Privacy and cookies notice

  1. Introduction

    We are QContact, Inc. and QContact Limited. You can find further details about us and how to contact us in section 12. In this notice, "QContact", "we", "us" and "our" refer to QContact, Inc. and QContact Limited.

    This notice explains how we handle the personal data we obtain in the course of our business.

    QContact processes different types of personal data for different purposes depending on whether is processing personal data on its own behalf as a ‘controller’ or as a service provider on behalf of its customers as a ‘processor’ or ‘agent’.

    (A ‘controller’ is a person or entity that determines why and how personal data is processed. A ‘processor’ or ‘agent’ is a person or entity that processes personal data on behalf of a controller on the controller’s instructions.)

  2. Our processing as a controller

    Types of personal data we process as a controller

    We process the following types of personal data relating to our individual customers, representatives of business customers and website users as a controller:

    • Usage data: data about website visitors’ use of our website and services, such as IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths. This data is collected automatically by our analytics tracking system.
    • Contract data: data relating to our customers and our customers’ personnel and representatives collected in connection with entering into contracts with us, such as names, business email addresses, postal addresses and telephone numbers and job titles. This data might be provided by you directly and/or by other personnel or representatives of your organisation.
    • Account data: data collected in connection with setting up customer accounts to enable access to our services, such as names, usernames and email addresses. This might be provided by you directly and/or by other personnel or representatives of your organisation.
    • Correspondence data: information contained in or relating to any communications between us, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication.
    • Marketing data: information collected in connection with any marketing subscription or opt-out request, such as email addresses and marketing preferences.

    Core processing purposes

    The purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal bases for doing so are set out in the table below. An explanation of what the different legal bases mean can be viewed here.

    Purposes of processing Types of personal data Legal basis
    Analysing use of our website Usage data Our legitimate interests in monitoring, improving and protecting our website, network, systems and data
    Entering into contracts and communicating with customers and their personnel or representatives in connection with performing contracts Contract data If you are contracting with us as an individual, the relevant legal basis is performance of a contract.

    If you are a representative or staff member of an organisation that is a customer of ours, the relevant legal basis is the legitimate interests of us and our customers in entering into and performing contracts for providing and receiving requested services
    Enabling and controlling online access to our services Account data

    Usage data
    Our legitimate interests in enabling our customers to access and use our services and ensuring the security of our website, network, systems and data
    Monitoring customers’ use of our services for billing purposes Account data

    Usage data
    Our legitimate interests in billing customers for use of our services based upon their usage
    Billing customers for use of our services Contract data Our legitimate interests in billing customers for use of our services based upon their usage
    Communicating with you, for example in response to an enquiry or complaint Correspondence data Our legitimate interests in administering our business, services and website and communicating with customers, potential customers and users of our services
    To provide you with (non-marketing) service information relevant to our customers generally, such as any maintenance work or problems affecting access to or use of our services Contract data

    Account data
    Our legitimate interests in administering our business, services and website and communicating important service information to customers and service users
    Sending marketing communications (see more on this in the ‘Using personal data for marketing purposes’ section below Marketing data

    Contract data
    Our legitimate interests in promoting our business, products and services to drive sales and sustain and grow our business

    Using personal data for marketing purposes

    We may use email addresses comprised in marketing data and relevant contract data for the purposes of sending marketing communications in the following circumstances:

    • If you are a customer, or a representative or member of personnel of a customer, who has bought products and services from us
    • If you have indicated that you want to receive marketing communications from us, for example by clicking on a subscribe option made available on our website

    You can opt-out of receiving these communications at any time by using the unsubscribe links made available in every email or by contacting us directly via any of our contact methods.

    Other processing purposes

    In addition to the core processing activities set out above, we may also process personal data if and to the extent necessary for the following purposes:

    Purpose Legal basis
    Establishing, exercising or defending legal claims Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of you and others
    Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice Our legitimate interests in protecting our business against risks
    Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator. Compliance with a legal obligation
    In order to protect your vital interests or the vital interests of another natural person Protection of vital interests

    Explanation of legal bases

    It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.

    Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms

    Performance of a contract: processing of personal data is necessary for the performance of a contract with an individual or in order to take steps at the request of an individual prior to entering into a contract

    Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by UK or EU law

    Protection of vital interests: processing is necessary in order to protect the vital interests of you or another individual

  3. Our processing as a processor/agent

    We are a provider of a cloud-hosted software-as-a-service that enables its customers to bring all their calls, texts, web chats, emails and social media interactions with customers into one place, with tools for call routing, CRM integration, self-service and workflow automation.

    Due to the nature and purpose of the software, personal data relating to individuals who are individual customers of, or representatives of business customers of, our customers are processed as a result of our customers’ use of the software within their own businesses. This may include the following types of personal data:

    • Any type of personal data held in our customers’ CRM systems, such as (but not limited to) names, email addresses, postal addresses, account balances, account status, gender and date of birth.
    • Any personal data provided directly by individuals making contact with our customers, for example by phone, email or webchat.
    • Individuals' IP addresses may also be collected where they interact with the product online, for example when using webchat. These will be collected through use of cookies placed on our customers’ websites.

