Privacy Policy

Last Updated: April 19, 2019

This Privacy Policy describes how Hyperproof, Inc. (“Hyperproof,” “we,” “us,” or “our”) collects, uses and shares information about you. This Privacy Policy applies to www.hyperproof.io and other Hyperproof websites (collectively, the “Sites”), the Hyperproof compliance platform and related services (the “Service(s)”), and other interactions (e.g. customer service inquiries, user events, etc.) you may have with Hyperproof.

What information we collect about you

Information You Provide to Us

We collect information about you when you input it into the Services or otherwise provide it directly to us.

  • At Account Creation. At a minimum, an email address is required to provision a new Hyperproof account (paid or trial). We ask for and may collect other information at account creation including contact information (first name, last name, phone number), and employment details (company name, job title).
  • When Enhancing Your Profile. In addition to the account-related information described above, other information can be added from within the Services to enhance your profile. You may choose to add a profile photo or address to your Hyperproof account or update the Hyperproof org with company information (phone number, address).
  • When Purchasing Services. If you purchase a paid subscription, you may need to provide us with billing and payment details including full name, company name, credit card or banking information, and billing/shipping address.
  • When Attending Events. We may collect or otherwise receive personal data such as your name, address, phone number, email, job title, or company name when you register for or attend an event where Hyperproof is a sponsor or participant.
  • In Online Submissions. We collect information through interactive features of our Sites – e.g., when you submit online forms; participate in surveys, contests, or promotions; join online chat discussions; request customer support; or respond to “Contact Us” invitations. Personal data gathered may include contact information (full name, phone number, email), employment details (company name/size, job title), information about your use of Hyperproof, and any other information you choose to share.
  • Through our Support Channels. When you submit a support request through our systems, we will collect company and contact data, and record activity related to your request. Information submitted as part of support tickets is processed by us in order to provide help to you in using the Service, to contact you about your request(s), and to improve our products and services.
  • Through our Services.
    • Customer Data. The Hyperproof Service allows users to connect to third-party applications, to periodically or on-demand pull data from those applications into Hyperproof’s servers, and to pass data from the Hyperproof Service onward to other third-party applications. These transfers are done only under the direction of, and under the sole control of, Hyperproof users. By using the Service, you warrant that Hyperproof has your permission to perform any such transfers on your behalf, notwithstanding that these may contain personal data, and may cross international borders. Hyperproof does not control the privacy practices of applications to or from which you may transfer data, and you warrant that when transferring Customer Data, you are accepting the privacy terms to which those applications subscribe. Customer Data is protected from interception or alteration using commercially feasible methods, and Hyperproof will not examine or distribute any Customer Data except as provided in our Terms of Service, or as required by law.
    • Connection Data. If you access our Site or Service through a third-party connection or log-in or connect an application to Hyperproof, that third-party you connected with may pass certain information about your use of its service to Hyperproof. This information could include, but is not limited to, the User ID associated with your account, an access token necessary to access that service, any information that you have permitted the third-party to share with us, and any information you have made public in connection with that third-party service. Connection Data is processed in order to provide application connectivity, which is part of the Service.

Information we receive from other sources

We receive information about you from other Service users, from third-party services, and from our business and channel partners.

  • From Your Employer. If you use the Services through an account provisioned by your employer, your employer may provide Hyperproof with your email address in order to provision your account. Your employer may choose to share additional information about you including your contact information (full name, phone number) and employment details (job title).
  • From Other Users. Other users of our Services may provide information about you when they submit content through the Services. For example, you may be mentioned in a support ticket opened by someone else. We also receive your email address from other Service users when they provide it in order to invite you to the Services. Similarly, an administrator may provide your contact information if they designate you as the billing admin or org administrator on your company’s Hyperproof account.
  • From Third Parties.
    • When Purchasing Services. A third-party intermediary is used to manage credit card processing. It is not permitted to store, retain, or use your billing information for any purpose except for credit card processing on our behalf.
    • Third-Party Sources. Subject to applicable laws, we may gather information about you from Hyperproof’s global resale and referral partners, as well as public information – including Internet searches relating to you or your company – in order to better service your account and to provide more relevant assistance and marketing.

Information We Collect Automatically

We collect information about you when you use our Services, including browsing our websites and taking certain actions within the Services.

  • Your Use of the Services. We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use; the links you click on; the type, size and filenames of attachments you upload to the Services; frequently used search terms; and how you interact with others on the Services. We also collect information about the teams and people you work with and how you work with them, like who you collaborate with and communicate with most frequently.
  • Device and Connection Information. We collect information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you install, access, update, or use our Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services.
  • Cookies and Other Tracking Technologies. Hyperproof and our third-party partners, such as our advertising and analytics partners, use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. For more information about how we use these technologies, please see our Cookie Policy.

