Privacy Policy
Cherub Solutions and its Affiliates (together “we”, “us”, “our”, or “CherubSolutions”) provide a wide range of solutions to improve the marketing and communications experience for businesses, and your intended audience. We process personal data in order to deliver these services, operate our websites, and to conduct our day-to-day business. In this privacy statement, the terms “you”, “your”, or “Customer” refer to you. “Affiliate” means any entity that directly or indirectly controls, or is controlled by, or is under common control with the party specified. For purposes of this definition, “control” means direct or indirect ownership of more than fifty percent (50%) of the voting interests of the subject entity or the power to direct the management and policies of the subject entity.
This privacy statement applies to all products and services as provided by Cherub Solutions (including through any of its Affiliates) and contains information about what personal data we collect, why we collect it, and how we process it, so that you can make an informed decision before making use of our platform, website, and communications services. This privacy statement applies regardless of your or any end user’s geographical location and covers all of our websites, (sub)domains, mobile applications, desktop clients, as well as the services we provide.
Personal data refers to information that would allow any natural person to be directly or indirectly identified. Your use of our website or services may involve personal data relating to three categories of individuals:
-
Personal data related to a customer or potential customer, referred to as “Customer Account Data” or ‘potential customer information’.
-
Personal data related to an end user or recipient, meaning the individual that is interacting with you via our services and/or receiving communications from you via our services, referred to as ‘end user data’ (collectively, “End User”).
-
Personal data related to website visitors, referred to as ‘website visitor data’.
Data privacy and protection of your personal data (including personal data relating to your End Users) is one of Cherub Solutions’ core principles. Our privacy statement is intended to give you a detailed understanding of our data processing practices. It is important to us that we are transparent, and you feel informed and empowered when it comes to the privacy of your and your End Users’ personal data, and the steps we take to protect that personal data.
If you or any of your End Users are located in Singapore, references in this privacy statement to terms such as “data subject”, “data controller”, and “data processor” should be taken to refer to the equivalent terms of “individual”, “organization”, and “data intermediary” under the Personal Data Protection Act of 2012 (“PDPA”).
If you or any of your End Users reside in California, references in this privacy statement to terms such as “personal data”, “data subject”, “data controller”, and “data processor” should be taken to refer to the equivalent terms of “personal information”, “consumer”, “business”, and “service provider” under the California Consumer Privacy Act of 2018 (“CCPA”). Cherub Solutions does not sell, rent, or otherwise disclose personal data or the personal data of End Users for money or anything else of value.
1. About our personal data processing practices
We will only process personal data to the extent necessary to fulfill the specific purpose(s) for which you have submitted personal data. When you sign up to our services through our website, we request you to provide contact information details such as your name and email address. We subsequently use that information to create your account, facilitate your use of the services, billing purposes, and to provide you with relevant information about our services. Some basic examples of actions that result in us processing your personal data are (a) when you sign up to our newsletter, (b) you sign up for the services via our website and accept the General Terms and Conditions (the “Terms”), or (c) sign up for the services through an order form. To the extent permitted or required by applicable law, you will be given the opportunity to explicitly agree to the collection, use, disclosure, and sharing of the personal data you’ve provided. We do not use your personal data for any other purposes than those agreed to by you or as permitted by the Terms and this privacy statement.
When you share personal data with us, we commit to handle that information in accordance with the applicable data protection and e-privacy regulations, including the General Data Protection Regulation (“GDPR”). Due to the nature of the services we do not interact with End Users directly. You are responsible for ensuring that you have all applicable rights and consents to share any End User personal data with us and that the personal data is accurate and complete.
1.1 Roles and responsibilities. When it comes to processing personal data, there are several different roles and responsibilities that come into play. This privacy statement provides an explanation of the relevant roles, the corresponding responsibilities of each role, and the systems of governance that play an integral part in protecting your personal data. The data controller determines the purpose (why) and means (how) of personal data processing and remains ultimately responsible for the correct handling of the data subject’s personal data. In practice, the data controller is often the company that an individual (or data subject) provides their personal data to directly.
The data processor is a company that provides services to the data controller, and receives personal data from or on behalf of the data controller in order to perform those services. To give an example, when one of our customers sends a marketing campaign through our communications platform, we receive personal data from the customer, such as a phone number or email address of the intended recipient, in order to provide the service. In this example Cherub Solutions acts as the data processor of the customer, who in turn is acting as the data controller of the phone number or email address entrusted to it by the individual to which this personal data belongs. The data processor only processes personal data according to the instructions of the data controller. These instructions are typically laid down in a data processing agreement between the controller and the processor.
