1. Introduction

ChatShipper GmbH (“ChatShipper”, “we”, “us”, or “our”) provides a Software as a Service (SaaS) based “Conversation Platform” that allows our customers to store, manipulate, analyze and transfer messages between their business systems and their customers on a variety of ChatShipper-provided and third party messaging channels (the “Service”).

This document is intended to supplement and clarify the ChatShipper Privacy Policy with regard to Personal Data processed on behalf of our Customers during provision of the Service (“Service Data”). This Privacy Statement for Service Data represents an Agreement between ChatShipper and the Customer and governs the use of Service Data. If there is any inconsistency between this Agreement and any negotiated Agreement between ChatShipper and the Customer, the terms of the negotiated agreement will prevail.

2. Definitions

  1. Agent: an individual who communicates within the Conversation Cloud on behalf of the Customer
    1. For example, a member of the Customer’s web support team, or a representative of a third party to whom support has been outsourced
  2. Chat Participants: Agents and Users who communicate within the Conversation Cloud
  3. Customer: a legal entity with whom ChatShipper has an agreement to provide the Services
    1. For clarity, a Customer may be a Controller or a Processor of Personal Data. Where a Customer is a Processor of Personal Data, ChatShipper shall process Personal Data as sub-processor on behalf of the Controller. Instructions from the Controller regarding the processing Personal Data shall be given through the Processor.
  4. User: an individual who communicates with a Customer or Agent within the Conversation Cloud
    1. For example, a member of the public on Facebook Messenger, a visitor to the Customer’s Website, the holder of an SMS number, or the user of a mobile app

The following terms are used as defined in the EU General Data Protection Regulation (GDPR):

  1. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  2. Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”)
  3. Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
  4. Third Party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data

3. Data We Process

This document is intended to supplement and clarify the ChatShipper Privacy Policy with regard to Personal Data processed on behalf of our Customers during provision of the Service (“Data Subject”)

ChatShipper may collect and process Personal Data about individuals for the purposes of account creation, billing, usage tracking, recruiting, and marketing. These data types and processing activities are governed instead by the ChatShipper Privacy Policy. Data that is not related to an identified or identifiable natural person, including aggregated or de-identified data, is not Personal Data and is not addressed by this document.

ChatShipper Services are not directed to children under 16. If you learn that a child under 16 has provided us with Personal Data without consent, please contact us.

4. Types of Service Data

ChatShipper may process the following types of Service Data on behalf of Customers:

User Profile Information

The ChatShipper API enables Agents to communicate with Users via multiple platforms such as social media (e.g., Facebook Messenger), email, SMS, and web apps (“Messaging Channels”). Each Channel transmits certain data about the User. Some examples include: First Name, Last Name, Email Address, Phone Number, IP Address, Location, Avatar/Image, Username/Handle, Linked IDs, and others.

The types of Personal Data transmitted in the User profile depend on the data collected by the Controller, and the User’s privacy settings and preferences. The Controller may be the Messaging Channel (e.g. Facebook, WeChat); or the Customer, when messages are received via [technology platform] (e.g. SMS, email), or web apps created using ChatShipper’s Software Development Kit.

Agent Profile Information

Customers may enable the configuration of profiles for their Agents, including details such as Name and Image.

Message Content

Message content may be structured or unstructured, and may or may not contain Personal Data. ChatShipper handles all messages in the Conversation Cloud as Personal Data.

Metadata

ChatShipper servers automatically record some information when Services are used, including information sent by browsers or mobile apps.

ChatShipper may collect information about the devices Services are being used on, including what type of device it is, operating system, device settings, application IDs, unique device identifiers, and crash data.

5. Purposes for Processing

ChatShipper processes the Personal Data types outlined above for the following purposes:

  1. To provide and enhance our product and service offerings
  2. To provide insights and statistics on an aggregated basis to help our Customers measure their performance, better understand their customers and improve their product and service offerings
  3. To respond to Customer requests for support or assistance

This policy is not intended to place any limits on what we do with data that is aggregated and/or de-identified. It is no longer associated with an identifiable user or Customer of the Services and is therefore not Personal Data.

6. How We Protect Data

With regard to the Service and Service Data, ChatShipper acts as a Processor on behalf of Customers. Customers have primary responsibility for interacting with Data Subjects, and the role of ChatShipper is generally limited to assisting Customers as needed. ChatShipper processes Service Data only upon a Customer’s instruction and shall have a duty to respect the security and confidentiality of Personal Data, pursuant to the measures outlined in agreements with Customers and as required by applicable law.

