Version 2020.4 | Last updated on June 29, 2020 | Archived versions
We at Hearken, Inc. (“Hearken”, “We”, “us”, “our”) take the responsibility of protecting your data and privacy very seriously.
This Policy applies to information that Hearken may collect about you in connection with your access and use of the following:
- The “Websites” located at any of the following domains or their subdomains:
- Other domains operated by us and from which you are accessing this Policy
- Our “Platforms” including the Hearken Engagement Management System Platform and Switchboard Community Management System
- Our social media pages, mobile apps, and any other products and Services offered by Hearken collectively referred to as “Services”
- Other communications including customer support requests, surveys, and SMS texts in which you may provide your information to Hearken.
In this Policy, the Websites, Platform, mobile apps, social media pages, emails, and other electronic locations through which you may interact with Hearken to provide your information are collectively referred to as the “Sites.”
- We collect only the minimum amount of personal information that is necessary to fulfill the purpose of your interaction with us.
- We don’t sell you data to third-parties or advertise to you on our platforms or Sites.
- We share your data with others under certain circumstances including aiding law enforcement, using third-party Services, etc. See more here.
- You may request to view, delete or change your personal data by sending a request to firstname.lastname@example.org
- We may be processing your data on behalf of one of our clients in which case we may direct your request to our client who controls the data.
See our full Policy below for more information
1. About “Us”
2. About “You”
“You” refers to individuals who access and use the Sites and/or Services.
For example, you may be a client of Hearken who accesses and uses the Sites and Services as the host or organizer of an event (“Client”), and with whom Hearken has entered into a Service Agreement or other agreement containing separate terms and conditions that govern delivery, access and use of the Sites and Services (a “Client Agreement”).
You may be the employee or agent of a Client, who is authorized to access the Platform as an administrator or an authenticated user.
You may be a visitor to our Website who is interested in browsing and learning more about Hearken or a visitor submitting information through our Platform or Services;
If you are invited to register for, check into, or receive information regarding a Client event or service through a Hearken Site or Service, you will be considered an “Event Attendee”
When we collect information from you, we may be doing so on our own behalf (in which case we will be considered a “Controller” of your data), or on behalf of a Hearken Client who is using the Services to solicit comments and feedback, from their stakeholders, manage communities, organize an event and manage other event-related activities (in which case, the Client will be the “Controller” and Hearken will be considered a “Processor” of your data).
Homepage: The site hosted at wearehearken.com which is used to provide information about the company, market our offerings, products and Services.
Services: Includes all work done by Hearken including consultation Services, as well as online Services provided via our Engagement technology products and Sites.
Products: Refers to our Engagement and Community technology Services.
User or End-user: A person using our Services as an individual.
Customer: Refers to an individual affiliated with an organization or organization that contracts with Hearken to use our Services.
Authorized User, Administrator, or Admin: A user who is signed in to Hearken systems and is expressly permitted to access all or a subset of information and data stored on Hearken’s systems.
Personal Information, Personal Data, or Personally Identifiable Information (PII): Refers to the following types of information which may be identifiable to you when you register to use our Services, access various content or features, or directly contact the Site: (i) contact information, such as your email address and name; (ii) your age; and (iii) information for the purpose of authenticating yourself or your account if we have reason to believe, in our sole discretion, that you may be violating site policies or for any other reason we deem necessary.
Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Third-party service: A service that Hearken may use to process personal data.
Data Protection Legislation or Laws: Means laws and regulations applicable to the processing of Personal Data under the Policy, the GDPR, the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield, the CCPA, PIPEDA, and the Nevada Act Relating to Internet Privacy (Senate Bill 220 or “SB 220”), to the extent applicable to such processing.
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016); and until 25 May 2018, the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995; and any applicable legislation adopted by any Member State of the European Union, or by the United Kingdom post its ceasing to be a Member State of the European Union.
