Privacy Policy

Updated January 9th, 2023

This Privacy Policy (the “Privacy Policy” or “Agreement”) is designed to explain what personal information Posh Technologies, Inc.(hereinafter, “Posh”, the “Company”, or “We”) collects, why we collect such data, how and when it is collected and shared, and how your content is handled. Posh provides customer service support via our Artificial Intelligence (“AI”)chatbots and related services (collectively the “Services”). For the purposes of this Agreement, “Personal Information” (or “PI”) means information that is related or may be used to identify an individual. We encourage all users of Posh Services and its website generally, to stay apprised of changes to this Privacy Policy, which may be updated from time to time. We will notify users of changes to this Agreement by posting a notice on our Website (www.posh.tech or the “Website”).

For the purposes of GDPR (the European General Data Protection Regulation); Posh is a Data Controller with respect to employees or applicants for employment to Posh and a supplier of Services to our Customers. We are a Data Processor with respect to PI about the end users who are customers of our clients (“End Users”) and our clients who use the Service (or “Customers”). Additional information related to how we process end-user or customer data can be found in our Data Protection Addendum.

Information you Provide to Posh

There are a number of ways that you may process PI via Posh. These include:

Interaction with the Services as an End User, where you will interact with our Services for the purpose of effectuating a support function by disclosing PI such as your username, password, email address or information, phone number, physical address, IP address or information, locations, transcripts of conversations with our AI rendering Services, and any and all information you choose to voluntarily disclose while interacting with this Website or the Services.

Using Services as a Customer. This is where a Customer or an employee or agent of the Customer uses our Services to provide support to their End Users. This may include PI such as your company email address, legal name, company or Customer name, mailing address, phone number, username, password, Customer tax information and basic site information.

Correspondence by phone, e-mail, form entry, or other related forms of communication. We will only request disclosure of information necessary to provide you with products and our Services or to effectuate improvements/suggestions to our Website or Services.

Applying to work for Posh. We collect information you supply to us including your CV. cover letter, legal name, IP, email, and physical address, and other relevant information you choose to supply to us. We encourage you to refrain from disclosing sensitive PII that is not relevant to our employment decision-making process such as gender, height, weight, medical history, religion or philosophical/political views, financial data, or others. We prefer not to handle this information for our mutual benefit.

Supplying us with goods or services—suppliers may provide information regarding their contact name, email and physical address, telephone number, or any other information you so choose to provide.

Information that we collect through your uses of the Website or the Services

We collect information to provide our Customers and End Users with superior service and customer experience, diagnose technical problems or issues, and generally administrate and improve our Website and Services for your benefit. Posh collects this data from visitors and Customers that interact with the Website. We may also track and analyze non-PI information, aggregate usage, and other statistical information from visitors and Customers who interact with the Website.

We receive message logs and usernames when End Users interface and interact with Services provided to our Customers. These logs may contain PI and other information the End User chooses to supply including but not limited to usernames, email or physical address, phone numbers, payment information, passwords, etc.. during the interaction with our service. etc. You are encouraged to supply only information that is necessary to use our Services and not volunteer any sensitive PI unprompted. We make every effort to support our data minimization policy by obfuscating or removing information not required in the use of our service.

Posh and our Customers utilize a variety of technologies like cookies, scripts, beacons, and tags for analysis of End User’s use of the Website, administration of the Website, and gathering aggregated information about how End Users interact with the Website and/or our Services. Our Website may also employ clear gifs, images, and scripts which are used as a tool to enhance and manage our Website. This information is anonymized and not connected or tied to our Customers’, End Users’, or visitors’ PI.

Cookies

Cookies consist of files that web browsers place on an End User’s, Customer, or visitor’s computer hard drive that allow for identification of returning visitors. You may also have cookies transmitted to you by interacting with links to third-party websites. We utilize cookies to enhance our product and the End User experience generally. These cookies, on their own, cannot identify you personally. Unless you choose to identify yourself, these cookies cannot be used to positively identity you.

There are two general types of cookies: session and persistent.

Session cookies exist while you are interacting with the Website and are erased from your hard drive once the End User or visitor closes the web browser or turns off their computer. Persistent cookies remain on your computer after interfacing with the Website.

Posh uses session cookies that allow your unique identification while you are logged in. This enables us to verify your identity when you are logged in or otherwise interacting with our Services or the Website. These are required to successfully interact with our Services and the Website. We use persistent cookies that are only usable and readable by us to identify End Users, Customers, or visitors to our Website. You may disable your web browser’s ability to accept cookies, but this will affect your ability to successfully interact with our Website or utilize our Services.