How we use information we collect

How we use the information we collect depends in part on which Services you use, how you use them, and any preferences you have communicated to us. Below are the specific purposes for which we use the information we collect about you.

  • To Provide the Services. To provide and operate our Services, fulfill your orders and requests, authenticate you when you log in, process your payments, for bug and error reporting and resolution, to perform upgrades and maintenance, to operate and maintain the Services, and for similar purposes.
  • To Personalize Your Experience. We may tailor content we send or display to you in order to offer location customization and personalized help and instructions, and to otherwise personalize your experience using the Services.
  • Analytics and Improvement. We are always looking for ways to make our Services smarter, faster, more secure, better integrated, and of greater use to you. We use collective learnings about how people use our Services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and areas for improvement of the Services. We also use this information to better understand how users access and use the Services and for other research and analytical purposes, such as to evaluate and improve the Services and to develop additional products, services, and features.
  • To Communicate with You About the Services. We use your contact information to send transactional communications via email and within the Services, including confirming your purchases, reminding you of subscription expirations, responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts, and administrative messages. These communications are part of the Services and in most cases you cannot opt out of them. If an opt out is available, you will find that option within the communication itself or by contacting support@hyperproof.io.
  • To Market, Promote and Drive Engagement with the Services. We may use your contact information and information about how you use the Services for direct marketing and promotional purposes. For example, we may use contact information such as your email address to send promotional communications that may be of specific interest to you, including by email and by displaying Hyperproof ads on other companies’ websites and applications, as well as on platforms like Facebook and Google. These communications are aimed at driving engagement and maximizing what you get out of the Services, including information about new features and product offerings, special offers or promotions, events, newsletters, or to otherwise contact you about Hyperproof products. You may opt out of receiving marketing emails by following the opt-out instructions in the email or emailing privacy@hyperproof.io. We may still email customer service and transaction-related communications, even if you have opted out of receiving marketing communications.
  • Customer Support. To communicate with you about your use of the Services, respond to your communications, complaints and inquiries, provide technical support, and for other customer service and support purposes.
  • To Protect our Legitimate Business Interests and Legal Rights. Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
  • To Prevent Misuse. To protect the Services; prevent unauthorized access and other misuse; and where we believe necessary to investigate, prevent, or take action regarding suspicious or fraudulent activity, situations involving potential threats to the safety of any person, or violations of our Terms of Service or this Privacy Policy.
  • With Your Consent. Where you have given us consent to do so, we may use information about you for a specific purpose not listed above. For example, we may publish testimonials or feature customer stories to promote the Services, with your permission.
  • General Business Operations. Where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.

Legal Bases for Processing (for EEA Users)

If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your information only where:

  • We need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
  • You give us consent to do so for a specific purpose; or
  • We need to process your data to comply with a legal obligation.

If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third-party (e.g. your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.

How we share information we collect

We make collaboration tools, and we want them to work well for you. This means sharing information through the Services and with certain third parties. We may share information we collect about you in the ways discussed below, including in connection with possible business transfers, but we are not in the business of selling information about you to advertisers or other third parties.

Sharing with Corporate Users

  • Content and Usage. Hyperproof is a data processor with respect to Customer Data and certain other user information we collect in providing the Services to our customers. This means: (a) the customer controls the information and determines how it may be used, and (b) we will process this information only under the written instructions of our customer or where otherwise required by applicable laws. So, if you use the Services under a corporate account, Customer Data and other information associated with your account (e.g., who has accessed, shared, amended, created, edited, or deleted Customer Data) may be disclosed to the corporate customer or an administrator for the corporate customer’s account.
  • Account Discovery. If the email address which you used to register with us belongs to a corporate entity (with the exception of known ISP email providers such as Gmail), we may disclose your email address and account information to (a) users associated with that entity if you are a plan administrator in order to help those users contact you, and (b) the entity and its Hyperproof plan administrators in order to help them understand who in the organization is using Hyperproof.

Sharing with Other Service Users

When you use the Services, we share certain information about you with other Service users.

  • For Collaboration. Customer Data you choose to share with, or make available to, other users is shared as designated by you, and you should consider that it may be further shared by your collaborators; we are not responsible for, nor does this Privacy Policy apply to, the collection, use, processing, or sharing of Content by other users in this manner. Examples of Content we may collect and store on your behalf include: evidence for individual controls, conversations, and activity feeds.
  • Managed Accounts and Administrators. Some of the features and functionality of the Services involve disclosure of your personal data to other users of the Services; for example, your name, email address, and job title may be displayed when a user views members of an organization.
  • Community Forums. Our Sites may include interactive features, including forums, online communities, bulletin boards and publicly accessible blogs. You should be aware that any information that you provide on these Sites might be read, collected, and used by any member of the public who accesses these Sites. Your posts and certain profile information may remain even after you terminate your account so we urge you to consider the sensitivity of any information you input into these Services. To request removal of your information from publicly accessible Sites operated by us, please contact us as provided below. In some cases, we may not be able to remove your information, in which case we will let you know if we are unable to and why.

