Privacy Policy

Last Updated: August 19, 2024

This privacy policy (this “Privacy Policy”) describes how Granite Real Estate Investment Trust, Granite REIT Inc., Granite REIT Holdings Limited Partnership and their respective affiliates and subsidiaries (collectively referred to as, “Granite”, “we”, “us” or “our”) collects, uses and discloses personal information. “Personal Information” refers to information about an identifiable individual, as more particularly described under applicable privacy legislation. This Privacy Policy applies to our collection, use and disclosure of Personal Information, both offline and online in connection with your use of the website granitereit.com (the “Site”). By accessing the Site, or by participating in Granite’s offline activities, you agree to the terms and conditions of this Privacy Policy.

The Appendix A to this Privacy Policy is incorporated herein by reference and is intended to comply with the laws and regulations of the European Union or of a member state of the European Union to which we are subject.

COLLECTION AND USE OF PERSONAL INFORMATION

Granite and its agents or representatives collect Personal Information from you in a number of circumstances in the course of operating our business and Site. You may visit the Site without providing any Personal Information. However, in order to use certain features of the Site, you may be asked to provide Personal Information. The amount and type of Personal Information collected both offline and online varies depending on the nature of your relationship with us and may include the following:

a. Contact Us. If you choose to contact us through the Site, we will collect your name, email address and other information you choose to provide. We use this information to respond to your communication.

b. Email Alerts. If you choose to sign up for our email alerts, we will collect your name, email address, job title and company name. We use this information to send you the alerts that you have requested.

c. Business Purposes. We may also collect and use Personal Information to manage and improve our business and services, including maintaining business records for reasonable periods and conducting research and analysis.

d. Legal/Regulatory Purposes. We collect and use Personal Information to meet legal, regulatory, insurance, security and processing requirements.

e. Other Information. We may collect other Personal Information with your consent or as permitted or required by law.

COOKIES AND SIMILAR TOOLS

When you visit the Site, we automatically collect your IP address, the date and time of your visit, the pages you visit, the features you use, and the referring URL’s you came from. We use this information to improve our Site and services.

We also use technology called “cookies”, a tiny element of data that our Site sends to a user’s browser, and similar technologies to help our Site function. We use cookies to remember your preferences and to authenticate you. Cookies may be stored on the user’s hard drive so that we can recognize the user when they return to our Site. Remember your preferences and settings when you navigate through our Site, and for security purposes.

You may be able to control cookies using your browser settings. For example, you may be able to set your browser to block or delete cookies, or to notify you before a cookie is set. If you block cookies, you may not be able to use all of the features of our Site.

DISCLOSURE OF PERSONAL INFORMATION

Service Providers. We may use service providers to provide certain services on our behalf such as website hosting, data hosting and processing, analytics, marketing and advertising, communications and other services. Some of these service providers may be located outside of Canada, including in the United States.

Business Transactions. We may transfer Personal Information as an asset in connection with a prospective or completed merger, acquisition or sale (including transfers made as part of insolvency or bankruptcy proceeding) involving all or part of Granite or as part of a corporate reorganization or other change in corporate control.

Legal. We and our service providers may disclose Personal Information without consent in response to a search warrant or other legally valid inquiry or order (which may include lawful access by Canadian, US or other foreign governmental authorities, courts or law enforcement agencies) or as otherwise required or permitted by law. We may collect and use Personal Information for other purposes with your consent or as permitted or required by law.

YOUR RIGHTS

You may request access to or correction of your Personal Information in our control by contacting us as described in the “Contact Us” section below. You may also withdraw your consent to our processing of your Personal Information. Your right to access or correct your Personal Information, and withdraw consent, is subject to certain legal, contractual and notice restrictions and we take steps to verify identity before providing access or making corrections.

RETENTION AND SAFEGUARDS

We have implemented reasonable physical, organizational and technological measures in an effort to protect against unauthorized access, use, modification and disclosure of Personal Information in our custody and control. We limit access to Personal Information to our employees and service providers who require access in connection with their role or function. Each of our employees is responsible for maintaining the confidentiality of all Personal Information to which they have access. We keep our employees informed about our policies and procedures for protecting Personal Information. However, please be aware that no security measures can offer absolute security and therefore it is possible that your Personal Information may be lost, stolen, or accessed without authorization.

