We take your privacy very seriously. That’s why we adhere to the US-EU Privacy Shield/US-Switzerland Framework Principles:
- Notice – We tell you what information we collect, how we use it, how our users and Customers use it and when and how we share it.
- Choice – We will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a third party (other than our third party processors), or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
- Accountability for Onward Transfers. We take steps to gain assurances from our processors that they will safeguard Personal Data consistent with this policy and take steps to stop disclosure in violation of this policy. In cases of onward transfer to third parties of Personal Data received pursuant to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, ContractSafe is potentially liable.
- Security. We will take reasonable precautions to protect Personal Data in our possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Data Integrity & Purpose Limitation. We will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. We will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current.
- Access. Upon request, we will grant individuals reasonable access to Personal Data that we hold about them, and we will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
WHAT DO WE COLLECT:
The Site uses “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your local storage by a Web page server. Cookies are useful to personalize your online experience.
Most web browsers automatically accept cookies, but if you prefer, you can edit and manage your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to disable and manage your cookies settings. If you disable cookies you may still browse public areas of the Site, but some features and Services may not function.
Personal Data Collected
“Personal Data” means any information relating to an identified or identifiable natural person. We collect Personal Data from users of the Services (“Customers”).
ContractSafe collects personally identifiable information, such as:
- First name
- Last name
- Institutional affiliation
- Email address
- Phone number
- User history
- Location (beacon)
- Time zone
- IP address
- User actions
- Credit card information, collected by our third party processors for billing and invoice purposes
There is also information about your computer hardware and software that is automatically collected by ContractSafe on our website. This information can include your:
- IP address
- Browser type, domain names
- Access times
- Referring Web site addresses
- User actions
This information, which does not identify individual users, is used by us for the operation of the Services, to maintain the quality of the Service, and to provide general statistics regarding use of the Site. We do not link this automatically-collected data to personally identifiable information except as set forth herein.
Data Provided by Customers Into ContractSafe’s Services
Data Collected through the ContractSafe Services via uploading of their contracts (“Content”) may include third party personally identifiable information collected and processed under the direction of our Customers, who are the controllers of that data. We have no ownership of this information of individuals whose personally identifiable information may be processed as part of the use of our Services.
An individual who seeks access to their data, seeks to correct, amend or delete inaccurate data or wishes to opt-out of or remove Personal Data provided by a ContractSafe Customer should direct his/her query to the ContractSafe Customer he/she interacts with directly (the data controller). If a ContractSafe Customer requests that we remove personally identifiable information on their behalf, we will respond to their request within 30 days.
ContractSafe may transfer personal information to other companies that help us provide our Services. Transfers to subsequent third parties are covered by the provisions in this policy regarding notice and choice and the service agreements with our Customers.
Customers who use the Services may submit the personal information of other individuals at their organization to register them as authorized users. It is the Customer’s obligation, as the data controller, to inform its authorized users about the purposes for which information about them is collected and may be used in the Services.
Customers who use the contractsafe.eu and contractsafe.ca services will have their Content stored within the European Union in Ireland. Customers who use contractsafe.com will have their Content stored in the United States.
Log Files – Tracking Data
We and our third-party service providers may collect certain tracking information about your use of our Site and Services. For example, we collect:
- Log information (including your dates/time of access and related data)
HOW DO WE USE YOUR PERSONAL DATA?
Providing the Services
ContractSafe collects and uses your personal information to operate the ContractSafe Site and deliver the services you have requested. ContractSafe may also use your personally identifiable information to inform you of other products or services available from ContractSafe and its affiliates.
ContractSafe, both directly and through its third party processors Intercom and Hubspot, collects the site analytics information detailed below and combines it with your email address and other information you provide using fields or sign-in for the purpose of providing customer service and follow up on the Services. ContractSafe may also access Content solely for the purpose of providing Customer Support.
