Privacy Policy

We provide a service that allows you and your team to be more productive in your product management processes.

Our privacy policy is reviewed at regular intervals to ensure it meets the current statutory requirements.

This policy covers ProdPad and CreateShift websites (including www.prodpad.com, www.createshift.com) as well as the software and services made available through the ProdPad APIs. By using CreateShift services you are agreeing to this privacy policy.

For the purposes of this Privacy Policy, CreateShift Ltd (a UK registered company with its registered office at Kemp House, 152 City Road, London EC1V 2NX) is the data controller (“CreateShift”).

Our cookie policy is detailed here.

General Policy

| Data Type | Processing Location | Processor | GDPR Legal Basis | Retention Period |
|---|---|---|---|---|
| Customer Data | EU | CreateShift Ltd, AWS Inc | N/A | Until Hard Delete is requested |
| Personal Information | EU, US | CreateShift Ltd, AWS Inc, Zendesk Inc, Mailchimp Inc, Intercom Inc | Legitimate Interest, Contractual | Varies (see Appendix A) |
| Billing Information | EU, US | Recurly Inc, Stripe Inc | Contractual | 6 years as required by UK statutory obligations |

Customer Data

Content and information submitted by users to the Services is referred to in this policy as “Customer Data”. As further explained below, Customer Data is controlled by the organization or other third party that created the account (the “Customer”). Where Slack collects or processes Customer Data, it does so on behalf of the Customer.

If you join an account and create a user profile, you are a “user,” as further described in the Terms of Service. If you are using the Services by invitation of a Customer, whether that Customer is your employer, another organization, or an individual, that Customer determines its own policies regarding storage, access, modification, deletion, sharing, and retention of Customer Data which may apply to your use of the Services. Please check with the Customer about the policies and settings it has in place.

CreateShift employees or contractors only access Customer Data at the request of Customer in order to provide support.

Customer Data is retained until a Hard Delete is requested by the Customer.

Customer Feedback

As part of providing Services to the Customer, CreateShift collects customer feedback and customer details (name, email, social media, telephone and avatar images) on behalf of the Customer and serves as a processor of that data for the Customer.

For the purposes of GDPR, we are a data processor of customer feedback on behalf of our clients. If you wish to exercise your data subject rights, you’ll need to contact the client who is the data controller. If you make a request of us in relation to this, we will redirect your request to the client and let you know we have done so.

Billing Information

Billing information is collected in order to fulfill the contract of providing Services to the Customer. The collected billing information includes credit card details, billing address and billing contact. According to UK law, we are obliged to retain these details for a period of 6 years.

The billing information is processed by Recurly Inc. and Stripe Inc., both of which process the data in the US. The data is transferred to the US under the US-EU Privacy Shield and US-Swiss Privacy Shield.

Personal Information

Application

When creating a user account with the Services, you’ll be asked to provide your email and name. These are required in order to set up a unique account and for the transactional emails within the Services. Your email will also be used to help onboard you to the Services and provide you information about the Services. All of the emails can be opted out of by clicking on the link in the email or going to the notifications control center in the Services.

You can optionally add an avatar image if you choose. During registration we check Gravatar to see if you have made an avatar available and, if so, use that. At any time you can delete your avatar image from your profile.

Your email and name are also used with our in-application tracking for the legitimate interest of improving the Service. This tracking is used to identify issues and bugs and to help us improve the product. We retain the information until you delete your account.

We also use your email and name for providing the legitimate interest of technical and sales support. We retain this information indefinitely. You can object to the processing of this information by contacting help@prodpad.com.

Appendix A and Appendix B have more details about usage, lawful basis, processors and retention period.

Website

If you sign up to our newsletter you are consenting to receiving newsletter and marketing communications about the Services from us. You can withdraw consent at any time by clicking unsubscribe in the emails.

If you request a resource (such as our handy guide) we require your name, email address and mailing address in order to fulfill the sending of the resource to you. When you request the resource you can opt-in to joining our newsletter as well. We only use the entered details to fulfill the request.

If you join one of our e-courses or webinars, we’ll ask for your name and email address in order to fulfill your request to receive the course materials or attend the webinar. When you sign up for the course or webinar, you can opt-in to joining our newsletter as well. We only use the details provided to deliver the course or webinar to you. You can opt-out of continuing to receive the course by clicking on the unsubscribe link in the email. You can unsubscribe from the webinar with the link provided in the email.

We use data processors to manage the delivery of resources, newsletters and e-courses. Those processors are based in the US and are covered by EU-US Privacy Shield, Swiss-US Privacy Shield along with Model Contract Clauses to regulate the transfer of data outside of the EU.

Further details are available in Appendix A and Appendix B.