Sharing with Third Parties

We share information with third parties that help us operate, provide, improve, integrate, customize, support and market our Services.

  • Service Providers. We may share information about you with third-party vendors, consultants and other service providers (data processors) who are working on our behalf or providing services to us. We obtain appropriate contractual protections to limit these service providers’ use and disclosure of any information about you that we share with them. If a service provider needs to access information about you to perform services on our behalf, they do so under close instruction from us, including policies and procedures designed to protect your information.
  • Infrastructure Processors. We use certain third parties for some of the infrastructure used to host data that is submitted to the Hyperproof platform, including cloud providers.
  • Service Processors. We use third-party service providers to process your personal data to assist us in business and technical operations. Hyperproof has data processing agreements with such service providers, and their use of and access to personal data is limited to specific purposes. They provide services relating to: billing, customer support, marketing (direct mail, email, lead generation), and user experience.
  • Subcontractors, Independent Contractors. We may employ the assistance of independent contractors to work on specific projects. We train these independent contractors on applicable Hyperproof policies and they are required to adhere to substantially the same data security practices as are Hyperproof employees.
  • Hyperproof Partners. We work with third parties who provide consulting, sales, and technical services to deliver and implement customer solutions around the Services. We may share your information with these third parties in connection with their services, such as to assist with billing and collections, to provide localized support, and to provide customizations. If you purchase access to the Services through a reseller (regardless of location), we may share certain information about your account and feature usage with the reseller (or their affiliate) in furtherance of their relationship with you. If you use a third-party to facilitate your payment obligations, we may share certain account-usage and billing-related information about your account with such third-party for billing and business administration purposes. Resellers and payment processors are independent data controllers of your personal data.
  • Links to Third-Party Sites. The Services may include links that direct you to other websites or services whose privacy practices may differ from ours. If you submit information to any of those third-party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.
  • With Your Consent. We share information about you with third parties when you give us consent to do so. For example, we often display personal testimonials of satisfied customers on our public websites. With your consent, we may post your name alongside the testimonial.
  • Compliance with Enforcement Requests and Applicable Laws. In exceptional circumstances, we may share information about you with a third-party if we believe that sharing is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements.
  • Enforcement of Our Rights. We may disclose information about you to a third-party to enforce our agreements, policies and terms of service, to protect the security or integrity of our products and services, and to protect Hyperproof, our customers or the public from harm or illegal activities.
  • Business Transactions. If Hyperproof is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred to the acquiring entity as part of the transaction. You will be notified via email and/or a prominent notice on the Services if a transaction takes place, as well as any choices you may have regarding your information.

How we store and secure information we collect

Information Storage and Security

We use data hosting service providers in the United States to host the information we collect, and we use technical measures to secure your data. While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.

How Long We Keep Information

How long we keep information we collect about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.

  • Account Information. We retain your account information for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Services. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services. Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Services, not to specifically analyze personal characteristics about you.
  • Information You Share on the Services. If your account is deactivated or disabled, some of your information and the content you have provided will remain in order to allow your team members or other users to make full use of the Services. For example, we continue to display conversations regarding individual controls to other team members that were granted access to those conversations.
  • Managed Accounts. If the Services are made available to you through an organization (e.g., your employer), we retain your information as long as required by the administrator of your account. For more information, see “Managed Accounts and Administrators” above.
  • Marketing Information. If you have elected to receive marketing emails from us, we retain information about your marketing preferences. If you have chosen to opt out of marketing communications, or when we have no ongoing legitimate business need to process your Personal Information, we securely delete the information or anonymise it or, if this is not possible, then we will securely store your Personal Information and isolate it from any further processing until deletion is possible. We will delete this information from the servers at an earlier date if you so request, as described in “How to Access and Control Your Information” below. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.

How to Access and Control Your Information

You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations.

