It’s important to mention that Retently acts both as a Processor and Controller depending on the provenience on the data it handles:
- We control and process Clients’ Personal Data;
- We only process data controlled by the Client, such as the list of customers’ contact information Clients may import or upload to Retently.
In order to avoid confusion, the term of “Controller” should only be applied to the Client, unless we specify otherwise: “Retently acting as a data Controller.”
You can learn more about Retently’s responsibilities and obligations as a Processor and/or Controller in our GDPR compliance document, or below in this Policy (see 4. Data Controller and Data Processor).
This Policy also explains what measures we take to ensure Personal Data security and how you can access, edit or permanently delete such data.
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data subject” means the individual to whom Personal Data relates.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
“Third-party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process Personal Data.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2. Data we collect and/or process
2.1. Personal Data we collect and process:
Client Personal Data: When signing up and using the Service we may ask you to provide us with certain Personal Data that might include:
- Email address
- First name and last name
- Company name
- Phone number
- IP address
- Location (country and/or city)
You may decline to share certain Personal Data with us, in which case you will not be able to sign up and use the Service.
2.2. Personal Data we process on behalf of the Client:
Data Controlled by Client: While using the Service, you may upload or import into your account lists containing your customers’ Personal Data. When uploading or importing your customers’ Personal Data to the Service, we may ask you to provide the following information:
- Customer’s email address
- Customer’s first name and last name
- Customer’s company name
- Customer’s location (country and/or city)
The Service has no direct relationship with a Client’s Data Subjects (in this case, customers), and each Client, in their role as Data Controller, is solely responsible for notifying their Data Subjects about the reason behind the collection of their Personal Data and how this information is processed in or through the Service.
2.3. Personal Data from Other Sources.
We may also collect Personal Data using various opt-in forms such as:
- Ebooks download forms
- Newsletter sign up forms
- Meeting and call scheduling forms
While filling out any of the forms listed here, we may ask you to provide your email address, full name, phone number, company name, title or location (country and/or city).
2.4. Non-Identifiable Data (“Log Data”).
We may also collect information that the Client’s browser automatically sends whenever they visit our Service. This is called “Log Data”, and it may include information such as the Client’s operating system, browser type, browser version, the visited pages of the Service, the time and date of the visit, the time spent on those pages and other statistics.
In addition, we may use third-party services (see 7.1. Service Providers) that collect, monitor and analyze this type of information in order to increase our Service’s functionality.
We do not link this automatically-collected data to Personal Data.
3. Cookies and remarketing
4. Data Controller and Data Processor
The Service does not own or control the use of any of the Personal Data imported by the Client, which is controlled by the Client and processed by the Service based on the exact instructions specified in this Policy (see 5. How we use the Personal Data we collect and/or process and 7. How we share Personal Data). Only the Client can access, retrieve and control the use of the data they upload/import. Retently is not aware of what Personal Data is being stored or made available by a Client to the Service and does not directly access such data except as authorized by the Client, or as necessary to provide services to the Client.
Since the Service does not collect or control the use of any Personal Data contained in a Client’s account, and because it does not determine the purposes for which and how such Personal Data is collected or the uses of such Personal Data, the Service is not acting as a Data Controller for Clients’ Data Subjects in terms of the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”)) and does not have the associated responsibilities under the GDPR. The Service should be considered only as the Processor of Personal Data, imported or uploaded by the Client, that is subject to the requirements of the GDPR. Except as specified in this Policy, the Service does not independently decide to transfer or make available Personal Data imported or uploaded by the Client to third parties.
5. How we use the Personal Data we collect and/or process
Retently handles two types of data: Clients’ Personal Data, and the Personal Data that is controlled by Clients and uploaded or imported to the Service. How we use any of the Personal Data we collect and/or process:
5.1. How we use Personal Data as Controller:
As a Controller, we collect and process our Clients’ Personal Data.
- Operations and Improvements: We use the Clients’ Personal Data we collect to analyze how the Service is being used by the Client, and identify trends and preferences of our Clients, which allows us to improve the Service and develop new functionalities.
- Communication: We may use Client Personal Data to contact them with newsletters, marketing or promotional materials, and other information that may be of interest to the Client. The Client may opt out of receiving any, or all, of these communications by following the instructions included in such communications or by contacting us (see section 16. Contact Us) and requesting to opt them out. Please note, however, that during your subscription period you may be unable to opt out of certain service-related communications, such as, but not limited to, security-related notifications, major Service updates, change of ownership announcements.
