XIMBLE

Data Processing and Security Terms

1.            INTRODUCTION:

Ximble (or “we”) value and respect the privacy of individuals. We have therefore put forth this Data Processing and Security Terms (the “DPST”) to align with applicable data protection legislation (including the European General Data Protection Regulation (Regulation (EU) 2016/679) and the Privacy Act 2001 (Cth)) and any other legislation in force which applies relating to either or both (i) privacy and (ii) the handling of personal data (collectively the “Data Protection Law”).

The DPST aims to clearly outline our policies and procedures for collecting, using, storing and disclosing personal data of individuals. All of the different forms of data, content, and information described in this DPST are collectively referred to as “personal data.”

Ximble’s offering involves providing organizations and individuals with access to and use of the Ximble Service (the “Service”) as defined in the Terms of Service. Users may access the Service through their devices (which includes any computer used to access the Service, such as a desktop, laptop, smartphone, tablet, or other consumer electronic device (each a “Device”)).

This DPST explains what we do with personal data when:

  • an organization and/or individual signs up to the Service and accesses the Service via our website (www.ximble.com), subdomain (*.ximble.com), through applications on devices, through APIs, or through third-parties (together, the “Application Users”);
  • an individual leaves their organization and ceases to access the Service using a business account attached to the organization (“Former Application User”);
  • an individual visits our website and subdomain (the “Website”) while browsing the Internet (together, the “Website Users”); and
  • an individual makes a call to our customer service team or sales team for any purpose (“Phone User“).

If you are an Application User, our primary purpose for using your personal data is to provide the Service to you and your organization. We may use your personal data to allow you access to and use of the Service, and we will do so on your instruction or the instructions of your organization and on their behalf. This makes us a “data processor” for the purposes of the Data Protection Law. However, there may be certain circumstances under which we use your personal data for purposes that are not directly on your behalf, on the behalf of your organization, or in accordance with instructions of your organization, for example where we need to use such data for our own purposes or other purposes. Under these circumstances, we are a “data controller” for the purposes of the Data Protection Law. Please see the Section entitled “How do we use your personal data” for more details.

If you are a Former Application User, we may retain your personal data to maintain a limited version of your business account profile and for our own purposes, for example, where we wish to offer you services which we think you may be interested in. If you are a Website User, we use your information for our own purposes. If you are a Phone User, we may record your call for our own purposes. These activities make us a “data controller” for the purposes of the Data Protection Law. Please see the Section entitled “How do we use your personal data” for more details.

It is important to point out that we may amend this DPST from time to time. Please just visit this page if you want to stay up to date, as we will post any changes here.

2.            WHAT KIND OF PERSONAL DATA DO WE COLLECT?

a.            Application Users:

To provide the Service to you or to your organization, and for other purposes as described in this DPST, we need to use personal data about you. Depending on the relevant circumstances and requirements, we may collect some or all of the personal data listed below to help us with this:

  • Name
  • Phone number
  • Credit card details or other billing information
  • Email address
  • Home and business postal addresses
  • Profile photo
  • Contacts (if we are provided with access to your third party services (for example, your email account))
  • Social networking information (if we are provided with access to your account on social network connection services)
  • Any further personal data contained in any files that you upload, download, or create (“Files”) within the Ximble Application
  • Log data from your Device, its software, and your activity using the Ximble Application including the Device’s Internet Protocol (“IP”) address, browser type, locale preferences, geo-Location Information, identification numbers associated with your Devices, date and time stamps associated with transactions, system configuration information, metadata concerning your Files, and other interactions with the Ximble Application.

b.           Former Application Users:

For the purposes stated in this DPST, we may keep the following personal data of Former Application Users:

  • Email address
  • Profile photo
  • Log data from your Device, its software, and your activity using the Ximble Application including the Device’s Internet Protocol (“IP”) address, browser type, locale preferences, geo-Location Information, identification numbers associated with your Devices, date and time stamps associated with transactions, system configuration information, metadata concerning your Files, and other interactions with the Ximble Application.