The file containing your Personal Information will be maintained on our servers or those of our service providers and will be accessible by authorized employees, representatives, and agents as necessary for the purposes described in this Privacy Policy. We retain Personal Information for as long as necessary for the purposes for which such information was provided or to otherwise meet legal and business requirements.

LINKS TO THIRD PARTY SITES

This Site may contain links to third party websites and portions of this Site, including but not limited to the Investors section, may be operated by others whose information practices may be different than Granite’s. Granite is not responsible for these sites. Visitors should consult the other sites’ privacy statements as Granite does not have control over information that is submitted to, or collected by, these third parties.

UPDATES TO OUR PRIVACY POLICY

This Privacy Policy may be updated periodically to reflect changes to our Personal Information practices and any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy of our site. You can determine when this Privacy Policy was last revised by referring to the “Last Updated” legend at the top of this page. Your continued use of the Site or participation in Granite’s offline activities following any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to reference this Privacy Policy often for the latest information about our Personal Information practices.

CONTACT US

If you have any questions or concerns about this Privacy Policy or if you would like to exercise any of your rights outlined above, please contact Lawrence Clarfield, Executive Vice President, General Counsel and Corporate Secretary at: lclarfield@granitereit.com.

APPENDIX A TO PRIVACY POLICY OF GRANITE REAL ESTATE INVESTMENT TRUST

1. PREAMBLE

1.1. The protection of individuals with regard to the processing of personal data is a fundamental right that we take very seriously. Any data processing is carried out in accordance with the relevant data protection laws.

1.2. This privacy policy (this “Privacy Policy”) describes how Granite Real Estate Investment Trust, Granite REIT Inc., Granite REIT Holdings Limited Partnership and their respective affiliates and subsidiaries (collectively, “Granite”, “we”, “us” or “our”) collects, uses and discloses Personal Data. “Personal Data” refers to information about an identifiable individual, as more particularly described under applicable privacy legislation. This Privacy Policy applies to our collection, use and disclosure of Personal Data, both offline and online in connection with your use of the website www.granitereit.com (the “Site”). By accessing the Site, or by participating in Granite’s offline activities, you agree to the terms and conditions of this Privacy Policy.

2. PURPOSE AND LEGAL BASIS OF DATA PROCESSING

2.1. In general we collect and use Personal Data to meet legal, regulatory, insurance, security and processing requirements. We may collect other Personal Data with your consent or as permitted or required by law.

2.2. On our Site https://granitereit.com/, we present our company to keep our investors and other stakeholders informed. The data we collect when you visit our website is used to provide you with appropriate information] and to further improve this Site. The legal basis for these processing operations is our legitimate interest, which is to be able to offer this Site.

2.3. To make it easier for you to contact us, we offer contact forms. The data we collect via this contact form is collected exclusively for the purpose of contacting us. The legal basis for this processing is your consent, which you give by sending the e- mail or the message via the contact form on the Site. In addition, this data may subsequently be processed for the performance of a contract that you conclude with us. In individual cases, it may be that storage of the messages is also required by law or we have a legitimate interest in storing the data (for example, for evidence purposes).

2.4. On this Site, we use Google Maps. This allows us to show you interactive maps directly in the Site and enables you to use the map function comfortably.

2.5. Furthermore, it is possible to subscribe to our Press Release Alerts and Stock Quote Alerts via our Site. The purpose of this service is to provide our visitors with regular news updates. To subscribe to our alerts, you must at least enter your e-mail address in the registration field and confirm that you wish to subscribe to the newsletter. The legal basis for this processing is your consent, which you give by submitting the registration form. Once you have completed the registration, you will receive a confirmation e-mail. You can revoke your consent at any time.

2.6. Google reCAPTCHA stands for "completely automated public Turing test to tell computers and humans apart". We use Google reCAPTCHA to distinguish humans from bots who visit our Site.

3. CATEGORIES OF RECIPIENTS AND RECIPIENTS

3.1. Service Providers. We may use service providers to provide certain services on our behalf such as website hosting, data hosting and processing, analytics, marketing and advertising, communications and other services. Some of these service providers may be located outside of Canada, including in the United States.

3.2. Business Transactions. We may transfer Personal Data as an asset in connection with a prospective or completed merger, acquisition or sale (including transfers made as part of insolvency or bankruptcy proceeding) involving all or part of Granite or as part of a corporate reorganization or other change in corporate control.