The EU-U.S. and Swiss-U.S. Privacy Shields refer to the frameworks that were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
“CCPA” means the California Consumer Privacy Act of 2018, which is referred to as Assembly Bill No. 375. The CCPA became effective as of January 1, 2020.
“PIPEDA” means the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), a data privacy law enacted by the Parliament of Canada.
4. What data and information do we collect?
4.1 Information Given to Us by You
When you use Hearken’s products or Services directly or through one of our client organization’s websites, you share some personal information with us such as name, email address, password, demographic information and other information that may be considered personal information by various privacy laws.
When you register to attend or attend an event hosted or managed by Hearken, you provide us name and contact information.
You share your name and contact information when you subscribe to our email newsletters or other marketing or corporate communications.
4.2 Information We Collect from You
When you use our Services and products, we may collect your IP address, device and browser information.
4.3 Information We Infer from Your Data
To provide better service to you and to safeguard our systems and clients from abuse and fraud, we may make some inferences from the data you give us and the data we collect about you.
The various categories of data we collect and why we collect them are listed below.
|Name or Username||We use it to identify your interactions.|
|Email address||We use it to contact you with our newsletters, offers, and updates you consented to receive. We may also use it to verify your identity and to send you notifications about anything that needs your attention on our Services.|
|IP address||We may collect your IP address when you use our systems. We use it to safeguard our systems and clients from abuse and fraud.|
|Other contact information such as phone numbers||Our clients may use our Services and products to collect your contact information other than email so that they can reach you regarding your submission.|
|Location information including country, city, postcode, and geocode stored as latitude and longitude.||We use the location information you provide to generate anonymized aggregate statistics of usage. We may convert it to geolocation information such as latitude, longitude precise only up to a neighborhood or zip code to prevent personal identification.|
|Device and browser information||We use device and browser information collected when you reach out to us via our support channels to diagnose issues and resolve them. We may also use device and browser information to provide you better service by checking for compatibility with our code. We use anonymized aggregate device information to prioritize features and device support. For instance, we may prioritize fixing bugs affecting a particular browser based on aggregate usage statistics of the browser used by our users to access our Services or Products .|
|Content you submit including posts, votes, images and queries||All text, votes and files submitted by you are used to provide support and service. We share information collected via our Platforms, forms and embeds created by our client organizations on our service with that client organization. We do not share your activity with one of our clients with other clients. We may share anonymized aggregate data to detect trends and to market our Services.|
|Usage audit and analytics||When you use our systems as an Authorized User or User with access to our administrative interface, we store an audit of your activities in our database. This is used to prevent any unauthorized access, provide accountability and to prevent misuse of the system. We collect usage information when you use our websites or platforms to help us prioritize features and troubleshoot issues.|
|Payment information||We may collect payment information from you when applicable. Such data is only used for purposes that you explicitly consent when giving us or our designated service provider the information.|
|Transcript and recordings of calls||When you engage our Services, your calls may be recorded and transcribed for record keeping. This data is used to tailor our Services to best fit our needs and for quality assurance purposes.|
5. How we handle your data
Any data that can be attributed to a single user or a household is treated as Personal Information or Personally Identifiable Information as designated by various privacy laws and we take all standard security precautions while handling your data.
Access to such data is restricted to authorized personnel or Services only. (See section on our third-party Services for more information).
We take industry-standard precautions to secure the data. The data is stored encrypted. This ensures that even in the event of a data breach, we protect your private information to the best of our abilities. See our information security policy for more information
The data infrastructure is located in North America. We store your data in the following systems:
- Relational databases and document stores: We store your data on a persistent storage that is encrypted at multiple levels.
- Log files: We may record events that occur when you use our products or Services in one or more files collectively known as log files.
- Other files: We may store your data in other forms of transient or persistent storage on our infrastructure.
- Caches: To effectively scale our Services, we store your information in multiple caching Services.
- Third-party Services: When applicable, we use third-party Services to store and process your information. (See third-party Services section for more information)
- Backups and code repositories: We store information backup for business continuity.