c.            Website Users:

We collect personal data from Website Users which we use to help us to improve your experience when using our website and to help us manage the services we provide. This includes log data such as your Device’s Internet Protocol (“IP”) address, browser type, the web page visited before you came to our website, information you search for on our website, location preferences, identification numbers associated with your Devices, your mobile carrier, transaction associated date and time stamps, system configuration information, and other interactions with the Website. If you contact us via the website (including via any chat widget), we will collect any information that you provide to us, for example your name and contact details.

d.           Phone Users:

We collect a limited amount of personal data by recording and subsequently storing certain telephone calls. At the beginning of the call, you will be notified whether the call is being recorded. We record calls primarily to improve the quality of the services we provide and will collect limited categories of personal data including the caller’s name, phone number, and email address.

3.            HOW DO WE COLLECT YOUR PERSONAL DATA?

a.            APPLICATION USERS:

We collect your personal data in three primary ways:

  • Personal data you provide us;
  • Personal data we receive from your organization and other sources; and/or
  • Personal data we automatically collect

I              Personal data you provide us

  • The personal data you provide when you use the Service;
  • The personal data you provide when you contact us; and/or
  • The personal data you provide when you upload, download, or create Files within the Service

II            Personal data we receive from your organization and other sources

  • Where we receive personal data about you from your organization; and/or
  • Where we receive personal data (for example, your email address) through other Application Users, if they have invited you to their Ximble account.

III           Personal data that we collect automatically

  • When you use the Application, we automatically record personal data in the form of log data from your Device, its software, and your activity using the Service.
  • We collect your personal data automatically via cookies, in line with cookie settings in your browser. If you would like to find out more about cookies, including how we use them and what choices are available to you, please see the Section below on “Cookies”.

b.           FORMER APPLICATION USERS:

We will have collected your personal data during the period that you were an Application User in the manner described above.

c.            WEBSITE USERS:

When you visit our Website, we may automatically collect certain personal data in the form of log data, whether or not you use the Service.

We also collect some limited personal data automatically via cookies, in line with cookie settings in your browser. If you would like to find out more about cookies, please see the Section below on “Cookies”.

d.           PHONE USERS:

As described above, we collect some limited personal data by recording and subsequently storing phone calls. You will be notified at the start of the call with us whether the call is being recorded.

4.            HOW DO WE USE YOUR PERSONAL DATA?

a.            APPLICATION USERS:

Our primary purpose for using your personal data is to provide the Service to your organization. When we use your personal data to allow you to access and use the Service, we do so on your instructions or those of your organization and on behalf of your organization. As a result, we are a “data processor” for the purposes of the Data Protection Law.

We may carry out the following activities on this basis:

  • Allowing you to access and use the Service;
  • Providing you with assistance (including technical assistance) in relation to your use of the Service;
  • Personalizing and optimizing your experience of the Service and providing you with software updates; and
  • Ensuring compliance with the terms of our agreement with your organization.

In certain circumstances, we may use your personal data for purposes not on your or your organization’s behalf or in accordance with your organization’s instructions. We are a “data controller” for the purposes of the Data Protection Law in such circumstances. Activities that we may carry out on this basis include:

  • Making announcements to you regarding our products and service offerings (see the Section below on “Marketing”);
  • Providing you service offerings outside of the Service;
  • Ensuring our own compliance under applicable law and regulations;
  • Our own establishing, exercising, or defending legal claims; and
  • Analyzing log data/user statistics with the aim of improving the Service for all Application Users.

