Privacy Policy

Attio takes the security of your data and our infrastructure very seriously. We are committed to providing an environment that is safe, secure, and available to all of our customers all the time.

Last updated: March 2023

1. Introduction

This Privacy Policy sets out how We, Attio Limited, previously F Stack Limited and trading as Attio, with registered office at Office 25.3, 25 Easton Street, London, WC1X 0DS, England, collect and process your personal data and explains your rights in relation to your personal data. If you have any questions about this Privacy Policy or wish to exercise any of your rights in relation to your personal data, you can contact us at the address above or by email to [email protected]. Our preferred contact method is email.

This Privacy Policy affects your legal rights and obligations so please read it carefully. If you do not agree to be bound by this Privacy Policy, please do not provide your personal data to us or request that your employer does not do so.

We may update this Privacy Policy from time to time at our discretion and in particular to reflect any changes in applicable laws. If we do so, and the changes substantially affect your rights or obligations, we shall take commercially reasonable measures to notify you. Otherwise, you are responsible for regularly reviewing this Privacy Policy so that you are aware of any changes to it.

We may collect your personal data because you provide it to us, or because your employer or a colleague is our client and wishes to set up an account for you to access our platform. In such circumstances, we are the controller of your personal data.

Alternatively, we may receive your personal data through our platform because one of our clients has uploaded your details within their account on our platform. In such circumstances, we are the processor of your personal data, and we shall only process your personal data in accordance with the client’s instructions.

On certain occasions, we may allow certain developers or users access to the Attio API in order to develop certain applications enabling interoperation between a third-party platform and the Attio services (each an “Integration App”). Each Integration App will be developed independently and at the developer’s own risk. Accordingly, each developer of an Integration App shall be deemed to be a separate and independent controller of any personal data you may share by using such Integration App, and you will be subject to the Integration App’s separate terms and privacy policy. We encourage you to read the terms and privacy policy of every Integration App you may use in connection with our services.

This website is not intended for children, and we do not knowingly collect data relating to children.

This website may include links to third-party websites, plug-ins, and applications (including Integration Apps). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

2. What personal data do we collect and from whom?

By personal data we mean any identifiable information about you, such as your name, email address, gender, date of birth, mobile and home telephone number, your IP address or a photo of you which you upload to our platform. We reserve the right to anonymize and/or pseudonymize such personal data so that it is no longer personally identifiable and use it in anonymized and/or pseudonymized form for our internal business purposes, insights, or such other purposes from time to time.

We may obtain special categories of personal data about you if you or a client chooses to provide such data to us. Special categories of personal data are data about your race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation.

2.1 Data you provide to us

From time to time you may provide personal data to us. This may be because you wish to:

• use our website;

• use our mobile app;

• apply for a job with us;

• provide services to us;

• subscribe to receive product update e-mails from us; or

• otherwise contact us including with queries, comments, or complaints.

You may provide personal data to us directly, or through our social media platforms or an Integration App, or others may provide your personal data, for example to add you to your team’s workspace.

We shall process all such personal data in accordance with this Privacy Policy. Certain personal data must be provided to us so that we can fulfil your request (for example, to provide services to you), and we shall make this clear to you at the point of collection of the personal data.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

All personal data that you provide to us must be true, complete, and accurate. At our request, you shall promptly provide evidence of your identity. If you provide us with inaccurate or false data, and we suspect or identify fraud, we will record this, and we may also report this. When you contact us by email or post, we may keep a record of the correspondence and we may also record any telephone call we have with you.

2.2 Data we automatically collect about you

When you use our website or use our mobile app, we automatically collect and store information about your device and your activities. This information could include:

• technical information about your device such as type of device, web browser or operating system;

• your preferences and settings such as time zone and language; and

• how long you used the website/app and which services and features you used.

Some of this information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why, and how you can control them, please see our Cookies Policy.

2.3 Type of data we automatically collect from connected third-party services, such as Google Services, Dropbox, Microsoft Outlook, and Microsoft OneDrive

You may choose the option to log in with or access third-party services in order to access this information from within the Attio application and in such cases, we will automatically collect and store your user data from that third party. This may include:

• Profile with third party

• Name

• Email address

• E-Mails (content, attachments, and meta data)

• Calendar

• Files

2.4 Data we receive from others

As set out above, your employer or a colleague may from time to time provide personal data to us that relates to you (for example, your email address) so that you can create an account on our platform or one of our suppliers may send us personal data which we upload into our platform. If a third party such as your employer or a colleague provides us your email address which is your personal, non-work email address you must contact us to let us know and we will remove this data.

