Version 2020.1 | Last updated on January 31, 2020
1. Who We Are.
“You” refers to individuals who access and use the Sites and/or Services. For example, you may be a client of Hearken who accesses and uses the Sites and Services as the host or organizer of an event (“Client”), and with whom Hearken has entered into a Service Agreement or other agreement containing separate terms and conditions that govern delivery, access and use of the Sites and Services (a “Client Agreement”). You may be the employee or agent of a Client, who is authorized to access the Platform as an administrator; or a visitor submitting information through a Hearken module; or you may be a visitor to our Website who is interested in browsing and learning more about Hearken.
If you are invited to register for, check into, or receive information regarding a Client event or service through a Hearken Site or Service, you will be considered an “Event Attendee” and we will provide any Personal Information you submit through the Site or Service to the Client organizing that event. Hearken does not control the Client’s event registration or management process, or the Personal Information that a Client requests from Event Attendees. We are not responsible for any decisions or actions taken by the Client with respect to your information (or by any third party with whom the Client may share your information). Please read the applicable privacy policies of the Client who is organizing the event before submitting Personal Information in connection with that event.
When we collect information from you, we may be doing so on our own behalf (in which case we will be considered a “controller” of your data), or on behalf of a Hearken Client who is using the Services to organize an event and manage other event-related activities (in which case, the Client will be the “controller” and Hearken will be considered a “processor” of your data).
- Homepage: The site hosted at wearehearken.com which is used to provide information about the company, market our offerings, products and services.
- Services: Includes all work done by Hearken including consultation services, as well as online services provided via our Engagement technology products and sites.
- Products: Refers to our Engagement technology services.
- User or End-user: A person using our Services as an individual.
- Customer: Refers to an individual affiliated with an organization, or an organization, that contracts with Hearken to use our services.
- Authorized User, Administrator, or Admin: A user who is signed in to Hearken systems and is expressly permitted to access all or a subset of information and data stored on Hearken’s systems.
- Personal Information, Personal Data, or Personally Identifiable Information (PII): Refers to the following types of information which may be identifiable to you when you register to use our Services, access various content or features, or directly contact the Site: (i) contact information, such as your email address and name; (ii) your age; and (iii) information for the purpose of authenticating yourself or your account if we have reason to believe, in our sole discretion, that you may be violating site policies or for any other reason we deem necessary.
- Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Third-party service: A service that Hearken may use to process personal data.
- Data Protection Legislation or Laws: Means laws and regulations applicable to the processing of Personal Data under the Policy, the GDPR, the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield, the CCPA, PIPEDA, and the Nevada Act Relating to Internet Privacy (Senate Bill 220 or “SB 220”), to the extent applicable to such processing.
- “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016); and until 25 May 2018, the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995; and any applicable legislation adopted by any Member State of the European Union, or by the United Kingdom post its ceasing to be a Member State of the European Union.
- The EU-U.S. and Swiss-U.S. Privacy Shields refer to the frameworks that were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
- The “CCPA” means the California Consumer Privacy Act of 2018, which is referred to as Assembly Bill No. 375. The CCPA became effective as of January 1, 2020.
- “PIPEDA” means the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), a data privacy law enacted by the Parliament of Canada.
3. What data and information do we collect?
INFORMATION GIVEN TO US BY YOU
When you use Hearken’s products or services directly or through one of our client organization’s websites, you share some personal information with us such as name, email address, password, demographic information and other information that may be considered personal information by various privacy laws.
When you register to attend or attend an event hosted or managed by Hearken, you provide us with your name and contact information.
You share your name and contact information when you subscribe to our email newsletters or other marketing or corporate communications.
INFORMATION WE COLLECT FROM YOU
When you use our services and products, we may collect your IP address, device and browser information.
INFORMATION WE INFER FROM YOUR DATA
To provide better service to you and to safeguard our systems and clients from abuse and fraud, we may make some inferences from the data you give us and the data we collect about you.
The various categories of data we collect and why we collect them are listed below.
3. How we handle your data
Any data that can be attributed to a single user or a household is treated as Personal Information or Personally Identifiable Information as designated by various privacy laws, and we take all standard security precautions while handling your data.
