Privacy Policy
Last updated: 2 Aug 2022
This Privacy Policy describes how A7 Europe, LTD. dba iTransfers, including its
affiliates and subsidiaries (collectively, iTransfers and also referred to as our, us and
we) collects, uses and discloses personal data, as well as any choices you have with
respect to this personal data.
When we refer to “iTransfers”, we mean the iTransfers entity that acts as the controller
or processor of your personal data, explained in more detail in the “Identifying the Data
Controller and Processor” section below.
Applicability of this Privacy Policy
This Privacy Policy applies to iTransfers’s online collaboration tools and platform,
including the associated iTransfers mobile and desktop applications (collectively, the
“Services”), iTransfers.com and other iTransfers websites (collectively, the “Websites”)
and other interactions (e.g. customer support, the iTransfers Community, etc.) you may
have with iTransfers, including the processing of any messages, files, video or audio
recordings or other content submitted through our Services (collectively, “Customer
Content”). This Privacy Policy does not apply to any third-party applications or software
that integrate with our Services (“Third-Party Services”), or any other third-party
products, services or businesses.
The organization (e.g., your employer or another entity or person) (“Customer”) that
entered into the PUBLIC OFFER
(END USER LICENSE AGREEMENT) controls its instance
of the Services (its “Organization”) and any associated Customer Content. Individuals
that are granted access to an Organization by a Customer (“Authorized Users”)
routinely submit Customer Content to iTransfers when using the Services.
If you have any questions about specific Organization settings and privacy practices,
please contact the Customer whose Organization you use. If you have received an
invitation to join an Organization but have not yet created an account, you should
request assistance from the Customer that sent the invitation.
Identifying the data controller and processor
Data protection law in certain jurisdictions differentiates between the “controller” and
“processor” of personal data. In general, Customer is the controller and iTransfers is the
processor of Customer Content.
As the controller for Customer Content, Customer may, for example, use the Services
to grant and remove access to an Organization, assign roles and configure settings,
access, modify, export, share and remove Customer Content and otherwise apply its
policies to the Services.
As the processor for Customer Content, iTransfers processes Customer Content only
on the Customer’s request and in accordance with the Customer’s written instructions,
including the applicable terms in the Customer Agreement, Customer’s use of the
Services, and as required by applicable law. For more information about how Customer
Content is processed (such as how your personal data is processed, the purpose and
legal basis for processing, and your data subject rights), we refer you to the relevant
Customer’s privacy notice.
iTransfers is the controller for certain other categories of data (described in paragraph 3
below). If you have any questions or complaints, or would like to exercise your rights
with regard to your personal data, please contact us at [email protected].
The types of personal data we collect
Your personal data is provided by you, obtained from third parties, and/or created by us
when you use the Services.
iTransfers may collect and receive Customer Content and other personal data (“Other
Data”) in a variety of ways:
-
Customer Content. Customers or Authorized Users routinely submit Customer
Content to iTransfers when using the Services.
-
Other Data. iTransfers also collects, generates and/or receives Other Data:
-
Organization and account information. To create or update an
Organization account, you or the relevant Customer (e.g. your employer)
supplies iTransfers with an email address, phone number, password,
domain and/or similar account details. In addition, Customers that purchase
a paid version of the Services provide iTransfers (or its payment
processors) with billing details such as credit card information, banking
information and/or a billing address.
-
Usage data.
-
Service metadata. When an Authorized User interacts with the
Services, metadata is generated to provide additional context about
their use of the Services. For example, iTransfers logs the
Organizations, boards, people, features, content and links that you
view or interact with, as well the types of files shared and any Third-
Party Services that you use.
-
Log data. Like most websites and services delivered over the
Internet, our servers automatically collect information when you
access or use our Websites or Services, recording this information in
log files. This log data may include the Internet Protocol (IP) address,
the address of the web page visited before using the Website or
Services, your browser type and settings, the date and time the
Services were used, information about browser configuration and
plugins, and language preferences.
-
Device data. iTransfers collects information about devices accessing
the Services, including the type of device, operating system used,
device settings, application IDs, unique device identifiers and crash
data. Whether we collect some or all of this Other Data often depends
on the type of device used and its settings.
