Service Data Privacy Statement
Table of Contents
1. Introduction
2. Definitions
3. Data We Process
4. Types of Service Data
5. Purposes for Processing
6. How We Protect Data
7. Transparency and Cooperation with Customers
8. Sharing and Disclosure
9. Data Subject Rights
10. Privacy Shield
11. Changes to This Statement
12. Contacting Smooch
Last Updated July 26, 2019
Smooch Technologies ULC ("Smooch", "we", "us", or "our") provides a Software as a Service (SaaS) based "Conversation Cloud" that allows our customers to store, manipulate, analyze and transfer messages between their business systems and their customers on a variety of Smooch-provided and third party messaging channels (the "Service").
- Agent: an individual who communicates within the Conversation Cloud on behalf of the Customer
  - For example, a member of the Customer’s web support team, or a representative of a third party to whom support has been outsourced
- Chat Participants: Agents and Users who communicate within the Conversation Cloud
- Customer: a legal entity with whom Smooch has an agreement to provide the Services
  - For clarity, a Customer may be a Controller or a Processor of Personal Data. Where a Customer is a Processor of Personal Data, Smooch shall process Personal Data as sub-processor on behalf of the Controller. Instructions from the Controller regarding the processing of Personal Data shall be given through the Processor.
- User: an individual who communicates with a Customer or Agent within the Conversation Cloud
  - For example, a member of the public on Facebook Messenger, a visitor to the Customer’s Website, the holder of an SMS number, or the user of a mobile app
The following terms are used as defined in the EU General Data Protection Regulation (GDPR):
- Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
- Personal Data: any information relating to an identified or identifiable natural person ("Data Subject")
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
- Third Party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data
3. Data We Process
Smooch Services are not directed to children under 16. If you learn that a child under 16 has provided us with Personal Data without consent, please contact us.
4. Types of Service Data
Smooch may process the following types of Service Data on behalf of Customers:
User Profile Information
The Smooch API enables Agents to communicate with Users via multiple platforms such as social media (e.g., Facebook Messenger), email, SMS, and web apps ("Messaging Channels"). Each Channel transmits certain data about the User. Some examples include: First Name, Last Name, Email Address, Phone Number, IP Address, Location, Avatar/Image, Username/Handle, Linked IDs, and others.
The types of Personal Data transmitted in the User profile depend on the data collected by the Controller, and the User’s privacy settings and preferences. The Controller may be the Messaging Channel (e.g. Facebook, WeChat); or the Customer, when messages are received via [technology platform] (e.g. SMS, email), or web apps created using Smooch’s Software Development Kit.
Agent Profile Information
Customers may enable the configuration of profiles for their Agents, including details such as Name and Image.
Message content may be structured or unstructured, and may or may not contain Personal Data. Smooch handles all messages in the Conversation Cloud as Personal Data.
Smooch servers automatically record some information when Services are used, including information sent by browsers or mobile apps.
Smooch may collect information about the devices Services are being used on, including what type of device it is, operating system, device settings, application IDs, unique device identifiers, and crash data.
5. Purposes for Processing
Smooch processes the Personal Data types outlined above for the following purposes:
- To provide and enhance our product and service offerings
- To provide insights and statistics on an aggregated basis to help our Customers measure their performance, better understand their customers and improve their product and service offerings
- To respond to Customer requests for support or assistance
This policy is not intended to place any limits on what we do with data that is aggregated and/or de-identified. Such data is no longer associated with an identifiable user or Customer of the Services and is therefore not Personal Data.
6. How We Protect Data
With regard to the Service and Service Data, Smooch acts as a Processor on behalf of Customers. Customers have primary responsibility for interacting with Data Subjects, and the role of Smooch is generally limited to assisting Customers as needed. Smooch processes Service Data only upon a Customer’s instruction and shall have a duty to respect the security and confidentiality of Personal Data, pursuant to the measures outlined in agreements with Customers and as required by applicable law.
Smooch maintains a managed privacy program to identify risks and implement preventative measures. Our Chief Privacy Officer, supported by a network of senior professionals throughout the business and development teams, is responsible for managing the privacy program. The privacy program is and will be reviewed on a regular basis to provide for continued effectiveness.