    We process this personal data as a processor by virtue of our role in managing the platform from which the software is provided to our customers and when providing support services to our customers in relation to their use of the software. Our customers are the controllers of this personal data.

    We process this personal data as a processor on behalf of our customers for the purposes of providing the software and related support services to our customers in accordance with contracts between us and our customers.

  4. Recipients of personal data

    We may share the personal data described in this notice with the following categories of recipients, where and to the extent necessary for the purposes described in this notice:

    • Group companies: this currently includes QContact, Inc., QContact Ltd, and Castillo Ltd.
    • Insurers
    • Professional advisers: such as lawyers, accountants, consultants
    • Service providers: such as datacentre owners/operators and banking, payment, accounting, billing and website analytics services providers
    • Organisations or individuals engaged by us in the course of providing our services: such as individual consultants or their personal service companies
    • Prospective buyer: if we propose to sell or do sell any business or assets

    There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above.

    In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.

  5. International transfers of personal data

    Our datacentres and the platform infrastructure for our software services are based in European Union (EU) countries. All our service providers are based in the EU except for a billing services provider based in New Zealand, which is deemed by the European Commission to provide adequate protection for personal data.

    However, the personal data we process as a controller and a processor as described in this notice above, is accessed by and shared between our group companies, which are based in various countries. Where we are acting as a controller in relation to personal data, our group companies may also process that personal data for the purposes described in section 2 of this notice. Where we are acting as a processor/agent for our customers, our group companies may also process the personal data for the purposes described in section 3 of this notice. This means that the personal data described in this notice is processed:

    • by QContact, Inc. in the United States
    • by QContact Ltd in the UK
    • by Castillo Ltd in Gibraltar

    Under EU and Swiss data protection law, personal data may not be transferred from an EEA country or Switzerland to a country outside the EEA or Switzerland (known as a ‘transfer’) unless certain conditions are complied with by both controllers and processors/agents. Those conditions are intended to ensure that any personal data transferred outside of the EEA or Switzerland are adequately protected in line with the protection given to personal data under EU and Swiss data protection law.

    Because the processing of personal data by QContact, Inc. as described above involves a transfer of personal data outside the EEA and Switzerland, the QContact group is required to comply with the conditions for such transfers set out in EU and Swiss data protection law. We do this by QContact, Inc. self-certifying to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.

    The Privacy Shield Frameworks are adequacy decisions of the European Commission and Swiss Government in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the principles set out in those decisions – known as the ‘Privacy Shield Framework Principles’.

    QContact, Inc. participates in and complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. QContact, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this notice and the Privacy Shield Principles relating to the processing of personal data by QContact, Inc., the Privacy Shield Principles shall govern.

    QContact, Inc. will ensure that all its processing of personal data and onward transfer to and processing by our group companies in countries outside the EEA and Switzerland as described in this notice complies with the Privacy Shield Framework Principles, including the onward transfer liability provisions. This means that the receipt and processing of personal data by QContact, Inc. in the U.S. and onward transfer to and processing by our group companies in other countries outside the EEA and Switzerland is deemed to be adequately protected and complies with the conditions for such transfers under EU and Swiss data protection law.

    With respect to all personal data received or transferred pursuant to the Privacy Shield Frameworks, QContact, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, QContact, Inc. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

    To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/. To view QContact Inc’s certification, please visit the Privacy Shield list: https://www.privacyshield.gov/list.

    In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based in various countries in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by EU and Swiss data protection law and with the Privacy Shield Principles as applicable.

  6. Retention and deletion of personal data

    We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice.

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and applicable legal requirements.

    We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:

    • Usage data: 1 year
    • Contract data: 6 years after the relevant customer contract has terminated
    • Account data: 6 months after the relevant customer contract has terminated
    • Correspondence data: 6 years after the date of the correspondence or termination of the customer contract to which the communication relates (whichever is later)
    • Marketing data and contract data used for marketing: we will continue to use this data until we receive an opt-out request, after which time we will retain the email address and marketing preference information to ensure that we do not send marketing to the unsubscribed email address

    These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, establishing, exercising or defending legal claims or in order to protect your vital interests or the vital interests of another natural person.

    Upon expiry of the relevant retention period we will securely destroy the personal data in accordance with applicable laws and regulations.

  7. Security of personal data

    We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.

    If you have an account to access our services via our website, you must ensure that your password is not susceptible to being guessed, whether by a person or a computer program. You are responsible for keeping your password confidential. We will not ask you for your password (except when you log in to our website).

    We will notify you and any applicable regulator of any personal data breach where we are legally required to do so.

