Privacy Policy – EEA

Version 4.0 August 2, 2023

Who are we and how can you contact us?

This privacy notice aims at giving you information on how your personal data are processed by Mindbox.Cloud B.V. or Mindbox USA LLC (whichever is applicable). In this notice, we refer to ourselves as ’we’, ’us’ and ’our’.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us using:

our email: dpo@mindbox.cloud

The policy extends to:

our email
our product
our website

What data, for what purposes, on what basis, and for how long do we process?

Our internal operations. We act as a controller in the
- following processings Sales

Purpose	Legal ground	Data	Storage period	Data recipients
Collecting data from potential customers	Legitimate interest to establish connections with people who might be interested in our services	Name Company name Email Phone number	1 year after the last communication	Mindbox DigitalOcean LLC
Communication with a potential customer (application processing, recommendations)	Legitimate interest to provide the interested person with information on our services	Name Company name Email Phone number	1 year after the last communication	Mindbox Google LLC Pipedrive OÜ
Secondary communication with leads who are considering/rejected	Legitimate interest to provide the interested person with information on our services	Name Company name Email Phone number	1 year after the last communication	Mindbox Google LLC Pipedrive OÜ
Maintaining a customer profile in CRM, saving the history of communication	Legitimate interest to sustain relations with potential and existing customers	Name Date of communication History of communication	1 year after the last communication	Mindbox Pipedrive OÜ
Manage customers’ complaints	Legitimate interest to ensure the quality of our services	Full name Complaint	until resolution of the problem + 6 months	Mindbox Atlassian Pty Ltd

Contract conclusion, payment processing and reporting

Purpose	Legal ground	Data	Storage period	Data recipients
Manage accounts receivable	Contract If you choose not to give your data, your receivable account will not be managed	Full name (legal) Email Payment amount Status of payment Company name Date	according to applicable law	Mindbox Xero Limited
Manage accounts payable	Contract If you choose not to give your data, your payable account will not be managed	Full name (legal) Email Payment amount Status of payment Company name Date	according to applicable law	Mindbox Xero Limited
Sending information to the tax authorities	Legal obligation If you object to this processing, we will still be obliged to conduct it. Otherwise, we will be in the breach of national legislation.	Full name (legal) Email Phone number Position of an employee Company name Document authorizing to act on behalf of the company Signature Payment amount	according to applicable law
Data storage for reporting (accounting, audits)	Legal obligation If you object to this processing, we will still be obliged to conduct it. Otherwise, we will be in the breach of national legislation.	Full name (legal) Email Phone number Position of an employee Company name Document authorizing to act on behalf of the company Signature Payment amount	5 years after the termination of a contract	Mindbox Pipedrive OÜ Xero Limited Google LLC
Conclude a contract with customers	Contract If you choose not to give your data, you will not be able to enter into contract with us	Full name (legal) Email Phone number Position of an employee Company name Document authorizing to act on behalf of the company Signature Payment amount	5 years after the termination of a contract	Mindbox Pipedrive OÜ Google LLC DocuSign Inc.
Enable ongoing/repeatable payments for products/services	Contract If you choose not to give your data, your payment will not be processed	Full name (legal) Position of an employee Company name Payment amount Selected modules	according to applicable law	Mindbox
Billing, issue invoices	Contract If you choose not to give your data, you will not receive an invoice	Full name (legal) Position of an employee Company name Payment amount Date Status of payment Number of an invoiceHelp customers complete transactions	according to applicable law	Mindbox Xero Limited
Manage customers’ complaints	Legitimate interest to ensure the quality of our services	Full name Complaint	until resolution of the problem	Mindbox Google LLC Atlassian Pty Ltd
Help customers complete transactions	Legitimate interest to ensure the quality of our services	Company name Email Payment amountManage customers’ complaints	1 year after the last communication	Mindbox Pipedrive OÜ Google LLC

Security

Purpose	Legal ground	Data	Storage period	Data recipients
Investigate security incidents	Legitimate interest to maintain security of our product	Username Access level Internal ID (employee) Event data (login, wrong password, project change)	until resolution of the problem	Mindbox Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Evaluate and remediate safety / accessibility issues (block of the account in case of 5 failed attempts to enter the password)	Legitimate interest to maintain security of our product	Name Username Email Access level	until resolution of the problem	Mindbox Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services