We do not intentionally collect protected or sensitive personal information, such as social security numbers, genetic data, health information, etc.
We realize that you might share this information on our Platform, such as in posts, messages or comments. If you store any sensitive personal information on our servers, you are consenting to our storage of that information on our servers, which are in North America.
Information in your posts, comments, messages, and stories belongs to you, and you are responsible for it, as well as for making sure that your content complies with our Terms of Service.
We do not access your private messages exchanged with other users unless required for security or maintenance, or for support reasons. In such cases, we will do so only with your consent.
6. Who We Share Data With
Hearken is not in the business of selling your information.
We consider the information you shared with us to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your data with certain third parties without further notice to you, as set forth below:
6.1. Third-Party Services
We may share your information with these Services, only to the extent required to perform the function we use them for. These Services are permitted to use your personal data only to the extent required to perform their Services for us.
Hosting and technical infrastructure
We do not share any PII explicitly with these Services. However due to the nature of their use, these Services may have access to some PII such as your IP
|Amazon Web Services||Hosts and processes our data and Services for our Platforms Sends transactional emails for Switchboard Community Management Service(“CMS”)|
|Heroku||Hosts and processes our data and Services for Engagement Management Service(“EMS”)|
|Google Cloud Platform||Hosts some Services and code for related Services|
|Square Space||Hosts some Hearken operated websites Provides a platform for ticket sales for events.|
|Kinsta||Hosts wearehearken.com website|
|Github||Hosts code and repositories. We do not store any user data in Github|
Hosts public code samples and developer wiki.
|New Relic||Stores and process events and error reports for EMS|
|Sentry||Stores and process event and error reports for CMS|
Analytics and usage
We share information with the analytics platforms only if you have consented to accepting cookies. For signed in users, we may share your name and contact information to be able to serve you when you reach out to us for support.
|Google Analytics||Collects usage data about how you use our Sites and Services|
|reCaptcha||Protect system against bots and spam|
|Churnzero||Collects usage data about how Authorized Users and Admins use the EMS Admin platform|
|HubSpot||Provides support, for marketing and for scheduling calls with prospective or current partners. When you sign up for a discovery call or request any gated content on Hearken’s Site, your information will be passed to Hubspot.|
Support, Marketing and event management
These services have access to your contact information when you use Hearken features that process data through these services.
|EventBrite||Manages sign-ups for our events and webinars so that we may keep in touch with attendees before and after an event|
|HubSpot||Provides support, for marketing and for scheduling calls with prospective or current partners. When you sign up for a discovery call or request any gated content on Hearken’s Site, your information will be passed to Hubspot.|
|Intercom||Provides support via email, chat interface and documentation. We share Authorized Users’ name and email so we can identify you when you reach out to us|
These are services we use to communicate within Hearken team as well as with Users or clients. We do not explicitly share information with these services. But they may have access to the information we store on these services. For instance: Slack platform will have access to your email address if you are added as a Slack user or if our integration posts user information into our internal Slack
|Slack||We use Slack to communicate within our team as well as with some clients. We also add some third-party service integrations.|
|Zoom||Zoom provides our video conferencing platform for video meetings and webinars. We use the Zoom sign up function to allow participants in meetings and webinars to keep in touch before and after an event.|
|Gmail||Our main emailing platform|
|Google Hangouts||We use Google Hangouts as our video conferencing platform for some video meetings and webinars.|
|Google Calendar||Used to schedule our meetings, calls and webinars with clients.|
|MailChimp and Mandrill,||Send emails and newsletters to our users|
|Amazon Web Services||Send emails and newsletters to our CMS users|
|Whimsical||Used for strategic planning and consultation documentation|
|Notion||Used for internal documentation|
|Trello,||Used to track our work items and support tickets from our Users and Customers.|
|Google Drive||Used to store and collaborate on documents.|