Smooch takes security seriously. We take various steps to protect information you provide to us from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the information we collect, process and store, and the current state of technology.
To learn more about current practices and policies regarding security and confidentiality of Customer Data and other information, please see our Security Notice; we keep that document updated as these practices evolve over time.
7. Transparency and Cooperation with Customers
Smooch undertakes to be transparent regarding its Personal Data processing activities and to provide Customers with reasonable cooperation to help facilitate their respective data protection obligations regarding Personal Data.
Data Breach Notification
In the event that Smooch becomes aware of any unauthorized access to or disclosure of Personal Data, Smooch will promptly notify affected Customers to the extent such notification is permitted by applicable law.
Upon a Customer’s request, and subject to appropriate confidentiality obligations, Smooch shall make available to the Customer (or such Customer’s independent, third-party auditor) information regarding Smooch and third-party sub-processors’ compliance with the data protection requirements set forth in our agreements.
Smooch made the acquisition of relevant compliance certifications a priority in 2017, obtaining Privacy Shield certification and, as of July 2019, obtaining SOC 2, Type II certification. If you require a particular certification for your business, please let us know your specific needs so we can include it in our certification prioritization and roadmap.
Obligations Upon Termination
Upon termination of the Services, Smooch shall, at the request of the Customer, delete, render un-identifiable, or return all Personal Data to the Customer. Smooch will certify that it has done so, unless legislation prevents it from returning or destroying the data. In that case, Smooch will protect the data in accordance with its commitments and will no longer actively process the transferred Personal Data.
8. Sharing and Disclosure
There are times when information described in this privacy statement may be shared by Smooch. This section discusses how Smooch may share such information. Customers determine their own policies for the sharing and disclosure.
Smooch reserves the right to disclose or use aggregate or de-identified information for any purpose. For example, we may share aggregated or de-identified information with our partners or others for business or research purposes like telling a prospective Smooch Customer the average number of messages sent within a day.
Sub-processing by Third Parties
Smooch may retain third party sub-processors, and depending on the location of the third-party sub-processor, processing of Personal Data by such sub-processors may involve transfers of Personal Data. Such third-party sub-processors shall process Personal Data only in accordance with the Customer’s instructions.
As of the date hereof, these third party providers include technical operations such as database monitoring, data storage and hosting services and customer support software tools.
Such third-party sub-processors have entered into written agreements with Smooch in accordance with the applicable requirements.
Compliance with Laws
Smooch may share or disclose data to comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
Enforcing Our Rights, Preventing Fraud, and Safety
Smooch may share or disclose data to protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
Changes to our Business Structure
Smooch may share or disclose data if we engage in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Smooch’s assets, financing, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence).
9. Data Subject Rights
Smooch acts as a data Processor on behalf of Customers. Customers have primary responsibility for interacting with Data Subjects, and the role of Smooch is generally limited to assisting Customers as needed.
Access, Correction, Amendment or Deletion Requests
Smooch shall promptly notify a Customer if Smooch receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Smooch shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer.
Smooch shall provide Customers with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data to the extent Customers do not have access to such Personal Data through their respective uses of the Services.
Handling of Complaints
Data Subjects may lodge a complaint about processing of their respective Personal Data by contacting the relevant Customer or the Smooch Privacy department at the email address email@example.com. Smooch shall promptly communicate the complaint to the Customer to whom the Personal Data relates.
Customers shall be responsible for responding to all Data Subject complaints forwarded by Smooch, except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where Smooch is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply.
Regulatory Inquiries and Complaints
Smooch shall, to the extent legally permitted, promptly notify a Customer if it receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, Smooch shall provide the Customer with cooperation and assistance in relation to any regulatory inquiry or complaint involving Smooch’s processing of Personal Data.
10. Privacy Shield
11. Changes to this Statement
We may change this statement from time to time, and if we do we will post any changes on this page. If you continue to use the Services after those changes are in effect, you agree to the revised policy.
This document was last updated in June 2018.
12. Contacting Smooch
Please feel free to contact us if you have any questions about Smooch’s Privacy commitments or practices. You may contact us at firstname.lastname@example.org or at our mailing address below:
Smooch Technologies ULC
1201 5333 Casgrain
Montreal, QC, H2T 1X3