GDPR & Data Privacy Framework Notice
Effective as of June 15, 2018
This GDPR privacy notice (the "Notice") is included in our Privacy Policy and applies to the ‘personal data,’ as defined in the GDPR, of natural persons located in the European Economic Area ("EEA Individuals" or "you"), the UK, or Switzerland processed by Shortcut. Any capitalized terms or other terms not defined herein shall have the meaning ascribed to them in the Shortcut Privacy Policy or, if not defined herein or in the Privacy Policy, the GDPR. To the extent of any conflict between this Notice and the Shortcut Privacy Policy, this Notice shall control only with respect to EEA, UK, and Swiss Individuals and their personal data. If you are located elsewhere, please see our Privacy Policy here.
Processor Disclosure
We are a data processor of the personal data inputted or generated by our customer’s use of the Platform (including through our App) (collectively, "Platform Data"). When serving as a processor, we have certain obligations under GDPR including only processing personal data at our customers’ instructions reflected in the applicable Master Services Agreement, providing assistance with fulfillment of rights requests, and implementing appropriate security for personal data. We will forward any inquiries, complaints, or requests received from data subjects with respect to the Platform Data to the appropriate customer and await instructions before taking any action.
Controller Disclosure & Details
We are a data controller of personal data regarding the following EEA, UK, and Swiss Individuals: Prospective/current customers (including customers’ end-users of our Platform) and vendors ("Business Contacts") and our Website visitors ("Site Visitors") for the purposes and under the legal bases described in the table below. Please note that, in some cases, the categories of data subjects above may overlap (e.g., Business Contacts using the Website).
General (applies to all data subjects below)
Information Security: Our web servers will log your IP address and other information (e.g., browser information, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking Website and Platform usage, combating DDOS or other attacks, and removing or defending against malicious visitors on the Website and Platform.
Business Contacts
Direct Marketing: Our legitimate interest in sending current or prospective customers email marketing;
Platform Demonstrations: Our legitimate interest in setting up demos with prospective customers pursuant to their request;
Executing Contracts and other Legal Documentation: We will process all personal data as necessary for the performance of contracts to which Business Contacts are a party (such as our Terms of Use) or to take requested steps to enter into such contracts; and
General Business Development: Our legitimate interest in furthering business relationships (such as by storing Business Contact information within a CRM or other file), ensuring customer satisfaction, and answering inquiries.
Site Visitors
Web Audience Measurement and Retargeting: Our legitimate interest in use of Google Analytics to understand how Site Visitors interact with the Website and where such Site Visitors are located (up to city-level only) in order to optimize the Website experience. Note that the last octets of Site Visitors’ IP Addresses have been anonymized and ‘Sharing With Google’ and ‘Demographics/Advertising’ features have been disabled within Google Analytics.
Controller’s Representative
Our representative in the European Union is:
ePrivacy GmbH
Große Bleichen 21
20354 Hamburg
Germany
Recipients
Our sales, marketing, and finance teams process Business Contacts and Site Visitor information internally and such information is also disclosed to the following US-based recipients: our customer relationship management system(s), web audience measurement tools, and marketing email provider(s).
Retention
We will retain the personal data of prospective Business Contacts for three (3) years. At that point, the prospective Business Contact will have to re-sign up for marketing or re-demonstrate interest in the Platform, as applicable. This retention period may be extended for prospective Business Contact that are in current negotiations with Shortcut near the end of such retention period.
Current Business Contacts’ (or Business Contacts with whom we’ve had a relationship) personal data will be retained until the relationship terminates, at which point their personal data will be retained for seven (7) years for finance and tax purposes and in case of repeat business.
Personal data relating to contractual and other legal documentation, such as with our Customers or vendors, will be retained permanently.
Emails sent to Shortcut will be retained for 7 years from the date of receipt.
Analytics data from Google Analytics will be retained for 14 months from the date of receipt.
Your GDPR Rights
As a natural person, you have a right to: (i) request access to, correction and/or erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of your personal data; and (iv) request a copy of your personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine readable format under the right of data portability. You may exercise these rights and submit a GDPR complaint by contacting: privacy@shortcut.com with the subject line "GDPR Notice."
You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under Shortcut’s Standard Contractual Clauses.
