DataGrail Privacy Policy

Effective Date: 2019-01-20

We recognize that your privacy is very important. This Privacy Policy covers DataGrail’s policies on the collection, use, and disclosure of Personal Data/Personally Identifiable Information (as defined by applicable law and hereinafter collectively referred to as “Personal Data”) each time you access and use the Services available at datagrail.io and/or DataGrail’s related mobile applications (collectively the “Platform”) or anytime you interact with DataGrail.

By accepting DataGrail’s Privacy Policy, you are consenting to the collection, use and storage of the Personal Data pursuant to the disclosures contained within this Privacy Policy. You may withdraw your consent at any time by contacting DataGrail at privacy@datagrail.io.

1. What Personal Data Does DataGrail Collect on the Platform?

Customer Communications

Customers may subscribe to DataGrail’s newsletters or other offers by opting in on the Platform and providing their name, company name and job title (as applicable), and email address. Users can opt out of marketing communications through the unsubscribe link in emails received.

Account Information

In subscribing to its Services, DataGrail requires its Customer to provide account-based information, including Customer name, address, phone number, email and payment processing information. This information is necessary to facilitate account services and subscription and related purchases through the Platform. Account information may also be used to (i) provide information regarding our Services; (ii) communicate material changes to our Terms of Service and Privacy Policy; and/or (iii) help us maintain and improve Services offered.

Log-File Information

Log file information is automatically reported by your browser each time you access a web page. Server logs may include information such as your web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks, domain names, landing pages, pages viewed, and other such information. Log-File data will be used for debugging purposes and to improve our products and services. Log-file data will be encrypted using AES-256 (or equivalent).

Cookies

DataGrail’s site uses cookies to provide users with a better browsing experience – cookies are only collected with your express consent. In addition, by accepting DataGrail’s Privacy Policy upon purchase of the Services, you are consenting to DataGrail’s use of cookies in connection with the Services itself. DataGrail utilizes cookie technology to gather information on Internet use in order to serve you more effectively. Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and transferred to your device. You can set your browser to remove or reject cookies; however some Platform features or Services may not work properly without cookies.

How You Can Control Advertising Cookies

Cookies are also utilized to deliver advertising on our site. Among other uses, they allow us to show more relevant advertising to people who visit the site by showing you ads that are based on your browsing patterns and the way you have interacted with our sites. You can find information about how to opt out of the cookies provided by our advertising partners here:

Google Ads & Google Tag Manager. Google Ads utilizes search engine marketing to serve ads to target audiences. Google Tag Manager tracks Flash cookies and social networking applications. Please see Google’s Data Privacy and Security Policy for more information on their data collection and processing. You can use Ads Settings to manage the Google ads you see and opt out of Ads Personalization. To manage privacy settings for Flash cookies, see Adobe Flash Player Help.

LinkedIn Ads. LinkedIn Ads uses cookies to track the success of LinkedIn advertising. Personal Data is processed in accordance with the LinkedIn Privacy Policy. To opt out of LinkedIn Ads, see manage your LinkedIn Advertising preferences.

Twitter Advertising. Twitter utilizes cookies to provide interest-based advertising. See Twitter Privacy Policy for more information on its data collection and processing policies. Please see Twitter Privacy Controls for more information on how to adjust your privacy settings.

Even if you opt out of cookies/ads personalization, you may still see ads based on factors such as your general location derived from your IP address, your browser type, and your search terms. You can also manage cookies for any online advertising service via the consumer choice tools created under self-regulation programs, such as the US-based aboutads.info choices page or the European Union (“EU”)-based Your Online Choices.

2. Is Personal Data Collected by or Disclosed to Third Parties?

DataGrail does not sell Personal Data collected through your use of the Platform to any third party. Information is collected to facilitate the Services offered or for internal analysis relating to product improvements. Personal Data collected is processed by the following third parties to facilitate provision of the Services on the Platform as follows:

Two-Factor Authentication. DataGrail utilizes two-factor login authentication and authorization services to facilitate secure access to the Services. Two-factor authentication requires a user to input username, password and an additional method of verification, such as email or mobile phone number to authenticate access requests. Users should review Twilio’s Privacy Policy and the Duo Security Privacy Policy for more information on their data collection and use practices.