ContractSafe collects certain information automatically and stores it in our log files. This information includes:
- IP addresses
- Browser type
- Internet service provider (ISP)
- Referring websites (e.g. search engines, Facebook, LinkedIn)
- Exit pages
- Operating system
- Date/time stamp
We use automated devices and applications, such as Google Analytics, to evaluate usage of our Site. We also may use other analytic means to evaluate our Services. We use these tools to help us improve our Services, performance and user experiences.
Google Analytics provides us with reports on website trends without identifying individual visitors.
Passwords and Logins (Unique Identifier)
Passwords and usernames are used for user authentication.
Direct Marketing and Opt-Out
We use User Personal Data to communicate with you regarding the provision of the Services, but also to let you know about additional features and services we provide that may be of interest to you. If you do not wish to receive marketing communications, you may opt out at any time.
You may also sign up for blog updates from our Web site. In both of these cases, we will use your name and email address to send these materials to you. You may choose to stop receiving these communications by following the unsubscribe instructions included in these emails or you can contact us at:
Phone: (310) 349-3193
Mail: 23823 Malibu Road, Suite 50-197, Malibu, CA 90265
Processing your payment
ContractSafe does not store your payment information. Customer subscription level is recorded in our application and passed to Intercom only to verify the account for customer support purposes.
For assisted credit card transactions, used when Customers provide us with their credit card payment, ContractSafe will record the subscription level and provide the subscription level to Stripe, which processes the payment and renewals. ContractSafe does not store credit card information separately from Stripe. Access to Stripe is limited to key ContractSafe personnel; such access is personally identifiable to specific individuals and password protected to maintain control over access and preserve accountability for misuse.
Payments information is collected by our banking service provider, Silicon Valley Bank, in the course of receiving payments made by check/ACH.
Law Enforcement and Internal Operations
Personal Data may be provided where we are required to do so by law, or if we believe in good faith that it is reasonably necessary
- to respond to claims asserted against ContractSafe or to comply with the legal process (for example, discovery requests, subpoenas or warrants);
- to enforce or administer our policies and agreements with users;
- for fraud prevention, risk assessment, investigation, customer support, product development and de-bugging purposes;
- or to protect the rights, property or safety of ContractSafe's users or members of the general public.
In addition, ContractSafe may share data with trusted partners to help us perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to ContractSafe, and they are required to maintain the confidentiality of your information.
The following third party processors collect personal data directly on our behalf.
We use Cloudmailin to collect your Content and transmit it to be analyzed and stored by us as part of the Services. Cloudmailin does not store your Content. Processing takes place in the United States and the European Union. We have executed a data processing addendum with EU Standard Contractual Clauses with Cloudmailin.
Stripe. We utilize Stripe as a payment gateway for payments. Data Processing takes place in the United States and Stripe is self-certified under the EU-U.S. and Swiss-US Privacy Shield. Users should review Stripe’s security policy before initiating transactions on the Site.
SECURITY OF YOUR PERSONAL INFORMATION
How is my data protected?
ContractSafe secures your personal information from unauthorized access, use or disclosure. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once we receive it. When sensitive information (such as log-in credentials) is submitted, it is protected through the use of encryption.
Reasonable administrative, technical, and physical security measures taken include, but are not limited to:
- SOC2 Type I certification
- Restricting access to Personal Data protected by passwords, which are restricted and revoked when staff departs
- Restricting access to Personal Data to key ContractSafe staff on a need to know basis
- Regular staff privacy and security training
- Requiring key contractors to sign non-disclosure agreements (NDAs)
- Continuous intrusion detection
- Daily vulnerability scans
- Regular penetration testing
- Regular backups at offsite location
- Web application firewall
- All data and passwords are encrypted
- Data is only available via SSL
- Data centers that are certified for ISO 27001, FedRAMP, DoD CSM
- Malware detection
For more information on how we protect information, please go to our security statement.
No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee the security of any information we store, process, or transmit.
Right to Review or Change Your Data
If your personal information changes, you may correct, update, amend, remove, or ask to have it removed by making the change on your user account settings page or by contacting us by phone or email at the contact information available on our Web site.
