We are QContact, Inc. and QContact Limited. You can find further details about us and how to contact us in section 12. In this notice, "QContact", "we", "us" and "our" refer to QContact, Inc. and QContact Limited.
This notice explains how we handle the personal data we obtain in the course of our business.
QContact processes different types of personal data for different purposes depending on whether is processing personal data on its own behalf as a ‘controller’ or as a service provider on behalf of its customers as a ‘processor’ or ‘agent’.
(A ‘controller’ is a person or entity that determines why and how personal data is processed. A ‘processor’ or ‘agent’ is a person or entity that processes personal data on behalf of a controller on the controller’s instructions.)
Types of personal data we process as a controller
We process the following types of personal data relating to our individual customers, representatives of business customers and website users as a controller:
Core processing purposes
The purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal bases for doing so are set out in the table below. An explanation of what the different legal bases mean can be viewed here.
|Purposes of processing||Types of personal data||Legal basis|
|Analysing use of our website||Usage data||Our legitimate interests in monitoring, improving and protecting our website, network, systems and data|
|Entering into contracts and communicating with customers and their personnel or representatives in connection with performing contracts||Contract data||If you are contracting with us as an individual, the relevant legal basis is performance of a contract.
If you are a representative or staff member of an organisation that is a customer of ours, the relevant legal basis is the legitimate interests of us and our customers in entering into and performing contracts for providing and receiving requested services
|Enabling and controlling online access to our services||Account data
|Our legitimate interests in enabling our customers to access and use our services and ensuring the security of our website, network, systems and data|
|Monitoring customers’ use of our services for billing purposes||Account data
|Our legitimate interests in billing customers for use of our services based upon their usage|
|Billing customers for use of our services||Contract data||Our legitimate interests in billing customers for use of our services based upon their usage|
|Communicating with you, for example in response to an enquiry or complaint||Correspondence data||Our legitimate interests in administering our business, services and website and communicating with customers, potential customers and users of our services|
|To provide you with (non-marketing) service information relevant to our customers generally, such as any maintenance work or problems affecting access to or use of our services||Contract data
|Our legitimate interests in administering our business, services and website and communicating important service information to customers and service users|
|Sending marketing communications (see more on this in the ‘Using personal data for marketing purposes’ section below||Marketing data
|Our legitimate interests in promoting our business, products and services to drive sales and sustain and grow our business|
Using personal data for marketing purposes
We may use email addresses comprised in marketing data and relevant contract data for the purposes of sending marketing communications in the following circumstances:
You can opt-out of receiving these communications at any time by using the unsubscribe links made available in every email or by contacting us directly via any of our contact methods.
Other processing purposes
In addition to the core processing activities set out above, we may also process personal data if and to the extent necessary for the following purposes:
|Establishing, exercising or defending legal claims||Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of you and others|
|Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice||Our legitimate interests in protecting our business against risks|
|Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator.||Compliance with a legal obligation|
|In order to protect your vital interests or the vital interests of another natural person||Protection of vital interests|
Explanation of legal bases
It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.
Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms
Performance of a contract: processing of personal data is necessary for the performance of a contract with an individual or in order to take steps at the request of an individual prior to entering into a contract
Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by UK or EU law
Protection of vital interests: processing is necessary in order to protect the vital interests of you or another individual
We are a provider of a cloud-hosted software-as-a-service that enables its customers to bring all their calls, texts, web chats, emails and social media interactions with customers into one place, with tools for call routing, CRM integration, self-service and workflow automation.
Due to the nature and purpose of the software, personal data relating to individuals who are individual customers of, or representatives of business customers of, our customers are processed as a result of our customers’ use of the software within their own businesses. This may include the following types of personal data:
We process this personal data as a processor by virtue of our role in managing the platform from which the software is provided to our customers and when providing support services to our customers in relation to their use of the software. Our customers are the controllers of this personal data.
We process this personal data as a processor on behalf of our customers for the purposes of providing the software and related support services to our customers in accordance with contracts between us and our customers.
We may share the personal data described in this notice with the following categories of recipients, where and to the extent necessary for the purposes described in this notice:
There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above.
In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.
Our datacentres and the platform infrastructure for our software services are based in European Union (EU) countries. All our service providers are based in the EU except for a billing services provider based in New Zealand, which is deemed by the European Commission to provide adequate protection for personal data.
However, the personal data we process as a controller and a processor as described in this notice above, is accessed by and shared between our group companies, which are based in various countries. Where we are acting as a controller in relation to personal data, our group companies may also process that personal data for the purposes described in section 2 of this notice. Where we are acting as a processor/agent for our customers, our group companies may also process the personal data for the purposes described in section 3 of this notice. This means that the personal data described in this notice is processed:
Under EU data protection law, personal data may not be transferred from an EEA country or Switzerland to a country outside the EEA (known as a ‘transfer’) unless certain conditions are complied with by both controllers and processors/agents. Those conditions are intended to ensure that any personal data transferred outside of the EEA are adequately protected in line with the protection given to personal data under EU data protection law.
