Effective Date: January 1, 2019. In case of new sign ups or first use of the Site, April 1, 2019.
2. Scope of this policy
If you use our Services or Site
3. How is your data being processed?
3.1. Who processes personal information? (who is the ‘Data controller’)
Personal information is processed by us, an entity incorporated in accordance with the laws of Sweden and with the following contact details:
3.2. What are we processing your data for and why are we processing it? (‘Purposes of data processing’, ‘legal basis of the data processing’ and ‘storage periods’)
We will process your data when we have to perform a contract, and we will be processing your data as long as the contractual relationship with you is in force and during the five years following the end of said relationship.
Subject to obtaining your consent, and as long as you do not withdraw any such consent, we may also process your data for the following purposes:
a) To send you electronic commercial communications (if you subscribe to a newsletter) or to answer the requests you may address us when contacting us;
c) If you opt to sign in by means of a third party social media platform, we may obtain ID confirmation and other information from that third party, as mentioned in each case;
d) We may enrich the data we have about you by obtaining information from a select third party for data enrichment purposes, provided that you have given us prior permission. Enriching data allows us to analyze a deeper subset of data from which we may present personalized content.
When we have to comply with a legal obligation applicable to us from time to time, such as those set forth in tax and anti-money laundering laws and regulations (such as Act no. 58/2003, dated December 17, on Taxes; Act no. 27/2014, dated November 27, on corporate taxes; Act no. 10/2010, dated April 28, for the prevention of money laundering and financing of terrorism; or Organic Act no. 10/1995, dated November 23, on Criminal Code). In any such cases, the data will be processed only during the periods set forth by said laws, being deleted thereafter.
Finally, we may also process your data to protect our legitimate interests, as long as said data is strictly necessary to fulfil the goals set forth below, namely:
a) In addition to any electronic and non-electronic commercial communications sent when we have obtained your consent as mentioned above, we may also send you those kinds of communications when you are our client. In this last case, we will only send you information belonging to us and concerning services and/or products identical or similar to the ones you have contracted with us. In these cases, we have a legitimate interest in processing your contact information to keep you informed about any of our products and services, and this interest prevails over your right to personal data given the non-sensitive nature of the data in question and the fact that the contractual relationship built with our clients results in those clients expecting these kinds of communications; and
b) Once the data we hold has been dissociated so that it cannot be associated with you or any other person, to perform statistical and other analysis on information we collect (technical and metadata) to analyze and measure user behavior and trends and to understand how people use our services, in order to improve and optimize our performance of such services.
3.3. To what extent do we need to have access to your personal data?
We need to process your personal data to perform the legal and contractual obligations mentioned in section 3.2 above. Otherwise, we are not able to provide you with the Services and/or access to the Site. On the other hand, for data processing which depends on your consent or on our legitimate interests, the data processing is not legally required.
3.4. Which companies will have access to your personal information?
We may also share your information with competent courts and authorities, when we are legally required to do so (for instance, to allow such bodies to investigate, prevent, or take action against illegal activities), or we have to take action to protect our rights or any third party rights.
3.5. In which territories may your personal information be processed?
3.6. Your rights
You have the right to withdraw your consent at any time. You also have the right to request access to, and rectification of, or erasure of your personal data, or restriction of processing, or to object to processing, as well as the right to data portability. Please note that if you choose to cancel your data, your account will be deleted and all data in your account will be permanently deleted from our systems. You may lodge a complaint at any time with the Swedish Data Protection Authority (DPA).
We allow you to exercise the above-mentioned rights at any time by contacting our Support Center ([email protected]), or by sending a letter to Rörstrandsgatan 24, 113 40, Stockholm, Sweden.
3.7. Updating your information. Emails and commercial communications.
You can update any information we may have from you by means of the account settings area or by sending us a written communication as described in section 3.6 above. Please remember that it is your duty to keep information updated so we can correctly provide you with the Services, and you undertake to verify the information you have handed us from time to time to make sure that it is accurate.
As explained in section 3.6 above, you are entitled to ask us, now or at any moment, not to send you any kind of emails or commercial communications. To that extent, you can contact us as described in section 3.6 above. Note that this will not prevent the sending of emails or other communications related to the Services, as those communications are necessary to perform the relationship we have with you.
4. How is the data we collect on your behalf being processed?
4.1. In order to provide you with the Services, we may need to process on your behalf third parties’ personal data. This is the case, for instance, when you fill out a form (the forms we made available to you in the Services), in which case the data is collected, stored, and processed on your behalf. For clarification purposes, the subject-matter of the processing is the provision of said Services, and the type of personal data and categories of data subjects depends on the information uploaded into the Service.
