex. with data protection contracts adopted by the European Commission (ex. standard contractual clauses) with the recipients, or through other measures provided for by law.  We regularly review the measures taken to assess requirements resulting from new regulatory guidance and case law, such as that from the Court of Justice of the European Union (CJEU) decisions.

EON as a Controller & Processor

EON is a processor for our clients and partners for all other means of personal data collection (e.g. client account platform access, client branded consumer experience, etc.).  As a solutions provider, any requests for data subjects’ rights where EON is the processor will be referred to the appropriate controller.

EON is a controller for personal data captured through its and domains (e.g. you signed up for an EON newsletter or EON webinar).

Use of the Services

The EON company responsible for the collection and processing of your personal data in connection with the provision of our Services or collected through our websites can be contacted at or by mail at:

EON Group Holdings, Inc.

Attn: Data Privacy

11 West 30th Street, 6th FL

New York, NY 10001

United States of America

Your Rights as a Data Subject

Please refer to our current Privacy Policy (here) for the most up-to-date explanation of your rights.  Subject to restrictions on EON under supranational (e.g. the European Union), national, or state law, you as a data subject have the right to access, rectification (i.e. “correct”), restriction of processing, data portability, erasure, and not to have your data sold (we don’t sell personal data), with regard to your personal data.  In addition, you may withdraw your consent and object to our processing of your personal data on the basis of our legitimate interests.  You may also file a complaint with a supervisory authority.  Where EON is the controller, you may execute your rights directly with EON.  Where EON is the processor, rights requests will be directed to the controller.

Your personal data rights:

You may withdraw your consent to the processing of your personal data by EON at any time.  As a result, we may no longer process your personal data based on this consent in the future.  Such withdrawal of consent has no effect on the lawfulness of processing based on consent before its withdrawal and EON may reject this request if it is needed to fulfill a legitimate business need such as delivering a service you have contracted with us.

You may access your personal data that is being processed by us.  In particular, you may request: 

  • information on the purposes of the processing, 
  • the categories of personal data concerned, 
  • the categories of recipients to whom the personal data have been or will be disclosed, 
  • where possible, the planned period for which the personal data will be stored or the criteria used to determine that period, 
  • any available information as to the personal data’s source (where they are not collected from you), and
  • the existence of automated decision-making, including profiling and where appropriate, meaningful information on its details.

Your right to access shall not affect the rights and freedoms of others.  Your right to access may be limited by national or supranational law (e.g. the EU).

You may request from us, without undue delay, the rectification (e.g. “correction”) of inaccurate personal data concerning you.  Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

You have the right to request from us the erasure of personal data concerning you under certain conditions (e.g. when the personal data are no longer necessary in relation to the purposes for which they were processed or when they are no longer required for overriding legitimate grounds, such as the detection/prevention of fraud), unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, or for exercise or defense of legal claims.  The right to erasure may be limited by national or supranational law.

You have the right to request from us restriction of processing your personal data to the extent that:

  • the accuracy of the data is disputed by you,
  • the processing is unlawful, but you oppose the erasure of the personal data,
  • we no longer need the data, but you need it to assert, exercise, or defend legal claims, or
  • you have objected to the processing.

You have the right to request a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller ("right to data portability").  For client and partner users, this data may exclude any data to which the client or partner has Intellectual Property right or other rights.

You have the right to file a complaint with a supervisory authority.  You may contact the supervisory authority associated with your place of residence, your place of work, or the registered office of the controller.

If your personal data is processed on the basis of our legitimate interests, you have the right to object to the processing of your personal data on grounds relating to your particular situation.  This also applies to profiling.  If your personal data is processed by us for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Exercising your rights and managing your settings

You can exercise your rights as a data subject by contacting us via email at or by mail at:

EON Group Holdings, Inc.

Attn: Data Privacy

11 West 30th Street, 6th FL

New York, NY 10001

United States of America

In addition, you are free to contact the controller who is responsible for the processing of your personal data at any time (for further information, see section on Controller & Processor above).  A list of country specific EU/EEA/UK Data Protection Authorities can be found here.

Your exercise of the above rights (ex. right to access or erasure) is generally free of charge except where otherwise permitted or required by law.  Where requests are manifestly unfounded or excessive, in particular because of their repetitive nature, we may charge an appropriate fee (our actual costs), in accordance with the applicable statutory regulations, or refuse to process the application.  If refused, you will be notified and a reason will be provided.

As a product focused company, our processing of client and partner related consumer personal data is relatively limited and is solely done as permitted in writing by the respective client or partner.  Where we do process consumer personal data, in many cases we do not process enough personal data, only have an encrypted version without the ability to decrypt it, or do not retain it long enough to confirm the identity of any data subject.  As a processor for our client brands, your data rights requests will be referred to the controller in such cases.  Where EON is the controller, such as for those on our newsletter, you may have your rights executed directly by EON.

Managing your communication preferences

If you would like to change your preferences regarding EON marketing, you can do so at any time by clicking on the “update your preferences” and “unsubscribe” links contained in all of our marketing communications.  You may also contact us at EON Group Holdings, Inc., Attn: Data Privacy, 11 West 30th Street, 6th FL, New York, NY 10001, United States of America.  The implementation of changes or removal from communications platforms may take a few days as permitted by law. For information on how to manage your cookie and similar technology preferences, privacy policy and cookie policy.

Data Retention Period

Client and partner users’ personal data is generally retained for as long as the client or partner grants their individual approved users’ access to their client or partner account within EON’s services.  Upon data subject request or termination of the associated client or partner agreement, all personal data not necessary for closure of the account, completion of contractual requirements, or as required by law, will be deleted.  In some cases, a user who works for a client or partner may have their request rejected by the controller.  Resolution of data subjects’ rights will be at the direction of the controller, which for client or partner users will be the respective client or partner, not EON.

Archived Privacy Policies

Please refer to our previous privacy policies below: