Kustomer, Inc. (“Kustomer,” “we,” “us,” or “our”) provides a SaaS customer relationship management platform that optimizes the communications and interactions of our business clients (“Client”) with the customers/end-users of their products and services (“Customers”). This Product Privacy Statement explains how Kustomer collects, uses, discloses, and otherwise processes Customers’ personal information or personal data on behalf of our Clients in connection with our Clients’ use of our products and services (collectively, the “Services”).
Personal information or personal data refers to any data or information that can be used to identify a natural person, and is subject to applicable data protection laws, such as the EU General Data Protection Regulation 2016/679 (“GDPR”) or the California Consumer Privacy Act (Assembly Bill 375), as amended (“CCPA”). We use the term “Personal Data” throughout this Product Privacy Statement to mean, as applicable, “personal data” (under the GDPR), “personal information” (under the CCPA), or similarly defined personally identifiable information governed by an applicable data protection law that is made available to Kustomer in connection with the Services.
With respect to cases in which Kustomer collects or receives Personal Data under and/or pursuant to the direction of our Clients, Kustomer is acting as a data processor (under GDPR) or service provider (under CCPA), and our Clients are the data controllers (under GDPR) or businesses (under CCPA) with respect to such Personal Data. To this end, if not stated otherwise in this Product Privacy Statement or in a separate disclosure, we process such Personal Data as a processor/service provider on behalf of our Clients (and their affiliates) who are the controller/business that have collected the Personal Data.
Kustomer’s processing of Personal Data in connection with the Services is governed by this Product Privacy Statement and our agreements with each Client, including our Master Subscription Agreement available here and our Data Processing Addendum available here (in each case, a “Client Agreement”). In the event of any conflict between this Product Privacy Statement and the corresponding Client Agreement, the Client Agreement will control to the extent permitted by applicable law.
For detailed privacy information related to a Client who uses our Services to process Personal Data, please contact our Clients directly. We are not responsible for and have no control over the privacy or data security practices of our Clients, which may differ from those explained in this Product Privacy Statement. This Product Privacy Statement is also not a substitute for any privacy notice that our Clients are required to provide to their Customers, employees and other personnel authorized to use the Services (“Client Users”), or other end-users. An individual who seeks access, or who seeks to correct, amend, or delete Personal Data that is stored in our Services on behalf of our Clients, in each case as permitted by applicable data protection laws, should direct their query to our Clients (the data controller/business).
What Personal Data Does Kustomer Collect or Receive through the Services?
Kustomer receives or collects Personal Data which is stored in or transmitted via the Services by, or on behalf of, our Clients. This may include Personal Data such as contact information of our Client’s Customers (first and last name, email or physical address, social media handle, telephone number and IP address), gender, order and purchase history, correspondence between Client Users and their Customers, medical information (for Clients who are covered entities and have engaged Kustomer as a business associate under HIPAA) and other data our Clients collect about their Customers’ use of their products and services. This Personal Data may be provided to us directly by our Clients or through third-party services such as connections and/or links to third party websites and/or services that Kustomer enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks (“Third-Party Applications”).
We also collect Personal Data from Client Users such as name, email address, third-party account credentials and IP address and data about Client Users’ use of our Services. This Personal Data may be received or collected by us directly from our Clients and Client Users, through Third-Party Applications or by automated means, such as cookies (e.g. essential cookies) and web beacons through our use of sub-processors.
How Does Kustomer Use Personal Data?
We use the data we collect at the instruction of our Clients and in accordance with our Client Agreements, to operate and provide the Services and for related internal purposes, including: (a) enabling Client Users to access and use the Services; (b) providing information about the Services, responding to inquiries, complaints, and requests for support; (c) as we believe necessary or appropriate to comply with applicable law, enforce the terms and conditions that govern the Services, protect our rights, privacy, safety or property, and/or that of you or others, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity; and (d) improving our Services, including by using aggregated and/or de-identified data.
How Does Kustomer Share Personal Data?
We share the Personal Data we collect with (a) our Clients and Client Users, to the extent the Personal Data pertains to Client Users and Client’s Customers; (b) sub-processors that help us provide, manage, secure and improve the Services (you can see our list of third party sub-processors here); and (c) Third-Party Applications that you have set up for integration.
Client Users that register, install or access any Third Party Applications may be required to accept privacy notices provided by those Third Party Applications. Please review those notices carefully, as Kustomer does not control and cannot be responsible for these Third Party Applications’ privacy or information security practices.
We may also share Personal Data with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Services; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, in the event of active or prospective litigation or arbitration, for regulatory compliance efforts and/or audit.
How Does Kustomer Secure and Protect Personal Data?
The security of Personal Data is important to us. Kustomer uses generally accepted physical, electronic, and procedural safeguards to protect Personal Data submitted to us (both during transmission and once it is received) from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction in accordance with applicable law to protect the Personal Data.
If Client Users access the Services via a third party site or service, they may have additional or different sign-on protections via that third party site or service. Clients must prevent unauthorized access to Client Users’ accounts and Personal Data stored in the Services by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account. We also recommend that our Clients take steps to protect against unauthorized access to any devices, networks and applications (including Third Party Applications) connected to, or integrated with, the Services.