4.2. We will only process any personal data we may have access to as a result of the provision of the Services in accordance with the instructions included in the Service Terms and Conditions and any other that you may provide us from time to time in writing. Should we have reasonable grounds to believe that any of your documented instructions infringes European data protection laws, we will inform you punctually, so that you can confirm in writing that instruction. Please note that in case of any such reconfirmation, you shall bear any consequences arising out of that instruction being contrary to law, and you shall defend, indemnify, and hold us harmless of any and all costs (including attorney’s fees), fines, or sanctions, or any damages deriving from our performance of the challenged instruction.
4.3. We will ensure that all employees authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.4. To provide you with the Services, we may need to use some service providers we already rely on, as well as hire new ones in the future. Those companies will only process the data to the extent necessary to render the Services, and we will enter into written agreements with them to make sure that said companies comply with the obligations included in this section 4 and implement all necessary security measures to ensure adequate protection of the data.
In this respect, by entering into the Service Terms and Conditions you accept that we seek the assistance of our supplier’s affiliate TYPEFORM US LLC, having registered address at 370 Brannan Street, San Francisco, CA 94107 (United States of America). Additionally, Typeform will also continue to engage other service providers for carrying out the Services, as those subprocessors are listed here.
In the event that we want to replace any of those service providers with another, or that we need to hire new companies, you will have the right to reasonably oppose such changes or new appointments within the non-extendable term of 15 calendar days. ‘Reasonably oppose’ shall be interpreted as any challenge based on the failure to meet the legal requirements set forth by the European data protection laws by the new entity to be hired. In any event, we reserve the right to terminate the relationship with you should we be unable to hire a subprocessor which is essential or needed for providing the service.
The Company shall enter into written agreements with any subprocessors engaged in the provision of the Services including the safeguards and guarantees required by the General Data Protection Regulation (EU Regulation no. 679/2016, the “GDPR”), particularly in respect of implementing the security measures required in the GDPR. For those subprocessors not part of the Privacy Shield scheme or located in a country considered by European authorities as having the same level of protection as European data protection laws, you agree to comply with the requirements set forth in 4.10 below.
4.5. At your request and expense, we shall assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, if applicable. For the avoidance of doubt, we shall convey to you any request data subjects may address directly to us together with all relevant information, if any, so that you can contact and answer data subjects, but we shall not take care of responding to data subjects.
4.6. We will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. At your request and expense and taking into account the nature of processing and the information available to us, we shall reasonably assist you in compliance with the security obligations set forth by Article 32 of the GDPR.
4.7. We will also provide, at your request and expense and subject to the nature of processing and information available to us, assistance in complying with obligations set forth in Articles 33 to 36 of the GDPR, if applicable.
With respect to data breaches, we will notify you without undue delay once we confirm that a data breach affecting personal data has taken place. We will provide you with sufficient information to allow you to meet any obligations to report or inform competent authorities or data subjects. We will reasonably cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such data breach. For the avoidance of doubt, you shall be responsible for both filing any reports required under applicable law and notifying data subjects, and you shall defend, indemnify and hold us harmless from any and all costs (including attorney’s fees), fines, or sanctions, or any damages that lack of action on your side may cause.
4.8. Upon termination of the Service Terms and Conditions, we shall delete personal data, unless otherwise required by law.
4.9. We will make available to you all information necessary to demonstrate compliance with the obligations laid down in this Section 4 and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you who is not any of our competitors. You accept that you may only conduct up to one (1) audit per year, except if there are reasonable grounds to believe that we are not performing the obligations included in this section 4. Audits shall only be carried out during normal business hours, and you shall bear all costs unless we are found to be in a material breach of this section 4.
4.10. For the provision of the Services or because you want to process data from a given location or hand it to another company, data may be transferred outside the European Economic Area to an entity not part of the Privacy Shield scheme or to a country which has not been declared to offer a level of protection equal to the one provided by European data protection regulations.
In those cases, you shall ensure that said transfer is possible in accordance with European data protection regulations or any other requirements set forth by law without having to sign Standard Contractual Clauses. Should this not be possible—and only to this extent—and with respect to any subprocessors hired by us, you (as ‘data exporter’) and we (as ‘data importer’) hereby agree to enter into the Standard Contractual Clauses in respect of any such transfers of data. You fully agree with the contents of the Standard Contractual Clauses and—given that the contractual relationship set forth in the Service Terms and Conditions cannot exist without international transfers of data—you further warrant and represent that you will not question the execution of Standard Contractual Clauses in the future, their signature being a mere act evidencing agreement to the same as set forth herein.
Cowrite | CCPA Notice – How are we processing your data?
Effective Date: January 1, 2020.
Personal Information Disclosures
When we use the term “personal information” in these CA Disclosures, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
For the purposes of these CA Disclosures, personal information does not include:
• Publicly available information from government records.
• Deidentified, aggregated or anonymized data (not capable of being associated with or linked to you).
• Information relating to our job applicants, employees, contractors and other personnel of Typeform, which is not governed by these CA Disclosures.
• Certain information that we process solely on behalf of our business customers as a “service provider,” which includes information relating to respondents that fill out typeforms sent to them by our customers – please refer to CCPA Notice – Cowrite as a Service Provider section.