How the above information is used by Posh for visitors to our website:

We collect the information discussed above to provide our Services to our Customers, their End Users, and visitors to our Website and, provide periodic updates on Posh’s products and services, and improve our Website’s interface. We use this information in the following ways:

We use information to administer and improve our Website and to ensure it is safe and secure. We will also use this information to better understand the effectiveness of our communication to our website visitors. We analyze data from our website to better understand how visitors interact and interface with our site and content.

Data Location

Data collected from you may be transferred to and/or stored in the United States, which is located outside of the European Economic Area (“EEA”) for which there is an adequacy decision relating to the safeguards of PI data from the European Commission (the EU-US Privacy Shield framework). For information on the security measures and safeguards we have in place in the United States, you may reach out to us at privacy@posh.tech.

Residents of the European Union

If you are a resident of the EU, you may submit a complaint to your local privacy commission or supervisory authority with respect to Posh’s processing of your PI.

Residents of California


Residents of California are afforded certain rights discussed below under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”).

Posh does not sell, as defined in the CCPA and CPRA, PI we collect.

The CCPA and CPRA provides California consumers with the right to request details on the categories or specific PI we collect and how we use and/or disclose PI, to delete their PI, to optout of sales (as defined in CCPA and CPRA) of their PI. It is also unlawful to discriminate against consumers who choose to exercise these rights.

California consumers may reach out to us to request exercising their rights under the CCPA and CPRA at privacy@posh.tech. We will use reasonable steps to verify your identity and effectuate lawful requests—government issued ID may be required.

For further information related to your right to privacy; please review our Data Processing Addendum.  

Data Processing Addendum

1st December, 2022

The following Data Processing Notice sets out the summary of data processing responsibilities between Posh Technologies (Processor), Google Inc and Amazon Web Services (Subprocessor) and “you” (Data Controller).

Revision History

15th April 2022 - Initial Notice Creation
1st December 2022 - Notice Revision Updates

Notification Date

9th January 2023

Data Privacy Requirement

Posh Technologies Data Processing Addendum

Data Privacy Legislation concerning the processing of personal data and protection of privacy in electronic communication

Not limited to:
California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”),

European Commission, European Data Protection Board and applicable national supervisor y authorities including without limitation the UK Data Protection Act 2018, UKGDPR, GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002

Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
Swiss Data Protection Act 2020

Systems

Software-as-a-Service platform providing Artificial Intelligence conversational agents through a B2B service.

Duration of Processing

As per the request of the data controller in line with the  terms of service

Purpose and Legal Basis For Processing

In accordance with GDPR Art.6, the lawful processor of data is done to meet the contractual terms of service. A Data Processing Impact Assessment (DPIA) to ensure personal identifiable information is not collected.

Nature of Processing

Data  defined by the Data Controller to optimize the service of the platform. Data  Subject information, if inadvertently processed through our platform, is  deleted through technological measures in a manner to where the data is  irrecoverable. Data Subject information as defined in the personal data  categories below is not persisted in Posh Systems.

Personal Data Categories

Data  Subject First Name.
Data  Subject Middle Name.
Data  Subject Last Name.
Data  Subject Email Address.
Data  Subject Geolocation Information (Cookies, IP, etc.).
Data Subject Indirect Information  (non-identifying information, e.g. Job Title).And, Phone Number  

Other data categories:  

The data  controller acknowledges they will be responsible for ensuring sensitive data  categories will not be used by data subjects during the transmission of data.  The data controller is responsible for informing their members/end-users of  their privacy rights. Posh Technologies may collect other data attributes if  advised by the data controller.

Note: At  the time of updating this document, Posh Technologies Inc. does not persist  identifiable data elements of customer employees or end-users.

Special Categories of Personal Data

Data Subject Account Number (only via authenticated mechanisms will this data be processed).

Sub-Processor

Google Inc
1600 Amphitheatre Parkway Mountain View, CA 94043

Salesforce
Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105 

Twilio
375 Beale Street, Suite 300. San Francisco, CA94105.

Processor and Sub-Processor Security Measures

Measures  taken by Posh Technologies Inc. and our cloud service providers to maintain  the confidentiality of data. (Article 32(1)(b) GDPR).
Posh Technologies uses  technical measures to delete data subject information once transmitted to  Posh Systems. The following controls (albeit not all controls) may apply in  some manner during the processing of information.

