1. OVERVIEW AND SCOPE OF POLICY
3. DEFINITION OF TERMS
“personal data” means any data or information about an identifiable natural individual (as described under the GDPR).
“processing” or “process” means any activity carried out on your data, such as collection, use, disclosure, retention, marketing, security, deletion, correction, etc.
“client” is any company using our Services as a merchant.
“client’s customers” are the customers of our clients, whose data we may have access to.
4. WE ACT AS DATA CONTROLLER AND DATA PROCESSOR
We act as a data controller and data processor under different circumstances. Where we collect registration data, payment method data, and other data about our clients (merchants) in relation to our Services, we will be acting as a “data controller”. However, when we handle our clients’ customer data via their CRM or process data on behalf of clients, we act as a “data processor”. As a data controller, we will decide all processing activities about the data collected. As a data processor, we act on our clients’ instruction on any processing activity.
Chief Technology Officer / Data Protection Officer
5. THE DATA WE COLLECT FROM CLIENTS (YOU)
When you access the Website and use our Services (as a visitor or client), we collect personal data and non-personal data in various ways. Some of this data is submitted by you willingly, while the others are obtained via other methods, which are all categorised and discussed below:
- The data you submit willingly: You may submit certain personal data willingly when you create a client account on the Website; subscribe to our email newsletter; contact us for support, help, and other issues; take part in our surveys, sweepstakes, and promotions; submit your payment method information; invite your co-workers; etc. The personal data you may submit to us willingly – depending on the area of submission – may include, without limitation, your name, company name, company email address, phone number, credit card details, log-in credentials (your username and password), etc.
- The data we collect automatically: We may collect certain personal and non-personal data automatically when you access and take certain actions on our Website. We will collect this data automatically via certain third-party tools, such as Google Analytics, Mixpanel, Hotjar, Zendesk and Intercom, as well as via cookies and other tracking technologies. The data we collect automatically may include (i) your browser information, such as your browser type and IP Address; (ii) details about your transactions, including your current subscription plan and expiry date; (iii) information about how you use the Website, including the features you click, the amount of time spent, how you use your website, and how you navigate around; and (iv) information about crashes and other bug issues.
- The data we collect from other sources: We may also collect data about you from other websites, sources, and apps when you take certain actions. For example, when you sign up or log in to your client account via any social media plugin (such as Google, Slack, and Microsoft), we will obtain the personal data you have on such social media account. Depending on the permission you set, we will collect your name, image, email address, etc. Please note that your activities on the applicable social media platforms are governed by their privacy policies.
- The data about your customers: Where you connect your website payment providers and other apps (such as PayPal, Stripe, HubSpot, Adyen, etc.) to your client account on our Website, we will obtain personal data about your customers, including their name, email address, payment method data, etc.
6. WE COLLECT THE DATA ON THE FOLLOWING LEGAL BASES
Under the GDPR, we are required to collect personal data on one or more of the following legal bases:
- Based on your consent: We will collect certain data because you have consented to provide them (for example, where you willingly subscribe to our newsletters). Where we process your data based on your consent, you have the right to withdraw your consent at any time.
- Where it satisfies our legitimate interest: We are allowed to collect certain data where it satisfies our interest and that of others. For example, where we collect data about how you use the Website, we will use such information to improve our Services, prevent fraud and improve your user experience.
- To comply with our legal obligations: We will collect certain data, such as details about your browser and transactions to enforce our Terms and Conditions and comply with applicable laws (for example, where we are required to maintain records of transactions for certain periods).
- To honour a contract: We will process some of your data in order to perform a contract we have with you. For example, where we are required to provide our Services, we will need access to information about your customers.