Privacy Program

ChatShipper maintains a managed privacy program to identify risks and implement preventative measures. Our Chief Privacy Officer, supported by a network of senior professionals throughout the business and development teams, is responsible for managing the privacy program. The privacy program is and will be reviewed on a regular basis to provide for continued effectiveness.

Personal Data collected and processed by ChatShipper is governed by the ChatShipper Data Privacy Policy. Employees with access to Personal Data are trained on the Policy and their responsibility to protect the data, and they are bound by confidentiality agreements. ChatShipper has implemented a Privacy by Design (PbD) approach, and our development team receives specific training related to their job responsibilities.

Information Security

ChatShipper takes security seriously. We take various steps to protect information you provide to us from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the information we collect, process and store, and the current state of technology.

To learn more about current practices and policies regarding security and confidentiality of Customer Data and other information, please see our Security Notice, we keep that document updated as these practices evolve over time.

7. Transparency and Cooperation with Customers

ChatShipper undertakes to be transparent regarding its Personal Data processing activities and to provide Customers with reasonable cooperation to help facilitate their respective data protection obligations regarding Personal Data.

Data Breach Notification

In the event that ChatShipper becomes aware of any unauthorized access to or disclosure of Personal Data, ChatShipper will promptly notify affected Customers to the extent such notification is permitted by applicable law.

Customer Audits

Upon a Customer’s request, and subject to appropriate confidentiality obligations, ChatShipper shall make available to the Customer (or such Customer’s independent, third-party auditor) information regarding ChatShipper and third-party sub-processors’ compliance with the data protection requirements set forth in our agreements.

Obligations Upon Termination

Upon termination of the Services, ChatShipper shall, at the request of the Customer, delete, render unidentifiable, or return all Personal Data to the Customer. ChatShipper will certify that it has done so, unless legislation prevents it from returning or destroying the data. In that case, ChatShipper will protect the data in accordance with its commitments and will not actively process the personal data transferred anymore.

8. Sharing and Disclosure

There are times when information described in this privacy statement may be shared by ChatShipper. This section discusses how ChatShipper may share such information. Customers determine their own policies for the sharing and disclosure.

ChatShipper reserves the right to disclose or use aggregate or de-identified information for any purpose. For example, we may share aggregated or de-identified information with our partners or others for business or research purposes like telling a prospective ChatShipper Customer the average number of messages sent within a day.

Sub-processing by Third Parties

ChatShipper may retain third party sub-processors, and depending on the location of the third-party sub-processor, processing of Personal Data by such sub-processors may involve transfers of Personal Data. Such third-party sub-processors shall process Personal Data only in accordance with the Customer’s instructions.

As of the date hereof, these third party providers include technical operations such as database monitoring, data storage and hosting services and customer support software tools.

Such third-party sub-processors have entered into written agreements with ChatShipper in accordance with the applicable requirements.

Compliance with Laws

ChatShipper may share or disclosed data to comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.

Enforcing Our Rights, Preventing Fraud, and Safety

ChatShipper may share or disclose data to protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigation and preventing fraud.

Changes to our Business Structure

ChatShipper may share or disclose data if we engage in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of ChatShipper’s assets, financing, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence).

9. Data Subject Rights

ChatShipper acts as a data Processor on behalf of Customers. Customers have primary responsibility for interacting with Data Subjects, and the role of ChatShipper is generally limited to assisting Customers as needed.

Access, Correction, Amendment or Deletion Requests

ChatShipper shall promptly notify a Customer if ChatShipper receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. ChatShipper shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer.

ChatShipper shall provide Customers with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data to the extent Customers do not have access to such Personal Data through their respective uses of the Services.

Handling of Complaints

Data Subjects may lodge a complaint about processing of their respective Personal Data by contacting the relevant Customer or the ChatShipper Privacy department at the email address privacy@ChatShipper.com. ChatShipper shall promptly communicate the complaint to the Customer to whom the Personal Data relates.

Customers shall be responsible for responding to all Data Subject complaints forwarded by ChatShipper, except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where ChatShipper is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply.

Regulatory Inquiries and Complaints

ChatShipper shall, to the extent legally permitted, promptly notify a Customer if it receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, ChatShipper shall provide the Customer with cooperation and assistance in relation to any regulatory inquiry or complaint involving ChatShipper’s processing of Personal Data.

10. Changes to this Statement

We may change this statement from time to time, and if we do we will post any changes on this page. If you continue to use the Services after those changes are in effect, you agree to the revised policy.

This document was last updated in December 2018.

11. Contacting ChatShipper

Please feel free to contact us if you have any questions about ChatShipper’s Privacy commitments or practices. You may contact us at privacy@chatshipper.com.