|AirTable,||Used to store internal documentation including some information about our client contracts and invoices.|
Other data processing Services
These services are used for specific data processing tasks. Only data required to complete the task is shared with them. No PII is shared unless absolutely necessary
|Delve||Transcribes our discovery and service calls.|
|Harvest||Track time consultants spend on client calls.|
|OtterAi||Transcribe our discovery, service and sales calls.|
|PandaDoc||Manage contracts with our clients and third parties.|
|DocuSign||Manage contracts with our clients and third parties.|
|Zapier||Used to connect our Services with other third party Services|
|Mapbox,||Used to geocode and display maps|
|Google Maps||Used to geocode and display maps|
|Bonsai||Hosts elastic search data indices to enable search functionality for EMS|
|Elastic||Hosts elastic search data indices to enable search functionality for CMS|
|Typography.com||Provides custom fonts|
|Google Fonts||Provides custom fonts|
These services have access to financial information of Hearken employees or our contracts with our clients. They are integrated sparingly with other systems to isolate sensitive and protected information
|Quickbooks||Tracks our accounting information including invoices and payments from our clients.|
|Fathom||Used to supplement financial data in Quickbooks|
|Airtable||Used to store internal documentation including some information about our client contracts and invoices.|
|Paylocity||Payroll platform for employees and contractors or Hearken.|
|Stripe||Payment platform for events and memberships.|
6.2. Business Transfers
As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Data may be part of the transferred assets.
6.3. Related Companies
6.4. Legal Requirements
Hearken may disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to
- comply with a legal obligation,
- protect and defend the rights or property of Hearken,
- act in urgent circumstances to protect the personal safety of users of the Services or the public, or
- protect against legal liability.
7. Hearken’s Role as Data Controller or Processor
As set forth in privacy laws, a company that has access to your data may be considered a Data Controller or Processor.
As a company, Hearken is sometimes the Data Controller and sometimes the Processor. The following section details when we are considered a Controller and when we are a Processor.
As it relates to our marketing website, Hearken is a Data Controller.
When Hearken collects your information when you register for or attend an event, we are the Controller.
When we enter into an agreement with a client organization, Hearken assumes the role of a Data Processor as it pertains to user submissions. We process data as stipulated by the organization and in accordance with applicable data protection laws. We retain the right to use some of the information entered by the end-users for business continuity purposes.
Hearken is the Controller of any activity by an end-user that affects more than one of our client organizations. We also own usage audit, analytics and similar information about how the users engaged with our platform and Services. Such data may include user’s contact information and anonymized statistics on the content submitted to our Services.
7.1. Responsibilities as A Controller
We provide mechanisms for our users to access, amend or delete their personal data as long as the request is reasonable and in accordance with the laws. See section on data requests for more information.
7.2. Responsibilities as A Processor
We will process the data as stipulated by the Data Processor in our agreement. We may share data through our APIs or webhooks with other Services as directed by the Data Controller. The responsibility for such transfers resides with the Controller.
We will respond to reasonable requests from the Controller to access, amend or delete data for an individual user or collective user set as required by the law. Any additional cost incurred to perform such requests will be borne solely by the client in such cases. Controllers may reach out to us via our support channels or by sending us an email at email@example.com
When we are the Processor, we will provide any Personal Information you submit through our Sites or Services to the Controller
Hearken does not control the information that a Controller requests from the end-user through our platforms. We are not responsible for any decisions or actions taken by the Controller with respect to your information (or by any third party with whom the Controller may share your information). Please read the applicable privacy policies of the Controller before submitting Personal Information.
8. Data Retention
We will not hold your personal information for any longer than is necessary for the uses outlined above, unless we are required to keep your personal data longer to comply with the law and any regulatory requirements. Where Hearken is the Controller of personal data we will retain your data for up to 3 years after your last active interaction with our Site and Services.
