Effective Date: May 30, 2019
We may ask you to provide us, or third parties may provide us, with certain Personal Information that can be used to contact or identify you. Personal Information may include, but is not limited to, your name, postal address, email address, and employer. We collect Personal Information for the purpose of providing the Services, identifying and communicating with you about the Services, responding to your requests/inquiries, servicing your purchase orders, improving our Services, and communicating with you about our Services, discounts, and promotions.
How long we keep information we collect about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.
We retain your account information for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Services. We also retain your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, and to continue to develop and improve our Services. Where we retain information for Service improvement and development, it will be anonymized and used to uncover collective insights about the use of our Services, not to specifically analyze personal characteristics about you.
If the Services are made available to you through an organization (e.g., your employer), we retain your information as long as required by your employer under our agreement with your employer as required by the administrator of your account. If your account is deactivated, your information and conversations you may have had and actions you may have taken on the Services will remain in order to allow your team members to make full use of the Services.
If you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Services. Every marketing email we send will provide you with the option to opt out of receiving future emails.
We collect information about you when you provide it to us and automatically when you use the Services.
We collect information that your browser sends whenever you visit our website or use our Services (“Log Data”). This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Services that you visit, the time and date of your visit, the time spent on those pages and other statistics. In addition, we use third party services such as Google Analytics that collect, monitor and analyze this type of information in order to increase our Services’ functionality. These third-party service providers have their own privacy policies addressing how they use such information. When you access the Services by or through a mobile device, we collect certain information automatically, including the type of mobile device you use, your mobile device’s unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, and your general location information as described further below.
We use and store information about your general location. We use this information to provide features of our Services and to improve and customize our Services.
We do not support Do Not Track (“DNT”). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable Do Not Track by visiting the “Preferences” or “Settings” page of your web browser.
We will enrich your Personal Information with additional Personal Information received from publicly accessible sources. We may also receive your information from services you integrate with Drift, from other users of Drift, or from our partners.
Other users of our Services may provide information about you when they use the Services. For example, we receive your email address from other Service users when they provide it in order to invite you to the Services.
We work with partners who may market, sell, or support our Services. These partners may provide us your Personal Information so that we can contact you. We also may receive your Personal Information from advertising, market research, or data enrichment partners with whom we engage to identify prospective customers.
The Application will only use access to read, write, modify or control Gmail message bodies (including attachments), metadata, headers, and settings to provide a web email client that allows users to compose, send, read, and process emails and will not transfer this Gmail data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition or sale of assets.
The Application will not use this Gmail data for serving advertisements.
The Application will not allow humans to read this data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for the App’s internal operations and even only when the data have been aggregated and anonymized.
Notwithstanding such legal and contractual obligations between us and such service providers, we remain potentially liable for any misuse of your Personal Information. We will only disclose Personal Information when we are required to do so in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
We may use your Personal Information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send, or by emailing firstname.lastname@example.org.
The security of your Personal Information is important to us, and we strive to implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information we store, in order to protect it from unauthorized access, destruction, use, modification, or disclosure. However, please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Information we have collected from you.
Your Personal Information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. If you are located outside the United States and choose to provide Personal Information to us, please note that we transfer Personal Information to the United States and process it there pursuant to our Privacy Shield Certification.
Only persons who are age 18 or older have permission to access our Services. Our Services are not intended to be used by anyone under the age of 13 (“Children”). We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you learn that your Children have provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from a child under age 13 without verification of parental consent, we take steps to remove that information from our servers.
As a last resort and under certain limited and prescribed circumstances and conditions, you have the right to invoke a “last resort” binding arbitration process between you and us to resolve a dispute related to our collection, use or disclosure of your Personal Information.
Accountability for Onward Transfer
If we transfer your Personal Information to another country, we may remain liable and will take appropriate measures to protect your privacy and the Personal Information we transfer.
We’ll take appropriate physical, technical, and organizational measures to protect your Personal Information from loss, misuse, unauthorized access or disclosure, alteration, and destruction.
Data Integrity and Purpose Limitation
We’ll collect only as much Personal Information as we need for specific, identified purposes, and we won’t use it for other purposes without obtaining your consent. We’ll take appropriate steps to make sure the Personal Information in our records is accurate.
Recourse, Enforcement and Liability
This section applies only to Users located in the European Union.
This paragraph pertains only to individuals for whom Drift is a “controller” within the meaning of Regulation (EU) 2016/679 of the German Parliament and of the Council of 27 April 2016 (“GDPR”):
Controller of your Personal Information:
222 Berkeley Street, Suite 600
Boston, MA 02116
Phone: +1 855-266-1567
BusinessBrew Marketing Ltd
7 Sea Haven
Wicklow Town, Wicklow
Attn: Evelyn Wolf
222 Berkeley Street, Suite 600
Boston, MA 02116
Legal Bases for Processing EU Users’ Personal Information
We only process your information when we have the legal basis to do so. That is, we will only process your Personal Information when:
- We need it to provide you the Services;
- You give us consent for a specific purpose; or
- It satisfies Drift’s legitimate interests (which are not overridden by your data protection interests), such as for improving, marketing, and promoting the Services and protecting our legal rights;
- We need to process your data to comply with our legal obligations.