If we have a legal basis for doing so, we may use your personal data for these purposes. If you would like more information, please see the Section below entitled “Legal bases for processing your personal data”. In certain circumstances you have the right to object to these uses. For more information on how and when you can object, see the Section below entitled “How can you access, amend or take back the personal data that we hold about you”.

b.           FORMER APPLICATION USERS:

If we retain your personal data for our own purposes once you have left your organization and ceased to use your account, we are a “data controller” for the purposes of the Data Protection Law. Activities that we may carry out on this basis include:

  • Making announcements to you regarding our products and service offerings (see the Section entitled “Marketing” below);
  • Providing you with any service offering outside of the Service directly;
  • Ensuring compliance with our own obligations under applicable law and regulations; and
  • Using your personal data to help us to establish, exercise or defend legal claims.

If we have a legal basis for doing so, we may use your personal data for these purposes. If you would like more information, please see the Section below entitled “Legal bases for processing your personal data”. In certain circumstances you have the right to object to these uses. For more information on how and when you can object, see the Section below entitled “How can you access, amend or take back the personal data that we hold about you”.

I              Website Users:

We may use your personal data to improve your experience of using our website. As an example, we may analyze your recent searches and activity to help us to present information to you that we think you will be interested in. Under the Data Protection Law these uses make us a “data controller.”

II            Phone Users:

We may use your personal data to help us to improve our customer experience, for example by analyzing whether the personal data we collect is suitable for the purpose of verifying the identity of the caller. Under the Data Protection Law such uses make us a “data controller.”

c.            MARKETING

If you are an Application User or a Former Application User, we may use your personal data in order to inform you of, and invite you to, new or existing products and service offerings.

We may need your consent for these activities (in particular, the delivery of direct marketing to you through digital channels). As a result, we may ask for such consent via opt-ins or soft opt-ins as explained in more detail below.

Soft opt-in consent means the type of consent which applies where you have already engaged with us, by signing up to the Service, requesting more information about our service offerings, or another such interaction, and we are marketing service offerings to you that are somewhat similar. Under these situations, we have your consent as given unless or until you explicitly opt-out, which you may at any time with written notice. When required by applicable law, we will obtain your explicit consent for any other types of marketing.

When sending marketing materials to a corporate email address, we will not typically obtain consent. You have the right to opt out of receiving marketing from us and can find out more about how to do so in the Section below entitled “How can you access, amend or take back the personal data that we hold about you?”

If you want to know more about how we obtain consent, please see the Section below entitled “Legal bases for us processing your personal data”. You may withdraw your consent at any time. To do so, follow the instructions in the Section below entitled “How can you access, amend or take back the personal data that we hold about you?”

5.            INFORMATION SHARING & DISCLOSURE

As per applicable laws and other requirements, and when appropriate or necessary, such as when we use your personal data as a data processor on behalf of your organization and under its instruction or as per legal agreement, we may share your personal data in the following ways:

Your Use: We will show you your personal data on your profile page, so you may see it and edit it. Such personal data may also be viewed and/or edited by other persons within your organization depending on their role and/or authority. Any use of blogs, forums, wikis, and similar may result in the personal data that you provide in these areas being read, collected, and used by other Application Users. Any such sharing may remain even after you close or cancel your account.

Service Providers, Business Partners, and third parties: We may work with trusted third party companies and individuals to provide, analyze, and improve the Service. This includes data storage, maintenance services, database management, web analytics, payment processing, and other activities. These third parties may have access to your personal data only for purposes of performing these tasks on our behalf. If such third parties have access to your personal data, they will be under obligations similar to those in this DPST.

Other Service Providers, Business Partners and third parties: We may share your personal data with other parties who require your personal data to provide their services to Ximble. Any of these other parties will not be permitted to use your personal data for any other purpose and will only use your personal data as appropriate under applicable law.

Third-Party Applications: With your consent and at your direction, for example when you access Ximble through a third-party application, we may share your information with such third-party application. You agree and acknowledge that Ximble is not responsible for those parties and how they collect, store, and use your information. You should ensure that such applications are trustworthy and have acceptable privacy policies or DPSTs before allowing this feature to be employed.

