We provide a service that allows you and your team to be more productive in your product management processes.
|Data Type||Processing Location||Processor||GDPR Legal Basis||Retention Period|
|Customer Data||EU||CreateShift Ltd, AWS Inc||N/A||Until Hard Delete is requested|
|Personal Information||EU, US||CreateShift Ltd, AWS Inc, Zendesk Inc, Mailchimp Inc, Intercom Inc, HubSpot Inc||Legitimate Interest, Contractual||Varies (see Appendix A)|
|Billing Information||EU, US||Recurly Inc, Stripe Inc|| ||6 years as required by UK statutory obligations|
Content and information submitted by users to the Services is referred to in this policy as “Customer Data”. As further explained below, Customer Data is controlled by the organization or other third party that created the account (the “Customer”). Where ProdPad collects or processes Customer Data, it does so on behalf of the Customer.
If you join an account and create a user profile, you are a “user,” as further described in the Terms of Service. If you are using the Services by invitation of a Customer, whether that Customer is your employer, another organization, or an individual, that Customer determines its own policies regarding storage, access, modification, deletion, sharing, and retention of Customer Data which may apply to your use of the Services. Please check with the Customer about the policies and settings it has in place.
CreateShift employees or contractors only access Customer Data at the request of Customer in order to provide support.
Customer Data is retained until a Hard Delete is requested by the Customer.
As part of providing Services to the Customer, CreateShift collects customer feedback and customer details (name, email, social media, telephone and avatar images) on behalf of the Customer and serves as a processor of that data for the Customer.
For the purposes of GDPR, we are a data processor of customer feedback on behalf of our clients. If you wish to exercise your data subject rights, you’ll need to contact the client who is the data controller. If you make a request of us in relation to this, we will redirect your request to the client and let you know we have done so.
Billing information is collected in order to fulfill the contract of providing Services to the Customer. The collected billing information includes credit card details, billing address and billing contact. According to UK law, we are obliged to retain these details for a period of 6 years.
The billing information is processed by Recurly Inc. and Stripe Inc., both of which process the data in the US. The data is transferred to the US under the US-EU Privacy Shield and US-Swiss Privacy Shield.
When creating a user account with the Services, you’ll be asked to provide your email and name. These are required in order to set up a unique account and for the transactional emails within the Services. Your email will also be used to help onboard you to the Services and provide you information about the Services. All of the emails can be opted out of by clicking on the link in the email or going to the notifications control center in the Services.
You can optionally add an avatar image. During registration we check Gravatar to see if you have made an avatar available and, if so, use that. At any time you can delete your avatar image from your profile.
Your email and name are also used with our in-application tracking for the legitimate interest of improving the Service. This tracking is used to identify issues and bugs and to help us improve the product. We retain the information until you delete your account.
We also use your email and name in the legitimate interest of providing technical and sales support. We retain this information indefinitely. You can object to the processing of this information by contacting firstname.lastname@example.org.
If you sign up to our newsletter you are consenting to receiving newsletter and marketing communications about the Services from us. You can withdraw consent at any time by clicking unsubscribe in the emails.
If you request a resource (such as our handy guide) we require your name, email address and mailing address in order to fulfill the sending of the resource to you. When you request the resource you can opt-in to joining our newsletter as well. We only use the entered details to fulfill the request.
If you join one of our e-courses or webinars, we’ll ask for your name and email address in order to fulfill your request to receive the course materials or attend the webinar. When you sign up for the course or webinar, you can opt-in to joining our newsletter as well. We only use the details provided to deliver the course or webinar to you. You can opt-out of continuing to receive the course by clicking on the unsubscribe link in the email. You can unsubscribe from the webinar with the link provided in the email.
We use data processors to manage the delivery of resources, newsletters and e-courses. Those processors are based in the US and are covered by EU-US Privacy Shield, Swiss-US Privacy Shield along with Model Contract Clauses to regulate the transfer of data outside of the EU.
Pseudo-anonymised usage data
We use analytics services to produce aggregate and pseudo-anonymised usage data on the usage of the application and websites. This data is used to help us resolve issues and improve the website and Services to provide you with the best experience possible. As part of this tracking we capture details on your device (device type, OS type and version, browser type and version) and location (city, country).