Transfer of EU Users’ Personal Information Outside the EU
We may transfer your Personal Information to Drift-affiliated entities in third parties in the United States or other countries that may not have equivalent privacy and data protection laws to the country in which you reside. When we transfer Personal Information of customers in the European Economic Area or Switzerland to any such country, we make use of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, European Commission-approved standard contractual data protection clauses, binding corporate rules, or other appropriate legal mechanisms to safeguard the transfer. Please refer to the Section “EU-US and Swiss-US Privacy Shield” below.
EU Users’ Rights to Control Personal Information
You have control over your Personal Information. Below are the rights you have and the steps you can take to exercise them. Please note that your rights may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we or your employer are permitted by law or have compelling legitimate interests to keep, and it may take time for us to investigate your request. If you believe that we are not respecting your rights with regard to your Personal Information, you may lodge a complaint with your local supervisory authority.
Right to Access
You have a right to request a copy of the Personal Information that Drift holds. To request this information, please email us at email@example.com.
Right to Rectification
If you believe that any Personal Information that Drift holds is incorrect, you have the right to correct that information. You can change your Drift account information on the “Settings” page, and if you have any further concerns regarding the accuracy of your information, please email us at firstname.lastname@example.org.
Right to Erasure, Restriction, or Objection to Processing
If you believe we do not have the right to process your information or you object to our processing for a particular purpose, or if you want us to erase your Personal Information altogether, please email us at email@example.com.
Right to Withdraw Consent
If you gave us consent to process your Personal Information for a particular purpose, you have the right to withdraw that consent by emailing us at firstname.lastname@example.org. Your withdrawal of consent does not affect the lawfulness of our processing of your Personal Information prior to the withdrawal.
You have the right to obtain the Personal Information that you have directly submitted to Drift in a format you can transfer to another service provider. If you want to exercise this right, please email us at email@example.com.
This Statement applies solely to residents of California or individuals whose information has been collected in California. Drift has adopted and included this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”). Any terms used in this Statement that are defined in the CCPA have the same meaning given therein.
INFORMATION WE COLLECT
In the past twelve (12) months, Drift has collected from individuals, and may have shared or sold (as defined in the CCPA), certain categories of Personal Information (as defined in the CCPA) as follows:
Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
|2||Personal information categories under the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Only name, signature, address, telephone, employment.
|3||Protected classification characteristics under California or federal law.
Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
|6||Internet or other similar network activity.
Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
In website only
Physical location or movements.
Audio, electronic, visual, thermal, olfactory, or similar information.
|9||Professional or employment-related information.
Current or past employment history or performance evaluations.
|10||Education Information under California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99). Includes education records directly related to a student maintained by an educational institution or party acting on its behalf, like grades, transcripts, class lists and student schedules, identification codes, financial information, or disciplinary records.
Conclusions that could be used to create a profile reflecting an individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitude.
Under the CCPA, Personal information does not include:
- Publicly available information from government records;
- Personal Information that has been de-identified or aggregated such that it cannot be used to identify an individual;
- Information excluded from the CCPA’s scope, like: (a) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and (b) personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994. Please note that Drift does not collect any such sensitive personal information.
Drift obtains the categories of personal information listed above from the following categories of sources:
- Directly and indirectly from Drift’s site visitors and activity on the Drift website (www.drift.com). Examples: from site visitors, by interacting with the Drift chat bot and providing information to the chatbot; by cookies from the Drift or Customer website; and by event registration forms or pages
- Directly from Drift’s Customers or their agents. Examples: the information that our clients provide to us related to the services or products that Drift provides them (such as contact or profile or user profile information).
- Directly and Indirectly from third-parties, such as partners or collaborators, that interact with Drift in connection with Drift marketing activities and the services we perform. Examples: leads and sales activities from partners, leads from co-marketing campaigns; event registration; or lead generation.
USE OF PERSONAL INFORMATION
We may use or disclose the personal information we collect for one or more of the following business purposes: (i) to provide you with information, products or services that you request from Drift; (ii) to provide you with email alerts, event registrations and other notices concerning our products or services, events or news; (iii) to seek feedback on the Drift products, services or your experience with Drift, a Drift event, a Drift publication or the Drift website; (iv) to carry out our obligations and enforce our rights arising from any contracts entered into between us, including renewals, professional services, billing, collections or other notices; (v) to improve our website or interactions with you; (vi) for Drift product or service development; (vii) as necessary or appropriate to protect the rights, property or safety of Drift, Drift customers and other third parties; (viii) to respond to law enforcement requests and as required by applicable law, order, or regulation; or (ix) as may be described to you when collecting your personal information or as otherwise set forth in the CCPA. We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without reasonable notice.