Newsletters & Marketing Campaigns. DataGrail utilizes SendGrid to create and deliver DataGrail’s newsletters. Submission of data is optional and with a User’s consent. DataGrail shares contact information, such as name and email address, to process that data in accordance with our instructions regarding our marketing campaigns. Users should review SendGrid’s Privacy Policy for more information on their data collection and processing practices.

Social Plug-Ins. Users may optionally follow DataGrail Twitter and LinkedIn. Users should click on the hyperlinks for each site to review the applicable privacy policies for more detail about information collected and processed by these sites.

Notifications. DataGrail utilizes Slack to facilitate customer notifications. Users should review Slack’s Privacy Policy for more information on their data collection and use practices.

Customer Relationships Management. DataGrail utilizes services provided by Salesforce, inc. to manage its customer relationships and the information and data associated with those customers. Account information, including personal information such as customer’s account name, email, phone, mailing address, etc. with Salesforce.com. Data is collected and processed by Salesforce in accordance with the Salesforce.com Privacy Policy.

HubSpot. DataGrail utilizes HubSpot’s marketing software for automated marketing, content strategy and customer outreach. Data is processed by HubSpot in accordance with HubSpot’s Privacy Policy.

Drift. DataGrail utilizes Drift for automated chatbot support and conversational marketing purposes. Drift may collect a User’s name, contract information, IP address and cookies when a User opts to provide such information for customer support purposes. Personal Data is processed in accordance with the Drift GDPR Policy.

Calendly. DataGrail integrates Calendly to provide seamless demo and meeting scheduling. Calendly will only collect Personal Data optionally provided by Users, such as name and email address, for the purpose of scheduling requested meetings. Information is processed by Calendly in accordance with the Calendly Privacy Policy.

Amazon Web Servers. DataGrail hosts customer and services data through Amazon Web Services. Customers should click on the Amazon hyperlink for more information about their data collection and privacy policies.

UserCentrics. DataGrail utilizes UserCentrics for consent management purposes to facilitate compliance with GDPR and other mandatory consent requirements. DataGrail has entered into European Commission approved standard contractual clauses to ensure sufficient protection of Personal Data transferred internationally. Please also see UserCentrics Privacy Policy. Usercentrics collects consent data (consent yes/no, timestamp, data scope, data attributes, controllerID, processorID, consentID) through JavaScript. Users can permanently prevent the execution of JavaScript at any time by making the appropriate settings in your browser, which would also prevent Usercentrics from executing the JavaScript.

Google Analytics. DataGrail utilizes Google Analytics to access anonymised and/or pseudo anonymised data to help us understand how our Services are used. Google Analytics is a web analytics tool that helps us understand how users engage with our Platform, so that we can review and improve our Services. Google Analytics provides a report to us with website trends without identifying the Personal Data of individual users. Platform usage is tracked using Google Analytics in accordance with Google’s Data Privacy and Security Policy. However, if you decide to withdraw your consent to such data collection, you may opt-out by installing Google Analytics Opt-out Browser Add-on.

Payment Processing Information. DataGrail does not itself store debit or credit card information on its servers. DataGrail utilizes a third party payment processor, Stripe, to manage and process payments in order to guarantee the security of your information. Customers should review Stripe’s Privacy Policy for more information on their data collection practices.

Other Potential Third-Party Disclosures. Personal Data may also be disclosed to third parties (1) as required by law, such as to comply with a subpoena, or similar legal process; (2) when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request, or (3) if DataGrail is involved in a merger, acquisition, or sale of all or a portion of its assets.

We will use commercially reasonable efforts to notify users about law enforcement or court ordered requests for Personal Data unless otherwise prohibited by law.

3. How Does DataGrail Comply with the Children’s Online Privacy Protection Act and GDPR Regulations Relating to Children?

Only persons age 18 or older are authorized to create a DataGrail account. We do not knowingly collect Personal Data from anyone under the age of 18. If a parent or guardian becomes aware that his or her child (a) under the age of 16 in applicable EU Member Countries, or (b) under the age of 13 in the U.S. and applicable EU Member Countries, has provided us with Personal Data without their consent, he or she should contact DataGrail at privacy@datagrail.io. We will delete such Personal Data from our files within a commercially reasonable time, but no later than required under the applicable law relating to the child’s country of residence.

4. How Long Does DataGrail Retain Personal Data Collected?

Unless erasure is otherwise requested by a Customer, DataGrail will retain Personal Data as long as it is necessary to provide the Services. When a user’s account is terminated or expires, Personal Data collected through the Platform will be deleted in accordance with applicable law.