Where Hearken is the Processor, we will hold your personal information until told otherwise by the Controller or for up to 3 years after the Controller ceases to be a client. For more information on how your information is used by Controllers, please refer to their respective Privacy Policies.
9. Data Breach Response
On becoming aware of a Data Incident, Hearken will:
- notify any authorities as required by laws;
- notify the Controller or the Customer of the Data Incident without undue delay;
- make reasonable efforts to identify and mitigate the cause of such Data Incident; and,
- where the Data Incident was not caused by Customer or any Authorized User, take necessary steps that Hearken deems reasonable in order to remediate the cause of the Data Incident.
10. Do Not Track Signal Handling
Most popular browsers provide mechanisms for the users to send a “Do Not Track” signal to websites they visit. There is no consensus on what such signals mean in user privacy context. Hearken does not respond to Do Not Track signals and/or other similar mechanisms that provide consumer choice about tracking.
11. Your Rights as A User
If you are a user to whom certain data protection laws apply, you may have the following rights regarding your personal information.
11.1. Right to Know, Rectify and Delete Personal Data
You have the right to know and delete information on you collected by us. You have the right to request the following:
- The categories of personal information we have collected about you;
- The categories of sources from which the personal information was collected;
- The categories of personal information about you we disclosed for a business purpose or sold;
- The categories of third parties to whom the personal information was disclosed for a business purpose or sold;
- The business or commercial purpose for collecting or selling the personal information; and
- The specific pieces of personal information we have collected about you.
Under some laws, you may also have rights to do the following:
- The right to have your personal data rectified if it is inaccurate or incomplete;
- The right to request to have your personal data deleted in certain specific circumstances as set out in the Data Protection Legislation;
- The right to request to restrict the processing of your personal data in certain specific circumstances as set out in the Data Protection Legislation;
- The right to ask us not to process your personal data for marketing purposes or for purposes based on our legitimate interests;
- The right to ask us to not undergo automated decision making; and
- Where you have provided consent, to request to withdraw such consent at any time.
Data collected on you over the last 12 months or other period of time specified by Data Protection Laws is subject to the above provisions and rights.
11.2. Right to Opt-Out
We do not sell your data. Our users do not have to request to opt-out of sale of their data.
If you have consented to receiving marketing communications regarding products and Services that we believe may be of interest to you and you later decide that you no longer want to receive this type of marketing or promotional information, you may opt-out at any time by clicking the “Unsubscribe” button at the bottom of the marketing communication, or contacting us at firstname.lastname@example.org
You may also submit requests to access, update, correct or delete your Personal Information, to no longer receive communications, or to “opt-out” of certain Services, by contacting us at the above email address.
11.3. Right to Non-Discrimination
You have the right not to receive discriminatory treatment by us as a result of exercising any of your privacy rights.
Our ability to verify your identity is important to us being able to detect spam submissions and bots. If you chose to not verify your email address, we may be unable to provide the same level of service.
12. Responding to Data Access Requests
You can send us a request to email@example.com to view, rectify or delete information about you collected and held by us.
You may make such requests yourself or via an agent authorized to contact us on your behalf.
If you are an Authorized User on one of our Platforms or Services, you may have an option to view and modify your information on the platform.
12.1 Verifying identity
We have a duty as the holder of certain personal information to verify your identity when responding to requests to know or delete information to ensure that we do not disseminate information to another person.
To verify your identity, we will request and collect additional personal information from you to match it against our records. We may ask you to verify your email address or ask for additional information or documentation if we feel it is necessary to confirm your identity with the necessary degree of certainty. We may communicate with you through email, or other means of communication that is reasonable and appropriate.
We will respond to you within 30 days of verification of the request. If additional time is needed to fulfill your request or to determine our capability of fulfilling your request, we will notify you if such additional time is needed (but not more than an additional 60 days).
We will attempt to respond to and comply with all reasonable requests. However, we may charge a reasonable fee when a request is manifestly unfounded or excessive.