- Support: We may use Client Personal Data to respond to requests, questions or concerns and send updates about the Service.
5.2. How we use Personal Data as Processor:
As a Processor, we process Personal Data controlled by our Clients.
- Send surveys on behalf of the client: Retently requires access to Personal Data imported or uploaded by the Client in order to identify respondents and send surveys (email or web surveys). Personal Data will also be used to connect respondents’ feedback to a specific data subject and display the response in the Client’s account.
- Allow direct Clients-customer communication: Retently requires access to Personal Data imported or uploaded by the Client to give them the possibility to start and follow-up on email conversations within the Client’s account.
- Troubleshooting: We may require specific Personal Data for troubleshooting only based and for the purposes specified in this Policy.
6. Information Access, Correction, Deletion and Opt-Out
6.1. Access, Correction, and Deletion. The Service gives the Client the possibility to review and edit the Personal Data that was provided to us by signing up for the Service.
The Client can update or correct the Personal Data at any time by accessing the account settings page on the Service. Please note that while any changes the Client makes will be reflected in active user databases instantly or within a reasonable period of time, we may retain all information the Client submits for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.
Although most changes may occur immediately, information may still be stored in a web browser’s cache. We take no responsibility for stored information in the Client’s cache, or in other devices that may store information, and disclaim all liability of such.
Permanently deleting Personal Data is a process that must be handled by our team. We will acknowledge your deletion request within seventy-two (72) hours and handle it promptly, and as required by law. We will retain Clients’ Personal Data for as long as their account is active in order to provide our services, and we may retain a Client’s Personal Data for up to ninety (90) days after they have canceled their subscription to the Service, to make sure that no data generated and obtained via the Service is lost and can be accessed by the Client at subscription renewal, unless requested to delete Personal Data at subscription cancellation. We will retain and use the Client’s Personal Data as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.
The Client may decline to share certain Personal Data with us, in which case we may not be able to provide the functionality of the Service to them.
6.2. Data Processing Opt-Out. We may provide the Client with the opportunity to “opt out” of having the Personal Data used for certain purposes. If the Client decides to opt out, we may not be able to provide the functionality of the Service to the Client.
At any time, the Client may object to the processing of their Personal Data, on legitimate grounds, except if otherwise permitted by applicable law. If the Client believes their right to privacy granted by the applicable data protection laws has been infringed upon, the Client can contact Retently’s Data Protection Officer at email@example.com. The Client also has a right to lodge a complaint with data protection authorities.
7. How we share Personal Data
We do not disclose, share, sell or transfer the Client’s Personal Data except in the following limited circumstances as described in this Policy.
7.1. Service Providers. We work with third-party service providers in order to optimize certain processes in our Service such as communication with users, marketing, payment processing, analytics, troubleshooting, and maintenance.
The third party services we use may have access to process Clients’ Personal Data and Personal Data controlled by Clients in order to provide their services to us. We make sure to limit the information third party services may collect from the Service and provide only what’s necessary for them to operate.
These third party service providers have their own privacy policies addressing how they use such information. To ensure that Clients’ Personal Data is stored and processed securely by third parties, we require every third party service provider to give proof of GDPR compliance, and/or sign a contract to ensure the confidentiality of your information.
Therefore, to be able to use the Service, the Client hereby agrees to grant the third party services we use the same rights to use and process their Personal Data that the Client affords the Service.
The Client also agrees not to hold us liable for the actions of our third party services providers, and that the Client will take legal actions against them directly if they commit any illegal actions or disclose the Client’s Personal Data. Retently can be held liable only for the reasons specified in our Data Processing Agreement.
- Intercom: Our main channel of communication with users. We use it to respond to users’ questions, send automated announcements and customer lifecycle emails.
- Chargebee: We use it to manage subscriptions and billing operations.
- Stripe: We use it for secure payment processing.
- MailChimp: Used for newsletters, digest emails, announcements, and offers.
- Mandrill: Email delivery service provider which we use to send and deliver our users’ email surveys and conversations with their customers.
- Bouncer: We use it to verify email addresses deliverability before sending email surveys.
- Google Analytics: Our main source of insights about our website, web app traffic source, and customer behavior.
- Mouseflow: We use it to analyze users’ usage patterns, customer behavior, and troubleshooting.
