This Privacy Policy (the “Privacy Policy” or “Agreement”) is designed to explain what personal information Posh Technologies, Inc.(hereinafter, “Posh”, the “Company”, or “We”) collects, why we collect such data, how and when it is collected and shared, and how your content is handled. Posh provides customer service support via our Artificial Intelligence (“AI”)chatbots and related services (collectively the “Services”). For the purposes of this Agreement, “Personal Information” (or “PI”) means information that is related or may be used to identify an individual. We encourage all users of Posh Services and its website generally, to stay apprised of changes to this Privacy Policy, which may be updated from time to time. We will notify users of changes to this Agreement by posting a notice on our Website (www.posh.tech or the “Website”).
For the purposes of GDPR (the European General Data Protection Regulation); Posh is a Data Controller with respect to employees or applicants for employment to Posh and a supplier of Services to our Customers. We are a Data Processor with respect to PI about the end users who are customers of our clients (“End Users”) and our clients who use the Service (or “Customers”). Additional information related to how we process end-user or customer data can be found in our Data Protection Addendum.
Information you Provide to Posh
There are a number of ways that you may process PI via Posh. These include:
Interaction with the Services as an End User, where you will interact with our Services for the purpose of effectuating a support function by disclosing PI such as your username, password, email address or information, phone number, physical address, IP address or information, locations, transcripts of conversations with our AI rendering Services, and any and all information you choose to voluntarily disclose while interacting with this Website or the Services.
Using Services as a Customer. This is where a Customer or an employee or agent of the Customer uses our Services to provide support to their End Users. This may include PI such as your company email address, legal name, company or Customer name, mailing address, phone number, username, password, Customer tax information and basic site information.
Correspondence by phone, e-mail, form entry, or other related forms of communication. We will only request disclosure of information necessary to provide you with products and our Services or to effectuate improvements/suggestions to our Website or Services.
Applying to work for Posh. We collect information you supply to us including your CV. cover letter, legal name, IP, email, and physical address, and other relevant information you choose to supply to us. We encourage you to refrain from disclosing sensitive PII that is not relevant to our employment decision-making process such as gender, height, weight, medical history, religion or philosophical/political views, financial data, or others. We prefer not to handle this information for our mutual benefit.
Supplying us with goods or services—suppliers may provide information regarding their contact name, email and physical address, telephone number, or any other information you so choose to provide.
Information that we collect through your uses of the Website or the Services
We collect information to provide our Customers and End Users with superior service and customer experience, diagnose technical problems or issues, and generally administrate and improve our Website and Services for your benefit. Posh collects this data from visitors and Customers that interact with the Website. We may also track and analyze non-PI information, aggregate usage, and other statistical information from visitors and Customers who interact with the Website.
We receive message logs and usernames when End Users interface and interact with Services provided to our Customers. These logs may contain PI and other information the End User chooses to supply including but not limited to usernames, email or physical address, phone numbers, payment information, passwords, etc.. during the interaction with our service. etc. You are encouraged to supply only information that is necessary to use our Services and not volunteer any sensitive PI unprompted. We make every effort to support our data minimization policy by obfuscating or removing information not required in the use of our service.
Posh and our Customers utilize a variety of technologies like cookies, scripts, beacons, and tags for analysis of End User’s use of the Website, administration of the Website, and gathering aggregated information about how End Users interact with the Website and/or our Services. Our Website may also employ clear gifs, images, and scripts which are used as a tool to enhance and manage our Website. This information is anonymized and not connected or tied to our Customers’, End Users’, or visitors’ PI.
Cookies
Cookies consist of files that web browsers place on an End User’s, Customer, or visitor’s computer hard drive that allow for identification of returning visitors. You may also have cookies transmitted to you by interacting with links to third-party websites. We utilize cookies to enhance our product and the End User experience generally. These cookies, on their own, cannot identify you personally. Unless you choose to identify yourself, these cookies cannot be used to positively identity you.
There are two general types of cookies: session and persistent.
Session cookies exist while you are interacting with the Website and are erased from your hard drive once the End User or visitor closes the web browser or turns off their computer. Persistent cookies remain on your computer after interfacing with the Website.