Depending on your relationship with us, we can be either data controller or data processor, or in certain circumstances we can be both. If you have any questions about these practices or more general inquiries about how we handle personal data, you can contact us at privacy[at]cherub.solutions.
2. Why we collect personal data
We have a few key priorities when it comes to protecting your personal data. Not only do we prioritize keeping your personal data safe and secure, we are also highly focused on protecting your privacy rights and freedoms as an individual.
2.1 Legal bases. All personal data we process is lawfully obtained and will only be processed to the extent we have a legal basis to do so. The legal bases we rely upon for processing of personal data are: (a) consent, (b) performance of a contract, (c) compliance with a legal obligation, and (d) legitimate interest. The specific legal basis which permits us to process your personal data may differ when you receive our services from an entity located outside the European Economic Area (“EEA”) and as a result the services and our processing obligations may be subject to non-EU data protection requirements.
As indicated above, we process personal data on a limited set of legal bases:
-
Explicit consent from the data subject. For example, by ticking a box on our website when you want to download product information.
-
Performance of a contract. This includes not only the provision of the services but also negotiating and signing a contract in order to receive a service.
-
Compliance with legal obligations applicable to us. For instance, preventing misuse of our services, cooperating with formal disclosure requests, and retaining customer account data and financial data.
-
Our legitimate interest. This applies for example to direct marketing targeted to existing customers on an opt-out basis or to keep you updated on information regarding our services. Where we rely upon legitimate interest, we have assessed the processing is not high risk, does not involve the processing of special categories of personal data, and will not violate fundamental human privacy rights.
2.2 Purposes. The purposes for which we process your personal information depend on your relationship with us. For starters, you will be required to submit personal data related to you and the business you work for when creating an account. In addition, we may also require personal data in order to enable you and your End User’s (as applicable) to make use of our services. In other circumstances, we may process your personal data to conduct and expand our day-to-day business, such as for analytical improvements to the service, support, sales, marketing, and legitimate business purposes. Personal data can also help us improve the quality of our services and to develop new functionalities to fit the needs of our customers, such as product and experience personalization.
We only request personal data that is necessary to fulfill the specified purposes listed below as applicable to you; provided, however, if the nature of our relationship with you changes, we may need you to provide additional information. For example, if you fill out a form to request more information about one of our products, we will use your contact information to send the requested product information to you. If you then decide to become a customer, you will need additional information including your billing address for the purpose of account creation and providing you with the services.
The following is a list of purposes for which we may use your personal data. The specific purpose applicable to our processing of your personal data depends on the nature and extent of your relationship with us.
-
To promote the use of our services in accordance with your marketing preferences.
-
To share relevant information about our products and services in accordance with your marketing preferences, including important notifications about the services.
-
To create an account connected to you and the company you represent.
-
To verify your identity.
-
To facilitate access and use of the services in line with the Terms.
-
Finance and billing, including fulfilling financial obligations such as paying taxes and ensuring invoices are paid.
-
To provide customer support and communicate with you about your account.
-
To analyze usage of our products and services.
-
For the transmission of information over the services; defining communications processing priority, routing configurations, and optimizing infrastructure.
-
To enforce compliance with the Terms and applicable law.
-
To keep our site and your account safe and secure.
-
To detect, prevent, and combat fraudulent or unlawful activity.
-
To protect the rights, property, or safety of us, you, our other customers, or any other third party.
-
To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
-
To conduct questionnaires and surveys in order to provide better services to you, our other customers, and End Users; provided, however your participation in and completion of any questionnaires is always voluntary.
3. What personal data we collect and how
The exact type of data we collect depends on the relationship we have with you and the product or service you use. Applying your cookie management settings on our website, signing up for a newsletter, downloading marketing materials, requesting to be contacted by our Sales team, creating an account, or using any of our products and services, are all examples of actions you take that require you to share certain personal data with us that is specific to that particular interaction.
3.1 Personal data directly collected from you. The categories of personal data we collect from you include personal identifiers, employment or professional information, financial information, commercial information, information related to internet activities, and location related information.
-
Personal identifiers. When you create an account and make use of any of our products and services, you are required to provide us with personal identifiers. Personal identifiers submitted as part of account creation or use of products and services are referred to as “Customer Account Data”. Customer Account Data consists of your name, contact details such as business address, phone number, and email address, financial information, gender (optional), and signature (subject to our business interactions). Additionally, when you request product related information, request to be contacted by our sales team, or attend events, we may request personal identifiers from you such as your name and contact details.