-
Location data. We receive information from you, the relevant
Customer and other third-parties that helps us approximate your
location. We may, for example, use a business address submitted by
your employer or an IP address received from your browser or device
to determine approximate location. iTransfers may also collect
location information from devices in accordance with the consent
provided by your device.
-
Third-party data. iTransfers may receive data about organizations,
industries, lists of companies that are customers, Website visitors,
marketing campaigns and other matters relevant to our business from
parent corporations, affiliates and subsidiaries, our partners, or other
third parties that we use to make our own information more useful.
This data may be combined and may include aggregate-level data.
For example, information about how well an online marketing or email
campaign performed, or to create a business contacts directory.
-
Cookie data. iTransfers uses a variety of cookies and similar
technologies in our Websites and Services to help us collect Other
Data. For more details about how we use these technologies, as well
as your opt-out opportunities and other options, please see our
Cookie Notice.
-
Third-Party Services data. A Customer may choose to use Third-
Party Services. If Customer enables Third-Party Services, iTransfers
may access and exchange Customer Content and Other Data with the
Third-Party on Customer’s behalf, in accordance with our agreement
with the Third-Party Services and any permissions granted by the
Customer (including its Authorized User(s)).
-
Contact data. In accordance with the consent provided by your
device or other third-party API, we process any contact information
that an Authorized User chooses to import when using the Services.
-
Community data. We also receive Other Data when submitted to our
Websites or in other ways, such as if you participate in the iTransfers
Community (such as in Forums, Programs, iTransfersverse, contests,
activities, events, educational programs hosted by iTransfers or a
vendor, or otherwise communicate with iTransfers).
-
Additional data provided to iTransfers. We also receive Other Data
when submitted to our Websites or in other ways, such as when you
request support, interact with our social media accounts or otherwise
communicate with iTransfers.
-
Business data. iTransfers may receive information about individuals from
organisations, industries, Customers, (potential) partners, parent corporations,
affiliates and subsidiaries, and our partners for cooperation and communication
purposes.
Generally, no one is under a statutory or contractual obligation to provide any Customer
Content or Other Data (collectively, “Personal Data”). However, certain Personal Data
is collected automatically and if some Personal Data, such as Organization setup
details, is not provided, we may be unable to provide the Services.
How we use personal data
Customer Content will be used by iTransfers in accordance with Customer’s
instructions, including any applicable terms in the Customer Agreement and Customer’s
use of the Services, and as required by applicable law.
iTransfers uses Other Data for the purposes of our legitimate interests in operating our
Services, Websites and business. More specifically, iTransfers uses Other Data:
-
To provide, update, maintain and protect our Services, Websites and
business. This includes the use of Other Data to support delivery of the Services
under a Customer Agreement, prevent or address service errors, security or
technical issues, and to analyze and monitor usage, trends and other activities.
-
As required by applicable law, legal process or regulation.
-
To support and communicate with you by responding to your requests,
comments and questions. If you contact us, we may use your Other Data to
respond.
-
To develop, test and provide search, learning and productivity tools and
additional features. iTransfers tries to make the Services as useful as possible.
For example, we make Services suggestions based on historical use and
predictive models, identify organizational trends and insights, customize your
experience of the Services, or to create new features and products.
-
To conduct market and user research. To improve our Services and
troubleshoot new products and features, we may carry out research. For example
we may survey Customers (including Admins, Users and other contacts) or third
parties about customer satisfaction, user experience, the effectiveness of our
marketing campaigns, and their broader interests.
-
To send emails and other communications.
-
We may send you service, transactional, technical and other administrative
communications, such as communications about your account, our Service
offerings, changes to the Services, and important Services-related notices,
such as security and fraud notices. These communications are considered
part of the Services.
-
In addition, if you have opted-in, we sometimes send emails about new
product features, recommendations and promotional communications, or
other news about iTransfers. You can opt-out of these messages at any time
by using the unsubscribe link included in all of these communications.
-
For billing, account management and other administrative matters.
iTransfers may need to contact you for invoicing, account management, and
similar reasons and we use account data to administer accounts and keep track of
billing and payments.
-
To investigate and help prevent security issues and abuse.