We will retain your information for as long as your account is active, as needed to provide you the Services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
If you are located in the European Economic Area (EEA) and you would like to review or change Personal Data that is not available through your profile, please contact us at:
Right to Withdraw Consent
You have the right to withdraw consent where such consent is required to share or use data and you may request that we delete your Personal Data.
If you receive communications from us and no longer wish to receive them, please follow the removal instructions in the email or change your account settings.
Right to Remove
You can delete your Personal Data by logging into your account and deleting your account. However, since your Personal Data is required for us to provide the Services to you, deleting it will also terminate your access to the Services. Deleting your Personal Data does not mean that all of it will be removed. We take steps to delete Personal Data and Content that is no longer necessary to provide the Services by deleting it within 12 months of you terminating your account.
If you are located in the EEA and wish to make a request for removal (Right to Be Forgotten), you may contact us at:
If we are legally required to comply with such a request, we will confirm your identity and delete your personal data in such time frame as required by law.
We may be required by law, by the need to exercise or defend legal claims, or by contractual obligations with our customers to retain some information in connection with our obligation to provide the Services. We may de-identify and anonymize some data for purposes of retaining it.
If you are located in the EEA and you would like us to transmit your Personal Data to another company providing similar services, we will work with them to do so upon request and verification of such request with both the requestor and the company receiving the Personal Data.
Right to Redress
If you are located in the European Economic Area (EEA) and you believe we have violated any data protection laws, please contact us immediately at firstname.lastname@example.org. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this policy within forty-five (45) days of receiving a complaint. For complaints that cannot be resolved between us and the complainant, we have agreed to participate in the dispute resolution procedures pursuant to the Privacy Shield Principles, which includes dispute resolution through means such as FTC enforcement, alternative dispute resolution process and binding arbitration.
We have further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to JAMS, Inc., a non-profit alternative dispute resolution provider located in the United States. Click on the link to file an EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield Claim with JAMS.
Please be advised that individuals may have the option to seek binding arbitration to resolve disputes regarding our privacy and data protection practices. An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) raise the claimed violation directly with the organization and afford the organization an opportunity to resolve the issue within the timeframe set forth in Section III.11(d)(i) of the Principles; (2) make use of the independent recourse mechanism under the Principles, which is at no cost to the individual; and (3) raise the issue through their Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce, at no cost to the individual.
We are subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”). Should an individual be unable to resolve a complaint with us, they may contact the FTC at the following address:
Federal Trade Commission
Attn: Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
European Economic Area subjects may also have the right to file complaints with the Data Protection Authorities located in the jurisdiction they are located in.
Transnational Transfer of Data
If you are using the contractsafe.eu service, your Content will be stored in Ireland but may be processed in the United States. If you are providing your Personal Data to us directly to use our Services, we will transmit your data, including your Personal Data, to the United States in order to fulfill our contractual obligations to you.
US-EU Privacy Shield Certification Information
The United States Department of Commerce has worked with the European Commission to develop the EU-U.S. Privacy Shield Framework and Swiss-US Privacy Shield Framework (“Privacy Shield”) to allow U.S. companies to meet the European Union (“EU”) law requirements that Personal Data transferred from the EU to the United States be adequately protected. Consistent with our pledge to protect personal privacy, we adhere to the Privacy Shield Principles. If there is any conflict between the policies in this Personal Data Protection Policy (this "Policy") and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Principles, and to view our certification page, please visit https://www.privacyshield.gov.
This Policy applies to all Personal Data received by us in the United States from the EU, Switzerland and/or other applicable countries, recorded in any form (including electronic, paper or verbal).
The following definitions shall apply throughout this Policy:
- "Agent" means any third party that uses Personal Data provided to us to perform tasks on behalf of and under the instructions of us.
- "Personal Data" means information or a set of information that identifies or could be used by or on behalf of us to identify an individual. Personal Data does not include information that is encoded, anonymous, aggregated or publicly available information that has not been combined with non-public Personal Data.
- "Sensitive Personal Data" means Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership or information that specifies the health or sex life of the individual. In addition, we will treat any information as Sensitive Personal Data which is received from a third party where that third party treats and identifies the information as sensitive.
