We may need to collect your personal data because you provide it to us, or because your employer is our client and wishes to set up an account for you to access our platform. In such circumstances, we are the controller of your personal data.
Or, we may receive your personal data within our platform because one of our clients has uploaded your details within their account on our platform. In such circumstances, we are the processor of your personal data and we shall only process your personal data in accordance with the client’s instructions.
2. What personal data do we collect and from whom?
By personal data we mean identifiable information about you, such as your name, email address, gender, date of birth, mobile and home telephone number and your IP address.
We may obtain special categories of personal data about you if you or a client chooses to provide such data to us. Special categories of personal data are data about your race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation.
2.1 Data you provide to us
From time to time you may provide to us personal data. This may be because you wish to:
- use our website;
- use our mobile app;
- apply for a job with us;
- provide services to us;
- subscribe to receive product update e-mails from us; or
- otherwise contact us including with queries, comments or complaints.
You may provide personal data to us directly, or to us through our social media platforms.
All personal data that you provide to us must be true, complete and accurate. At our request, you shall promptly provide evidence of your identity. If you provide us with inaccurate or false data, and we suspect or identify fraud, we will record this and we may also report this. When you contact us by email or post, we may keep a record of the correspondence and we may also record any telephone call we have with you.
2.2 Data we automatically collect about you
When you use our website or use our mobile app, we automatically collect and store information about your device and your activities. This information could include:
- technical information about your device such as type of device, web browser or operating system;
- your preferences and settings such as time zone and language; and
- how long you used the website / app and which services and features you used.
Some of this information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why, and how you can control them, please see our Cookies Policy.
2.3 Type of data we automatically collect from connected Google Services
You may choose the option to log in with Google or share access to Gmail in order to access this information from within the Attio application. When you do so we automatically collect and store Google user data:
- Email address
- E-Mails (content, attachments and meta data)
2.4 Data we receive from others
As set out above, your employer may from time to time provide personal data to us that relates to you so that you can create an account on our platform, or one of our suppliers may send us personal data which we upload into our platform.
We may also receive personal data about you from our payment providers and our website security service partners, particularly if there is any misuse of the platform including the introduction of viruses or other malicious software.
If you apply for a job with us, we may receive personal data about you from your previous employer or other reference.
3. Lawful use of your personal data
- consent (where you choose to provide it and never for data from connected Google Services);
- performance of our contract with you;
- compliance with legal requirements; and
- legitimate interests. When we refer to legitimate interests we mean our legitimate business interests in the normal running of our business which do not materially impact your rights, freedom or interests.
We will only use your personal data where we have a lawful basis to do so. But, how we use your personal data depends on why we have collected it.
3.1 Using data from your employer who uses Attio
If we have received your personal data because you are employed at a company that uses Attio as its CRM we will process your personal data to perform any contract we have entered into with your employer or in relation to any steps we take at the request of your employer prior to entering into a contract. Typically, this includes creating a user account for you so that you can access the Attio application.
3.2 Using data from connected Google Services
If we have received your personal data because you have chosen to Sign in with Google we will process your personal data to perform any contract we have entered into with your employer or in relation to any steps we take at the request of your employer prior to entering into a contract. In particular, this includes providing you with access to the Attio application.
Attio provides a pipeline and relationship management software application aimed at business customers. If we have received personal data because you have chosen to connect your Gmail account, we will collect your data from this service in order to enhance the email and contact management experience and improve your productivity when using the Attio application. In particular, this includes access to your Google user data from within the Attio application, where you can view your data in the relevant context of the pipeline and relationship management software application and manage your professional relationships.
Additional Limits on Use of Your Google User Data:
- We will only use access to read Gmail message bodies (including attachments), metadata, headers, and settings to provide a web email client that allows users to read and process emails and will not transfer this Gmail data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
- We will never use Google User data for serving advertisements.
- We will not allow humans to read this data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for our internal operations and even then only when the data have been aggregated and anonymized.
3.3. Using data you uploaded or entered into the Attio application
If we have received your personal data because a client uploaded it to our platform, we shall process that personal data for our legitimate interests and on the instructions of our client.
3.4. Using data for our legitimate interests
3.5. Using data to provide Product Update E-Mails
You may consent to receive product update email messages from us. You can choose to no longer receive marketing emails from us by contacting us or clicking unsubscribe in the email. Please note that it may take us a few days to update our records to reflect your request.