Posh uses session cookies that allow your unique identification while you are logged in. This enables us to verify your identity when you are logged in or otherwise interacting with our Services or the Website. These are required to successfully interact with our Services and the Website. We use persistent cookies that are only usable and readable by us to identify End Users, Customers, or visitors to our Website. You may disable your web browser’s ability to accept cookies, but this will affect your ability to successfully interact with our Website or utilize our Services.
How the above information is used by Posh for visitors to our website:
We collect the information discussed above to provide our Services to our Customers, their End Users, and visitors to our Website and, provide periodic updates on Posh’s products and services, and improve our Website’s interface. We use this information in the following ways:
We use information to administer and improve our Website and to ensure it is safe and secure. We will also use this information to better understand the effectiveness of our communication to our website visitors. We analyze data from our website to better understand how visitors interact and interface with our site and content.
Data Location
Data collected from you may be transferred to and/or stored in the United States, which is located outside of the European Economic Area (“EEA”) for which there is an adequacy decision relating to the safeguards of PI data from the European Commission (the EU-US Privacy Shield framework). For information on the security measures and safeguards we have in place in the United States, you may reach out to us at privacy@posh.tech.
Residents of the European Union
If you are a resident of the EU, you may submit a complaint to your local privacy commission or supervisory authority with respect to Posh’s processing of your PI.
Residents of California
Residents of California are afforded certain rights discussed below under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”).
Posh does not sell, as defined in the CCPA and CPRA, PI we collect.
The CCPA and CPRA provides California consumers with the right to request details on the categories or specific PI we collect and how we use and/or disclose PI, to delete their PI, to optout of sales (as defined in CCPA and CPRA) of their PI. It is also unlawful to discriminate against consumers who choose to exercise these rights.
California consumers may reach out to us to request exercising their rights under the CCPA and CPRA at privacy@posh.tech. We will use reasonable steps to verify your identity and effectuate lawful requests—government issued ID may be required.
For further information related to your right to privacy; please review our Data Processing Addendum.
The following Data Processing Notice sets out the summary of data processing responsibilities between Posh Technologies (Processor), Google Inc and Amazon Web Services (Subprocessor) and “you” (Data Controller).
Revision History
15th April 2022 - Initial Notice Creation
1st December 2022 - Notice Revision Updates
Notification Date
9th January 2023
Data Privacy Requirement
Posh Technologies Data Processing Addendum
Data Privacy Legislation concerning the processing of personal data and protection of privacy in electronic communication
Not limited to:
California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”),
European Commission, European Data Protection Board and applicable national supervisor y authorities including without limitation the UK Data Protection Act 2018, UKGDPR, GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
Swiss Data Protection Act 2020
Systems
Software-as-a-Service platform providing Artificial Intelligence conversational agents through a B2B service.
Duration of Processing
As per the request of the data controller in line with the terms of service
Purpose and Legal Basis For Processing
In accordance with GDPR Art.6, the lawful processor of data is done to meet the contractual terms of service. A Data Processing Impact Assessment (DPIA) to ensure personal identifiable information is not collected.
Nature of Processing
Data defined by the Data Controller to optimize the service of the platform. Data Subject information, if inadvertently processed through our platform, is deleted through technological measures in a manner to where the data is irrecoverable. Data Subject information as defined in the personal data categories below is not persisted in Posh Systems.
Personal Data Categories
Data Subject First Name.
Data Subject Middle Name.
Data Subject Last Name.
Data Subject Email Address.
Data Subject Geolocation Information (Cookies, IP, etc.).
Data Subject Indirect Information (non-identifying information, e.g. Job Title).And, Phone Number
Other data categories:
The data controller acknowledges they will be responsible for ensuring sensitive data categories will not be used by data subjects during the transmission of data. The data controller is responsible for informing their members/end-users of their privacy rights. Posh Technologies may collect other data attributes if advised by the data controller.
Note: At the time of updating this document, Posh Technologies Inc. does not persist identifiable data elements of customer employees or end-users.
Special Categories of Personal Data
Data Subject Account Number (only via authenticated mechanisms will this data be processed).