Contact details for the EU data protection authorities can be found at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
Objecting to Legitimate Interest/Direct Marketing
You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking "Unsubscribe" within an automated marketing email or by submitting your request to privacy@shortcut.com with the subject line "GDPR Notice" (the latter for instances where, for example, you would not like to receive follow-ups from our sales team). In such case, your personal data will no longer be used for that purpose.
Transfer of Personal Data
Shortcut is self-certified and adheres to the EU-U.S. Data Privacy Framework Principles with respect to personal data of individuals in the European Economic Area (EEA) member states, the United Kingdom (and Gibraltar) and to the Swiss-U.S. Data Privacy Framework Principles with respect to the personal data of individuals in Switzerland processed by Shortcut as part of providing our cloud communications services. When transferring your personal data to our agents, service providers, or controllers (such as our customers) in other countries not covered by the above Data Privacy Frameworks, we may alternatively rely on appropriate Standard Contractual Clauses with such recipients to ensure adequate protection for your personal data.
Governmental Access Requests
Shortcut may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.
Corporate Restructuring
In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this Notice. This Notice shall be binding upon Shortcut and its legal successors in interest.
Updates to this Notice
If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this Notice, and the "Effective Date" at the top of this page will be updated accordingly.
How to Contact Us
Shortcut address is 201 Allen St, Unit #10004, New York, NY 10002. Please use this address or, preferably, reach out to privacy@shortcut.com or any questions, complaints, or requests regarding this Notice; please include the subject line "GDPR Notice."
Data Protection Framework (DPF) Notice
Shortcut complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Shortcut has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Shortcut has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Shortcut commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact contact Shortcut at privacy@shortcut.com with the subject line "DPF Inquiry."
Shortcut has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.
How We Protect Your Personal Information
Shortcut takes very seriously the security and privacy of the personal information that it collects pursuant to the Data Privacy Framework. Accordingly, we will implement reasonable and appropriate security measures to protect your personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data, and comply with applicable laws and regulations.
Onward Transfer to Third Parties
Like many businesses, we hire other companies to perform certain business-related services. We may disclose personal information to certain types of third party companies but only to the extent needed to enable them to provide such services. The types of companies that may receive personal information and their functions are: marketing assistance, error tracking, email management, payment processing, customer service, data storage, and hosting services. All such third parties function as our agents, performing services at our instruction and on our behalf pursuant to contracts which require they provide at least the same level of privacy protection as is required by this Privacy Policy and implemented by Shortcut. We may also disclose personal information to our affiliates in order to support marketing, sale, and delivery of any services.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.
Shortcut’s accountability for personal data that it receives and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Shortcut remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Shortcut proves that it is not responsible for the event giving rise to the damage.
Opt-In and Opt-Out to Certain Onward Transfers
Individuals have the opportunity to opt-out of sharing of their personal data with third parties other than our agents or before we use it for a purpose other than which it was originally collected or subsequently authorized. To limit the use and disclosure of your personal information, please submit a written request to privacy@shortcut.com with the subject line "DPF Inquiry."
We will not disclose your sensitive personal information to any third party without first obtaining your opt-in consent. In addition to any consent mechanisms on the Website, you may provide your consent by sending us an email at privacy@shortcut.com with the subject line "DPF Inquiry." In each instance, please allow us a reasonable time to process your response.
Access Rights
Upon request to privacy@shortcut.com with the subject line "DPF Access Inquiry", we will provide you with confirmation as to whether we are processing your personal data pursuant to the Data Privacy Framework principles, and have such data communicated to you within a reasonable time. You have the right to access, correct, amend, or delete the personal data processed pursuant to the Data Privacy Framework where it is inaccurate or has been processed in violation of our privacy disclosures to you. We may require payment of a non-excessive fee to defray our expenses in this regard. Please allow us a reasonable time to respond to your inquiries and requests.
Retention of Personal Information
Shortcut retains personal information processed pursuant to the Data Privacy Framework obligations in a form that identifies you in accordance with our data retention periods in the Retention section above. We may continue processing such personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of our privacy disclosures. After such time periods have expired, we may either delete your personal information or retain it in a form such that it does not identify you personally.
U.S. Federal Trade Commission Enforcement
Shortcut's commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.