Project Maintenance

Purpose	Legal ground	Data	Storage period	Data recipients
Offer access to a demo of the Mindbox service	Contract If you choose not to give your data, you will not get access to demo version	Name Phone number Email Company name Position of an employee	until the termination of a contract	Mindbox Pipedrive OÜ
Create a new project (customer- owner account)	Contract If you choose not to give your data, you will not be registered in our system	Login Company name	until the termination of a contract	Mindbox Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
To manage customers’ subscription	Contract If you choose not to give your data, we will not be able to change the modules you are subscribed to	Company name Selected modules	until the termination of a contract	Mindbox
Product support to customers (handling requests, consulting on Mindbox system, project support, assistance in building filters in Mindbox system for mailing lists)	Contract If you choose not to give your data, we will not be able to provide you support	Email Name Request Company name	until resolution of the problem	Mindbox Atlassian Pty Ltd Google LLC Intercom, Inc. 37signals LLC
Manage customers’ complaints	Legitimate interest to ensure the quality of our services	Full name Complaint	until resolution of the problem	Mindbox Google LLC Atlassian Pty Ltd
Schedule appointment and send reminders	Contract If you choose not to give your data, you will not be able to have a meeting with us	Email Recording of the meeting if requested	1 year after the last communication	Mindbox Google LLC Zoom Video Communications, Inc.
Communicate developments / updates to customers	Legitimate interest to keep our customers updated on the product features	Email Selected modules	until the unsubscription	Mindbox Google LLC

Marketing

Purpose	Legal ground	Data	Storage period	Data recipients
Track online behavior (websites)	Consent	IP address Location (country or town) OS type and version Browser type and version Type of device and its display resolution Traffic source for the visitor OS and browser language Which buttons are being clicked What pages are being opened	until you withdraw consent	Mindbox Google LLC Meta Platforms, Inc. LinkedIn Corporation
Obtain and publish customers’ feedback	Consent	Name Company name Position of an employee Photo Feedback	until you withdraw consent	Mindbox Digital Ocean LLC Aut O’Mattic A8C Ireland Ltd.

Machine Learning

Purpose	Legal ground	Data	Storage period	Data recipients
Algorithm training	Contract If you choose not to give your data, we will not be able to operate modules based on machine learning	Average click rate Average open rate History of customert’s interaction with products, newsletters, etc.	6 months after the termination of a contract	Mindbox Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web services

Mindbox software. We process data on behalf of the customer and act as a processor in the following processings
- Client profile maintenance

Purpose	Data	Data recipients
Creating a client (customer) profile in CDP	Mindbox ID (customer) Name Email Phone numbe IP address Sex Date of birth Type of device and its display resolution Additional info (from the comments field) Extra fields added by customer Browser type and version Location (country or town) Registration date	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web services
Creating an employee account in the system	Login Password Internal ID (employee)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Access distribution for customert’s employees	Email Login Access level Internal ID (employee)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Logging customer logins and employee actions	Login Time of the login Internal ID (employee) Actions with client’s data (editing, deletion, merging of the profiles etc.)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Authorization of user	Login Password Phone number Internal ID (employee)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services

Data collection of customer’s clients

Purpose	Data	Data recipients
To merge profiles of the same people	Email Phone number App ID Web ID Mindbox ID (customer) Order number Bank card cash	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Saving the history of customer’s actions on customer’s website, interactions with mailing lists etc. (actions)	What pages are being opened Which buttons are being clicked Whether the emails have been read (opening rate) Orders history Product lists Information about the loyalty program Mindbox ID (customer) Information about the lead form where the request was left Whether the customer is logged in to the site Loyalty card activation Bonuses accrual Viewing product categories Viewing product Subscription status Other actions	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
CDP segmentation (by behavior, purchases, and other personal data)	Segment Mindbox ID (customer) Phone number IP address Sex Age What pages are being opened Which buttons are being clicked Whether the emails have been read (opening rate) Orders history Product lists Information about the loyalty program Whether the customer is logged in to the site Loyalty card activation Bonuses accrual Viewing product categories Viewing product Subscription status Other actions DeviceUUID	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Building communication scenarios	Behavioral trigger Mindbox ID	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Collection of contacts from lead forms	Name Company name Email Phone number Information about the lead form where the request was left	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services Albato Limited
Setting up loyalty programs	Segment Mindbox ID (customer) Subscriptions	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Uploading data to the system from CSV files or via API	Customer’s database	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Integration with third-party services for data collection/accumulation (CMS, CRM, ERP, Cashiers, BI, App, Wallet. Open API)	Customer’s database	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services

Newsletters and push-notifications

Purpose	Data	Data recipients
Email newsletter	Segment Email Subscription status Behavioral trigger Order/delivery status Name Date of birth	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
SMS newsletter	Segment Phone number Subscription status	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services SMS newsletters providers Mobile operators
Sending mobile push	Segment Subscription status Filter indicated by the client Clicks on the push Device settings concerning sending mobile pushes Sender ID ID of the project in the firebase Secret key Tracker (configuration of parameters of service worker and firebase)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Apple Push Notifications Push Kit (Huawei) Firebase Cloud Messaging (Google LLC) Amazon Web Services
Sending web push	Segment Subscription status Filter indicated by the client Clicks on the push Whether the browser allows to send push Token (if the browser allows to send push) Sender ID ID of the project in the firebase Secret key Tracker (configuration of parameters of service worker and firebase)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Google LLC Amazon Web Services
Integration with advertising tools	Customer's database Segment Email Phone number Sex Date of birth Surname Name Region City Index	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services Media S.à r.l. Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services