-
Employment or professional information. The information we process about you that relates to your employment or profession, the company you work for, and your job title.
-
Financial information. The payment and billing information we require you to share with us or directly with a payment-service provider, such as billing name and related address, bank account number, or credit card information.
-
Commercial information. Commercial data relates to your interest in products, your use of services, platforms, and account dashboards, and any of our web pages you visit.
-
Internet activity information. When you interact with our websites, marketing emails, and services, data is collected about your device and browser, time zone setting, web pages visited, products you view or search for, page response times, download errors, length of visits to certain pages, page interaction information, internet protocol (IP) address used to connect your computer to the internet, use of cookies, pixels, or similar technologies.
-
Location related information. The use of our services and products involves the processing of location related information. The type of data involved will differ depending on the service you use but location related information may include your and/or your End User’s IP address, business address, and service traffic related metadata such as the routing path and terminating carriers.
-
Support interaction information. When you interact with our Customer Support team over the phone we process the phone number you use and inform you that the call may be recorded in accordance with applicable laws.
We only request and retain personal data when strictly necessary. The data that we request will be relevant to our relationship and your purpose. For example, we require an email address to be able to send you marketing emails, but we do not need your gender or payment information.
3.2 Personal data collected from other sources. We collect personal data we obtain from sources other than you (“Third Party Data”). Third Party Data may include, but is not limited to, (a) personal identifiers, and (b) employment or professional information, such as company name, company description and website, company (estimated) revenue and employee range, company industry, employment role and title, seniority, full name, and phone number. The information we collect about you from other sources is business related but even in a business relationship certain information might be considered personal data.
Third Party Data is collected from the following sources:
-
Third party service providers of business information. We obtain business data such as employment or professional information from third parties. This information includes email addresses, the company an individual works for, job titles, phone numbers, and URLs of LinkedIn profiles. We obtain this information to expand our business through direct marketing, targeted advertising, and event promotion. Third Party Data may be combined with personal data that you provide to us. Information can be used to develop our business by updating, expanding, and analyzing our customer relationship records.
-
Third party social media providers. Depending on your and/or your End Users’ privacy settings, third party social media service providers such as Google, Twitter, and Facebook can provide us with information about you or an End User, as applicable. However, if you or an End User connects to a social media page you may (depending on the platform) be presented with the option to decide whether or not you would like to share that information with us. Third Party Data may be combined with personal data that you provide to us. Information can be used to develop our business by updating, expanding, and analyzing our customer relationship records.
-
Third party services & connectors. We make connectors available on the Cherub Solutions Platform that will allow our services to be used in connection with third party services through APIs or other connectors. For the sole purpose of enabling and facilitating the connector, your information may be made available to or shared by our services with the relevant third party service (and vice versa). Personal data that we may receive from the third party service provider on your behalf are contact data, activities and event data. Activities and event data may include personal data in case you as a customer include such information in the use case that you apply to the use of the services.
-
Google API & Connectors: When you as a customer are making use of a Cherub Solutions connector service that involves the use and transfer of information received from Google API to any other application, you are required to adhere to Google API Services User Data Policy, including the Limited Use requirements mentioned therein.
-
-
Someone else working for your company. Colleagues of yours can provide us with personal data about you such as your name, job title, email address, or phone number.
If you no longer want to be contacted by our sales and marketing teams, you can always unsubscribe from an email campaign by contacting your account manager or our Support team via support[at]cherub.solutions.
Subject to any exceptions noted in this privacy statement or in the Terms, you will always have a choice when it comes to the types and extent of the personal data you share with us. When we ask you to provide personal data to us, you can decline. However, many of our products and services require personal data so your choice not to provide personal data in certain instances can prevent you from using a certain product, service, or functionality.
End User personal data per service
PRODUCTS AND SERVICES
CATEGORIES OF END USER PERSONAL DATA INVOLVED
Email Services
Identification and contact data (name, email address, and other demographic and segment data provided by you); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); communication content.
5. International transfer of personal data
As a global cloud based service provider, the use of our services often involves the transfer of personal data to recipients and third parties both inside and outside the European Economic Area (“EEA”). We take care to ensure our partners regardless of location have sufficient safeguards in place to properly process and protect your personal data in line with our own data protection and information security standards.
One of the important steps we take when it comes to international data transfers involving third parties is due diligence and vetting. As part of the third party vetting process, we ensure that personal data will only be transferred to a third party located outside the EEA with the required cross-border transfer mechanism and safeguards in place. This means that when we engage a third party that is located outside of the EEA, we agree on the appropriate level of data protection, including additional contractual, technical, and organizational measures and the execution of a transfer impact assessment where necessary, to ensure the ongoing protection of the rights and freedoms of all individuals, inside and outside the EU. We consistently monitor changes to the international transfer mechanisms permitted under applicable privacy laws to ensure ongoing compliance with the international data protection standards.