Access to such data is restricted to authorized personnel or services only. (See section on our third party services for more information).
We take industry-standard precautions to secure the data. The data is stored encrypted. This ensures that even in the event of a data breach, we protect your private information to the best of our abilities.
We store your data in the following places:
- Relational databases: We store your data on persistent storage that is encrypted at multiple levels.
- Log files: We may record events that occur when you use our products or services in one or more files collectively known as log files.
- Other files: We may store your data in other forms of transient or persistent storage on our infrastructure.
- Caches: To effectively scale our services, we store your information in multiple caching services.
- Third-party services: When applicable, we use third-party services to store and process your information. (See third-party services section for more information)
- Backups and code repositories: We store backups of information for business continuity.
4. Third-party services
- Amazon Web Services, who we use to host and process our data and services.
- Heroku, who we use to process data and host our services.
- HubSpot, who we use for marketing and for scheduling calls with prospective or current partners associated with our Customer Relationship Management objectives. By signing up for a discovery call or requesting any gated content on Hearken’s Site, your information will be passed to HubSpot for these purposes.
- SquareSpace, who hosts our Site www.wearehearken.com; we use Squarespace to provide a platform for ticket sales for events.
- Google Analytics, who we use to collect usage data about how you use our services.
- Slack, who we use to communicate within our team as well as to some third party services.
- Eventbrite, who manage sign-ups for our events and webinars so that we may keep in touch with attendees before and after an event. Any information provided to Eventbrite may also be added to our Hubspot CRM system.
- Zoom, who provide our video conferencing platform for video meetings and webinars. We use the Zoom sign up function to allow participants in meetings and webinars to keep in touch before and after an event. Any information provided to Zoom may be added to our Hubspot CRM system.
- Delve, who we use to transcribe our discovery and service calls. Any information in Delve may also be shared with Hubspot CRM system.
- OtterAi, who we use to transcribe our discovery, service and sales calls.
- Intercom, who we use to provide support to our users. There may be data shared between Intercom and Hubspot CRM.
- Gmail, who provide our emailing platform.
- PandaDoc, who we use to manage contracts with our clients and third parties.
- Google Drive, who we use to store and collaborate on documents.
- Zapier, who we use to connect our services with other third party services.
- MailChimp and Mandrill, who we use to send emails and newsletters to our users.
- Github, who we use to host our code repositories.
- Mapbox, who we use to geocode and display maps.
- Google Maps, who we use to geocode and display maps.
- Google Hangouts, who provide our video conferencing platform for video meetings and webinars.
- Gusto, who provide our payroll platform for employees and contractors of Hearken.
- Stripe, who provide our payment platform for events and memberships.
- AirTable, who we use to track our client contracts and invoices.
- QuickBooks, who we use to track our accounting information including invoices and payments from our clients.
- Switchboard, who we use to provide additional engagement technology and consultancy.
- Notion, who we use for internal documentation.
- Google Calendar, who we use to schedule our meetings, calls and webinars with clients.
- Harvest, who we use to track time consultants spend on client calls.
- Trello, who we use to track our work items and support tickets from our Users and Customers.
- Bonsai, who we use to host our data indices to enable searching.
- 1Password, who we use to store account credentials and generate strong, secure passwords.
- DNSimple, who we use to manage our domain registration and SSL certificates.
- Typography.com, who provides our custom fonts.
5. Sharing your information
Hearken is not in the business of selling your information. We consider the information you shared with us to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your Personal Data with certain third parties without further notice to you, as set forth below:
We often enter into agreements with third-party companies and providers. Our current providers are listed in the section above. In addition to that list, we may also employ short-term contractors or consultants to perform services or audit our systems.
As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Data may be part of the transferred assets.
Hearken may disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to
(i) comply with a legal obligation,
(ii) protect and defend the rights or property of Hearken,
(iii) act in urgent circumstances to protect the personal safety of users of the Services or the public, or
(iv) protect against legal liability.
4.1 Hearken’s role as data controller or processor
As set forth in privacy laws, a company that has access to your data may be considered a data controller or processor.
As a company, Hearken is sometimes a data controller and sometimes the processor. The following section details when we are considered a controller and when we are a processor.