Compliance with Laws and Law Enforcement Requests: We may disclose to other parties information stored in your Service and personal data about you that we collect, including your Files, when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation, or compulsory legal request; or (b) to protect Ximble’s intellectual property rights.

Business Transfers: If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction, but we will notify you and/or your organization (for example, via email and/or a prominent notice on our website) of any change in control or use of your personal data or Files, or if either become subject to a different Privacy Policy or DPST.

Non-private or Non-Personal data: We may disclose your non-private, aggregated, or otherwise non-personal data, such as usage statistics of the Service for a variety of purposes.

6.            HOW DO WE SAFEGUARD YOUR PERSONAL DATA?

We are committed to protecting your personal data from falling into the wrong hands and being misused, lost, destroyed, or accessed without authorization. We have in place a range of appropriate technical and organizational measures, including measures to deal with any suspected data breach. If you enter payment details onto our payment pages, we encrypt the transmission of that information using secure socket layer technology (SSL) which is PCI DSS compliant.

All call recordings are encrypted, whether we or a third-party service provider are storing them.

7.            HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

We keep your personal data only as long as we are permitted or required to. For example, we may be required to preserve data because of a request by a tax authority, regulator, or in connection with an anticipated litigation.

When we are no longer permitted to keep your personal data or it is otherwise no longer necessary for us to do so, we will delete such personal data from our systems. Despite any efforts to permanently erase your personal data, some of your personal data may end up staying and existing within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in some form, our employees will not have any access to it or use it again.

8.            HOW CAN YOU ACCESS, AMEND OR TAKE BACK THE PERSONAL DATA THAT WE HOLD ABOUT YOU?

You have various rights in relation to the personal data that we hold about you.

To get in touch about these rights, please contact us or your organization.

If you are an Application User and you wish to make a request in relation to our use of your personal data for the purposes of providing the Service to your organization (and in respect of which we are a data processor), please contact your organization to handle your request first. If you contact us, we may have to refer your request to your organization.

Please contact us and we will handle your request in the following situations: (i) you are an Application User and you wish to make a request in relation to our use of your personal data that is unconnected to your organization, (ii) you are a Former Application User, (iii) you are a Website User.

The Data Protection Law gives you the following rights in relation to your personal data:

  • Right to object: this right enables you to object to us processing your personal data
  • Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example, sharing your information with a third party application), you may withdraw this consent at any time and we will cease to carry out that particular activity that you previously consented to unless we consider that there is an alternative legal basis to justify our continued processing of your personal data for this purpose, in which case we will inform you of this condition.
  • Data Subject Access Requests (DSAR): You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. You may also request a copy of the information we hold about you.
  • Right to erasure: You have the right to request that we “erase” your personal data in certain circumstances. We will try to delete your personal data quickly upon request and if desired make it available to you. Despite any efforts to permanently erase your personal data, some of your personal data may end up staying and existing within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in some form, our employees will not have any access to it or use it again. We keep your personal data only as long as we are permitted or required to. For example, we may be required to preserve data because of a request by a tax authority, regulator, or in connection with an anticipated litigation. If you are an Application User connected with an organization, we shall not delete or edit your personal data without the approval of your organization.
  • Right to restrict processing: You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves an effort disproportionate to what is practicable. We will notify you before lifting any restriction on processing your personal data.
  • Right to rectification: You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you, including by means of providing a supplementary statement. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves effort disproportionate to what is practicable. You may request details of the third parties that we have disclosed any inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain to you our reasoning.
  • Right of data portability: You have the right to request that we transfer your personal data to another third party. To allow you to do so, we will provide you with your personal data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the personal data for you. This right only applies to certain types of personal data.
  • Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

9.            HOW DO WE STORE AND TRANSFER YOUR PERSONAL DATA INTERNATIONALLY?

In order for us to carry out the functions described in this DPST (for more details, please see the Section below entitled “How do we use your personal data?”) your personal data may be processed by us (or our third party service providers) outside of the European Economic Area (EEA) and the relevant territories stated above in the Section entitled “Information Sharing and Disclosure.”

