150 California Street

Effective as of 10 October 2022.

This Privacy Policy describes how PPF OFF 150 California Street, LP a partnership with a place of business at 150 California Street, San Francisco, CA 94111 and our corporate subsidiaries and affiliates (collectively, “150 California”, “we”, “us”, or “our”) collects, uses and shares your personal information if you visit our property at 150 California Street in San Francisco, California, visit 150CaliforniaStreet.com or our other websites or services that link to this Privacy Policy (collectively, the “Services”), contact us, receive our communications, or attend our events.

This Privacy Policy does not address your relationship with your employer if your employer is a tenant of the building nor the Host App, which is developed by a service provider to us. You can learn more about how the Host app developer and host (CBRE, Inc.) uses data on connection with Host here.

Table of Contents (click to jump)

Personal Information We Collect

Building Management. The below contact information are used to manage the lease and for managing the building.

Tenant Contact Info: Name, Email, Phone Number(s).

Access Control. We use a variety of measures to control who can access the building. We do this for security and to protect the rights of the tenants and other lawful visitors.

For tenant employees or contractors: Mobile App Data from Blubox (see description below and privacy policy here); location data; identification details. Name, email, phone number.
For guests: first and last name; we inspect the guest's driver's license to verify name. As of the date of this policy, our practice is that if a contractor wants to check out a key to a part of the building, we write down the first and last name and hold the id in a locked box until the key is returned.
Deliveries: We collect license plate details of vehicles entering the loading dock. As of the date of this policy, our practice is that a security officer sits at the loading dock desk and writes the information down; it is then scanned and the papers are stored. Our policy is to not keep this for longer than 5 years.

Security. We collect personal information as part of our security programs.

We use closed circuit television cameras ("CCTV") as part of our security program. CCTV captures images only. In other words, we collect video only; no audio. The building has cameras internally and externally throughout the building and the larger property. We use CCTV footage to help secure the building and protect tenants and their employees and guests. We also use it to review past incidents. As of the date of this policy, our practice is that we do not use a facial recognition technology to match the images to names.
BOLO. As part of our security program, we may receive alerts to "Be On the Lookout" for a specified person considered to be a security threat, such as flagged terminated employees or those who have or have been accused of relationship violence or stalking ("BOLO"). We may receive a BOLO request from law enforcement or from tenants and their employees and contractors. The information often includes: first and last name, address, height/weight, photo, last alias, and where last located.

Tenant Amenities. We collect information about individuals seeking to use tenant amenities to provide those amenities.

Pet Guests: For building occupants that wish to bring a pet, our policy is to collect first and last name (in connection with a description of the pet and the pet's photo), company/employer name, floor number, and occupant's phone number; if the pet is a service animal, our policy is to also collect the license number of the service animal.
Bike Storage: if a building occupant wishes to bring a bike into the bike room, our policy is to collect the person's first and last name + company/employer name, floor number, occupant's phone number, and a description of the bike.
Shower rooms: name, phone number, company/employer.
Liability Waivers: Our policy is to collect liability waivers from each of the foregoing categories of occupants and then scan them into our electronic document retention system.

Emergency Procedures. We collect certain personal information for use in an emergency.

Emergency Contact List: We receive various information related to individuals to contact in the event of an emergency (e.g., phone numbers, names of contact, office/home/cell numbers, titles, floors, email; if offsite, physical address of notification person.)
Disabilities and Health Conditions

We collect various disability and health-related information so that we may use it if an evacuation occurs and to coordinate emergency responses. We may share it with emergency responders.

