Kustomer, Inc. (“Kustomer,” “we,” “us,” or “our”) provides a SaaS customer relationship management platform that optimizes the communications and interactions of our business clients (“Client,” “you,” or “your“) with the customers/end-users of their products and services (“Customers“). This Product Privacy Statement explains how Kustomer collects, uses, discloses, and otherwise processes Customers’ personal information or personal data on behalf of our Clients in connection with our Clients use of our products and services (collectively, the “Services“). For the prior version of our Product Privacy Statement, click here.
Personal information or personal data refers to any data or information that can be used to identify a natural person, and are subject to applicable data protection laws, such as the EU General Data Protection Regulation 2016/679 (“GDPR”) or the California Consumer Privacy Act (Assembly Bill 375), as amended (“CCPA”). We use the term “Personal Data” throughout this Product Privacy Statement to mean, as applicable, “personal data” (under the GDPR), “personal information” (under the CCPA), or similarly defined personally identifiable information governed by an applicable data protection law that is made available to Kustomer in connection with the Services.
With respect to cases in which Kustomer collects or receives Personal Data under and/or pursuant to the direction of our Clients, Kustomer is acting as a data processor (under GDPR) or service provider (under CCPA), and our Clients are the data controllers (under GDPR) or businesses (under CCPA) with respect to such Personal Data. To this end, if not stated otherwise in this Product Privacy Statement or in a separate disclosure, we process such Personal Data as a processor/service provider on behalf of our Clients (and their affiliates) who are the controller/business that have collected the Personal Data.
Kustomer’s processing of Personal Data in connection with the Services is governed by this Product Privacy Statement and our agreements with each Client, including our Master Subscription Agreement available here and our Data Processing Addendum available here (in each case, a “Client Agreement”). In the event of any conflict between this Product Privacy Statement and the corresponding Client Agreement, the Client Agreement will control to the extent permitted by applicable law.
For detailed privacy information related to a Client who uses our Services to process Personal Data, please contact our Clients directly. We are not responsible for and have no control over the privacy or data security practices of our Clients, which may differ from those explained in this Product Privacy Statement. This Product Privacy Statement is also not a substitute for any privacy notice that our Clients are required to provide to their Customers, employees and other personnel authorized to use the Services (“Client Users”), or other end-users. An individual who seeks access, or who seeks to correct, amend, or delete Personal Data that is stored in our Services on behalf of our Clients, in each case as permitted by applicable data protection laws, should direct their query to our Clients (the data controller/business).
What Personal Data Does Kustomer Collect or Receive through the Services?
Kustomer receives or collects Personal Data which is stored in or transmitted via the Services by, or on behalf of, our Clients. This may include Personal Data such as contact information of our Client’s Customers (first and last name, email or physical address, social media handle, telephone number and IP address), gender, order and purchase history, correspondence between Client Users and their Customers, medical information (for Clients who are covered entities and have engaged Kustomer as a business associate under HIPAA) and other data our Clients collect about their Customers’ use of their products and services. This Personal Data may be provided to us directly by our Clients or through third-party services such as connections and/or links to third party websites and/or services that Kustomer enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks (“Third-Party Applications”).
We also collect Personal Data from Client Users such as name, email address, third-party account credentials and data about Client Users’ devices (such as browser type, operating system, device identification number and IP address) and usage of our Services (such as pages viewed, date/time stamps and searches performed) through log files and other technologies, some of which may qualify as Personal Data. This Personal Data may be received or collected by us directly from our Clients and Client Users, through Third-Party Applications or by automated means, such as cookies (e.g. essential cookies) and web beacons through our use of sub-processors.
How Does Kustomer Use Personal Data?
We use the data we collect at the instruction of our Clients and in accordance with our Client Agreements, to operate and provide the Services and for related internal purposes, including: (a) enabling Client Users to access and use the Services; (b) maintain the security of the Services; (c) providing information about the Services, responding to inquiries, complaints, and requests for support; (d) as we believe necessary or appropriate to comply with applicable law, enforce the terms and conditions that govern the Services, protect our rights, privacy, safety or property, and/or that of you or others, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity; and (e) improving our Services, including by using aggregated and/or de-identified data.
How Does Kustomer Share Personal Data?
We share the Personal Data we collect with (a) our Clients and Client Users, to the extent the Personal Data pertains to Client Users and Client’s Customers; (b) sub-processors that help us provide, manage, secure and improve the Services (you can see our list of third party sub-processors here); and (c) Third-Party Applications that you have set up for integration.
Client Users that register, install or access any Third Party Applications may be required to accept privacy notices provided by those Third Party Applications. Please review those notices carefully, as Kustomer does not control and cannot be responsible for these Third Party Applications’ privacy or information security practices.
We may also share Personal Data with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Services; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, in the event of active or prospective litigation or arbitration, for regulatory compliance efforts and/or audit.
How Does Kustomer Secure and Protect Personal Data?
The security of Personal Data is important to us. Kustomer uses generally accepted physical, electronic, and procedural safeguards to protect Personal Data submitted to us (both during transmission and once it is received) from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction in accordance with applicable law to protect the Personal Data.
If Client Users access the Services via a third party site or service, they may have additional or different sign-on protections via that third party site or service. Clients must prevent unauthorized access to Client Users’ account and Personal Data stored in the Services by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account. We also recommend that our Clients take steps to protect against unauthorized access to any devices, networks and applications (including Third Party Applications) connected to, or integrated with, the Services.