It is our goal that your personal data is stored and transferred in a secure manner. If you are based within the EEA we will only process and/or transfer data outside of the EEA where it is compliant with applicable law and the means of transfer provides adequate safeguards in relation to your personal data, including for example:

  • Through a data transfer agreement with your organization, incorporating the current Standard Contractual Clauses adopted by the European Commission for the transfer of personal data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
  • Through a data transfer agreement with a third party, incorporating the current Standard Contractual Clauses adopted by the European Commission for the transfer of personal data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
  • By transferring your personal data to an entity which has signed up to the EU-U.S. Privacy Shield Framework for the transfer of personal data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or
  • By transferring your personal data to a country where there has been a finding of adequacy by the European Commission in respect of that country’s levels of data protection via its legislation; or
  • Where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests (for example, if we need to transfer your personal data to a benefits provider based outside the EEA); or
  • Where you have consented to the data transfer.

10.         COOKIES

We use “cookies” to collect information and improve our Services. A cookie is a small data file that we transfer to your Device. We may use “persistent cookies” to save your registration ID and login password for future logins to the Service. We may use “session ID cookies” to enable certain features of the Service, to better understand how you interact with the Service, and to monitor aggregate usage and web traffic routing on the Service. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use the Service fully or at all.

Online Tracking: We may use analytic and product platforms to understand usage patterns on our website in order to improve our products. Some web browsers may transmit “do-not-track” signals to websites. Our website may not respond to these “do-not-track” signals.

11.         LEGAL BASES FOR US PROCESSING YOUR PERSONAL DATA

When acting as a data processor on behalf of and under the instructions of your organization, your organization is responsible for ensuring that there is a legal basis for us processing your personal data on their behalf. When acting as a data controller, we need to ensure that there is a legal basis for our controlling and processing your personal data.

These are the ways we are lawfully able to process and control your personal data:

a.            Where processing your personal data is necessary for us to carry out our contractual obligations

  • We process certain of your personal data where necessary for the performance of a contract to which you are a party.
  • If you enter into a contract with us in relation to any service offerings outside of the Service, we may process your personal data or other data in order to perform our obligations under such contract.

b.           Where processing your personal data is within our legitimate interests

  • We can process your personal data where necessary for the purposes of our legitimate interests, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of personal data.
  • We may process your personal data in order to enforce the terms of our website and to analyze log data/user statistics to improve the Service for you and for others.
  • Our data processing activities are not intended to prejudice individuals in any way. However, you may object to us processing your personal data on this basis. We have set out details regarding how you can go about doing this above.

c.            Where you give us your consent to process your personal data

In certain circumstances, we will seek your consent before we undertake certain processing activities with your personal data. In those situations:

  • You have to give us your consent freely, without us putting you under any type of pressure;
  • You have to know what you are consenting to – so we’ll make sure we give you enough information;
  • You will only be asked to consent to one processing activity at a time – we will avoid “bundling” consents together so that you don’t know exactly what you’re agreeing to;
  • You will need to make a positive and affirmative action to give your consent, for example, actively clicking or checking a box in a clear and unambiguous fashion; and
  • We will obtain your consent prior to sharing your personal data with third party applications and carrying out certain marketing activities.

As and when we introduce these particular processing activities, we will provide you with more information so that you can decide whether you want to opt-in.

You have the right to withdraw your consent from the above activities at any time. To do so, follow the instructions in the Section above entitled “How can you access, amend or take back the personal data that we hold about you”.

12.         WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA AND CONTACT INFORMATION

Please contact us at privacy@ximble.com if you are in need of further information about how we handle your personal data, if you have any concerns regarding this DPST, or if you wish to exercise your rights as provided herein or by applicable law. Please be sure to outline your concerns in your message, and we will contact you to address your concerns.