Other Information

Pseudo-anonymised usage data

We use analytics services to produce aggregate and pseudo-anonymised usage data on the usage of the application and websites. This data is used to help us resolve issues and improve the website and Services to provide you with the best experience possible. As part of this tracking we capture details on your device (device type, OS type and version, browser type and version) and location (city, country).

See Appendix B for ways of opting out of the tracking.

3rd party information

We use data enrichers to enrich the data about you to help us provide better sales and support. The enriched data includes job title and information about your company. You can opt out of the enrichment by going here.

Children’s information

Our Services are not directed to children under 16. Our clients can use our Services to collect customer feedback from children on their products or services which can include children’s personal information. It is up to our clients to ensure they have appropriate lawful basis for collecting and processing that data.

If you feel that a child’s data is being processed without an appropriate lawful basis, you should contact the company or organization that collected the data in the first place with your concerns. You may contact us and we will redirect your enquiry to the company or organization concerned as required by the GDPR.

Data Security

We care about the trust you place in us in providing us with your company and personal information. While no one can guarantee 100% security, we have in place various methods of securing your data including:

  • Encryption at rest and in transit
  • Minimization of personal data collected to what is required to deliver the Services and websites
  • Usage of firewalls, regular vulnerability scans and intrusion detection

You can get more information about our security here.

Your Individual Data Rights

You have various rights over your personal information. Those rights are:

  1. Being informed about data collected and how it is processed
  2. Access to the data we have on you
  3. Being able to correct and update the data we have on you
  4. Erasure of the data we have on you
  5. Restricting of the processing of the data we have on you
  6. Being able to move the data we have on you to another service
  7. Knowledge of what automated decision-making and/or profiling we do with your personal information

There are circumstances when your data rights can be overridden, such as in the case of billing information which is required to be maintained for 6 years under UK law.

We don’t do any automated decision-making or profiling.

We provide you with information about the data collected and how it is processed via this privacy policy and the privacy notices displayed when we collect the data.

You can access and update (rectify) the Personal Information we have on you by logging into the Service and Zendesk Inc. If you wish to rectify information in other services please email help@prodpad.com.

You can erase the data we have on you by closing and deleting your Service account. This will also anonymize the tracking data we have collected in the process of using the Service.

You can restrict various processing of your Personal Information by opting out of various services (see Appendix B).

Your Company Data Rights

You own the copyrights, IP and other similar rights to the Company Data entered into the Service.

If you wish to close your company account with us you can request to cancel the subscription within the app. At that time you can export the data from your company account using the various export tools provided within the Service.

Tracking and Targeted Advertising

We may allow service providers and other third parties to use cookies and other tracking technologies to track your browsing activity over time and across our Site and third party websites. We may also partner with a third party ad network to either display advertising on our Site, to manage our advertising on other sites, or to provide you targeted advertisements based upon your interests on our Site or on third party sites.

We will update our cookie policy with details on advertising/targeting cookies if they are implemented.

You may opt out of having your personal information used for targeted ads by clicking here or if you are in the European Union, here, but you may still receive untargeted ads.

Other companies’ use of their tracking technologies is subject to their own privacy policies. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to do not track or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

In some of our communications, we use tracking means, such as a “click-through URL” linked to content on the Site. We track this data to help us measure the effectiveness of our customer communications.

Disclosure

We will not disclose Customer Data or Personal Information to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order).

If a law enforcement agency sends us a demand for Customer Data or Personal Information, we will attempt to redirect the law enforcement agency to request that data directly from Customer or Individual. As part of this effort, we may provide Customer or Individual’s basic contact information to the law enforcement agency.

If compelled to disclose Customer Data or Personal Information to a law enforcement agency, then we will give Customer or Individual reasonable Notice of the demand to allow the Customer or Individual to seek a protective order or other appropriate remedy unless we are legally prohibited from doing so.

Change of Ownership or other Business Transaction

In the event that CreateShift enters into a business transition, such as a merger, acquisition, or the sale of all or part of its assets (a “Business Transition”), users’ data (including personally identifiable information and non-personally identifiable information associated with the ProdPad services) will likely be part of the assets transferred.

In this event, we will notify you of any Business Transition. We will also notify you of any subsequent material changes to this Privacy Policy as a result of a Business Transition and give you the opportunity to opt out for information that we have collected before, or may collect after, a new Privacy Policy containing material changes takes effect.

Supervisory Authority

For the purposes of the GDPR legislation, our Supervisory Authority is the UK’s Information Commissioner’s Office. If you wish to lodge a complaint about your data subject rights or the lawfulness of processing, you can do so by contacting the ICO.

Changes to this Privacy Policy

CreateShift may change this Privacy Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed.

If we make changes that materially alter your privacy rights, CreateShift will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Policy, you should deactivate your Services account. Contact the Customer if you wish to request the removal of Personal Data under their control.

You understand and agree that if you use the CreateShift services after the effective date of the updated Privacy Policy, CreateShift will consider your use as acceptance of the updated Privacy Policy.