The privacy principles in this Policy are based on the Privacy Shield Principles and the EU General Data Protection Directive 95/46/EC, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
When we collect Personal Data directly from individuals in the EU, Switzerland and/or other applicable countries, we will inform them about the purposes for which we collect and use their Personal Data, the types of third parties (other than Agents), if any, to which we disclose that information, and the choices and means, if any, that we offer individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to us, or as soon as practicable thereafter, and in any event before we use the information for a purpose other than that for which it was originally collected. If we receive Personal Data from our affiliates or other entities in the EU, Switzerland and other countries with which we do business, we will use such information in accordance with the notices such entities provided and the choices made by the individuals to whom such Personal Data relates.
We will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a third party (other than an Agent), or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
For Sensitive Personal Data, we will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to (a) the disclosure of the information to a third party, or (b) the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. We will provide individuals with reasonable methods to exercise their choices. We may disclose personal information to third parties in the following instances:
Website Consultants and Service Providers. We may disclose personal information to third party consultants and service providers (such as providers of hosting services, support, maintenance and remedial and repair services) to the extent that they require access to our databases, or the information contained in our databases, to service us and our customers under the conditions set out in the Privacy Shield Principles.
Enforcement of Rights / Security. We reserve the right to release personal information (i) when we are under legal compulsion to do so (e.g. we have received a subpoena) or we otherwise believe that the law requires us to do so, (ii) when we believe it is necessary to protect and/or enforce the rights, property interests, or safety of us, our customers or others, or (iii) as we deem necessary to resolve disputes, troubleshoot problems, prevent fraud and/or enforce the Privacy Shield Principles.
Reorganization or Sale. In the event that our company is merged with or becomes part of another organization, or in the event that our company is sold or it sells all or substantially all of its assets or is otherwise reorganized, the information you provide may be one of the transferred assets to the acquiring or reorganized entity.
As Otherwise Allowed by Law. We may transfer personal information to third parties where we are expressly authorized by applicable law and the Privacy Shield Principles to do so. We also may be required to disclose an individual's personal information in response to a lawful request by public authorities, including meeting national security or law enforcement requirements.
- Accountability For Onward Transfers
We will obtain assurances from our Agents that they will safeguard Personal Data consistently with this Policy. If we have knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Policy, we will take reasonable steps to prevent or stop the use or disclosure. In cases of onward transfer to third parties of Personal Data received pursuant to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, ContractSafe LLC is potentially liable.
We will take reasonable precautions to protect Personal Data in our possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Data Integrity & Purpose Limitation
We will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. We will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current.
Upon request, we will grant individuals reasonable access to Personal Data that we hold about them, and we will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
- Recourse, Enforcement And Liability
We will conduct compliance audits of our relevant privacy practices to verify adherence to this Policy. Any employee that we determine is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.
YOUR CALIFORNIA PRIVACY RIGHTS
California residents who have an established business relationship with ContractSafe may make a written request to ContractSafe about whether ContractSafe has disclosed any Personal Information to any third-parties for the third-parties' direct marketing purposes during the prior calendar year. To make such a request, please send an email, call or write us:
Phone: (310) 349-3193
Mail: 23823 Malibu Road, Suite 50-197, Malibu, CA 90265
THIRD PARTY LINKS
Our Site includes links to other Web sites whose privacy practices may differ from ContractSafe’s practices. If you submit personal information to any of those sites, your information is governed by their privacy policies. ContractSafe is not responsible for the privacy statements or other content on Web sites outside of the ContractSafe web site.
This policy may be amended from time to time, consistent with applicable data protection and privacy laws and principles including, but not limited to, the requirements of the EU General Data Protection Directive and/or Privacy Shield Principles. We will notify you of changes to this policy either through email, posting on our website, via our Services, or other means. We will notify Customers if we make changes that materially affect the way we handle Personal Data that we previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.
If you believe that ContractSafe has not adhered to this Statement or have questions, please contact us at:
Phone: (310) 349-3193
Mail: 23823 Malibu Road, Suite 50-197, Malibu, CA 90265
February 18, 2019