As it relates to our marketing website, Hearken is a data controller.
When Hearken collects your information when you register for or attend an event, we are the controller.
When we enter into an agreement with a client organization, Hearken assumes the role of a data processor as it pertains to user submissions. We process data as stipulated by the organization. However, we retain the right to use some of the information entered by the end-users for business continuity purposes.
Hearken is the controller of any activity by an end-user that affects more than one of our client organizations. We also own usage audit, analytics and similar information about how the users engaged with our platform and services. Such data may include users’ contact information and anonymized statistics on the content submitted to our services.
4.2 Responsibilities as a controller
We provide mechanisms for our users to access, amend or delete their personal data as long as the request is reasonable and in accordance with the laws. See section on data requests for more information.
4.3 Responsibilities as a processor
We will process the data as stipulated by the data processor in our agreement. We may share data through our APIs or webhooks with other services as directed by the data controller. The responsibility for such transfers resides with the controller.
We will respond to reasonable requests from the controller to access, amend or delete data for an individual user or collective user set as required by the law. Any additional cost incurred to perform such requests will be borne solely by the client in such cases.
5. Data retention
We will not hold your personal information for any longer than is necessary for the uses outlined above, unless we are required to keep your personal data longer to comply with the law and any regulatory requirements. Where Hearken is the controller of personal data we will retain your data for up to 3 years after your last active interaction with our Site and Services.
Where Hearken is the processor, we will hold your personal information until told otherwise by the controller. For more information on how your information is used by controllers, please refer to their respective Privacy Policies.
6. Data breach response
On becoming aware of a Data Incident, Hearken will:
- notify any authorities as required by laws;
- notify Customer of the Data Incident without undue delay;
- make reasonable efforts to identify the cause of such Data Incident; and,
- where the Data Incident was not caused by Customer or any Authorized User, take necessary steps that Hearken deems reasonable in order to remediate the cause of the Data Incident.
7. Do Not Track signal handling
Most popular browsers provide mechanisms for users to send a “Do Not Track” signal to the websites they visit. There is no consensus on what such signals mean in the context of user privacy. Hearken does not respond to Do Not Track signals and/or other similar mechanisms that provide consumer choice about tracking.
8. Your rights as a User
If you are a user to whom certain data protection laws apply, you may have the following rights regarding your personal information.
8.1 RIGHT TO KNOW, RECTIFY AND DELETE PERSONAL DATA
You have the right to know and delete information on you collected by us. You have the right to request the following:
- The categories of personal information we have collected about you;
- The categories of sources from which the personal information was collected;
- The categories of personal information about you we disclosed for a business purpose or sold;
- The categories of third parties to whom the personal information was disclosed for a business purpose or sold;
- The business or commercial purpose for collecting or selling the personal information; and
- The specific pieces of personal information we have collected about you.
Under some laws, you may also have rights to do the following:
- The right to have your personal data rectified if it is inaccurate or incomplete;
- The right to request to have your personal data deleted in certain specific circumstances as set out in the Data Protection Legislation;
- The right to request to restrict the processing of your personal data in certain specific circumstances as set out in the Data Protection Legislation;
- The right to ask us not to process your personal data for marketing purposes or for purposes based on our legitimate interests;
- The right to ask us to not undergo automated decision making; and
- Where you have provided consent, to request to withdraw such consent at any time.
Data collected on you over the last 12 months or other period of time specified by Data Protection Laws is subject to the above provisions and rights.
8.2 RIGHT TO OPT-OUT
If you have consented to receiving marketing communications regarding products and services that we believe may be of interest to you and you later decide that you no longer want to receive this type of marketing or promotional information, you may opt-out at any time by clicking the “Unsubscribe” button at the bottom of the marketing communication, or contacting us at firstname.lastname@example.org.
You may also submit requests to access, update, correct or delete your Personal Information, to no longer receive communications, or to “opt-out” of certain Services, by contacting us at the above email address.
8.3 RIGHT TO NON-DISCRIMINATION
You have the right not to receive discriminatory treatment by us as a result of exercising any of your privacy rights.
Our ability to verify your identity is important to us being able to detect spam submissions and bots. If you choose not to verify your email address, we may be unable to provide the same level of service.