See Appendix B for ways of opting out of the tracking.
3rd party information
We use data enrichers to enrich the data about you to help us provide better sales and support. The enriched data includes job title and information about your company. You can opt-out of the enrichment by going here.
Our Services are not directed to children under 16. Our clients can use our Services to collect customer feedback from children on their products or services, which can include children’s personal information. It is up to our clients to ensure they have an appropriate lawful basis for collecting and processing that data.
If you feel that a child’s data is being processed without an appropriate lawful basis, you should contact the company or organization that collected the data in the first place with your concerns. You may contact us and we will redirect your enquiry to the company or organization concerned as required by the GDPR.
We care about the trust you place in us in providing us with your company and personal information. While no one can guarantee 100% security, we have in place various methods of securing your data including:
- Encryption at rest and in transit
- Minimization of personal data collected to what is required to deliver the Services and websites
- Usage of firewalls, regular vulnerability scans and intrusion detection
You can get more information about our security here.
Your Individual Data Rights
You have various rights over your personal information. Those rights are:
- Being informed about data collected and how it is processed
- Access to the data we have on you
- Being able to correct and update the data we have on you
- Erasure of the data we have on you
- Restricting of the processing of the data we have on you
- Being able to move the data we have on you to another service
- Knowledge of what automated decision-making and/or profiling we do with your personal information
There are circumstances when your data rights can be overridden, such as in the case of billing information which is required to be maintained for 6 years under UK law.
We don’t do any automated decision-making or profiling.
You can access and update (rectify) the Personal Information we have on you by logging into the Service and Zendesk Inc. If you wish to rectify information in other services please email email@example.com.
You can erase the data we have on you by closing and deleting your Service account. This will also anonymize the tracking data we have collected in the process of using the Service.
You can restrict various processing of your Personal Information by opting out of various services (see Appendix B).
Your Company Data Rights
You own the copyrights, IP and other similar rights to the Company Data entered into the Service.
If you wish to close your company account with us you can request to cancel the subscription within the app. At that time you can export the data from your company account using the various export tools provided within the Service.
Tracking and Targeted Advertising
Other companies’ use of their tracking technologies is subject to their own privacy policies. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to do not track or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
In some of our communications, we use tracking means, such as a “click-through URL” linked to content on the Site. We track this data to help us measure the effectiveness of our customer communications.
We will not disclose Customer Data or Personal Information to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order).
If a law enforcement agency sends us a demand for Customer Data or Personal Information, we will attempt to redirect the law enforcement agency to request that data directly from Customer or Individual. As part of this effort, we may provide Customer or Individual’s basic contact information to the law enforcement agency.
If compelled to disclose Customer Data or Personal Information to a law enforcement agency, then we will give Customer or Individual reasonable Notice of the demand to allow the Customer or Individual to seek a protective order or other appropriate remedy unless we are legally prohibited from doing so.
Change of Ownership or other Business Transaction
In the event that CreateShift enters into a business transition, such as a merger, acquisition, or the sale of all or part of its assets (a “Business Transition”), users’ data (including personally identifiable information and non-personally identifiable information associated with the ProdPad services) will likely be part of the assets transferred.
For the purposes of the GDPR legislation, our Supervisory Authority is the UK’s Information Commissioner’s Office. If you wish to lodge a complaint about your data subject rights or the lawfulness of processing, you can do so by contacting the ICO.
Access to your information. If you wish to see the personal information we hold about you, please log in to the Settings section. If you have any further queries or concerns, please contact us at firstname.lastname@example.org.
Last Updated: April 24, 2018.
