As we continue to grow and scale up our platform, our commitment to data privacy and security still stands as our key priority. Therefore, we have developed and implemented policies and practices to comply with the General Data Protection Regulation (“GDPR”).
By using our services, you consent to the processing of data about you by us in the manner and for the purposes set out below.
WHO ARE WE?
To ensure better protection of your Personal Data, we have appointed a Data Protection team which comprises representatives from our Legal, Product and IT departments. These representatives act as your Data Protection Officers for 8x8 and will be your main point of contact for any matters relating to Personal Data.
Overall, our Data Protection Officers are in charge of:
- Ensuring our compliance with GDPR;
- Fostering a data protection culture within 8x8; and
- Managing your queries on Personal Data protection.
WHAT INFORMATION DO WE COLLECT?
Personal Data refers to:
“any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4 (1) GDPR) (“Personal Data”)
As your cloud communications provider, 8x8 may process Personal Data on behalf of you, our client, and your customer. This Personal Data may include:
- Mobile phone numbers;
- User IDs (eg. for Chat Apps API);
- Location data / IP addresses;
- SMS or Chat message content;
- Customer responses in SMS Engage;
- Custom Field data uploaded to the Customer Portal;
- Customer first names;
- Customer last names;
- Customer email addresses;
- Customer phone numbers;
- Customer company names;
- Customer company addresses;
- Customer countries; or
- Invoice emails.
Personal Data revealing race, ethnicity, political opinion, religious and/or philosophical beliefs, trade union memberships, genetic data, biometric data, health data, sex life or sexual orientation are considered Sensitive Personal Data and are especially important to protect. Therefore, we do not collect or solicit Sensitive Personal Data. If we learn that we have collected such sensitive information, we will delete that information immediately. If you believe you may have provided us with Sensitive Personal Data, please contact us at email@example.com.
HOW DO WE USE PERSONAL DATA?
We process Personal Data:
- To provide our services to you. We process your Personal Data because it is necessary to perform our obligation to provide our services to you. We also need the Personal Data to communicate with you about our services.
- To manage payment, billing, account, credit checks and debt-recovery matters. We process your Personal Data because it is necessary for us to maintain our business operations and to communicate with you regarding the activities directly related to the performance of our services.
- To comply with legal and regulatory requirements.
- For other purposes for which we have obtained your consent and which are required for the provision of our services.
WHAT LEGAL BASIS DO WE HAVE FOR PROCESSING YOUR PERSONAL DATA?
All Personal Data we process must be done on one of the following lawful bases:
- Legal obligation;
- Vital interests;
- Public task; or
- Legitimate interests.
By using our services, you agree and acknowledge that we will use the Personal Data necessary to perform our services. Therefore, you will be asked to give your consent through our online registration process or by written Agreement.
WHEN DO WE SHARE PERSONAL DATA?
All Personal Data will be treated confidentially. Unless you give us your permission, we don’t share data we collect from you with third parties, except as described below:
- We may disclose your Personal Data with third-party service telecommunication providers or consultants who need access to the Personal Data to perform their work on 8x8l’s behalf. These third-party service providers are limited to only accessing or using your Personal Data to provide services to us and must be compliant with the GDPR.
- We may disclose your Personal Data with a third-party, such as governmental institutions and regulatory bodies, if that disclosure is necessary to comply with any applicable law, regulation, legal process or governmental request. In such cases, we will notify you of such disclosure.
- We may disclose your Personal Data with a partner in the event we go through a corporate sale, merger, reorganisation, dissolution or any similar event. Your Personal Data may be part of the assets transferred or shared in connection with due diligence for such transactions. Such partner will have to be compliant with the GDPR.
WHERE DO WE STORE AND PROCESS PERSONAL DATA?
Since we are currently established in Southeast Asia, your Personal Data will be processed and stored outside the European Economic Area (EEA). Your Personal Data will be stored in our cloud based storage, based in Singapore.
All Personal Data, regardless of its origin and destination, will be subject to the highest level of security as described in the following section.
HOW DO WE SECURE PERSONAL DATA?
We have implemented the following physical, technical and organizational safeguards in order to protect the Personal Data that we process and store:
- Secured Access to your Personal Data: Our employees will treat with the utmost importance the access to your Personal Data. All of our employees are subject to our internal Data Protection Policy providing processes and safeguards to follow in order to prevent any data breach, such as secured passwords, Two Factor Authentication or Software updates.
- Restricted access to your Personal Data: Your Personal Data is only accessible by a restricted amount of employees who have been designated by the necessity of their functions and the performance of the services, such as your account manager.
- Managed third party risk: Our third party providers are subject to strict obligations related to the protection of your Personal Data through Data Processing Agreements and security reviews.
HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
Your Personal Data is not kept any longer than it is necessary for the purpose of the performance of the services.
Unless express request from you to anonymise or delete the Personal Data immediately, we will automatically redact your Personal Data in all of our databases 6 months after their creation, as follows:
- The last 4 digits of the Mobile phone numbers will be anonymised and replaced by the following XXXX;
- The SMS body messages will be replaced by the following symbols: “<>”;
- The customer responses in SMS Engage will be redacted; and
- The custom field data uploaded to the Customer Portal will be redacted.
Any other Personal Data stored in our databases will be deleted once they are no longer reasonably necessary for the performance of our services. You can activate the immediate anonymisation or deletion of your Personal Data by contacting us at firstname.lastname@example.org.
YOUR RIGHTS IN RELATION TO PERSONAL DATA
Although we process and store your Personal Data to perform our services, you remain in control of your Personal Data and can choose what you want to do with it at any time. Indeed, you have various rights you can use in order to access and control your Personal Data, as follows:
- The right of access: At your request, we will provide you a copy of your data processed and stored and any relevant additional information regarding the reason your Personal Data was processed and stored, how long it has been kept or whether it has been disclosed to a third party. Unless requested otherwise, you will be provided a copy of your data electronically via email.
- The right to rectification: You have the right to amend and modify your stored Personal Data if this Personal Data is incorrect, incomplete or inaccurate.
- The right to restrict processing: Under certain circumstances, you have the right to request us to stop using or limit the use of your Personal Data. For example, if your Personal data is no longer necessary for the performance of the services but cannot be deleted because of legal obligations, you can require us to restrict the processing of this Personal Data.
- The right to erasure: You have the right to ask us to delete your Personal Data when your Personal Data is no longer necessary for the performance of the services or when your Personal data is being used unlawfully.
- The right to object: You have the right to object to the processing and storage of your Personal Data when your Personal Data is being used for:
- direct marketing;
- automated decision making;
- scientific or historical research and statistics; or
- an entity’s legitimate interest or in carrying out a task in the public interest.
HOW TO CONTACT US?
If you have any questions about our collection, use and/or disclosure of your Personal Data, request or complaint, please contact our Data Protection Officers at email@example.com.
Cookies are files that web browsers place on a computer’s hard drive. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
We may use third-party advertising technology to serve ads when you visit our website and sites upon which we advertise. This technology uses information about your visits to this website and the sites upon which we advertise, to serve our ads to you. In the course of serving our advertisements to you, unique third-party cookies may be placed or recognized on your browser.
In addition, we may use web beacons, provided by our third-party ad server, to help manage and optimize our online advertising. These web beacons enable our ad server, on our behalf or on behalf of our agent, to recognize a browser’s cookie when a browser visits this site, and to learn which banner ads bring users to our website. Our third-party ad server is performing its functions on our behalf or on behalf of our agent, and we may, directly or indirectly, instruct such ad server to enable other service providers to receive information about our site related to our online advertising.