9. Responding to data access requests
You can send us a request to email@example.com to view, rectify or delete information about you collected and held by us.
You may make such requests yourself or via an agent authorized to contact us on your behalf.
We have a duty as the holder of certain personal information to verify your identity when responding to requests to know or delete information to ensure that we do not disseminate information to another person. To verify your identity, we will request and collect additional personal information from you to match it against our records. We may ask you to verify your email address or ask for additional information or documentation if we feel it is necessary to confirm your identity with the necessary degree of certainty. We may communicate with you through email, or other means of communication that is reasonable and appropriate.
We will respond to you within 30 days of verification of the request. If additional time is needed to fulfill your request or to determine our capability of fulfilling your request, we will notify you of the additional time needed (but not more than an additional 60 days).
We will attempt to respond to and comply with all reasonable requests. However, we may charge a reasonable fee when a request is manifestly unfounded or excessive.
We retain the right to deny requests under certain circumstances. In such cases, we will notify you of the reasons for denial. We will not provide you with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, your account with us, or the security of our systems or networks. We will not disclose, if we are in possession of, your Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.
If we are the processor of the information you requested us to delete, we may redirect your request to the controller of the information.
9.1 PROPAGATION AND PERSISTENCE OF REQUESTS
We will make reasonable attempts to notify any third-party services we may have shared your data with if your request requires making changes to or deleting the shared data. We are not responsible for making sure that such requests are completed.
Because of the nature of the infrastructure and redundancy built in, some data may persist for longer than intended.
10. Children’s privacy
Hearken does not knowingly collect Personal Data from children under the age of 13.
The Services are intended for a general audience and are not intended for and should not be used by children under the age of 13. We do not knowingly collect information from children under the age of 16.
Entering age information in form fields that are not intended for such purposes does not mean that we are aware of the user’s age.
11. Links to other websites
12 API, webhook usage or data downloads
We are not responsible for the data once it leaves Hearken systems. We do not hold responsibility for verifying the terms of services of the third party services or systems that the Authorized Users of our systems send the data to. When delivering data via webhooks, we are acting as the data processor complying with the instructions given to us by our clients who act as the data controller.
13.1 UNSOLICITED SUBMISSIONS
13.2 BUSINESS CRITICAL DATA
Any data that is reasonably and demonstrably required for our conduct of business or has a legitimate business purpose may be excluded from being deleted.
13.3 ANONYMIZED DATA
13.4 PUBLISHED OR PUBLICLY AVAILABLE DATA
13.5 DATA THAT IS NO LONGER ON HEARKEN CONTROLLED SYSTEMS
14. Cross-border transfer; Privacy Shield notice
We are part of a global network and interact with users and use third parties located in other countries to help us run our business. As a result, personal information may be transferred outside the countries where we and our clients are located. This includes transfers to countries outside the European Economic Area (“EEA”) and to countries that may not have laws that provide the same degree of protection for personal information as your home country. We have taken steps designed to facilitate adequate protection for any information so transferred.
Hearken, Inc. adheres to the EU – U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information that is transferred from the EEA, its Member States, the United Kingdom, and/or Switzerland to the United States.
Where we transfer personal information outside of the EEA to a country or framework not determined by the European Commission as providing an adequate level of protection for personal information, the transfers will be under an agreement which covers European Union requirements for such transfers, such as standard contractual clauses. The European Commission approved standard contractual clauses are available here.
15. Your California Privacy Rights
We update this Privacy Notice from time to time in our discretion and will notify our authenticated users of any material changes to the way in which we treat Personal Data by posting a notice on relevant areas of the Services. We will also provide notice to you in other ways in our discretion, such as through contact information you have provided. Any updated version of this Privacy Notice will be effective immediately upon the posting of the revised Privacy Notice unless otherwise specified. Your continued use of the Services after the effective date of the revised Privacy Notice (or such other act specified at that time) will constitute your consent to those changes. However, we will not, without your consent, use your Personal Data in a manner materially different than what was stated at the time your Personal Data was collected.
If you have any questions about this Privacy Notice, please feel free to contact us by email at: firstname.lastname@example.org .