3.3. Legal. We and our service providers may disclose Personal Data without consent in response to a search warrant or other legally valid inquiry or order (which may include lawful access by Canadian, US or other foreign governmental authorities, courts or law enforcement agencies) or as otherwise required or permitted by law. We may collect and use Personal Data for other purposes with your consent or as permitted or required by law.

3.4. Granite and its service providers utilize Amazon Web Services (“AWS”) servers located in Canada to host Granite’s website. Granite further employs a security, firewall and caching technology provided by GoDaddy Media Temple, Inc. doing business as Sucuri, a subsidiary of GoDaddy Operating Company, LLC (“GoDaddy”). The items described in section 4.1. below may be processed or stored on the Canadian AWS servers and by GoDaddy/Sucuri when you visit Granite’s website.

3.5. On this Site we use Google Maps, this is a map service of Google LLC, 601 N. 34Th Street Seattle Washington 98103 ("Google").

3.6. We use Constant Contact, Inc, 10 Corporate Drive, Burlington, Massachusetts 01803, USA ("Constant Contact") platform to manage our e-marketing services.

3.7. We use Mailgun, 112 E. Pecan St San Antonio, Texas, 78205 (“Mailgun”) platform to manage our e-marketing services.

3.8. In certain instances, your data may be passed on to third parties, who provide us with legal advice (e.g. legal and tax advisors).

4. WHAT PERSONAL DATA IS PROCESSED

4.1. During the informational use of our Site, i.e. the mere viewing of it without otherwise providing us with information, we process the personal data that your browser transmits to our server. The data described below is technically necessary for us to display our Site to you and to ensure its stability and security and must therefore be processed by us ("technically required data"):

IP address
Date and time of the request
Time zone difference from Greenwich Mean Time (GMT)
Content of the request (page visited)
Access status/HTTP status code
Data volume transferred in each case
Previously visited page
Browser
Operating system
Language and version of the browser software
Type and the settings of the terminal device.

4.2. This data, which we process due to the technical processing operations on our Site, is automatically collected by our server when you visit our Site. If this data is not provided, it may not be possible to access our Site.

4.3. When you contact us by e-mail or via our contact form, your e-mail address and, if provided by you, your name and telephone number will be stored by us in order to answer your questions. If you do not provide this data, we may not be able to contact you. If you choose to sign up for our email alerts, we will collect your name, email address, job title and company name. We use this information to send you the alerts that you have requested. We may also collect and use Personal Data to manage and improve our business and services, including maintaining business records for reasonable periods and conducting research and analysis.

4.4. If you call up a sub-page where Google Maps is integrated, Google receives the information that you have called up on the corresponding sub-page of our Site. In addition, the above-mentioned technically required data such as IP address and timestamp are transmitted. This occurs regardless of whether Google provides a user account through which you are logged in or whether there is no user account. If you are logged into Google, your data will be directly assigned to your account. If you do not want the assignment with your profile at Google, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our Site. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right. For more information on the purpose and scope of data collection and its processing by the plug-in provider, please refer to the provider's privacy policy. There you will also find further information on your rights in this regard and setting options for protecting your privacy: https://policies.google.com/privacy.

4.5. Constant Contact and/or Mailgun receive information directly from you when you interact with our sign up form to our email lists.

4.6. ShareThis collects information about how Internet users browse the Internet and interact with online content and advertisements through our ShareThis Icon, the ShareThis Publisher Applications and user interactions with advertisements on the Internet. Although the Usage Data listed below is not used by ShareThis to directly identify an actual person, it is considered to be personal data in many places. ShareThis collects data when your device visits our Site, uses or interacts with our services. This includes:

The unique IDs of the cookie(s) placed on your web browser (example: 37d387ca-f68a-11e5-b87d-0e58954c72b1) and/or a hashed version of an email address which help us recognize your browser or device over time;
Information about the user’s browser and device;
User agent string;
Webpages viewed (including the URL addresses of such pages and search parameters, which may include search terms and key words) and the previous web pages that referred the user to that webpage;
Time when webpages are viewed;
Search queries from which users are directed to a webpage;
Navigation from page to page;
Time spent on each webpage;
Interactions with the webpage, including items clicked or selected and content highlighted or copied;
Ads viewed or displayed to the user and the user’s interactions with those ads;
Shares of content including what content is shared and where – for example, the relevant social media site (e.g., Twitter, Facebook);
Geographic information such as country, city, state, or postal code;
IP addresses;
Device IDs.

