# User Privacy Policy
This User Privacy Policy sets out our commitment to protecting the privacy of Personal Information provided to us or otherwise collected by us, offline or online, including through this website (the “Services”), for logged in and identified users.
In this User Privacy Policy “you” means any party that provides Personal Information to us and “we” or “us” means Hikaya LLC.
If you visit our website, our section on Website Privacy Policy will also apply to you.
Please read this User Privacy Policy carefully. By providing Personal Information to us, you consent to our collection, holding, use and disclosure of your Personal Information in accordance with this User Privacy Policy. Please contact us if you have questions; our contact details are at the end of this User Privacy Policy. If you do not wish to provide Personal Information to us, then you do not have to do so.
# How this privacy policy works
As we are a US business, this User Privacy Policy takes into account the requirements of the US Privacy Act of 1978. In addition to US laws, individuals located in the European Union (“EU”) may also have rights under the General Data Protection Regulation 2016/679 (“GDPR”). Appendix 1 outlines the details of the additional rights of individuals located in the EU as well as information on how we process the personal information of individuals located in the EU.
# Definitions
Throughout this User Privacy Policy:
User means any person who has registered an account on our Services, either through creating a new workspace themselves or being invited to an existing workspace by a Customer.
Personal data is as defined in the GDPR. GDPR Art. 4(1) defines personal data as "any information which are related to an identified or identifiable natural person."
Project/Projects means any project created by a User on the Services.
Customer Data means any content added by a User to the Services.
# What information you provide to us
As a User of the Services, you provide information to us. This includes:
- profile information like your name, email address, and profile photo;
- content you add to the Services, for example files, projects, tables, layers, and maps;
- when you subscribe to our paid services, your billing details including your address;
- details of services we have provided to you or that you have enquired about;
- your responses to questionnaires, surveys, or requests for feedback; and
- additional Personal Information that you provide to us directly or indirectly through your use of our Services, associated social media platforms or accounts from which you permit us to collect information.
# What information we log about you
We log information about your access and use of our Services. This includes:
- your communications with our Services;
- your behavior through analytics events;
- your Internet Protocol (IP) address;
- your approximate geographic location;
- the storage of Internet cookies;
- the type of browser you are using;
- the type of device you are using;
- the type of operating system you are using.
# How we use information we collect
We collect and use your information:
- to enable you to access and use our Services;
- to enable you to create Projects via the Services;
- to enable you to add Customer Data to Projects via the Services;
- to process your payments where you have signed up to a paid service;
- to contact and communicate with you;
- to improve our Services through research and development;
- to prevent and address technical problems;
- to provide you with support services if requested;
- for internal record keeping;
- for advertising and marketing, including to send you information about our products and services.
# How we share information we collect
Activity, Dots, and Grid are data management products built for teams. This means sharing information with others through the Services, and with certain third parties.
We share information we collect about you in the ways discussed below, including in connection with possible business transfers, but we are not in the business of selling information about you to advertisers or other third parties.
Where we disclose your Personal Information to third parties for the purposes listed below, we will confirm that the third party’s privacy policies and procedures are in accordance with the US Privacy Act.
# Sharing with other users
Certain information will be shared with other members of your workspace. These people are usually colleagues you work with day-to-day, or clients you have added to your workspace.
The information shared with other users in your workspace includes:
- profile information like your name, email address, and profile photo;
- content you add to the Services, for example files, projects, tables, layers, and maps.
# Sharing with third parties
As part of providing our Services, we use third party services to store and process your Personal Information. This includes third parties that store data outside of Australia.
For information on our use of third parties, including the geographic location of each subprocessor, see our list of Data Subprocessors.
# Other third party disclosure
In addition, we may disclose Personal Information to:
- credit reporting agencies and courts, tribunals and regulatory authorities where you fail to pay for goods or services provided to you;
- courts, tribunals, regulatory authorities and law enforcement officers as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
- third parties, including agents or sub-contractors, who assist us in providing information, products, services or direct marketing to you. This may include parties located, or that store data, outside of the United States.
If there is a change of control of our business or a sale or transfer of business assets, we reserve the right to transfer our user databases, together with any Personal Information and non-Personal Information contained in those databases, to the extent permissible by law. This information may be disclosed to a potential purchaser. We would seek to only disclose information in good faith.
# Your rights
Choice and consent: If you choose to provide us with your Personal Information, you acknowledge we will disclose or collect your Personal Information for these purposes and we will handle it in accordance with this User Privacy Policy.
Your provision of third party information: If you provide us with third party Personal Information then you warrant to us that you have the third party’s consent.
Restrict: If you have previously agreed to us collecting and using your Personal Information, you may change your mind at any time by contacting us at the email address listed in this User Privacy Policy. This may mean no longer using the Services.
Access: You may request details of Personal Information that we hold about you, in certain circumstances set out in the US Privacy Act of 1978 (Privacy Act). We may refuse to provide you with information that we hold about you, in certain circumstances set out in the Privacy Act.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please edit your Personal Information or contact us. We rely in part upon customers advising us when their Personal Information changes. We will respond to any request within a reasonable time. We will endeavor to promptly correct any information found to be inaccurate, incomplete or out of date.
Complaints: If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. You also have the right to contact the relevant authority in the country in which you are based.
Unsubscribe: You may opt out of non-transactional or non-account related promotional emails by clicking the “unsubscribe” link located at the bottom of our communications.
# Data storage, transfer, and security
Hikaya hosts data with hosting service providers in numerous countries including the European Union and the United States. We are committed to ensuring that the information you provide is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information and protect it from misuse, interference, loss and unauthorized access, modification and disclosure.