We may also receive personal data about you from an Integration App, our payment providers and/or our website security service partners, particularly if there is any misuse of the platform including the introduction of viruses or other malicious software.

If you apply for a job with us, we may receive personal data about you from your previous employer or other reference.

3. Lawful use of your personal data

We will only use your personal data where we have a lawful basis to do so. The lawful purposes that we rely on under this Privacy Policy are:

• consent (where you choose to provide it e.g. when you choose to use an Integration App to share your data between Attio and a third party, and never for data from connected Google Services);

• performance of our contract with you or your employer or colleague;

• compliance with legal requirements; and

• legitimate interests. When we refer to legitimate interests, we mean our legitimate business interests in the normal running of our business which do not materially impact your rights, freedom, or interests.

We will only use your personal data where we have a lawful basis to do so. How we use your personal data depends on why we have collected it.

3.1 Using data from your employer or colleague who uses Attio

If we have received your personal data because you are employed at a company that uses Attio as its CRM or a colleague uses Attio for such services and invites you to collaborate on their workspace, we will process your personal data to perform any contract we have entered into with your employer or colleague or in relation to any steps we take at the request of your employer or colleague prior to entering into a contract with us or updating such contract with us. Typically, this includes creating a user account for you so that you can access the Attio applications and join your employer’s or colleague’s workspace.

3.2 Using data from connected Google Services

If we have received your personal data because you have chosen to Sign in with Google, we will process your personal data to perform any contract we have entered into with your employer or in relation to any steps we take at the request of your employer prior to entering into a contract. In particular, this includes providing you with access to the Attio application.

Attio provides a customer relationship management (CRM) and task management application aimed at business customers. If we have received personal data because you have chosen to connect your Google Drive, Google Calendar and/or your Gmail account, we will collect your data from this service in order to enhance the email, file and contact management experience and improve your productivity when using the Attio application. In particular, this includes access to your Google user data from within the Attio application, where you can view your data in the relevant context of a CRM software application and manage your professional relationships.

Additional Limits on Use of Your Google User Data:

Notwithstanding anything else in this Privacy Policy, if you provide us with access to data from connected Google services, our use of that data will be subject to these additional restrictions:

• We will only use access to data from a connected Google Service to provide our Attio web and mobile CRM and task management application that allows users to read, process, write and delete emails, track recipient opens, clicks and replies to emails, access their Google Drive files and calendar. Furthermore, our use of data is limited to providing or improving user-facing features that are prominent in the requesting application’s user interface.

• We will not transfer this data to others unless doing so is necessary to provide and improve features that are prominent in the user interface, comply with applicable law, or as part of a merger, acquisition, or sale of assets.

• We will never use Google User data for serving advertisements, including retargeting, personalized, or interest-based advertising.

• We will not allow humans to read this data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for our internal operations and even then, only when the data have been aggregated and anonymized.

• Attio’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

3.3 Using data you uploaded or entered into the Attio application

If we have received your personal data because you uploaded it to our platform, we shall process that personal data for any of the lawful purposes described above and on your instructions.

3.4 Using data for our legitimate interests

We may also use your personal data for our legitimate interests, including dealing with any customer services you require, for regulatory and legal purposes (for example anti-money laundering and fraud prevention purposes), for audit purposes and to contact you about changes to this Privacy Policy.

3.5 Using data to provide Product Update E-Mails (Marketing)

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased our services from us and you have not opted out of receiving that marketing.

You may consent to receive product update email messages from us. You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you, accessing our website settings or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a purchase, warranty registration, product/service experience or other transactions. You may therefore receive emails relating to your use, account and/or users’ use or account even if you have opted out of our marketing emails. This is because these emails are transactional and do not require your consent to receive. Please note that where you do opt out of marketing emails, it may take us a few days to update our records to reflect your request.

If you ask us to remove you from our product update mailing list, we shall keep a record of your name and email address to ensure that we do not send you any more product update information. We shall also continue to send you necessary information relating to your use of our services if you, your employer or colleague has an account with us.

We will also get your express opt-in consent before we share your personal data with any third party for marketing purposes.

3.6 Using data to improve our service

We also analyze data usage of our platform and use that information to improve our services and platform for our legitimate interests. Please see our Cookies Policy for detailed information.

3.7 Using data to process job applications

If you apply for a job with us, we shall use the personal data you provide to process your application and respond to you accordingly.

3.8 Change of purpose

We will only use your personal data for the purposes for which we collected it (as described above), unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

4. Who do we share your data with?

For our legitimate interests, we may share your personal data with any service providers, sub-contractors, and agents that we may appoint to perform functions on our behalf and in accordance with our instructions, including payment providers, IT service providers, accountants, auditors, and lawyers. We shall provide our service providers, sub-contractors, and agents only with such of your personal data as they need to provide the service for us and if we stop using their services, we shall request that they delete your personal data or make it anonymous within their systems.