We endeavor to protect the privacy of Client Users accounts and the Personal Data we store in the Services. Kustomer has achieved SOC 2 Type 2 compliance, we regularly engage third-party security experts to perform detailed penetration tests and we monitor and respond to security alerts and events. Unfortunately, we cannot guarantee that any safeguards or security measures will be sufficient to prevent a security problem. See the security section of our website and the Client Agreements for additional information regarding Kustomer’s information security practices.
Cross-Border Data Transfers
The Services are hosted and operated in the United States (“U.S.”) and the European Union (“EU”) through Kustomer and our sub-processors. In order to provide the Services, Kustomer or our sub-processors may transfer Personal Data outside of the country in which Customers and Client Users are located, including to the U.S. or to other jurisdictions that may not be subject to equivalent data protection laws. See the Client Agreements for additional information regarding how Kustomer safeguards Personal Data transferred across borders, including the additional protections we offer to safeguard the privacy rights of EU residents.
When transferring Personal Data across borders we take steps reasonably necessary to ensure that the information or data is subject to appropriate safeguards, is treated securely and is transferred under an approved data transfer mechanism pursuant to applicable data protection laws, including where applicable by entering into standard contractual clauses for the transfer of data as approved by the European Commission (as described in Article 46 of the General Data Protection Regulation).
In order to execute Kustomer’s Data Processing Addendum, please click here.
We retain Personal Data that we process on behalf of our Clients so long as Kustomer’s contractual obligations remain with our Clients. We endeavor to delete Personal Data as soon as reasonably practicable, but in no event more than ninety (90) days following the termination of our contractual relationship with a Client unless a longer retention period is requested by a Client and agreed to by us. Client Users with administrative rights can use the Services to delete and permanently remove Customer’s Personal Data that is stored within the Services. We will permanently delete Customer’s Personal Data pursuant to such instructions promptly, but at least within ninety (90) days of such requests. For deletion of all other Personal Data and/or for deletion of your entire Kustomer instance at the end of your contractual relationship, please email firstname.lastname@example.org. Afterwards, where permitted by applicable law, we may retain some information in aggregated and/or de-identified form but not in a way that would identify Client or individuals personally.
For Client User Personal Data that is shared with us (1) in connection with responding to Client User inquiries, complaints, and requests for support of the Services (2) on order forms and as part of contracts (e.g. contact information on statements of work, etc.) and (3) for invoicing purposes, including Client financial information, we may retain such Personal Data beyond the end of our contractual obligations with our Clients, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. Additionally, like most hosted service operators, we retain some of the device and usage data collected by the Services in log files beyond the end of our contractual obligations with our Clients, whether alone or in conjunction with other data. This log file data may be aggregated and/or de-identified data in a way that would not identify Client Users personally but certain log file data could be personally identifying to a Client User. To the extent we retain any such data beyond the end of our contractual obligations, we will continue to treat such data in accordance with this Product Privacy Statement.
Please see your Client Agreements for additional information regarding Kustomer’s data retention practices. In the event of any conflict with the above, such Client Agreements shall control.
Data Subject Rights under GDPR & CCPA
Clients are the data controllers/businesses of Customer’s Personal Data. As such, Clients are responsible for receiving and responding to requests from their Customers and other individuals to exercise any rights afforded to them under applicable data protection laws. If requested to remove Personal Data by a Client, we will respond within a reasonable timeframe and in accordance with the Client Agreements.
Because we may only access a Client’s data upon their instructions, if Kustomer receives a data subject request directly from a Customer using our data subject request form, Kustomer will inform the Customer to contact the Client directly about any request relating to his/her Personal Data such as access or deletion, and to the extent that the applicable data protection law does not prohibit Kustomer from doing so, we will refer their request to the Client they specify in their request. Kustomer will not further respond to a data subject request without Client’s prior consent and will assist Clients in responding to such requests as set forth in the Client Agreement.
Additional Information regarding Personal Data of Residents of California
Kustomer understands and will comply with the foregoing restrictions and the applicable requirements of the CCPA. For the purposes of the CCPA, Clients as the “Business” under the CCPA bear the primary responsibility for ensuring that their processing of Personal Data is compliant with relevant data protection law, including the CCPA. Kustomer collects, accesses, maintains, uses, processes, transfers and shares the Personal Data of our Client’s Customers and Client Users processed through the Services solely for the purpose of performing our obligations under the Client Agreements; Kustomer does not receive any Personal Data, as defined by the CCPA, from its Clients as consideration for the Services.
We do not “sell” Client Users’ or Customer’s Personal Data as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that Personal Data to a third party for monetary or other valuable consideration. We may share aggregated and/or anonymized information regarding use of the Service(s)—which is not considered Personal Data under the CCPA—with third parties to help us develop and improve the Services and provide our Clients with more relevant content and service offerings as detailed in our Client Agreements.
Do Not Track
Client Users’ browsers may offer a “Do Not Track” or “DNT” option, which allows individuals to signal to operators of websites and web applications and services that such individual does not wish such operators to track certain online activities over time and/or across different websites. Because we consider certain tracking of Client User activity as necessary for the proper performance and functioning of our Services, our Services do not respond to, and we do not support, Do Not Track requests at this time. To find out more about “Do Not Track,” you can visit www.allaboutdnt.com.
Changes to this Product Privacy Statement
If we make material changes to this Product Privacy Statement, we will notify you in a manner that we believe will be reasonably likely to reach you (which may include email, a specific announcement on this page, our website, or on our blog).
If you are a Client and have any questions about this Product Privacy Statement, you can contact our compliance team at email@example.com or write to us at:
5 Penn Plaza, 19th Floor
New York, NY 10001
Attn: Compliance Officer
If you need to access this notice in an alternative format, please contact us at firstname.lastname@example.org.