We retain the right to deny requests under certain circumstances. In such cases, we will notify you of the reasons for denial. We will not provide you with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, your account with us, or the security of our systems or networks. We will not disclose, if we are in possession of, your Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.
If we are the Processor of the information you requested us to modify or delete. We may redirect your request to the Controller of the information.
12.2. Propagation and Persistence of Requests
We will make reasonable attempts to notify any third-party Services we may have shared your data with if your request requires making changes to or deleting the shared data. We are not responsible for making sure that such requests are completed.
Because of the nature of the infrastructure and redundancy built in, some data may persist for longer than intended.
13. Children’s Privacy
Hearken does not knowingly collect Personal Data from children under the age of 13.
The Services are intended for a general audience and are not intended for and should not be used by children under the age of 13. We do not knowingly collect information from children under the age of 16.
If a Controller chooses to collect information from users who have not verified their age, we will consider this information as one-time transactional information. We will limit who has access to the PII information from users whose age is not verified.
Entering age information in fields of the form that is not intended for such purposes do not construe to us being aware of the user’s age.
14. Links to Other Websites
15. API, Webhook Usage or Data Downloads
We are not responsible for the data once it leaves Hearken systems. We do not hold responsibility for verifying the terms of Services of the third-party Services or systems that the Authorized Users of our systems send the data to. When delivering data via webhooks, we are acting as the Data Processor complying with the instructions given to us by our clients who act as the Data Controller.
16.1. Unsolicited Submissions
16.2. Business Critical Data
Any data that is reasonably and demonstrably required for our conduct of business or has a legitimate business purpose may be excluded from being deleted.
16.3. Anonymized Data
16.4. Published or Publicly Available Data
16.5. Data that Is No Longer on Hearken Controlled Systems
16.6. Data stored in backups
Any data that has been moved out of our primary and active systems into inactive backups or storage are exempt from requests to know, modify or delete.
However, if the data were to be restored from these backups for any reason, we will take reasonable steps to ensure that all privacy elections are applied to the restored data.
17. Cross-Border Transfer; Privacy Shield Notice
We are part of a global network and interact with users and use third parties located in other countries to help us run our business. As a result, personal information may be transferred outside the countries where we and our clients are located. This includes transfers to countries outside the European Economic Area (“EEA”) and to countries that may not have laws that provide the same degree of protection for personal information as your home country. We have taken steps designed to facilitate adequate protection for any information so transferred.
Hearken, Inc., and its affiliated US entity, Curious Nation, Inc., adhere to the EU – U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information that is transferred from the EEA, its Member States, the United Kingdom, and/or Switzerland to the United States. Hearken has certified that it adheres to the Privacy Shield Principles within the scope of Hearken’s Privacy Shield certification. To learn more, see our Privacy Shield Policy.
When we transfer personal information outside of the EEA to a country or framework not determined by the European Commission as providing an adequate level of protection for personal information, the transfers will be under an agreement which covers European Union requirements for such transfers, such as standard contractual clauses. The European Commission approved standard contractual clauses are available here.
18. Your California Privacy Rights
19. Changes to the policy
We update this Policy from time to time at our discretion. We will not reduce your rights under this policy without your explicit consent. We will not, without your consent, use your Personal Data in a manner materially different than what was stated at the time your Personal Data was collected.
When changes in the policy are significant, we will notify our authenticated users of any material changes to the way in which we treat Personal Data by posting a notice on relevant areas of the Services.
We will also provide notice to you in other ways at our discretion, such as through contact information you have provided. Any updated version of this Privacy Notice will be effective immediately upon the posting of the revised Privacy Notice unless otherwise specified. Your continued use of the Services after the effective date of the revised Privacy Notice (or such other act specified at that time) will constitute your consent to those changes.
We always indicate the date the last changes were published and we offer access to archived versions for your review.
20. Contact Us
If you have any questions about this Privacy Notice, please feel free to contact us by email at: firstname.lastname@example.org