Learn more

Access to your information. If you wish to see the personal information we hold about you, please log in to the Settings section. If you have any further queries or concerns, please contact us at privacy@prodpad.com.

Last Updated: April 24, 2018.


Appendix A – Personal Information Collected

Application

| Personal Information | Processing | Lawful Basis of Processing | Retention Period |
|---|---|---|---|
| Email | Stored and used to provide a unique account. Used to send transactional emails and product related updates | Contractual, Various Legitimate Interests | Until you request the deletion of your account |
| Name | Storage and display in the application and transactional emails sent to you and other account users | Contractual, Various Legitimate Interests | Until you request the deletion of your account |
| Profile Image | Storage and display in the application | 6.1(a) Consent based on your upload of an image either via Gravatar or manual upload | Until you request the deletion of your account or you change your profile image |
| IP address | Storage and usage in application tracking | Legitimate interest of security | Indefinite |
| Analytics Cookies | Pseudo-anonymous id cookie used to aggregate session statistics | Legitimate interest of improving the application for your benefit | Up to 2 years |

Website

| Personal Information | Processing | Lawful Basis of Processing | Retention Period |
|---|---|---|---|
| Email | Used to send product newsletter, e-courses and provision of other resources to you (including webinars) | Consent for the product newsletter and Contractual for the provision of resources and e-courses | Until you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered |
| Name | Used to send product newsletter, e-courses and provision of other resources to you (including webinars) | Consent for the product newsletter and Contractual for the provision of resources and e-courses | Until you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered |
| Mailing Address | Used to send resources to you | Consent | 6 months after delivery of the resource |
| IP address | Website tracking | Legitimate interest in improving the website for your benefit | 2 years after collection |
| Analytics Cookies | Pseudo-anonymous id cookie used to aggregate session statistics | Legitimate interest in improving the website for your benefit | Up to 2 years |

Appendix B – Personal Information Processors

Application

| Processor | Information Processed | Location of Processing | Privacy Protections | Opt-out |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Email, Name, IP address, Profile Image | EU | GDPR, Privacy Shield, Data Processing Addendum | Delete your account |
| Zendesk, Inc | Email, Name to provide customer support | US | Privacy Shield, Data Processing Addendum | N/A |
| FullStory, Inc | Email, Name, IP, analytics cookie for customer support and analytics | US | Privacy Shield, Data Processing Addendum | Opt-out |
| The Rocket Science Group, LLC d/b/a MailChimp | Email, Name for product newsletter | US | Privacy Shield, Data Processing Addendum | Unsubscribe |
| Avenue 81, Inc. d/b/a Leadpages | Email, Name for product operations | US | Privacy Shield, Data Processing Addendum | Click on unsubscribe link in emails |
| Salesmachine, Inc | Email, Name for customer success | EU | GDPR, Data Processing Addendum | Click on unsubscribe link in emails |
| Segment.io, Inc. | Email, Name for product analytics | US | Privacy Shield, Data Processing Addendum | Delete your account |
| Recurly, Inc | Name, Email for billing purposes | US | Privacy Shield, Data Processing Addendum | N/A |
| Stripe, Inc | Name, Email for billing and fraud purposes | US | Privacy Shield, Data Processing Addendum | N/A |
| Google LLC | Analytics Cookie for anonymous tracking | US | Privacy Shield, Data Processing Addendum | Opt-out with browser add-on |
| APIHub, Inc d/b/a Clearbit | Enrichment with non personal information (job title, company details) | US | Privacy Shield, Data Processing Addendum | Opt-out |

Website

| Processor | Information Processed | Location of Processing | Privacy Protections | Opt-out |
|---|---|---|---|---|
| Google, Inc (G Suite) | Email, name when you contact us | US/EU | Privacy Shield, Data Processing Addendum | |
| Google, Inc (Google Analytics) | Google analytics tracking cookie | US | Privacy Shield, Data Processing Addendum | Opt-out with browser add-on |
| Pipedrive, Inc | Email, Name for sales purposes | US | Privacy Shield, Data Processing Addendum | Email sales to have your profile removed |
| FullStory, Inc | Analytics Cookie for website operations | US | Privacy Shield, Data Processing Addendum | Opt-out |
| Webinar service | Email, Name for signup to the webinar and also to receive notifications about the webinar | US | Privacy Shield, Data Processing Addendum | Click on emails sent by service |
| Sent Well LLC | Name and mailing address in order to send resources to you | US | Privacy Shield, Data Processing Addendum | Email help@prodpad.com to have your details removed. If you email before we have sent you the resource you’ve requested we won’t be able to send it to you |
| Zendesk, Inc | Name and email when you email our support emails | US | Privacy Shield, Data Processing Addendum | Email us requesting your profile to be deleted |