Contact Details for Tenant Occupants (e.g., employees and contractors): Name, address, email, telephone number.
Identification Data: Our driver’s license or passport ID scanner collects information from government-issued documentation (via the magnetic strip on the back of the ID card) to verify and store identity of various individuals in the building. Our policy is to set the preferences of the third-party electronic readers to pull from documentation the first and last name only. We have communicated this preference to the vendor we use for the scanners. You can review our current vendor's (i.e., Blusky/Blubox, which licenses this technology from a third party) privacy policy here.
Location Data: For building occupants using an app to access access-controlled building space, our service provider will collect from your phone GPS coordinates or similar location information regarding the location of your device. In particular, when have the app open, it detects where you are in the building. This information is used to identify the closest card reader location for mobile entry access. The service provider has indicated to us that this feature doesn't run in the background; it runs only while app is open. The privacy policy for our current service provider, Blubox, is here.
Mobile App Data for Building Access via MobileAccessHID (app) or a KeyCard: We use HID for key card access to building spaces and to apply access invitations to the users' mobile calendar. The mobile app collects: Wi-Fi SSID/Mac Address; user commands, voice commands, and transcriptions; text commands; user history; scheduled calendar events and attendees; in-app actions; device info; browser history; and user preferences. The key card also uses and holds the same information. So building occupants must either download the MobileAccessHID app or use a key card for access. HID's privacy policy is here.
Professional Information: An individual's professional information, for example, business title, position, organization, etc. is collected to create the users' profiles within building apps.
Written Signature- An individual's written signature, such as a signature on a contract, indemnity form, and/or lease contract are collected as part of building management (examples include security officers collecting it from contractors signing in, tenants needing to sign to get a property removal pass (such as when taking out boxes or computers)).

Feedback or correspondence, such as information you provide when you contact us with questions or feedback or otherwise correspond with us. Angus is the online system we currently use for submitting maintenance requests (and in the future we may use the Host app for this functionality). The system requires name, building floor, phone number, and tenant identity and work email. And you must be logged in to the system to make these requests.

Usage information, such as information about how you use the Services and interact with us, including information you provide when you use any interactive features of the Services, such as through the Host app.

Marketing information, such as your preferences for receiving communications about the building (e.g., we have a newsletter that is sent to tenant contacts) and details about how you engage with our communications.

Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.

Cookies and Other Information Collected by Automated Means

We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and activity occurring on or through the Services or your use of our website. The information that may be collected automatically includes your computer or mobile device operating system type and version number, manufacturer and model; device identifier; browser type; screen resolution; IP address; the website you visited before browsing to our website; general location information such as city, state or geographic area; and information about your use of and actions on the Services, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access. Our service providers and business partners may collect this type of information over time and across third-party websites and mobile applications.

How and Why We Use Your Personal Information

We use your personal information for the following purposes and as otherwise described in this Privacy Policy or at the time of collection:

To manage the building. We use your personal information as provided above and generally to:

provide, operate, and improve the facilities;
establish and maintain your occupant profile;
communicate with you about the building, including by sending you announcements, updates, security alerts, and support and administrative messages;
provide support and maintenance for the building; and
respond to requests, questions, and feedback.

To comply with law. We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.

For compliance, fraud prevention, and safety. We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) protect our, your, or others’ rights, privacy, safety, or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern the Services; and (c) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.

With your consent. In some cases, we may specifically ask for your consent to collect, use, or share your personal information, such as when required by law.

To create anonymous data. Our service providers may create aggregated and other anonymous data from your personal information and other individuals whose personal information we collect. They may make personal information into anonymous data by removing information that makes the data personally identifiable to you. They may use this anonymous data and share it with third parties for lawful business purposes, including to analyze and improve the Services and promote our business.

How Long We Retain Your Personal Information

We retain personal information as long as necessary to provide the Services. Our policy is that when a person is terminated, they become inactive in our systems. When a tenant leaves, our policy is to delete the personal data related to their employees and contractors. Our current vendor allows us to identify and request deletion of personal data in 90 days and our policy is to do that when a person becomes inactive due to their or their employer's termination.

How We Share Your Personal Information

We do not share your personal information with third parties without your consent, except in the following circumstances or as otherwise described in this Privacy Policy

Affiliates. We may share your personal information with our corporate subsidiaries and affiliates for purposes consistent with this Privacy Policy.