  • Deactivate Your Account. If you no longer wish to use our Services, you or your administrator may be able to deactivate your Services account. If you can deactivate your own account, that setting is available to you in your account settings. Otherwise, please contact your administrator. If you are an administrator and are unable to deactivate an account through your administrator settings, please contact Hyperproof support. Please be aware that deactivating your account does not delete your information; your information remains visible to other Service users based on your past participation within the Services.
  • Delete Your Information. Our Services give you the ability to delete certain information about you from within the Service. For example, you can remove certain profile information within your account settings. If you would like to have your data deleted from the Services entirely, you can contact privacy@hyperproof.io to request deletion of all your data. For anyone that requests this, we will work with you to ensure minimal impact to other members of your Hyperproof organization(s). Hyperproof will use reasonable efforts to process requests within 30 days. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.
  • Access and Correct Your Information. Our Services give you the ability to access and update certain information about you from within the Service. For example, you can access your account settings from within the Service and update your profile information or account (org) information.
  • Request That We Stop Using Your Information. In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don’t have the appropriate rights to do so. For example, if you believe a Services account was created for you without your permission or you are no longer an active user, you can request that we delete your account as provided in this Privacy Policy. Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent at privacy@hyperproof.io, but this will not affect any processing that has already taken place at the time. You can also opt out of our use of your information for marketing purposes by contacting us, as provided below. When you make such requests, we may need time to investigate and facilitate your request. If there is a delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honored or the dispute is resolved, provided your administrator does not object (where applicable). If you object to information about you being shared with a third-party application, please disable or remove the connection or contact your administrator to do so.
  • Opt Out of Communications. You may opt out of receiving promotional communications from us by following the opt-out instructions located within the email, or by contacting us at privacy@hyperproof.io to have your contact information removed from our promotional email list or registration database. Please note that if you opt out of marketing communications, Hyperproof will continue to send you transactional or service-related communications, such as service announcements and administrative messages. If you do not wish to receive these, you have the option to cancel your account by logging in and using the Account Administration settings or by emailing us at support@hyperproof.io.

Users in the European Economic Area

  • Access. You can ask us to confirm whether we are processing your personal data; give you a copy of that data; and provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad, how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any profiling, to the extent that such information has not already been provided to you in this Privacy Policy.
  • Rectification. You can ask us to rectify inaccurate information. We may seek to verify the accuracy of the data before rectifying it.
  • Erasure. You can ask us to erase your personal data, but only where it is no longer needed for the purposes for which it was collected; you have withdrawn your consent (where the data processing was based on consent); following a successful right to object (see ‘Objection’ below); it has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
  • Restriction. You can ask us to restrict (i.e., keep but not use) your personal data, but only where its accuracy is contested (see ‘Rectification’ above), to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise, or defend legal claims; you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal data following a request for restriction where we have your consent; to establish, exercise, or defend legal claims; or to protect the rights of another natural or legal person.
  • Objection. You can object to any processing of your personal data which has our ‘legitimate interests’ as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object, without providing any reason, to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. We will then cease the processing of your personal data for direct marketing purposes.
  • Portability. You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Data Controller, but only where our processing is based on your consent and the processing is carried out by automated means.
  • Withdrawal of Consent. You can withdraw your consent in respect of any processing of personal data which is based upon a consent which you have previously provided.

How we transfer information we collect internationally

  • International Transfer of Data. We are based in the United States and the information we collect is governed by U.S. law. The information we collect may be transferred to, used from, and stored in the United States or other jurisdictions where our third-party service providers may be located. Whenever we transfer your information, we take steps to protect it; however, these jurisdictions (including the United States) may not guarantee the same level of protection of personal data as the jurisdictions in which you reside. By using the Services, you acknowledge and agree to any such transfer of information outside of the jurisdiction in which you reside.

Other important privacy information

Our Policy Towards Children

The Services are not directed toward children and we do not encourage children to participate in providing us with any personally identifiable information. We do not knowingly collect any personal data from children under the age of 13. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this Policy by instructing their children never to provide personal data through the Services. If you have reason to believe that a child under the age of 13 has, without a parent or guardian’s consent, provided personal data to us through the Services, please contact us at privacy@hyperproof.io, and we will use commercially reasonable efforts to delete that information.

Changes to This Privacy Policy

We may change this Privacy Policy from time to time to reflect changes to our privacy practices. If you are a Hyperproof customer and we make any material changes that affect the way we treat information that we have previously collected from you, we will notify you by email (sent to the email address specified in your account) or by means of a notice through the Services prior to the change becoming effective. We will also keep prior versions of this Privacy Policy in an archive for your review. We encourage you to periodically review our Privacy Policy to stay informed about our privacy practices and the ways you can help protect your privacy. If you disagree with any changes to this Privacy Policy, you will need to stop using the Services and deactivate your account(s), as outlined above.

Contact Us

We commit to resolve complaints about your privacy and our collection or use of your personal information. If you have any questions or concerns regarding the way in which your personal data is being processed or you want to exercise your rights above, please reach out to Hyperproof using the following details:

By Post

Attn: Hyperproof, Inc.

WeWork ℅ Hyperproof

10400 NE 4th Street

Bellevue, WA 98004 U.S.A

By Email

privacy@hyperproof.io

Important Information: If you are located in the EEA, Hyperproof, Inc. is the data controller of your personal information.