4.7. We also use technology called “cookies”, a tiny element of data that our Site sends to a user’s browser, and similar technologies to help our Site function. We use cookies to remember your preferences and to authenticate you. Cookies may be stored on the user’s hard drive so that we can recognize the user when they return to our Site. Remember your preferences and settings when you navigate through our Site, and for security purposes. You may be able to control cookies using your browser settings. For example, you may be able to set your browser to block or delete cookies, or to notify you before a cookie is set. If you block cookies, you may not be able to use all of the features of our Site.

5. YOUR RIGHTS

5.1. You have the following rights with respect to us regarding the personal data concerning you:

Right to information
Right of access your data,
Right to rectification,
Right to erasure (‘right to be forgotten’)
Right to restriction of processing,
Right to object to processing,
Right to data portability.

5.2. If you reside within the European Union, you also have the right to lodge a complaint with a data protection supervisory authority in your place of residence about the processing of your personal data by our company.

6. STORAGE DURATION

6.1. Upon request, technical required data will be deleted from our server after 12 months.

6.2. Upon request, we delete data that we receive by e-mail or via our contact forms. If data is connected to a contract, we will delete such at the expiry of the applicable time limits. If there are other legal obligations to retain data, we delete data after the storage is no longer required, or restrict the processing. If the lawfulness of the storage is based solely on your consent (and on no other legal basis) we will delete the data immediately, as soon as we receive notice to revoke such consent. If the lawfulness of the storage is based solely on your consent and this consent is revoked, we will delete the data immediately, unless the data processing is based on another legal basis.

6.3. In individual cases, data may be stored for a longer period of time (e.g. for the purpose of providing evidence for legal proceedings). In this case, the data will only be deleted once the purpose of the extended storage period has been achieved.

7. PLACE OF STORAGE, TYPE OF DATA COLLECTION

7.1. Granite and its service providers utilize AWS servers located in Canada to host Granite’s website. Granite further employs a security, firewall and caching technology provided by GoDaddy Media Temple, Inc. doing business as Sucuri, a subsidiary of GoDaddy. The items described in section 4.1. above may be processed or stored on the Canadian AWS servers and by GoDaddy/Sucuri when you visit Granite’s website.

7.2. In addition to technically required data (such as the IP address of your terminal device), only data that you consciously enter is processed. We do not collect any data from persons who have not given any reason for their storage.

8. RETENTION AND SAFEGUARDS

8.1. We have implemented reasonable physical, organizational and technological measures in an effort to protect against unauthorized access, use, modification and disclosure of Personal Data in our custody and control. We limit access to Personal Data to our employees and service providers who require access in connection with their role or function. Each of our employees is responsible for maintaining the confidentiality of all Personal Data to which they have access. We keep our employees informed about our policies and procedures for protecting Personal Data. However, please be aware that no security measures can offer absolute security and therefore it is possible that your Personal Data may be lost, stolen, or accessed without authorization.

8.2. The file containing your Personal Data will be maintained on our servers or those of our service providers and will be accessible by authorized employees, representatives, and agents as necessary for the purposes described in this Privacy Policy. We retain Personal Data for as long as necessary for the purposes for which such information was provided or to otherwise meet legal and business requirements.

9. LINKS TO THIRD PARTY SITES

9.1. This Site may contain links to third party websites and portions of this Site, including but not limited to the Investors section, may be operated by others whose information practices may be different than Granite’s.

9.2. Granite is not responsible for third party sites. Visitors should consult the other sites’ privacy statements as Granite does not have control over information that is submitted to, or collected by, these third parties.

10. UPDATES TO OUR PRIVACY POLICY

10.1. This Privacy Policy may be updated periodically to reflect changes to our Personal Data practices and any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy of our Site. You can determine when this Privacy Policy was last revised by referring to the “Last Updated” legend at the top of this page.

10.2 Your continued use of the Site or participation in Granite’s offline activities following any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to reference this Privacy Policy often for the latest information about our Personal Data practices.