SHARING PERSONAL INFORMATION
We may disclose your personal information for a business purpose to the third parties, including service providers (as defined under the CCPA), our affiliates (to the extent applicable), and third parties to whom you or your agents authorize us to disclose your personal information in connection with the Drift products and services we provide you. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to not use it for any purpose except performance of the contract and, if confidential, maintain its confidentiality. In the preceding twelve (12) months, Drift has disclosed the categories of Personal Information for a business purpose as provided in the table above.
Drift does not sell any Personal Information or any other data collected or created by its customers in their use of the Drift platform, services, application or otherwise.
Drift may sell your Personal Information only to the extent that Drift has collected your personal information for its own purposes (not by, in or through the provision of its Services to a Drift Customer). In the preceding twelve (12) months, Drift may have sold, as defined in the CCPA, the following categories of data: Identifiers (#1); Personal information categories under the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (#2); Geolocation data (#7); and Professional or employment-related information (#9).
FOR AVOIDANCE OF DOUBT, DRIFT DOES NOT SELL THE INFORMATION THAT ITS CUSTOMERS OR USERS COLLECT, GENERATE OR STORE THROUGH THEIR USE OF THE DRIFT PLATFORM AND/OR SERVICES. DRIFT DOES NOT USE OR PROCESS SUCH INFORMATION FOR ITS OWN PURPOSES. ANY PROCESSING OR SHARING OF PERSONAL INFORMATION COLLECTED BY OR BELONGING TO CUSTOMER IS FOR THE PURPOSE OF PERFORMING THE SERVICES ONLY. SUCH INFORMATION IS AT ALL TIMES THE PROPERTY OF THE CUSTOMER AND DRIFT DOES NOT SELL IT.
YOUR RIGHTS AND CHOICES
The CCPA provides individuals residing in California or whose Personal Information was collected in California with specific rights regarding their Personal information. The below describes your rights and how you may exercise them.
Access to Specific Information and Data Portability Rights
You have the right to request that Drift disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Once Drift receives and confirms your verifiable information access request, Drift must disclose to you: (i) the categories of Personal Information we collected about you; (ii) the categories of sources for the Personal Information we collected about you; (iii) our business or commercial purpose for collecting or, if applicable, selling that Personal Information; (iv) the categories of third parties with whom we share that Personal Information; (v) the specific data points or pieces of Personal Information we collected about you. If we disclosed for a business purpose or sold your Personal Information, Drift must also provide separate lists that: (x) identify the personal information categories that were sold to each category of recipient in connection with sales of your Personal Information; and (y) identify the personal information categories that were provided to each category of recipient in connection with business purposes disclosures of your Personal Information..
Deletion Request Rights
You have the right to request that Drift delete any of your Personal Information that we collected from you and/or retained. Unless subject to a certain limited exception, once Drift receives and confirms your verifiable data deletion request, we will delete (and direct our service providers to delete) your personal information from our records. Drift will notify you promptly if it determines it must deny your deletion request and will provide reasons why retention of your information is necessary to Drift and permissible under the CCPA in such case.
Do Not Sell Opt-Out Rights
You have the right to opt-out of any sales, as defined by the CCPA, of Personal Information by Drift. You must request that Drift not sell any information you provide to Drift as an individual, either upon the provision of Personal Information to Drift or any time thereafter. Once Drift receives and confirms your request, Drift will refrain from selling your Personal Information.
EXERCISING YOUR RIGHTS
To exercise your access, data portability, and deletion or do not sell opt-out rights described above, you may submit a verifiable consumer request by any of the following means:
|Information Access and Data Deletion: https://preferences.drift.com/privacy|
|Do Not Sell My Personal Information: https://preferences.drift.com/dont_sell|
|By Email: firstname.lastname@example.org||By Phone: 855-266-1567|
You may only make a verifiable consumer request for access or data portability up to two times within a 12-month period. You may make a verifiable do not sell opt-out request at any time. Any such request must: (i) provide sufficient information that allows Drift to reasonably verify that you are the person about whom we collected personal information or an authorized representative thereof; and (ii) describe your request with sufficient detail such that we may understand, evaluate, and respond to it. Drift cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with Drift. Drift will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you in writing of the extension period and the reason for it. Drift will deliver any required or requested responses or other communications in writing to you by email. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. If applicable, the response we provide will also explain any reasons we cannot comply with a request. For data portability requests, Drift will provide your personal information in a format that is readily usable and transferable. Drift does not charge a fee to process or respond to your verifiable consumer request unless such requests become excessive, repetitive, or manifestly unfounded or as otherwise permitted by the CCPA. If we determine that a request warrants charging a fee, we will notify you and provide you with a cost estimate before completing your request.
We will not discriminate against you or any other individual for exercising any of your CCPA rights. Unless and only to the extent permitted by the CCPA, Drift will not (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; or (iv) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.