  8. Your rights

    Where we process your personal data as a controller as described in section 2 of this notice above, you have a number of different rights you might be able exercise against us in relation to personal data about you that we process. These are rights to:

    • access, obtain rectification or erasure, restrict processing and object to processing of your personal data
    • have your personal data ‘ported’ to you or another organisation
    • complain to a supervisory authority about our processing of your personal data
    • withdraw consent to our processing of your personal (where you have given consent)

    The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them.

    Please note that if you are an individual customer or a representative of a business customer of one of our customers, you should contact that customer if you want to exercise any of your data protection rights in relation to the personal data described in section 3 of this notice above. This is because it is the controller, not the processor, who must respond to requests from individuals to exercise their rights under EU data protection law. if you are an individual customer or a representative of a business customer of one of our customers, we process your personal data as a processor/agent on behalf of our customer with whom you have a relationship, and that customer is the controller of your personal data. Therefore please contact the customer with whom you have a relationship with any requests to exercise your rights.

    Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.

    Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.

    Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.

    Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.

    Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

    Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).

    Data portability: where our processing of your personal data is based on performance of a contract and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

    Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

    Withdraw consent: where any of our processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

    How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to [email protected], in addition to any other methods specified in this policy.

    How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. Contact details for the supervisory authorities can be found here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

  9. Complaints

    We are committed to resolving any complaints about our processing of your personal data.

    If you have an enquiry or complaint about our processing of your personal data, please contact [email protected] in the first instance, regardless of which country you are situated in.

    You may also complain to a supervisory authority responsible for data protection in the EU, either in the EU member state of your habitual residence, your place of work or the place of the alleged infringement, or to the Swiss Federal Data Protection and Information Commissioner. Contact details for the supervisory authorities can be found here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm and contact details for the Swiss Federal Data Protection and Information Commissioner can be found here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.

    We will also participate in independent dispute resolution of any complaints you may have about our processing of your personal data through the panel established by the EU supervisory authorities (Authorities) and/or the Swiss Federal Data Protection and Information Commissioner (Commissioner) with regard to personal data transferred from the EEA and/or Switzerland under the Privacy Shield. We commit to cooperate with the Authorities and/or Commissioner in the investigation and resolution of complaints brought under the Privacy Shield and comply with any advice given by the Authorities and/or Commissioner where they take the view that we need to take specific action to comply with the Privacy Shield Principles.

    Under certain conditions you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Further details can be found on the Privacy Shield website, here: https://www.privacyshield.gov/article?id=ANNEX-I-introduction

  10. Updating your personal data

    Please let us know if any of the personal data that we hold about you needs to be corrected or updated.

  11. Our use of cookies

    What is a cookie?

    A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server

    Cookies are either "persistent" cookies or "session" cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.

    Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies.

    Cookies that we use on our website:

    Category Purpose Relevant cookies Expiry
    authentication to identify you when you visit our website and as you navigate our website n/a n/a
    status we use cookies to help us to determine if you are logged into our website n/a n/a
    personalisation to store information about your preferences and to personalise our website for you n/a n/a
    security to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally __cfduid Cloudflare is a service that can be used to provide additional security and distributed processing to large website.
    More information from Cloudflare
    advertising to help us to display advertisements that will be relevant to you BizoID
    BizoUserMatchHistory
    bcookie
    These cookies are used to collect data about how visitors use our site, and to offer targeted advertising on LinkedIn.
    More information from LinkedIn
    analysis to help us to analyse the use and performance of our website and services _gid
    _ga
    These cookies are used to collect data about how visitors use our site. We use the data to compile reports and to help us improve the site. The cookies mostly collect anonymous data although Google do use the IP address but this is not shared with the MDU. Example data we collect includes the number of visitors to the site, where visitors have come to the site from and the pages they visited.
    More information from Google
    cookie consent to store your preferences in relation to the use of cookies more generally n/a n/a

    We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at: https://www.google.com/policies/privacy/. The relevant cookies are: _gid and _ga.

    Managing cookies

    Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

    • Chrome: https://support.google.com/chrome/answer/95647?hl=en
    • Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
    • Opera: http://www.opera.com/help/tutorials/security/cookies/
    • Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
    • Safari: https://support.apple.com/kb/PH21411
    • Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy

    Blocking all cookies will have a negative impact upon the usability of many websites, and if you block cookies, you will not be able to use all the features on our website.

  12. Our details

    QContact, Inc. is registered in Delaware, U.S.A. under registration number 6898423, with its registered office at 8333 NW 53rd St Suite 450, Doral, FL 33166.

    QContact Inc’s representative in the EU for the purposes of EU data protection law is QContact Ltd.

    QContact Ltd is registered in England and Wales under registration number 10927190, with its registered office at Peter House, Oxford Street, Manchester, M1 5AN.

    For enquiries or complaints relating to this notice or our processing of your personal data, please contact [email protected], which is a dedicated contact address for this purpose.

    You can also contact us or our group companies using any of the email addresses, postal addresses or telephone numbers published on our website from time to time.

  13. Changes to this notice

    We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.

Last updated 1st June 2019