Personalisation

Purpose	Data	Data recipients
Send location-based marketing	Segment	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Service
Customization of popups, banners, embeddings and widgets	Segment Email Name Subscription status UTM-tags URL from which new lead was obtained Domen City City ID Date and time of creation Number of purchases Orders history History of client’s interaction with products, newsletters, etc. Time spent on the website Bonuses accrual Phone number Promocode History of website visits Type of device and its display resolution Commentaries left in the form Items in the shopping bag Traffic source for the visitor Actions on the website page	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Integration with advertising tools	Customer's database Segment Email Phone number Sex Date of birth Surname Name Region City Index	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Setting up audiences for advertising tools	Segment Customer’s database	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Auto update for advertising tools		Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Retention marketing	Name Phone number Email Orders history Order amount	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Targeting by personal data and behavior on the site	Segment Mindbox ID (customer) Phone number IP address Sex Age What pages are being opened Which buttons are being clicked Whether the emails have been read (opening rate) Orders history Product lists Information about the loyalty program Other actions	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services

Reports generation

Purpose	Data	Data recipients
Advertising campaign analytics and report generation (conversion, advertising effectiveness measurement)	What pages are being opened Which buttons are being clicked Whether the emails have been read (opening rate)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Generating reports on newsletters	Clicks on the newsletter Openings of the newsletter Name of the newsletter Newsletter campaign Newsletter channel Newsletter type Tag Brand Conversions Unsubscribtions Revenue Orders	Microsoft Corporation LLC Leaseweb Deutschland GmbH
Generating reports on customers	Subscription status Brand Date of subscription Whether client is registered on the chosen channel Average Open rate Average Click rate Orders history Age Sex Region Segment Viewing product Viewing product categories Information about the loyalty program	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Generating a report on billing actions	Customer’s billing actions Date of actions	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services

Modules operating based on machine learning

Purpose	Data	Data recipients
Generate the next offer	Orders history Viewing product Viewing product categories Actions with client's lists Behaviour of similar clients Client's actions with product categories The list of clients most likely to buy products (tomorrow) Product recommendations History of client’s interaction with products, newsletters, etc. Region Web ID Mindbox ID (customer)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Build a scenario of recommendations for products	Orders history Viewing product Viewing product categories Actions with client's lists Behaviour of similar clients Client's actions with product categories The list of clients most likely to buy products (tomorrow) Product recommendations History of client’s interaction with products, newsletters, etc. Region Web ID Mindbox ID (customer)	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Determine the best time to send materials	Average click rate Average open rate History of client’s interaction with products, newsletters, etc. Name Surname Mindbox ID (customer) Distribution of the most appropriate time to send messages by days Email Phone number Brand Contact point Region	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services
Finding Look-A-like audiences in relation to the products they buy	Behaviour of similar clients History of client’s interaction with products, newsletters, etc.	Microsoft Corporation LLC Leaseweb Deutschland GmbH Amazon Web Services

Where did we get your data from?

Browser

Your internet browser (such as Mozilla Firefox, Google Chrome, or Microsoft Internet Explorer) automatically transmits some information to us every time you access content on one of our internet domains. Examples of such information include the URL of the particular Web page you visited, the IP (Internet Protocol) address of the computer you are using, or the browser version that you are using to access the website.

Our customer

Out customers can upload their databases to our system, which will create a profile of you as a customer’s client. The customer should inform you about that in their privacy notice.

Directly from you

We may obtain personal data directly from you, e.g. when you contact us, when our cookies are enabled on the customers’ websites.

Cross-border transfer?

Information about these companies and their data protection practices:

Internal operations

Mindbox

Mindbox has sales, marketing, R&D, support, accounting team in Kazakhstan and Armenia.

They work in accordance with this Privacy Policy. The relevant agreements are used to ensure that your personal data are properly protected.

Xero limited

Xero is an accounting software. The recipient is located in New Zealand, which is considered by European Data Protection Board to provide adequate level of data protection. Relevant Privacy Policy.

Digital Ocean LLC

Diginal Ocean is a hosting for our website mindbox.cloud. The recipient is located in the USA. Relevant Privacy Policy of Digital Ocean LLC. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

Google LLC

The services for internal data storage and communications is provided by Google LLC. Address: Google LLC, Google Data Protection Office, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Relevant privacy policy of Google. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to Google to ensure that they are properly protected. For more information: click on this link.