Sub-Processor
Google Inc
1600 Amphitheatre Parkway Mountain View, CA 94043
Salesforce
Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105
Twilio
375 Beale Street, Suite 300. San Francisco, CA94105.
Processor and Sub-Processor Security Measures
Measures taken by Posh Technologies Inc. and our cloud service providers to maintain the confidentiality of data. (Article 32(1)(b) GDPR).
Posh Technologies uses technical measures to delete data subject information once transmitted to Posh Systems. The following controls (albeit not all controls) may apply in some manner during the processing of information.
Access control to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities holding End User Personal Data:
· Access control system
· ID reader, magnetic card, chip card
· (Issue of) keys
· Door locking (electric door openers etc.)
· Surveillance facilities
· Alarm system, video/CCTV monitor
· Logging of facility exits/entries
Access to Control Data
· Differentiated access rights
· Access rights defined according to duties
· Automated log of user access via IT systems
· Measures to prevent the use of automated data- processing systems by unauthorized persons using data communication equipment
- Data Obfuscation and/or Data Deletion
- Access Reviews
Integrity
(Article32(1)(b) GDPR)
· Compulsory use of encrypted private networks for all data transfers
· Creating an audit trail of all data transfers
- File Integrity Monitoring
Disclosure Control
· Compulsory use of encrypted private networks for all data transfers
· Creating an audit trail of all data transfers
Input Control
· Logging user activities on IT systems
· That it is possible to verify and establish to which bodies End User Personal Data have been
· or may be transmitted or made available using data communication equipment.
· That it is possible to verify and establish which End User Personal Data have been input into
· automated data-processing systems and when and by whom the data have been inputted for processing (data controller party).
Job Control
· Unambiguous wording of contractual instructions
· Monitoring of contract performance
Segregation Control
· Restriction of access to data stored for different purposes according to staff duties
· Segregation of business IT systems
· Segregation of IT testing and production environments - Role-based access control / least privilege access
Availability Control
· Installed systems may, in the case of interruption, be restored
· Systems are functioning, and that faults are reported
· Data is processed while incorporating security measures to mitigate corruption
· Uninterruptible power supply (UPS)
· Business Continuity procedures
· Remote storage
· Antivirus/firewall systems
Data Subject Rights
Right to Access Personal Data
Right to Access Personal Data Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Right to Rectification.
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Right to Erasure
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Right to Restrict Data Processing
The Data Controller is responsible for addressing and exercising the data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech. Once the requested personal data of the data subject is deleted or obfuscated, Posh Technologies will inform the Data Controller.
Right to be Notified
The Data Controller is responsible for addressing and exercising data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech
Right to Data Portability
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Right to Object
The Data Controller is responsible for addressing and exercising data subject’s rights and informing Posh Technologies LLC within 30 days of being notified of this action. All requests can be sent to our privacy: privacy@posh.tech
Right to Reject Automated Individual Decision-Making
Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.
Additional Data Processing Obligations
Right To Audit
Posh is regularly audited by third party auditors as well as performing our own internal audits. Customers can request a copy of these documents provided all parties ensure an applicable non-disclosure agreement is in place. All audit requests are limited to once per calendar year per subscribed customer.
Data Protection Officer
Please contact our Data Protection Officer at privacy@posh.tech
Compliance with Data Protection Legislation
Each party will comply with their applicable obligations under the Data Protection Legislation as it relates to the processing of personal data or data owned by the controller. All parties will include compliance with Data Protection Legislation for example but not limited to Article 31 of GDPR
Right to Restrict Data Processing
The Data Controller is responsible for addressing and exercising the data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech. Once the requested personal data of the data subject is deleted or obfuscated, Posh Technologies will inform the Data Controller.
Data Breach Notification
Posh Tech shall notify impacted parties upon the discovery of a data breach of personal data owned by the Data Controller. Disclosure will be done so within72 hours upon discovery.
Data Controller Obligations
The Data Controller shall at all times recognize and use a legal basis for processing Personal Data through the Processor or Subprocessor systems. Data Controller is responsible for notifying the Processor in the event any data privacy rights are exercised by their end-users (or members).
Deleting Information
Posh Technologies actively and regularly investigates whether their technological measures delete data subject information upon transmission to Posh Systems. In the event you believe your information is held by Posh Technologies, despite our data deletion measures, you can contact our data privacy team at privacy@posh.tech