-
To manage and to contact you with regard to involvement. We may need to
manage and contact you with regard to your involvement and participation in the
iTransfers Community (such as the Forums, Programs, iTransfersverse, contests,
activities, events or educational programs hosted by iTransfers or a vendor).
If information is aggregated or de-identified so that it can no longer reasonably be
associated with an identified or identifiable natural person, iTransfers may use it for any
business purpose. To the extent information is associated with an identified or
identifiable natural person and is protected as personal data under applicable data
protection law, it is referred to in this Privacy Policy as “Personal Data.”
Data retention
iTransfers will retain Customer Content in accordance with a Customer’s instructions,
including any applicable terms in the Customer Agreement and Customer’s use of the
Services, and as required by applicable law. The deletion of Customer’s Personal Data
may result in the deletion and/or de-identification of an account and certain associated
Other Data. iTransfers may retain Other Data for as long as necessary for the purposes
described in this Privacy Policy.
Please note that we may keep certain types of Other Data after the deactivation of an
account for the period needed for iTransfers to pursue legitimate business interests,
conduct audits, comply with (and demonstrate compliance with) legal obligations,
resolve disputes, and enforce our agreements.
How we share and disclose personal data
This section describes how iTransfers may share and disclose personal data, as
described in paragraph 3 above. Customers determine their own policies and practices
for the sharing and disclosure of personal data. iTransfers does not control how they or
any other third party chooses to share or disclose personal data.
iTransfers may share and disclose personal data in accordance with a Customer’s
instructions, including any applicable terms in the Customer Agreement and the
Customer’s use of the Services and in compliance with applicable law. Where
necessary, may only share personal data with third parties where we have obtained
consent to do so.
We may share personal data as follows:
-
Displaying the Services. When an Authorized User submits Customer Content
(including personal data), it may be displayed to other Authorized Users that have
access to the same iTransfers Board. For example, an Authorized User’s name
and iTransfers profile may be displayed. Please consult the Help Center for more
information on this functionality.
-
Customer access. Owners, administrators, Authorized Users, and other
Customer representatives and personnel may be able to access, modify, or
restrict access to personal data. This may include, for example, your employer
using Service features to export logs of your activity or accessing or modifying
your profile details.
-
Subcontractors. We may engage third-party companies or individuals as sub-
processors to process personal data. These third parties may, for example,
provide virtual computing and storage services, or we may share business
information to develop strategic partnerships to support our Customers. Please
see more information on our subcontractors here.
-
Partners. We may share personal data with developers, partners and others we
engage to create iTransfers applications and/or integrating iTransfers features.
-
Forums. The information you choose to provide in a community forum, including
personal data, will be publicly available.
-
During a change to iTransfers’s business. If iTransfers engages in a merger,
acquisition, bankruptcy, dissolution, reorganization, sale of some or all of
iTransfers’s assets or stock, financing, public offering of securities, acquisition of
all or a portion of our business, a similar transaction or proceeding, or steps in
contemplation of such activities, some or all personal data may be shared or
transferred, subject to standard confidentiality arrangements.
-
To comply with laws. If we receive a request for personal data, we may disclose
personal data if we reasonably believe disclosure is in accordance with or
required by any applicable law, regulation, or legal process.
-
To enforce our rights, prevent fraud, and for safety. To protect and defend the
rights, property or safety of iTransfers, its users, or third parties, including
enforcing its contracts or policies, or in connection with investigating and
preventing illegal activity, fraud, or security issues, including to prevent death or
imminent bodily harm.
Security
iTransfers takes security of personal data very seriously. iTransfers strives to protect all
Personal Data from loss, misuse, and unauthorized access or disclosure, and we have
received internationally recognized security certifications. Given the nature of
communications and information processing technology, iTransfers cannot guarantee
that, during transmission through the internet or while stored on our systems or
otherwise in our care, personal data will be absolutely safe from intrusion by others.
Our responsibility for third party links
Our Services may contain links to websites and services operated by third parties. If
you follow a link to any of these websites, please note that these websites have their
own privacy notices and terms and conditions. Further, we have no responsibility for, or
control over, the information collected by any third-party website and we cannot be
responsible for the protection and privacy of any information which you may provide to
these websites. You should read the relevant privacy notices and terms and conditions
before using their websites or services.