Appendix A – Personal Information Collected
|Personal Information||Processing||Lawful Basis of Processing||Retention Period|
|Stored and used to provide a unique account. Used to send transactional emails and product related updates||Contractual, Various Legitimate Interests||Until you request the deletion of your account|
|Name||Storage and display in the application and transactional emails sent to you and other account users||Contractual, Various Legitimate Interests||Until you request the deletion of your account|
|Profile Image||Storage and display in the application||6.1(a) Consent based on your upload of an image either via Gravatar or manual upload||Until you request the deletion of your account or you change your profile image|
|IP address||Storage and usage in application tracking||Legitimate interest of security||Indefinite|
|Analytics Cookies||Pseudo-anonymous id cookie used to aggregate session statistics||Legitimate interest of improving the application for your benefit||Up to 2 years|
|Personal Information||Processing||Lawful basis of processing||Retention Period|
|Used to send product newsletter, e-courses and provision of other resources to you (including webinars)||Consent for the product newsletter and Contractual for the provision of resources and e-courses||Until you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered|
|Name||Used to send product newsletter, e-courses and provision of other resources to you (including webinars)||Consent for the product newsletter and Contractual for the provision of resources and e-courses||Until you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered|
|Mailing Address||Used to send resources to you||Consent||6 months after delivery of the resource|
|IP address||Website tracking||Legitimate interest in improving the website for your benefit||2 years after collection|
|Analytics Cookies||Pseudo-anonymous id cookie used to aggregate session statistics||Legitimate interest in improving the website for your benefit||Up to 2 years|
Appendix B – Personal Information Processors
|Processor||Information Processed||Location of Processing||Privacy Protections||Opt-out|
|Amazon Web Services, Inc.||Email, Name, IP address, Profile Image||EU||GDPR, Privacy Shield, Data Processing Addendum||Delete your account|
|Zendesk, Inc||Email, Name to provide customer support||US||Privacy Shield, Data Processing Addendum||N/A|
|FullStory, Inc||Email, Name, IP, analytics cookie for customer support and analytics||US||Privacy Shield, Data Processing Addendum||Opt-out|
|The Rocket Science Group, LLC d/b/a MailChimp||Email, Name for product newsletter||US||Privacy Shield, Data Processing Addendum||Unsubscribe|
|Avenue 81, Inc. d/b/a Leadpages||Email, Name for product operations||US||Privacy Shield, Data Processing Addendum||Click on unsubscribe link in emails|
|Salesmachine, Inc||Email, Name for customer success||EU||GDPR, Data Processing Addendum||Click on unsubscribe link in emails|
|Segment.io, Inc.||Email, Name for product analytics||US||Privacy Shield, Data Processing Addendum||Delete your account|
|Recurly, Inc||Name, Email for billing purposes||US||Privacy Shield, Data Processing Addendum||N/A|
|Stripe, Inc||Name, Email for billing and fraud purposes||US||Privacy Shield, Data Processing Addendum||N/A|
|Google LLC||Analytics Cookie for anonymous tracking||US||Privacy Shield, Data Processing Addendum||Opt-out with browser add-on|
|APIHub, Inc d/b/a Clearbit||Enrichment with non personal information (job title, company details)||US||Privacy Shield, Data Processing Addendum||Opt-out|
|Processor||Information Processed||Location of Processing||Privacy Protections||Opt-out|
|Google, Inc (G Suite)||Email, name when you contact us||US/EU||Privacy Shield, Data Processing Addendum|
|Google, Inc (Google Analytics)||Google analytics tracking cookie||US||Privacy Shield, Data Processing Addendum||Opt-out with browser add-on|
|Pipedrive, Inc||Email, Name for sales purposes||US||Privacy Shield, Data Processing Addendum||Email sales to have your profile removed|
|HubSpot, Inc||Email, Name, and other contact information for sales, marketing, and support purposes||US/EU||Privacy Shield, Data Processing Addendum||Email sales to have your profile removed|
|FullStory, Inc||Analytics Cookie for website operations||US||Privacy Shield, Data Processing Addendum||Opt-out|
|Webinar service||Email, Name for signup to the webinar and also to receive notifications about the webinar||US||Privacy Shield, Data Processing Addendum||Click on emails sent by service|
|Sent Well LLC||Name and mailing address in order to send resources to you||US||Privacy Shield, Data Processing Addendum||Email email@example.com to have your details removed. If you email before we have sent you the resource you’ve requested, we won’t be able to send it to you|
|Zendesk, Inc||Name and email when you email our support emails||US||Privacy Shield, Data Processing Addendum||Email us requesting your profile to be deleted|