Access  control to premises and facilities

Measures  must be taken to prevent unauthorized physical access to premises and  facilities holding End User Personal Data:
·          Access control system
·          ID reader, magnetic card, chip card
·          (Issue of) keys
·          Door locking (electric door openers etc.)
·          Surveillance facilities
·          Alarm system, video/CCTV monitor
·          Logging of facility exits/entries

Access  to Control Data

·       Differentiated access rights
·       Access rights defined according to duties
·       Automated log of user access via IT systems
·       Measures to prevent the use of automated data- processing systems by unauthorized persons using data communication equipment
-         Data Obfuscation and/or Data Deletion
-         Access Reviews

Integrity

(Article32(1)(b) GDPR)
·       Compulsory use of encrypted private networks for all data transfers
·       Creating an audit trail of all data transfers
-       File Integrity Monitoring

Disclosure Control

·       Compulsory use of encrypted private  networks for all data transfers
·       Creating an audit trail of all data  transfers

Input Control

·     Logging user activities on IT systems
·     That it is possible to verify and establish to which bodies End User Personal Data have been
·       or may be transmitted or made available using data communication equipment.
·       That it is possible to verify and establish which End User Personal Data have been input into
·           automated data-processing systems and when and by whom the data have been inputted for processing (data controller party).

Job Control

·   Unambiguous wording of contractual instructions
·   Monitoring of contract performance

Segregation Control

·      Restriction of access to data stored for different purposes according to staff duties
·      Segregation of business IT systems
·      Segregation of IT testing and production environments -      Role-based access control / least privilege access

Availability Control

·   Installed systems may, in the case of interruption, be restored
·   Systems are functioning, and that faults are reported
·   Data is processed while incorporating security measures to mitigate corruption
·   Uninterruptible power supply (UPS)
·   Business Continuity procedures
·   Remote storage
·   Antivirus/firewall systems

Data Subject Rights

Right to Access Personal Data

Right to Access Personal Data Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is  responsible for ensuring data subject’s rights are maintained.

Right to Rectification.

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Right to Erasure

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Right to Restrict Data Processing

The Data Controller is responsible for addressing and exercising the data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech. Once the requested personal data of the data subject is deleted or obfuscated, Posh Technologies will inform the Data Controller.

Right to be Notified

The Data Controller is responsible for addressing and exercising data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech

Right to Data Portability

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Right to Object

The Data Controller is responsible for addressing and exercising data subject’s rights and informing Posh Technologies LLC within 30 days of being notified of this action. All requests can be sent to our privacy: privacy@posh.tech

Right to Reject Automated Individual Decision-Making

Posh Technologies uses technological measures to ensure personal data as defined above is removed, if processed by the data controller. The Data Controller is responsible for ensuring data subject’s rights are maintained.

Additional Data Processing Obligations

Right To Audit

Posh is regularly audited by third party auditors as well as performing our own internal audits. Customers can request a copy of these documents provided all parties ensure an applicable non-disclosure agreement is in place. All audit requests are limited to once per calendar year per subscribed customer.

Data Protection Officer

Please contact our Data Protection Officer at privacy@posh.tech

Compliance with Data Protection Legislation

Each party  will comply with their applicable obligations under the Data Protection  Legislation as it relates to the processing of personal data or data owned by  the controller. All parties will include compliance with Data Protection  Legislation for example but not limited to Article 31 of GDPR

Right to Restrict Data Processing

The Data Controller is responsible for addressing and exercising the data subject’s rights and informing Posh Technologies Inc. within 30 days of being notified of this action. All requests can be sent to our privacy team at: privacy@posh.tech. Once the requested personal data of the data subject is deleted or obfuscated, Posh Technologies will inform the Data Controller.

Data Breach Notification

Posh Tech shall notify impacted parties upon the discovery of a data breach of personal data owned by the Data Controller. Disclosure will be done so within72 hours upon discovery.

Data Controller Obligations

The Data Controller shall at all times recognize and use a legal basis for processing Personal Data through the Processor or Subprocessor systems. Data Controller is responsible for notifying the Processor in the event any data privacy rights are exercised by their end-users (or members).

Deleting Information

Posh Technologies actively and regularly investigates whether their technological measures delete data subject information upon transmission to Posh Systems. In the event you believe your information is held by Posh Technologies, despite our data deletion measures, you can contact our data privacy team at privacy@posh.tech