6. The data protection and security standards we apply
Data security is paramount to Cherub Solutions. We invest in state-of-the-art technology and thorough security screenings of our infrastructure and employees to minimize security risks.
Since all our accounts to access our platform services are password protected (with optional two-factor authentication), you should be the only person with access to your account. You are responsible for safeguarding the credentials to your account. If your login information is stolen or used without your permission, it is imperative that you notify us immediately so we can take steps to secure your account. You can notify us of any unauthorized use of your account by sending an email to security[at]cherub.solutions with the subject ‘Urgent: account credentials’.
7. How long we retain personal data
The duration for which we are allowed to retain personal data depends on the nature and the purposes for which the personal data is processed. We retain personal data only to fulfill contractual or legal obligations applicable to us or the specific Affiliate you contract with (as outlined in the Terms). The applicable legal retention requirements for personal data retention may vary depending on the geographical location of us or the Affiliate you are contracting with, or where the communications services are being terminated.
7.1 SMS and Voice. Personal data related to the use of SMS and Voice, services have a default retention period of six (6) months. The retention of personal data related to those services are necessary (a) to fulfill our legal obligations to ensure the integrity and security of our services, and actively prevent misuse of telecommunications services, (b) for the transmission of information over the services, and (c) to ensure we are able to fulfill our legal obligations to assist formal governmental authorities.
7.2 Omnichannel communication services. For all other communications services, features, and products we retain personal data for the duration of our contract with you or our provision of the services to you, or where possible for a different period as agreed upon with you as the customer. In addition, we provide certain ancillary services which include, but are not limited to, the ability to maintain an online address book ‘Contacts’ for your convenience, and insights into account specific communication usage and transmission history for the duration of our contract with you or our provision of the services to you. You acknowledge and agree that any end-user/communication recipient personal data, such as phone numbers, email addresses, etc, are controlled by you and any data protection rights exercised by your End Users must be actioned by you. It is your responsibility as a data controller or acting on behalf of a data controller to ensure compliance with your obligations towards End Users whose personal data you control.
7.3 Marketing and sales. We keep personal data for marketing and sales purposes up to twelve (12) months, or, if you are an existing customer, for the duration of the services, unless you have withdrawn your consent or unsubscribed from receiving marketing information.
7.4 Compliance with corporate and financial legal obligations. We are under an obligation to demonstrate compliance with applicable national and EU financial and tax laws and regulations. To do so, we retain Customer Account Data such as name, email address, (company) address, (company) bank details, invoices, and position within the company for a period up to ten (10) years.
Proof that consent has been given or has been withdrawn for the processing of personal data, where applicable, will be retained for five (5) years.
Please note that we are not always in a position to fulfill a personal data erasure request if the request conflicts with one of our legal retention obligations. Since we are required to demonstrate that legitimate exercise of rights requests have been fulfilled, we retain confirmation emails relating to these requests for five (5) years.
After a retention period expires, we may keep personal data in a non-identifiable form for archival, statistical, and/or other legitimate business purposes. None of the data will be able to identify an individual directly or indirectly.
8. How to control your data protection rights and choices
Even though we collect your personal data for the various purposes outlined in this privacy statement, your personal data stays your own. You are in control of your personal data, as well as the personal data of End Users (if applicable). Unless we are under a legal obligation, your data protection rights and freedoms are controlled by you. You can change your cookie management settings as a website visitor, withdraw consent to our processing of your data if applicable, control and review your personal data, object to the processing of personal data when this is done on the legal basis of legitimate interest, or obtain restriction of the processing of data if necessary in accordance with applicable data protection laws.
8.1 Exercising your data protection rights: control your personal data.
Customers of Cherub Solutions, and all other individuals. If you do not have an account for any of our products or services, and therefore do not have access to the privacy dashboard you can exercise your personal data rights by sending a request to privacy[at]cherub.solutions.
8.2 Withdraw consent to our processing of your personal data. If you have provided us with your personal data on a consent basis and you no longer want us to use that personal data for any reason then you are always free to change your mind and revoke consent. If you make a legitimate withdrawal of consent request to us, we will always comply with your request, unless we’re legally required to keep your personal data (such as to demonstrate that we have acted upon a withdrawal of consent request).