7. WE USE THE DATA WE COLLECT FOR THE FOLLOWING PURPOSES
- To provide you with a client account on our Website and give you access to our Services;
- To process your payments for any of our subscription plans;
- To access your CRM and provide our Services as described to you;
- To monitor your violations of our Terms and Conditions or any applicable law and secure our Website;
- To facilitate your movements around the Website and display our Website content;
- To identify you from other clients who use our Services;
- To gather how you use our Website in order to identify how we are doing and how we can improve;
- To market our Services to you via our Services and on other platforms based on your interest;
- To detect crashes and bugs and provide solutions or upgrades where possible;
- To secure our Website and its content or data; and
- To keep records and history of transactions so as to comply with applicable laws.
8. WE WILL ONLY DISCLOSE YOUR DATA UNDER THESE CIRCUMSTANCES
- Disclosure to third-party service providers: We hire service providers who help us with different services, such as payment processing, website analytics, customer support, web hosting and email sending, and we may disclose or share certain data with them to help us with such services. For example, we use different payment processors, such as Stripe, Recurly, and Chargebee, with which we are required to share your payment method data to enable them to process your payments for our Services.
- Disclosure to ad partners and agencies: We work with ad partners and agencies who help us target you with adverts on other websites, apps, and platforms based on your use of our Website. We will share anonymous analytics and other related data with these ad partners and agencies for this purpose.
- Disclosures within the WHEN THEN LTD group of companies: We will share personal data about you within our company, including to employees, directors, subsidiaries and parent company in relation to customer support, business audits, and other internal meetings.
- Disclosure to law enforcement: We may share your data with any law enforcement or government agency in response to an ongoing investigation or legal requests, such as a court order, subpoena or other lawful summonses.
- Disclosure to protect rights: We will disclose personal data if such disclosure will protect our rights or other clients or if it will help us enforce our Terms and Conditions and other agreements. This may be an exchange of data with other companies to prevent fraud.
- Disclosure to other companies during a business transfer: We will disclose personal data to another company if we are involved in any business transfer activity, such as a sale of an asset, a merger, an acquisition, or a consolidation.
10. WE PROTECT YOUR DATA ADEQUATELY
We take it as our mission to protect your data and do it in compliance with set laws. We do not share personal data about you unless such sharing is necessary. We do not share data with third parties for their marketing goals – nor do we use the services of third parties whose data protection practices are not up to standard. We let our payment processors process and store any payment method data you share with us in relation to your payments.
Furthermore, we use SSL/TLS to securely transfer data and any web requests. Also, we encrypt all personal data (and sensitive personal data) in our database using AES256. It gets better – we do not share data with any employee or anybody within the WHEN THEN LTD group unless it’s on a need-to-know basis.
However, even though we care about your privacy and try our best to secure your data from unauthorised third-party access, use or alteration, we cannot guarantee you that your data will always be secure, as there exists no 100% security for any data transmission over the internet. Therefore, we will not be liable for any data breach that is not caused by our negligence. You also have an obligation to keep your log-in credentials private, and you should always notify us if you get a hint someone else – whom you do not permit – has access to your client account.
11. WE MARKET TO YOU VIA THESE MEANS
- Email Newsletter: When you subscribe to our email newsletter upon signing up for an account, you consent to our marketing via email. We will send marketing messages about our products, services and things we think match your interest. Where you have subscribed, you have the right to unsubscribe at any time. You can unsubscribe from our email newsletters by following the unsubscribe instructions provided at the bottom of any email newsletter sent to you by WHEN THEN LTD.
- Personalised (interest-based) Advertising: We may work with ad partners and ad agencies who help us to target you with ads about our products and Services on other websites and apps. Where we target you with our ads on any website or app, you have the right to opt out on such channels. However, opting out does not stop you from seeing ads; it will only stop ads based on your interest. You can learn more about personalised advertising and how to opt out here (if you are located outside the EU or UK, visit here). Some of these ad partners and agencies may also be members of the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA). You may click on these links to learn more and opt out.
- Push Notifications: Where you give us permission to send you notices through your browser push notifications, we will send notices about system and connection issues and marketing. You may deny us permission by going through the settings available on your Google Chrome browser.