DocuSign Inc.

We use DocuSign in order to sign the agreements with customers electronically. Address: 221 Main St., Suite 1000 San Francisco, USA. Relevant privacy policy of DocuSign. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

Atlassian Pty Ltd

To manage the tasks within our team, we use such tools as Trello and Slack. Some of your personal information (such as support request) may be processed within these tools.

Relevant privacy policy. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

37signals LLC

We use Basecamp provided by 37signals LLC located in the USA to manage our projects. Relevant privacy policy. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

Zoom Video Communications, Inc.

The video conference calls services are provided by Zoom Video Communications, Inc. Address: 55 Almaden Boulevard, 6 th Floor, San Jose, California 95113, USA. Relevant privacy policy of Zoom. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

LinkedIn Corporation

The marketing services are provided by Linkedin Corporation. Address: 1000 West Maude Avenue Sunnyvale, CA 94085, USA. Relevant privacy policy of Linkedin. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data.

Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

Meta Platforms, Inc.

The marketing services are provided by Relevant privacy policy. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard

Contractual Clauses are used to transfer your data to ensure that they are properly protected.

Mindbox software

Mindbox

Mindbox has sales, marketing, R&D, support, accounting team in Kazakhstan and Armenia. They work in accordance with this Privacy Policy. The relevant agreements are used to ensure that your personal data are properly protected.

Mindbox

Apple

If you are Mindbox Customer and your clients use iPhone, when Mindbox send mobile push notification to them, Apple Push Notification service (APNs) receives your clients’ data. Relevant privacy policy. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

Push Kit

If you are Mindbox customer and your clients use Huawei phone, when Mindbox send mobile push notification to them, Push Kit, operated by Huawei receives your clients’ data. Relevant privacy policy. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

Firebase Cloud Messaging

If you are Mindbox customer and your clients use Andriod phone, when Mindbox send mobile push notification to them, Firebase Cloud Messaging, operated by Google LLC receives your clients’ data. Relevant privacy policy. Unfortunately, the country of data recipient doesn’t ensure an adequate level of protection of your personal data. Standard Contractual Clauses are used to transfer your data to ensure that they are properly protected.

Mobile operators

When we send SMS newsletters, some personal information may be collected by mobile operators. The customer chooses which mobile operator will be operating the processing.

SMS newsletter providers

When we send SMS newsletters, the customer may refer to the services of SMS newsletter providers and choose the appropriate one.

Where Mindbox store Customer’s data

We store your data within the EU in order ensure that they are properly protected.

Microsoft Azure

Microsoft provides could services called «Microsoft Azure» where we store Customer’s data. We rent servers in the Eurozone, that is, your data is stored on the servers located in the EU.

Address: Microsoft Ireland Operations Limited, Attn: Data Protection Officer, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Relevant privacy policy of Microsoft Corporation.

Amazon Web Services

Amazon provides could services called «Amazon Web Services» where we store customer’s data. We rent servers in the Eurozone, that is, your data is stored on the servers located in the EU.

Address: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg. Relevant privacy policy of Amazon Web Services.

Leaseweb Deutschland GmbH

Leaseweb is a data center where we rent servers for storing customer’s data. We rent servers in the Eurozone, that is, your data is stored on the servers located in the EU.

Address: Leaseweb Deutschland GmbH Hanauer Landstraße 121 60314 Frankfurt am Main. Relevant privacy policy of Leaseweb.

Automated decisions

Our customer can activate the module based on machine learning. We use machine learning to determine product recommendations and best time to send the materials.

Your rights

request information about the processing of your personal data obtain access to the personal data held about you

Under Article 15 of the GDPR, individuals have a right of access that gives them the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why companies are using their data, and check the lawfulness of the processing.

ask for incorrect, inaccurate or incomplete personal data to be corrected

Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed — although this will depend on the purposes for the processing.

request that personal data be erased when they are no longer needed or if processing is unlawful

Under Article 17< of the GDPR, individuals have the right to have personal data erased. This is also known as the ’right to be forgotten’. The right is not absolute and only applies in certain circumstances.

request the restriction of the processing of your personal data in specific cases

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

receive your personal data in a machine-readable format and send them to another controller (’data portability’)

Under Article 20 of theGDPR, individuals have the right to data portability that gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits those data directly to another controller.

object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation

Article 21 of theGDPR gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data.

request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to challenge the decision

withdraw your consent at any time

The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.

lodge a complaint with a supervisory authority

In accordance with Article 77 of theGDPR, you, as a data subject, have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or where an alleged infringement of the GDPR has taken place.If you have any questions about the protection of your personal data, you can contact us by using our email: dpo@mindbox.cloud