If you ask us to remove you from our product update mailing list, we shall keep a record of your name and email address to ensure that we do not send you any more product update information. We shall also continue to send you information relating to your use of our services if your employer has an account with us.
3.6. Using data to improve our service
We also analyse data usage of our platform, and use that information to improve our services and platform for our legitimate interests. Please see our Cookies Policy for detailed information.
3.7. Using data to process job applications
If you apply for a job with us, we shall use the personal data you provide to process your application and respond to you accordingly.
4. Who do we share your data with?
For our legitimate interests, we may share your personal data with any service providers, sub-contractors and agents that we may appoint to perform functions on our behalf and in accordance with our instructions, including payment providers, IT service providers, accountants, auditors and lawyers. We shall provide our service providers, sub-contractors and agents only with such of your personal data as they need to provide the service for us and if we stop using their services, we shall request that they delete your personal data or make it anonymous within their systems.
In order to comply with our legal obligations, under certain circumstances we may have to disclose your personal data under applicable laws and/or regulations, for example, as part of anti-money laundering processes or to protect a third party's rights, property, or safety.
For our legitimate interests, we may also share your personal data in connection with, or during negotiations of, any merger, sale of assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company in which case we will send a notice to our users.
5. Where we hold and process your personal data
Some or all of your personal data may be stored or transferred outside of the European Economic Area (the EEA) for any reason, including for example, if our email server is located in a country outside the EEA or if any of our service providers are based outside of the EEA.
Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data or to a third party where we have approved transfer mechanisms in place to protect your personal data – i.e., by entering into the European Commission's Standard Contract Clauses, or by ensuring the entity is Privacy Shield certified (for transfers to US-based third parties).
Please contact us on the email address set out in clause 10 if you require further information on the specific mechanism that we use when transferring your personal data outside of the EEA under this paragraph.
We shall process your personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We do this by using appropriate technical or organisational measures, for example, all information you provide to us is stored on our secure servers and our employees are required to comply with all applicable data protection laws.
If you are our client and you wish to send to us personal data to host on our platform, we shall both comply with our Information Transfer Policy.
Notwithstanding the above, you acknowledge that no system can be completely secure. Therefore, although we take these steps to secure your personal data, we do not promise that your personal data will always remain completely secure. If there is a security breach, we will do all that we can as soon as we can to stop the breach and minimise the loss of any data.
7. Your rights
You have a number of rights under applicable data protection legislation. Some of these rights are complex, and not all of the details have been included below. Further information can be found here.
- Right of access: You have the right to obtain from us a copy of the personal data that we hold for you.
- Right to rectification: You can require us to correct errors in the personal data that we process for you if it is inaccurate, incomplete or out of date.
- Right to portability: You can request that we transfer your personal data to another service provider.
- Right to restriction of processing: In certain circumstances, you have the right to require that we restrict the processing of your personal information.
- Right to be forgotten: You also have the right at any time to require that we delete the personal data that we hold for you, where it is no longer necessary for us to hold it. However, whilst we respect your right to be forgotten, we may still retain your personal data in accordance with applicable laws.
- Right to stop receiving marketing information: You can ask us to stop sending you information about our services, but please note we shall continue to contact you in relation to any matters relating to your report.
We reserve the right to charge an administrative fee if your request in relation to your rights is manifestly unfounded or excessive.
We may need to request specific information from you to help us to confirm your identity and ensure your right to access your personal data or to exercise any other right. We may also contact you to ask you for further information in relation to your request so we can deal with it promptly.
If we are a processor of your data (and our client is the controller) we shall only process your personal data as instructed by our client. You will need to contact our client directly if you wish to exercise your rights in relation to the data processed on our platform. If you do contact us directly, we will notify our client as soon as reasonably practical and assist our client as the controller by taking appropriate measures to enable the fulfilment of our obligations to you.
8. Retention of personal data
We will retain personal data in accordance with applicable laws.
If we have received your personal data because you are an employee of a client, we shall retain your personal data until we no longer work with your employer, except where we are required to retain personal data for a particular period of time to comply with legal, audit or statutory requirements, including requirements of HMRC in respect of financial documents.
If we have your personal data because a client has uploaded it to our platform, we shall retain it in accordance with our client's instructions.
10. How to Contact Us
You can contact us with any questions or comments about your Personal Data, this Policy or any other privacy related enquiries by emailing firstname.lastname@example.org.
Last updated: October 2019