5. Applicable EU GDPR Notices

Data Processor

DataGrail is the processor of all Customer Data (as defined in the applicable Terms of Service), including Personal Data input by a Customer, and its Authorized Users, in connection with a Customer’s use of the DataGrail Services.

Data Controller

The Personal Data input by (a) visitors in general, and (b) Customer for purposes of establishing a commercial account with Customer, is controlled by DataGrail, Attention: Privacy Department, DataGrail, 164 Townsend Street Suite 12, San Francisco, CA 94107, U.S.A. You may contact us at any time by emailing us at privacy@datagrail.io.

For applicable EU Users, we will only collect and process Personal Data about you where we have lawful bases. Lawful bases include consent (where you have given consent), contract (where processing is necessary for the performance of a contract with you), and “legitimate interests.” Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time and where we rely on legitimate interests, you have the right to object. If you have any questions about the lawful bases upon which we collect and use your personal data, please contact us at privacy@datagrail.io.

6. How Can I Review, Transfer, Restrict the Use of or Request Erasure of Personal Data?

IF YOU WOULD LIKE TO:

  • Access, review, restrict processing of, or otherwise request erasure of your Personal Data;
  • Obtain the identity of the source of any Personal Data collected;
  • Request correction of any errors contained within your Personal Data;
  • Request DataGrail transfer your Personal Data to another service provider;
  • Object to the manner in which your Personal Data is processed;
  • Lodge a complaint with a supervisory authority; or
  • Withdraw consent to the collection of your Personal Data

PLEASE EMAIL DATAGRAIL AT privacy@datagrail.io. WE WILL RESPOND AS REQUIRED UNDER APPLICABLE LAW.

7. California Privacy Rights

In addition, California law permits California-resident Customers to request and obtain from DataGrail once a year, free of charge, certain information about their Personally Identifiable Information (as defined by California law) disclosed to third parties for direct marketing purposes in the preceding calendar year (if any). If applicable, this information would include a list of the categories of PII that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. All of our Customers, regardless of their U.S. residency or country of domicile shall have the right to request and obtain a copy of such information in accordance with applicable law.

DataGrail shall provide a copy of requested Personal Data in a structured, commonly used and machine-readable format. Customers shall have the right to transmit such Personal Data to another service provider without restriction in accordance with applicable law.

8. What is DataGrail’s Security Policy?

We have implemented reasonable administrative, technical and physical security measures to protect your personal information against unauthorized access, destruction or alteration.

All data is securely encrypted utilizing AES-256-bit encryption. Please review the AWS Cloud Security Policy for more information on AWS’ security practices. DataGrail utilizes only PCI-DSS compliant third party payment processors to ensure the security of your personal information. Users should review Stripe’s Security Policy for more information on their security practices.

9. How Does DataGrail Respond to “Do Not Track” Signals?

“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a web application disable its tracking or cross-Platform user tracking. At present, DataGrail does not respond to or alter its practices when a Do Not Track signal is received.

10. For EU and Swiss Individuals: Privacy Shield Notice for Personal Data Transfers to the United States

DataGrail complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. DataGrail has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, DataGrail is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@datagrail.io. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice or opt-in choice for sensitive data before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@datagrail.io.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

DataGrail’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, DataGrail remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless DataGrail proves that it is not responsible for the event giving rise to the damage.

In compliance with the Privacy Shield Principles, DataGrail commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact DataGrail by email at privacy@datagrail.io or via post at:

DataGrail, Inc.
Attention: Privacy Department
164 Townsend Street, Suite 12
San Francisco, CA 94107
U.S.A.

DataGrail has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

11. How Will I Be Notified of Changes to Your Privacy Policy?

If DataGrail makes material changes to its Privacy Policy, it will notify you by: (i) changing the Effective Date at the top of the Privacy Policy, (ii) sending an email to all active account holders, and (iii) adding a statement to the Platform. Express consent will be obtained for any material changes in DataGrail’s collection and use practices.

12. Additional Questions?

If you have any additional questions about our practices, please contact DataGrail as follows:

By Mail

DataGrail, Inc.
Attention: Privacy Department
164 Townsend Street, Suite 12
San Francisco, CA 94107
U.S.A.

By Email: privacy@datagrail.io.