8.3 Object to and restrict the processing of data. If we are processing your personal data using a legitimate interest basis, you have the ability to object to this processing and can exercise your right to restrict this processing. If you exercise your right to restrict personal data we process on a legitimate interest basis, we will assess each request on a case-by-case basis according to the rules set out by applicable data protection laws. If we reject your request we will demonstrate that we have compelling grounds to do so or that there’s a legal claim which allows us to retain personal data.
8.4 Processing time of data subject requests. Under normal circumstances, we will process your request as soon as possible but no later than within one (1) month of receiving the request. If a request is complicated or we receive too many requests during a given time period, our response time may be extended up to two (2) months from the date the request was received. We will inform you if you should expect a two (2) month response time. When you choose to delete your personal data, we may hold onto fully anonymised and aggregated data. If we do so, this anonymised and aggregated data will not be able to identify you as a person in any way. If we’re required to retain your information for legal reasons, we will let you know when we respond to your request.
Specifically for California based individuals, consumers shall not be discriminated because of the exercise of their rights under the CCPA.
9. Cookie notice
9.1 Types of cookie categories. Our websites primarily use four types of cookies; strictly necessary, performance, functional, and marketing cookies. These include first and third party cookies: first party cookies are set and controlled by us, while third party cookies are set and controlled by a third party tool or service provider. The duration for which a cookie is set varies. Session cookies disappear from your computer or browser when you logout of your account or close your browser, while persistent cookies are stored even after you have closed the page. The retention periods for cookies are specified below. With the exception of strictly necessary cookies, cookies will only be placed on your device and/or browser after you confirm or update your preferences through the cookie management settings.
If you decide to not allow opt-in performance and functional cookies on a site, the site may not function fully as designed. For example, you may face issues logging in or retaining set preferences, such as the preferred language the website displays.
-
Strictly Necessary. These cookies are necessary for the website to function and cannot be switched off in our systems. They are set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms.
-
Functional. These cookies enable the website to provide enhanced functionality and personalization such as the website content being provided in the preferred language for your location. They may be set by us or by third party providers whose services we have added to our pages.
-
Performance. These cookies allow us to measure visits, traffic sources, and engagement so we can improve the performance of our site. They help us learn which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous.
-
Marketing. These cookies allow advertising parties to uniquely identify your browser and internet device. These cookies have the capability to either alone or in conjunction with others uniquely identify a person directly or indirectly. They may be regarded as personal data under the relevant Data Protection Legislation.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
IP Addresses: when you visit our website or account portal or use our products and services, we process your IP address. We use IP addresses to track and analyze information about the devices that interact with our systems and to know where these devices are located. For example, for the purpose of detecting the location of customer account logins to help us combat potential fraud or malicious activity.
Web Beacons: a web beacon is an object placed in a web page or email we use to check whether a user has accessed its content. We use web beacons along with cookies to gather data about your use of our site and account portal. For example, we may use web beacons in marketing emails that notify us when you open an email or click on a link.
9.2 Change your cookie settings. When you visit one of our websites for the first time, you can either allow us to place all the cookies we use on your browser, decide to accept specific cookies, or deny all cookies that are not strictly necessary. You can always change your preferences either in your browser settings or in the cookie settings on our website. Within our cookie management settings, we outline each cookie type in use on our site and provide an explanation of the implications of accepting each cookie type.
9.3 Manage cookies from your browser. Find out more on how to update, activate, deactivate, or remove cookies using your browser by visiting the links below:
Google Chrome
Internet Explorer
Firefox
Safari
10. Children
Our services and products are not directed to or intended for children under the age of 18. We never knowingly collect and/or process any personal data from children below the age of 18. If we discover that we have received personal data from a child without parental or legal consent, we will take reasonable steps to delete that information as quickly as possible. If you believe we have any information from or about a child, please contact us at privacy[at]cherub.solutions with the subject: ‘Children’.
12. Changes to our privacy statement
This privacy statement is subject to change. We reserve the right to change, update, modify, or remove any part of this privacy statement at any time. If any modifications substantially affect your rights under this privacy statement, we will notify you where possible. You can always decide to discontinue your use of our services if you disagree with any updates we may make to this privacy statement.
13. Disputes
If you have any dispute with us relating to our privacy practices, please contact our legal team at privacy[at]cherub.solutions with the subject: ‘Dispute’. If we are unable to reach an understanding via email, please refer to the Terms, which describes how disputes will be resolved between us. Please be sure to review the Terms before you use any of our products and services.
14. How to contact us
If you have any questions left regarding the processing of personal data after reading this privacy statement, or when you have feedback or suggestions to make this privacy statement better, please do not hesitate to contact us.