We endeavor to protect the privacy of Client Users’ accounts and the Personal Data we store in the Services. Kustomer has achieved SOC 2 Type 2 compliance; we regularly engage third-party security experts to perform detailed penetration tests, and our Support team is on call 24/7 to respond to security alerts and events. Unfortunately, we cannot guarantee that any safeguards or security measures will be sufficient to prevent a security problem. See the security section of our website and the Client Agreements for additional information regarding Kustomer’s information security practices.
Cross-Border Data Transfer and EU-U.S. and Swiss-U.S. Privacy Shield
The Services are hosted and operated in the United States (“U.S.”) and the European Union (“EU”) through Kustomer and our sub-processors. In order to provide the Services, Kustomer or our sub-processors may transfer Personal Data outside of the country in which Customers and Client Users are located, including to the U.S. or to other jurisdictions that may not be subject to equivalent data protection laws. See the Client Agreements for additional information regarding how Kustomer safeguards Personal Data transferred across borders.
When transferring Personal Data across borders we take steps reasonably necessary to ensure that the information or data is subject to appropriate safeguards, is treated securely and is transferred under an approved data transfer mechanism pursuant to applicable data protection laws.
In order to execute Kustomer’s Data Processing Addendum, please click here.
Kustomer also participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all Personal Data received from European Union (EU) member countries, the United Kingdom (UK), and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List.
Client hereby consents to the transfer of Personal Data to the U.S. pursuant to the EU-U.S. Privacy Shield Framework set forth by the U.S. Department of Commerce regarding the collection and use of Personal Data transferred from the EU to the U.S. With respect to Personal Data received or transferred pursuant to the Privacy Shield Frameworks, Kustomer is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
We retain Personal Data so long as Kustomer’s contractual obligations remain with our Clients. In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. Afterwards, we retain some information in aggregated and/or de-identified form but not in a way that would identify Client or individuals personally.
Data Subject Rights under GDPR & CCPA
Clients are the data controllers/businesses of Customer’s Personal Data. As such, Clients are responsible for receiving and responding to requests from their Customers and other individuals to exercise any rights afforded to them under applicable data protection laws. If requested to remove Personal Data by a Client, we will respond within a reasonable timeframe and in accordance with the Client Agreements.
Because we may only access a Client’s data upon their instructions, if Kustomer receives a data subject request directly from a Customer using our data subject request form, Kustomer will inform the Customer to contact the Client directly about any request relating to his/her Personal Data such as access or deletion, and to the extent that the applicable data protection law does not prohibit Kustomer from doing so, we will refer their request to the Client they specify in their request. Kustomer will not further respond to a data subject request without Client’s prior consent and will assist Clients in responding to such requests as set forth in the Client Agreement.
Additional Information regarding Personal Data of Residents of Europe
Kustomer’s legal grounds for our processing of Personal Data are based on one or more of the following:

| Category of data | Source of data | Purpose of processing | Grounds for processing | Specific legitimate interest (if applicable) | Retention period or criteria |
|---|---|---|---|---|---|
| Client User Personal Data | The Services and Third-Party Applications | To provide the Services; communicate with Client; comply w/ an applicable law | Contractual; legal obligation; legitimate interest; consent | N/A | 7 years or as legally required |
| Customer Personal Data | The Services and Third-Party Applications | To provide the Services; comply w/ an applicable law | Contractual; legal obligation; legitimate interest; consent | N/A | 7 years or until no longer applicable, whichever occurs first |
Additional Information regarding Personal Data of Residents of California
Kustomer understands and will comply with the foregoing restrictions and the applicable requirements of the CCPA. For the purposes of the CCPA, Clients as the “Business” under the CCPA bear the primary responsibility for ensuring that their processing of Personal Data is compliant with relevant data protection law, including the CCPA. Kustomer collects, accesses, maintains, uses, processes, transfers and shares the Personal Data of our Client’s Customers and Client Users processed through the Services solely for the purpose of performing our obligations under the Client Agreements; Kustomer does not receive any Personal Data, as defined by the CCPA, from its Clients as consideration for the Services.
We do not “sell” Client Users’ or Customer’s Personal Data as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that Personal Data to a third party for monetary or other valuable consideration. We may share aggregated and/or anonymized information regarding use of the Service(s)—which is not considered Personal Data under the CCPA—with third parties to help us develop and improve the Services and provide our Clients with more relevant content and service offerings as detailed in our Client Agreements.
Changes to this Product Privacy Statement
If we make material changes to this Product Privacy Statement, we will notify you in a manner that we believe will be reasonably likely to reach you (which may include email, a specific announcement on this page, our website, or on our blog).
If you are a Client and have any questions about this Product Privacy Statement, you can contact our compliance team at email@example.com or write to us at:
318 W 39th St.
5th floor, New York, NY 10018
Attn: Compliance Officer
If you need to access this notice in an alternative format, please contact us at firstname.lastname@example.org.