Age restriction
iTransfers does not allow use of our Services and Websites by anyone younger than 16
years old (“Minor”). If you learn that a Minor has unlawfully provided us with personal
data, please contact us and we will take steps to delete this information.
By using our Services and Websites, you represent and warrant that you are not a
Minor as of the date of first access to our Services and Websites.
If you are a Minor, you represent and warrant that you are accessing the Services and
Websites with the consent of a competent guardian over the age of 16 years old who
takes responsibility for your use of the Services and Websites. If you are a Minor
accessing iTransfers via an education institution, that institution will have procured a
licence on your behalf and agreed to our terms and conditions. In particular, it will have
agreed that it has obtained all necessary consents and will take responsibility for your
use of the Services and Websites.
Changes to this Privacy Policy
iTransfers may change this Privacy Policy from time to time. Laws, regulations, and
industry standards evolve, which may make those changes necessary, or we may make
changes to our services or business. We will post the changes to this page and we
encourage you to review our Privacy Policy to stay informed. If we make changes that
materially alter your privacy rights, iTransfers will provide additional notice, such as via
email or through the Services. If you disagree with the changes to this Privacy Notice,
you should deactivate your account. Contact the relevant Customer if you wish to
request the removal of your personal data under their control.
Local provisions
European Union
If you are based in the European Union, the following provisions also apply:
-
GDPR means Regulation 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC.
-
Member State means a member state of the European Union.
-
If we share your personal data with our group company(ies) or third parties
located outside the European Economic Area, we take steps to ensure that
appropriate safeguards are in place to guarantee the continued protection of your
personal data, such as by entering into the Standard Contractual Clauses adopted
by the European Commission (article 46(2)(c) GDPR), which are available here.
-
Where we are the controller of your personal data, the GDPR data protection
rights set out below apply to you. Most of these rights are not absolute and are
subject to exemptions under applicable law. We will respond to any request to
exercise your rights within one month, but have the right to extend this period in
certain circumstances. If we extend the response period, we will let you know
within one month of your request. If your request is clearly unfounded or
excessive, we reserve the right to charge a reasonable fee or refuse to comply
with it. To exercise these rights, please submit a request to us by sending an email
to [email protected].
-
Access your personal data. You are entitled to ask us if we are processing
your personal data and, if we are, you can request access to your personal
data. This enables you to receive a copy of the personal data we hold about
you.
-
Request the transfer of your personal data. We will provide your
personal data to you or a third party you have chosen in a structured,
commonly used, machine-readable format. Please note that this right
applies only to personal data you have provided to us, and only if we
process your personal data on the basis of consent, or where we process
your personal data in order to perform a contract with you.
-
Request erasure (deletion) of your personal data. You are entitled to ask
us to delete or remove personal data in certain circumstances. There are
certain exemptions where we may refuse a request for erasure. For
example, where the personal data is required for compliance with law or in
connection with legal claims. Where we rely on an exemption, we will inform
you about this.
-
Request the correction or updating of your personal data. This enables
you to have any incomplete or inaccurate data we hold about you corrected.
-
Request the restriction of our processing of your personal data in
some situations. If you request this, we can continue to store your
personal data but are restricted from processing it while the restriction is in
place.
-
Object to our processing of your personal data where we are relying
on legitimate interests. You also have a right to object where we are
processing your personal data for the purposes of direct marketing or
profiling. You can object at any time and we shall stop processing the
information you have objected to, unless we can show compelling legitimate
grounds to continue that processing.
-
Withdraw your consent. Where you have provided your consent to our
processing of your personal data, you can withdraw your consent at any
time. If you do withdraw consent, it will not affect the lawfulness of what we
have done with your personal data before you withdrew consent.
-
Lodge a complaint at a supervisory authority. We will do our best to
resolve any complaints you may have. However, if you feel we have not
resolved your complaint, you have a right to lodge a complaint with a
supervisory authority in the country where you live, where you work, or
where an alleged infringement of the applicable data protection law took
place. A list of EU supervisory authorities and their contact details is
available here.