Because the processing of personal data by QContact, Inc. and QContact SEZC as described above involves a transfer of personal data outside the EEA, the QContact group is required to comply with the conditions for such transfers set out in EU data protection law. We do this by QContact, Inc. self-certifying to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
The Privacy Shield Frameworks are adequacy decisions of the European Commission and Swiss Government in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the principles set out in those decisions – known as the ‘Privacy Shield Framework Principles’.
QContact, Inc. participates in and complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. QContact, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this notice and the Privacy Shield Principles relating to the processing of personal data by QContact, Inc., the Privacy Shield Principles shall govern.
QContact, Inc. will ensure that all its processing of personal data and onward transfer to and processing by our group companies in other non-EEA countries as described in this notice complies with the Privacy Shield Framework Principles, including the onward transfer liability provisions. This means that the receipt and processing of personal data by QContact, Inc. in the U.S. and onward transfer to and processing by our group companies in other non-EEA countries is deemed to be adequately protected and complies with the conditions for such transfers under EU data protection law.
With respect to all personal data received or transferred pursuant to the Privacy Shield Frameworks, QContact, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, QContact, Inc. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/. To view QContact Inc’s certification, please visit the Privacy Shield list: https://www.privacyshield.gov/list.
In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based in various countries in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by EU data protection law.
We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and applicable legal requirements.
We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:
These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, establishing, exercising or defending legal claims or in order to protect your vital interests or the vital interests of another natural person.
Upon expiry of the relevant retention period we will securely destroy the personal data in accordance with applicable laws and regulations.
We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.
If you have an account to access our services via our website, you must ensure that your password is not susceptible to being guessed, whether by a person or a computer program. You are responsible for keeping your password confidential. We will not ask you for your password (except when you log in to our website).
We will notify you and any applicable regulator of any personal data breach where we are legally required to do so.
Where we process your personal data as a controller as described in section 2 of this notice above, you have a number of different rights you might be able exercise against us in relation to personal data about you that we process. These are rights to:
The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them.
Please note that if you are an individual customer or a representative of a business customer of one of our customers, you should contact that customer if you want to exercise any of your data protection rights in relation to the personal data described in section 3 of this notice above. This is because it is the controller, not the processor, who must respond to requests from individuals to exercise their rights under EU data protection law. if you are an individual customer or a representative of a business customer of one of our customers, we process your personal data as a processor/agent on behalf of our customer with whom you have a relationship, and that customer is the controller of your personal data. Therefore please contact the customer with whom you have a relationship with any requests to exercise your rights.
Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.
Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.
Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.
Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).
Data portability: where our processing of your personal data is based on performance of a contract and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
Withdraw consent: where any of our processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to [email protected], in addition to any other methods specified in this policy.
How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. Contact details for the supervisory authorities can be found here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
We are committed to resolving any complaints about our processing of your personal data.
If you have an enquiry or complaint about our processing of your personal data, please contact [email protected] in the first instance, regardless of which country you are situated in.
You may also complain to a supervisory authority responsible for data protection in the EU, either in the EU member state of your habitual residence, your place of work or the place of the alleged infringement, or to the Swiss Federal Data Protection and Information Commissioner. Contact details for the supervisory authorities can be found here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm and contact details for the Swiss Federal Data Protection and Information Commissioner can be found here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.
If you have an unresolved complaint or concern that we have not addressed to your satisfaction, please contact our third-party alternative dispute resolution provider JAMS located in the U.S.here: https://www.jamsadr.com/file-an-eu-us-privacy-shield-claim for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Under certain conditions you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Further details can be found on the Privacy Shield website, here: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
Please let us know if any of the personal data that we hold about you needs to be corrected or updated.
What is a cookie?
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server
Cookies are either "persistent" cookies or "session" cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.
Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies.
Cookies that we use on our website:
|authentication||to identify you when you visit our website and as you navigate our website||n/a||n/a|
|personalisation||to store information about your preferences and to personalise our website for you||n/a||n/a|
|security||to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally||n/a||n/a|
|advertising||to help us to display advertisements that will be relevant to you||n/a||n/a|
|analysis||to help us to analyse the use and performance of our website and services||n/a||n/a|
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
Blocking all cookies will have a negative impact upon the usability of many websites, and if you block cookies, you will not be able to use all the features on our website.
QContact, Inc. is registered in Delaware, U.S.A. under registration number 6898423, with its registered office at 8333 NW 53rd St Suite 450, Doral, FL 33166.
QContact Inc’s representative in the EU for the purposes of EU data protection law is QContact Ltd.
QContact Ltd is registered in England and Wales under registration number 10927190, with its registered office at Peter House, Oxford Street, Manchester, M1 5AN.
For enquiries or complaints relating to this notice or our processing of your personal data, please contact [email protected], which is a dedicated contact address for this purpose.
You can also contact us or our group companies using any of the email addresses, postal addresses or telephone numbers published on our website from time to time.
We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.
Last updated 14th January 2019