In order to comply with our legal obligations, under certain circumstances we may have to disclose your personal data under applicable laws and/or regulations, for example, as part of anti-money laundering processes or to protect a third party’s rights, property, or safety.

For our legitimate interests, we may also share your personal data in connection with, or during negotiations of, any merger, sale of assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company in which case we will send a notice to our users.

5. Where we hold and process your personal data

Some or all of your personal data may be stored or transferred outside of the United Kingdom (UK) or European Economic Area (the EEA), including for example, if our email server is located in a country outside the UK or EEA or if any of our service providers are based outside of the UK or EEA.

Where your personal data is transferred outside the UK or EEA, it will only be transferred to countries that have been identified as providing adequate protection for your data or to a third party where we have approved transfer mechanisms in place to protect your personal data – i.e., by entering into the UK’s International Data Transfer Agreement (IDTA) or Addendum, or the European Commission's Standard Contract Clauses.

Please contact us on the email address set out in clause 10 if you require further information on the specific mechanism that we use when transferring your personal data outside of the UK or EEA under this paragraph.

6. Security

We shall process your personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. We do this by using appropriate technical or organizational measures, for example, all information you provide to us is stored on our secure servers and our employees are required to comply with all applicable data protection laws.

If you are our client and you wish to send to us personal data to host on our platform, we shall both comply with our obligations under the Attio Customer Agreement.

Notwithstanding the above, you acknowledge that no system can be completely secure. Therefore, although we take these steps to secure your personal data, we do not promise that your personal data will always remain completely secure. If there is a security breach, we will do all that we can as soon as we can to stop the breach and minimize the loss of any data.

7. Your rights

You have a number of rights under applicable data protection legislation. Some of these rights are complex, and not all of the details have been included below. Further information can be found here.

• Right of access: You have the right to obtain from us a copy of the personal data that we hold for you.

• Right to rectification: You can require us to correct errors in the personal data that we process for you if it is inaccurate, incomplete, or out of date.

• Right to portability: You can request that we transfer your personal data to another service provider.

• Right to restriction of processing: In certain circumstances, you have the right to require that we restrict the processing of your personal information.

• Right to be forgotten: You also have the right at any time to require that we delete the personal data that we hold for you, where it is no longer necessary for us to hold it. However, whilst we respect your right to be forgotten, we may still retain your personal data in accordance with applicable laws.

• Right to stop receiving marketing information: You can ask us to stop sending you information about our services, but please note we shall continue to contact you in relation to any matters relating to your report.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us to confirm your identity and ensure your right to access your personal data or to exercise any other right. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request so we can deal with it promptly.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If we are a processor of your data (and our client is the controller) we shall only process your personal data as instructed by our client. You will need to contact our client directly if you wish to exercise your rights in relation to the data processed on our platform. If you do contact us directly, we will notify our client as soon as reasonably practical and assist our client as the controller by taking appropriate measures to enable the fulfilment of our obligations to you.

If you have any complaints in relation to this Privacy Policy or otherwise in relation to our processing of your personal data, please tell us. We shall review and investigate your complaint and try to get back to you within a reasonable time. You can also contact the Information Commissioner, see www.ico.org.uk or if you are based outside of the United Kingdom, please contact your local data protection authority.

8. Retention of personal data

We will retain personal data in accordance with applicable laws.

If we have received your personal data because you are an employee of a client, we shall retain your personal data until we no longer work with your employer, except where we are required to retain personal data for a particular period of time to comply with legal, auditory, or statutory requirements, including requirements of HMRC in respect of financial documents.

If we have your personal data because a client has uploaded it to our platform, we shall retain it in accordance with our client's instructions.

In some circumstances you can ask us to delete your data: see ‘Your rights’ above for further information.

In some circumstances we will anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. General

If any provision of this Privacy Policy is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be construed, as nearly as possible, to reflect the intentions of the parties and all other provisions shall remain in full force and effect.

This Privacy Policy shall be governed by and construed in accordance with the law of England and Wales, and you agree to submit to the exclusive jurisdiction of the English Courts.

10. How to contact us

You can contact us with any questions or comments about your Personal Data, this Policy, or any other privacy-related enquiries by emailing [email protected].

If you are in the European Union, you may address privacy-related inquiries to our EU representative pursuant to Article 27 GDPR:

EU-REP.Global GmbH, Attn: Attio

Hopfenstr. 1d, 24114 Kiel, Germany

[email protected]

www.eu-rep.global