12. WE RETAIN YOUR DATA TILL YOU ARE NO MORE A CLIENT
We are required to keep personal data with us for no longer than we need it. When you share personal data with us, we will keep it for as long as you use our Services or otherwise keep a client account with us. Upon your request to exercise your right to delete your data or client account, we will delete your data to the extent permitted by law and if it does not override our interest. For example, where we are required to retain records of transactions for a certain period or where your data is needed in an ongoing investigation or violation, we will not delete such data until it is no longer needed.
13. WE MAY TRANSFER YOUR DATA ACROSS BORDERS
To simplify our compliance with the GDPR, we have provided a Data Processing Agreement (DPA), which governs the relationship between WHEN THEN LTD (as a data processor or subprocessor) and Customer (as defined under the DPA) acting as a data controller.
14. CLIENTS HAVE THE FOLLOWING CHOICES AND RIGHTS
General Rights: Generally, clients have certain choices and rights in relation to how we process their data:
- Withdrawing your consent: You may decide to not provide us with any personal data as required on the Website or via other electronic means. However, if you do not provide us with such data, we may not be able to provide you with the Service such data was requested for. For example, if you do not provide us with access to your customer’s data, we may not be able to provide you with insights.
- Data access and correction: You have the right to request access to and edit, correct or update the personal data you have submitted to us. You may request to exercise this right by going through the settings section of your client account area or directly emailing us using the ‘contact us’ section of the Website or via email@example.com.
- Data deletion requests: You have the right to request the deletion of your data or client account at any time. To request the deletion of your personal data or client account, go through the settings of your client account or directly email us using the ‘contact us’ section on the Website or via firstname.lastname@example.org. Please note that we will only delete certain data to the extent permissible by law or where it does not override our legitimate interest (for example, where we are required by applicable law to retain records of transactions).
Rights under the GDPR: If you are in the EU, UK, or any countries under the GDPR law, you have additional rights, which will only be granted after verifying your location. These rights include:
- The right to request access to the personal data we hold about you, including requesting it in a printable JSON format;
- The right to request that we move your data from our Services to another IT environment without affecting its usability;
- The right to object to or restrict the processing of certain data about you;
- The right to know which third parties we have shared your data with; and
- The right to report us to any data authority in your location if you believe we are processing your data unlawfully.
You may exercise any of the above rights by reaching out to us via email@example.com or using the ‘contact us’ section on the Website.
Rights under the CCPA: Under the California Consumer Privacy Act (CCPA), users from California have the below rights (in addition to the general rights above) in relation to their personal information (as defined under the CCPA):
- Right to know about the personal information WHEN THEN LTD collected, sold or shared about you: This right includes the ability to request that we disclose the categories of personal information we collected, used, sold or disclosed in the past 12 calendar months.
- Right to opt-out of the sale of your information: WHEN THEN LTD is not in the business of buying, selling or renting personal information.
- Right to non-discrimination: WHEN THEN LTD shall not discriminate against you if you opt in to exercise any of the rights above.
To exercise any of the rights above, please reach out to us via our email address at firstname.lastname@example.org.
15. WE DO NOT TARGET PEOPLE UNDER 18 YEARS OF AGE
WHEN THEN LTD does not target people who are under 18 years of age. We do not directly solicit personal data from you if you are below 18 years of age. If you submit personal data to us, you warrant to us that you are 18 years or above and that you are authorised to use our Services.
16. WE DO NOT RESPOND TO DO NOT TRACK SIGNALS
A ‘Do Not Track’ signal is a browser setting that allows website users to send a signal to website owners not to track their online activities. At this moment, WHEN THEN LTD does not respond to Do Not Track signals. Please visit www.allaboutdnt.com to find out more about Do Not Track.
17. WE ARE NOT LIABLE FOR ANY THIRD-PARTY CONTENT
19. YOU MAY CONTACT US