Service providers. We may share your personal information with third-party companies and individuals that provide services on our behalf or help us operate the Services (such as CBRE). These third parties may use your personal information only as authorized by their contracts with us. As of the date we wrote this policy, we use CBRE to manage the building and provide the Host App (privacy policy is here); Avigilon as our surveillance company for CCTV; Blubox/Blusky for access control (privacy policy is here); Allied Universal PP0 14417 Security Services (physical, electronic security contractor with a privacy policy here).

Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to us.

For compliance, fraud prevention and safety. We may share your personal information for the compliance, fraud prevention, and safety purposes described above.

Business transfers. We may sell, transfer, or otherwise share some or all of our business or assets, including your personal information, in connection with a (potential) business transaction such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.

Your Choices

In this section, we describe the rights and choices available to all users.

Access or update your information. If you have registered for an account with us, you may review and update certain personal information in your account profile by logging into your account. Tenant contacts, please contact us to do this. Tenant employees can do this in the Host app or by contacting us and for other purposes (bike agreement, showers, property checkout, etc.) please contact us.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not track users and hence do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit www.allaboutdnt.com.

Choosing not to share your personal information. Where we are required by law to collect your personal information, or where we need your personal information to provide the Services to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with the Services. We will tell you what information you must provide to receive the Services by designating it as required at the time of collection or through other appropriate means.

Other Sites, Mobile Applications, and Services

The Services may contain links to, or content or features from, other websites and online services operated by third parties such as Host. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third-party websites, mobile applications, or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use, and sharing of your personal information. We encourage you to read the privacy policies of the other websites and mobile applications and online services you use.

Security Practices

The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information. As of the date of this policy, it is our policy to use the following security practices:

Examples of the types of steps we take: Only employees who need the information to perform a specific job (provide record of person arrival/departure time or verifying status of employment by searching status of access badge) are granted access to personally identify information. The computers and servers in which we store personal identity information are kept in a secure environment.
We use MFA (2-factor authentication) for any networks with personal info.
CBRE has assured us that its employees and contractors use an intranet and a secure firewall.

International Data Transfer

We are headquartered in the United States and have service providers in other countries, and your personal information may be transferred outside of your state, province, or country to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.

Children

The Services are not directed to, and we do not knowingly collect personal information from, anyone under the age of 16. If we learn that we have collected personal information of a child without the consent of the child’s parent or guardian, we will delete it. We encourage parents with concerns to contact us.

Changes to this Privacy Policy

We may amend this Privacy Policy at any time by posting the amended version on the Services and indicating the effective date of the amended version. We may announce any material changes to this Privacy Policy through the Service or Host and/or via email if we have your email address. In certain circumstances, we may also provide an email blast to tenant contacts and post it wherever else the new terms apply (and maybe highlight the changes in our newsletter). In all cases, your continued use of the Services after the posting of any modified Privacy Policy indicates your assent to the amended Privacy Policy.

How to Contact Us

If you have any questions or comments about this Policy or 150 California Street’s privacy practices, email us at privacy-notices@onemaritimeplaza.com. You may also write to us via postal mail at:

Property Manager On Site, Attn: Legal – Privacy, 150 California Street, San Francisco, CA 94111

Your California Privacy Rights

Under California law, California residents are entitled to ask us for a notice identifying the categories of personal customer information that we share with certain third parties for marketing purposes, and providing contact information for such third parties. If you are a California resident and would like a copy of this notice, please submit a written request to us via email at privacy-notices@onemaritimeplaza.com. You must put the statement "Your California Privacy Rights" in your request and include your name, street address, city, state, and ZIP code. We are not responsible for notices that are not labeled or sent properly, or do not have complete information.

We do not collect personal information for direct marketing purposes. As a result, California's Shine Your Light law does not apply.

PRIVACY POLICY