- Clearbit: Allows us to automatically identify a user’s campaign name to pre-populate survey templates. We also use Clearbit in user validation.
- Acuity Scheduling & Calendly: Used to schedule calls with customers.
- Trello: Another task management and workflow optimization service Retently team is using.
- Slack: Main team communication service. We have set up channels that automatically notify us of the new users’ messages, therefore some user personal information will be displayed.
- Zapier: We use it to automate specific workflows and scenarios within our service.
7.2. Law enforcement. We may disclose Client’s own and/or controlled Personal Data if required to do so by law, in response to a valid court order, if subject to subpoena or other legal proceedings. We may also disclose Personal Data that we believe, in good faith, is necessary to:
- Take precautions against liability
- Protect ourselves or others from fraudulent, abusive, or unlawful uses or activity
- Investigate and defend ourselves against any third party claims or allegations
- Protect the security or integrity of the Service and any facilities or equipment used to make the Service available
- Protect our property or other legal rights, enforce our contracts, or protect the rights, property, or safety of others.
7.3. Change of ownership. We may sell or transfer the company (including any shares in the company), or any combination of its products, services, assets and/or businesses. Clients’ own and/or controlled Personal Data may be among the items sold or otherwise transferred in these types of transactions. We may also sell, assign or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of the company. The Client will be notified via email and/or a prominent notice on the Service of any change in ownership or usage of Personal Data, as well as any choices the Client may have regarding the Personal Data.
7.4. Testimonials. We may disclose Clients’ Personal Data such as name and company name, along with their testimonial or review about the Service, making them public. We will do so only after receiving a written consent from the Client.
7.5. Reference for prospects. We may share the Client’s Personal Data such as name, company name and email address to prospects that require a reference regarding the Service. We will do so only after receiving a written consent from the Client, and after obtaining a written assurance that the prospect will use their Personal Data only once and for this specific purpose.
The security of Client Personal Data is important to us, and we strive to implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information we store, in order to protect it from unauthorized access, destruction, use, modification, or disclosure.
However, please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Data we have collected from the Client.
Please review our GDPR compliance document for more details on what we do to ensure Personal Data security.
9. Compromise of Personal Data
In the event that Personal Data is compromised as a breach of security, we will notify the Client in up to seventy-two (72) hours after the breach has been detected (unless the data is encrypted or anonymized), in compliance with applicable law.
We will also take any needed measure to mitigate the consequences of the Personal Data Breach.
10. GDPR compliance
Please review our dedicated GDPR compliance page to learn more about our approach to GDPR.
11. Data storage, processing and international transfer
The Client’s Personal Data and the Personal Data they control, which is collected through the Service will be stored, processed or transferred based on their location.
- USA. If the Client is located in the United States, the Personal Data will be stored and processed in the USA. Retently leases dedicated servers in SoftLayer’s data centers in the USA.
- EU. If the Client is located in the European Union, their Personal Data and the Personal Data they control will be stored and processed on our dedicated servers colocated in the Leaseweb data centers in Amsterdam, Netherlands.
- Other countries. The Client’s Personal Data may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from the Client’s jurisdiction.
- Personal Data transfer. Please note that in order to ensure full efficiency of our processes and to be able to provide you our service, your Personal Data, as well as the Personal Data you control, may be shared with third-party services that are located in the USA or another country. We take all required measures to make sure that our third-parties comply with GDPR and can also provide any other certifications to ensure a secure Personal Data transfer and storage.
12. Do Not Track Disclosure
We do not support Do Not Track (“DNT”). Do Not Track is a preference the Clients can set in the web browser to inform websites that they do not want to be tracked.
The Do Not Track option can be enabled or disabled by visiting the Preferences or Settings page of the web browser.
13. Links To Other Sites
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
14. Children’s Privacy
Only persons age 18 or older have permission to access our Service. Our Service does not address anyone under the age of 13 (“Children”).
We do not knowingly collect Personal Data from children under 13. If the Clients as parent or guardian learn that their Children have provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children under age 13 without verification of parental consent, we will take steps to remove that information from our Service.
16. Contact Us
The Client can address any questions or comments about this Policy, Personal Data aspects, use and disclosure practices, or consent choices by email at firstname.lastname@example.org.
For any concerns or complaints about this Policy or Personal Data, the Client should contact our Data Protection Officer by email at email@example.com.