-
If you exercise the rights above and there is any question about who you are, we
may require you to provide information in order to satisfy ourselves as to your
identity.
United Kingdom
If you are based in the United Kingdom, the following provisions also apply:
-
UK GDPR means the Retained Regulation 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC.
-
If we share your personal data with our group company(ies) or third parties
located outside the United Kingdom, we take steps to ensure that appropriate
safeguards are in place to guarantee the continued protection of your personal
data, such as by entering into the international data transfer addendum to the
European Commission’s Standard Contractual Clauses, adopted by the UK
Government under section 119A of the Data Protection Act 2018..
-
In relation to your data subject rights, these are the same as for the EU as listed
above, except that references to the "GDPR" should be read as references to the
"UK GDPR", and in case you wish to lodge a complaint with a supervisory
authority, you should direct your complaint to the UK supervisory authority, the
Information Commissioner’s Office.
United States
If you are based in California, the following provisions also apply:
-
California Data Protection Laws means the California Consumer Privacy Act of
2018 and the California Privacy Rights Act of 2020, as each may be amended or
replaced from time to time, and any regulations implementing the foregoing.
-
Under the California Data Protection Laws you have the following rights:
-
Right to Know about Personal Information Collected, Disclosed or Sold. You
have the right to request that we disclose certain information to you about our
collection, use, disclosure or sale of your personal information over the past 12
months. Once we receive and confirm your verifiable consumer request (see
Exercising Access and Deletion Rights), and subject to certain limitations that we
describe below, we will disclose such information. You have the right to request
any or all of the following:
-
The categories of personal information we collected about you.
-
The categories of sources from which the personal information is collected.
-
The categories of third parties with whom we share that personal
information.
-
The specific pieces of personal information we collected about you (also
called a data portability request).
-
Notice of Sale. We do not sell the personal information of California residents.
We also do not have any actual knowledge of selling the personal information of
any California resident who is 16 years or younger.
-
Right to Request Deletion. You have the right to request that we delete any of
your personal information that we collected from you and retained, subject to
certain exceptions. Once we receive and confirm your verifiable consumer request
(see Exercising Access and Deletion Rights), we will delete (and direct our service
providers to delete) your personal information from our records. However, we may
retain personal information that has been de-identified or aggregated.
Furthermore, we may deny your deletion request if retaining the information is
necessary for us or our service provider(s) in order to perform certain actions set
forth under the California Data Protection Laws, such as detecting security
incidents and protecting against fraudulent or illegal activity.
-
Exercising Access and Deletion Rights. To exercise the access and deletion
rights described above, please submit a request to us by sending an email to
[email protected].. Only you, or a person or business entity registered with the
California Secretary of State that you authorize to act on your behalf (an
“authorized agent”), may make the requests set forth above. You may also make a
request on behalf of your minor child. The request should include your contact
information and describe your request with sufficient detail that allows us to
properly understand, evaluate, and respond to it. In addition, you should provide
adequate information that we can reasonably verify that you are the person about
whom we collected the personal information (including information that enables us
to verify the identifying information we possibly maintain about you).
-
We will respond to consumer requests in a reasonably timely manner. If we
require extra time to respond, we will inform you of the reason and
extension period in writing. In order to protect the security of your personal
information, we will not honour a request if we cannot verify your identity or
authority to make the request and confirm the personal information relates
to you. The method used to verify your identity will depend on the type,
sensitivity and value of the information, including the risk of harm to you
posed by any authorized access or deletion. Generally speaking, verification
will be performed by matching the identifying information provided by you to
the personal information that we already have.
-
Any disclosures we provide will only cover the 12-month period preceding
our receipt of your request (and will not be made more than twice in a 12-
month period). If we cannot comply with a request, or cannot fully comply
with a request, the response we provide will also explain the reasons we
cannot comply.
-
Non-Discrimination. We will not discriminate against you for exercising any of
your CCPA based on the California Data Protection Laws, including, but not
limited to, by:
-
Denying you goods or services.
-
Charging you different prices or rates for goods or services, including
through granting discounts or other benefits, or imposing penalties.
-
Providing you a different level or quality of goods or services.
-
Suggesting that you may receive a different price or rate for goods or
services or a different level or quality of goods or services.