No information transmitted over the Internet can be guaranteed to be secure. We cannot guarantee the security of any information that you transmit to us, or receive from us. Although we take measures to safeguard against unauthorized disclosures of information, we cannot assure you that Personal Information that we collect will not be disclosed in a manner that is inconsistent with this User Privacy Policy.
Where data is transferred over the Internet, the data is encrypted using industry standard SSL (HTTPS), with HTTP Strict Transport Security (HSTS) enabled.
# Links to other websites
Our Services may contain links to other websites of interest. We do not have any control over those websites. We are not responsible for or liable for the protection and privacy of any information which you provide whilst visiting such websites, and such websites are not governed by this User Privacy Policy.
# Amendments
We may, at any time and at our discretion, amend this User Privacy Policy. We will notify you if we amend this User Privacy Policy, by contacting you through the contact details you have provided to us. Any amended User Privacy Policy is effective once we notify you of the change.
# Appendix 1: Additional rights for individuals located in the European Union
Under the GDPR individuals located in the EU have extra rights. Personal Information under the GDPR is referred to as ‘personal data’ and is defined as: “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Personal Data).
This Appendix sets out the additional rights we give to individuals located in the EU, including how we process Personal Data lawfully, transparently and fairly.
# Legal bases for processing (for EEA users)
If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your information only where:
- we need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;
- it satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
- you give us consent to do so for a specific purpose; or
- we need to process your data to comply with a legal obligation.
If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.
Where we are using your information because we or a third party (e.g. your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.
# Data retention
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data, whether we can achieve those purposes through other means and the applicable legal requirements.
In some circumstances you can ask us to delete your data: see ‘access, erasure and data portability’ below for further information.
In some circumstances we may anonymize your Personal Data (so that it can no longer be associated with you) for analytics, research or statistical purposes in which case we may use this anonymized information indefinitely without further notice to you.
# Data transfers
The countries to which we send data for the purposes listed above may not have the same data protection laws as the country in which you initially provided the information. If we transfer your Personal Data to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred Personal Data in accordance with the Privacy Policy, as supplemented by this Appendix.
Objecting to processing: You have the right to object to processing of your Personal Data that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights and freedoms, in order to proceed with the processing of your Personal Data.
Restricting processing: You have the right to request that we restrict the processing of your Personal Data if (i) you are concerned about the accuracy of your Personal Data; (ii) you believe your Personal Data has been unlawfully processed; (iii) you need us to maintain the Personal Data solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.
Access, erasure and data portability: You may have the right to request details of the Personal Data we hold about you, or to request that we erase the Personal Data we hold about you, or that we transfer this information to a third party.
Rectification: If you believe that any Personal Data we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, incomplete, misleading or out of date.
For questions and notices, please email [email protected].
# Website Visitor
This Website Visitor Privacy Policy sets out our commitment to protecting the privacy of Personal Information collected by us through this website (the “Website”). In this Website Visitor Privacy Policy “you” means a visitor to our Website and “we” or “us” means Hikaya LLC.
# What we log about you
Our Website uses Google Analytics and Google AdWords conversion tracking.
Google Analytics uses ‘cookies’ (text files stored in your browser to allow us to analyze how you use our Website). In common with other businesses using Google Analytics the data that is generated by the cookie (including your IP address) is forwarded to a Google server in the USA and stored there.
IP anonymization is enabled on this Website. This means we will truncate / anonymize the last 4 digits of the IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area. Only in exceptional cases will the cookie send the full IP address to Google, who themselves are committed to truncating the IP address.
We use the information collected by Google Analytics and Google AdWords to help us understand how you use our Website, in order to improve our Website for all visitors.
You can change the settings on your browser to prevent cookies being stored, and you also have the option to stop the capture of data that is generated and processed by Google cookies by downloading and installing this plug-in from Google.
# Amendments
This Website Visitor Privacy Policy may be amended, including with changes, additions and deletions, from time to time in our sole discretion. Your continued use of our Website following any amendments indicates that you accept the amendments.
You should check this Website Visitor Privacy Policy each time you visit our website to ensure you are aware of any changes, and only proceed to use our Website if you accept the new Website Visitor Privacy Policy.
For questions and notices, please email [email protected].
# Data Subprocessors
Below is the list of Subprocessors we work with to deliver our services:
# Digital Ocean
digitalocean.com
- Location: Frankfurt, Germany
- Certifications: Privacy Shield, SOC 2, ISO 27001, PCI-DSS
- Data processed: User added content, email address, IP address
- DPA signed: Signed on March 19, 2021
- Location: Mountain View, United States
- Certifications: Privacy Shield, ISO 27001
- Data processed: User name, email address, IP address, analytics
- DPA signed: Signed on April 8, 2019
# Postmark
https://postmarkapp.com/
- Location: Philadelphia, United States
- Data processed: Contact name, email address, workspace name
- DPA signed: Signed on August 20, 2021
# Slack
- Location: San Francisco, United States
- Certifications: ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 2, SOC 3
- Data processed: Contact name, email address, phone number
- DPA signed: Signed on March 19, 2021
# Stripe
- Location: San Francisco, United States
- Certifications: PCI
- Data processed: Billing contact name, email address, address, card details
- DPA signed: Signed on March 19, 2021
# Data processing agreement
A Data Processing Agreement (DPA) is a legally binding document between a processor and a controller which follows the rules set out in the GDPR. The data processing agreement covers data processing as well as the relationship between the parties.
The DPA is pre-signed by Hikaya and will become legally binding upon receipt of signing by the customer.
With the new Standard Contractual Clauses adopted and approved by the European Commission, we are in the process of updating our DPA and our privacy compliance process by September 27, 2021.