• Information excluded from the CCPA’s scope, such as: (i) Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; (ii) Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
Collection and Use of Personal Information
In the last 12 months we have collected the following categories of personal information:
• Identifiers, such as name, address, email address, account information or other similar identifiers. These are collected directly from you, our business partners and affiliates, your browser or device and third parties you direct to share information with us.
• California Customer Records (Cal. Civ. Code § 1798.80(e)), such as financial information. These are collected directly from you, our business partners and affiliates and third parties you direct to share information with us.
• Commercial Information, such as information about products or services purchased or considered and your use of our services. These are collected directly from you, and third parties you direct to share information with us.
• Internet/Network Information, such as log data and analytics data (including your usage and activity on our website). These are collected from your browser or device.
• Geolocation Data, such as your general geographic location based on the log data. These are collected from your browser or device.
• Sensory Information, such as audio recordings (i.e. if you use VideoAsk) of phone calls you have with us or photographs and video footage you choose to provide or we otherwise record as permitted by law. These are collected directly from you.
• Professional/Employment Information, such as current occupation, job title, company/employer, industry and employment history. These are collected directly from you and third parties you direct to share information with us.
• Other Personal Information, such as messages or requests you provide to us directly or through a third-party service, such as social media. These are collected directly from you, our business partners and affiliates, and third parties you direct to share information with us.
• Inferences, including information generated from your use of our websites reflecting your preferences. These are collected from your browser or device, and from information generated or derived from the personal information described above.
The business purpose for the information collected as above is as follows:
(i) To provide you with and manage access to our products and services, audit the transactions in our platform and manage the relationship with our users;
(ii) To communicate with you, including via email, push notification and/or social media;
(iii) To operate, evaluate, secure and improve our business;
(iv) To enhance our products and services;
(v) To recognize you and remember your information when you return to our website and services;
(vi) To develop and carry out marketing campaigns and activities;
(vii) For debugging existing intended functionality;
(viii) For testing, training, research, analysis and product development, including to develop and improve our products and services;
(ix) To detect and protect against security events;
(x) To defend, protect or enforce our rights or applicable terms of service;
(xi) To comply with legal process and our legal obligations; and
(xii) As otherwise provided in our agreements with you.
Disclosure of Personal Information
In the last 12 months, we have not sold personal information about you.
Your California Privacy Rights
As a California resident, you may be able to exercise the following rights in relation to the Personal Information about you that we have collected (subject to certain limitations at law):
The Right to Know
You have the right to request any or all of the following information relating to the personal information we have collected about you or disclosed in the last 12 months, upon verification of your identity:
• The specific pieces of personal information we have collected about you;
• The categories of personal information we have collected about you;
• The categories of sources of the personal information we have collected about you;
• The categories of personal information (if any) that we have disclosed about you to third parties for a business purpose, and the categories of recipients to whom this information was disclosed;
• The categories of personal information we have sold about you (if any), and the categories of third parties to whom this information was sold; and
• The business or commercial purposes for collecting or, if applicable, selling personal information about you.
The Right to Request Deletion
You have the right to request the deletion of personal information that we have collected from you, subject to certain exceptions.
The Right to Opt Out of Personal Information Sales
You have the right to direct us not to sell personal information we have collected about you to third parties now or in the future.
If you are under the age of 16, you have the right to opt in, or to have a parent or guardian opt in on your behalf, to such sales.
The Right to Non-Discrimination
You have the right not to receive discriminatory treatment for exercising any of the rights described above.
However, please note that if the exercise of the rights described above limits our ability to process personal information (such as in the case of a deletion request), we may no longer be able to provide you our products or services or engage with you in the same manner.
How to Exercise Your California Privacy Rights
To Exercise Your Right to Know or Right to Deletion
To exercise your right to know and/or right to deletion, please submit a request by: (i) emailing [email protected] with the subject line “California Rights Request”.
We will need to verify your identity before processing your request. In order to verify your identity, we will generally either require the successful login to your account or the matching of sufficient information you provide us to the information we maintain about you in our systems. Although we try to limit the personal information collected in connection with a request to exercise the right to know and/or the right to deletion to that personal, certain requests may require us to obtain additional personal information from you. In certain circumstances, we may decline a request to exercise the right to know and/or right to deletion, particularly where we are unable to verify your identity.
Updates to These CA Disclosures
We will update these CA Disclosures from time to time. When we make changes to these CA Disclosures, we will change the “Last Updated” date at the beginning of these CA Disclosures. If we make material changes to these CA Disclosures, we will notify you by email to your registered email address, by prominent posting on our online services, or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided in the notification.
If you have any questions or requests in connection with this Notice or other privacy-related matters, please send an email to [email protected].
Cowrite | CCPA Notice – Cowrite as a Service Provider
Effective Date: January 1, 2020.