Effective Date: 1st January, 2022
If you are a resident of the European Union (“EU”), United Kingdom, Lichtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data, as outlined below.
How and With Whom Do We Share Your Data?
• Payment processors
• Fraud prevention service providers
• Ad networks
• Analytics service providers
• Staff augmentation and contract personnel
• Hosting service providers
• Co-location service providers
• Marketing service providers
• Product development service providers
• Customer success providers
We also share Personal Data when necessary to complete a transaction initiated or authorized by you or provide you with a product or service you have requested. In addition to those set forth above, these parties also include:
• Other users (where you post information publicly, direct us to share the information (such as with other members of your team), or as otherwise necessary to effect a transaction initiated or authorized by you through the Services)
• Social media services (if you interact with them through your use of the Services)
• Third party business partners who you access through the Services
• Your vendors and service providers, such as customer relationship management system providers
We also share Personal Data when we believe it is necessary to:
• Comply with applicable law or respond to valid legal process, including requests from law enforcement or other government agencies
• Protect us, our business or our users, for example to enforce our terms of service, prevent spam or other unwanted communications and investigate or protect against fraud
• Maintain the security of our products and services
We also share information with third parties when you give us consent to do so.
In addition to the foregoing, we share Personal Data that is Profile data with other users, our customers, partners, resellers, and our resellers’ customers.
Last, we share Personal Data with our affiliates or other members of our corporate family. Furthermore, if we choose to buy or sell assets, user information is typically one of the transferred business assets. Moreover, if we, or substantially all of our assets, were acquired, or if we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party, and we would share Personal Data with the party that is acquiring our assets. You acknowledge that such transfers may occur, and that any acquirer of us or our assets may continue to use your Personal Information as set forth in this policy.
What Security Measures Do We Use? We seek to protect Personal Data using appropriate technical and organizational measures based on the type of Personal Data and applicable processing activity.
• The Startuppz website uses SSL (https).
• Account passwords are hashed when stored in our database.
• The authenticity of request methods are verified to prevent CSRF (cross-site request forgery) attacks.
• Startuppz employees use Single Sign-On (SSO) and passwords and enable screen locking.
• Access to AWS and Payment Processors is limited and requires Two-Factor Authentication (2FA).
• Access to production data requires VPN access.
• Startuppz performs third-party penetration testing.
How Long Do We Retain Your Personal Data? We retain Personal Data about you for as long as you have an open account with us or as otherwise necessary to provide you Services. In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. Afterwards, we retain some information in a depersonalized or aggregated form but not in a way that would identify you personally.
Personal Data of Children: As noted in the Terms of Service, we do not knowingly collect or solicit Personal Data from anyone under the age of 16. If you are under 16, please do not attempt to register for the Services or send any Personal Data about yourself to us. If we learn that we have collected Personal Data from a child under age 16, we will delete that information as quickly as possible. If you believe that a child under 16 may have provided us Personal Data, please contact us at email@example.com.
What Rights Do You Have Regarding Your Personal Data?
You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights, or to submit a request, please email firstname.lastname@example.org. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.
• Access: You can request more information about the Personal Data we hold about you and request a copy of such Personal Data by emailing email@example.com.
• Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. You can also correct some of this information directly by emailing firstname.lastname@example.org.
• Erasure: You can request that we erase some or all of your Personal Data from our systems.
• Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.
• Portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
• Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.
• Restriction of Processing: You can ask us to restrict further processing of your Personal Data.
• Right to File Complaint: You have the right to lodge a complaint about Startuppz’s practices with respect to your Personal Data with the supervisory authority of your country or EU Member State.
Transfers of Personal Data: The Services are hosted and operated in the India (“U.S.”) through Startuppz and its service providers, and if you do not reside in the U.S., laws in the U.S. may differ from the laws where you reside. By using the Services, you acknowledge that any Personal Data about you, regardless of whether provided by you or obtained from a third party, is being provided to Startuppz in the U.S. and will be hosted on U.S. servers, and you authorize Startuppz to transfer, store and process your information to and in the U.S., and possibly other countries. You hereby consent to the transfer of your data to the U.S.
Privacy Shield Certification: Startuppz has certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks set forth by the U.S. Department of Commerce regarding the collection and use of Personal Data transferred from the EU and Switzerland to the U.S., respectively. While Privacy Shield is no longer a valid lawful basis on which to transfer Personal Data from the EU to the U.S., Startuppz continues to comply with both the EU-US and the Swiss-US Privacy Shield Frameworks. For more information about the Privacy Shield Program, and to view Startuppz’s certification, please visit www.privacyshield.gov. Startuppz is committed to the Privacy Shield Principles of (1) notice, (2) consent, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access and (7) recourse, enforcement and liability with respect to all Personal Data received from within the EU and Switzerland in reliance on the Privacy Shield. The Privacy Shield Principles require that we remain potentially liable if any third-party processing Personal Data on our behalf fails to comply with these Privacy Shield Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). Startuppz’s compliance with the Privacy Shield is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
Please contact us at email@example.com with any questions or concerns relating to our Privacy Shield Certification and to resolve your complaints. We commit to cooperate with the panel established by the EU data protection authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner, as applicable, and comply with the advice given by the panel or Commissioner. EU individuals wishing to reach their area DPA’s may locate them by going to http://ec.europa.eu/justice/article-29/strrtfr4ucture/data-protection-authorities/index_en.htm. Swiss individuals wishing to contact their local FDPIC may locate them by going to https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection—switzerland.html. Under certain conditions, you may also be entitled to invoke binding arbitration for complaints not resolved by other means.