Last updated: October 2022
Chillwall Inc., operating as Chillwall AI (the “Company”)
COMPLIANCE WITH LEGISLATION
In Canada, the Company is a service provider and may act as a service provider, information manager or electronic service provider under applicable privacy legislation, including Ontario’s Personal Health Information Protection Act (PHIPA) regulations (the “Applicable Laws”).
The Company may use and disclose personal information if it is required to do so by law, when it is permitted to do so consistent with HIPAA, or if the Company has a good faith belief that such action is necessary to conform to applicable laws or comply with any legal, regulatory or similar requirement or investigation, to protect or defend the rights or property of the Company or another user or to enforce the Company’s License Agreement (as defined below).
The Company is dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the GDPR. Our preparation and objectives for GDPR compliance have been summarized in this statement and include the development and implementation of new data protection roles, policies, procedures, controls, and measures to ensure ongoing compliance.
a) LICENSE AGREEMENT AND END USER LICENCE AGREEMENT
b) CONSENT AND AGREEMENT TO BE BOUND
ii) YOU MAY ALSO HAVE PROVIDED CONSENT THROUGH DISTRIBUTION PLATFORMS. There are certain types of device data that the Product cannot access without Your consent. The various platforms that the Company serves the Product through will notify You the first time the Product requires permission to access certain types of data and will let You decide to consent to that request. You further agree to abide by all the terms in the third-party distributor site or platform and their applicable end user licensing agreement, or terms and conditions (“Distribution Platforms”), so long as such agreement does not conflict with the terms herein or the License Agreement.
iii) CHANGES WILL REQUIRE YOUR CONSENT. In the case of a material change to the Product as described in the amendment provision set out in the License Agreement, and in accordance with the amendment requirements set out therein, the Company will provide written notice to inform You and will obtain consent from You for any new purposes not previously identified.
c) CONSENT TO COLLECTION AND ANALYSIS OF THE INFORMATION YOU PROVIDE TO US
ii) CONSENT TO PROCESS THIRD PARTY DATA YOU SEND TO US IS YOUR RESPONSIBILITY. Any data sent to the Company for processing by You is considered to be third party data (“Third Party Data”). For all Third Party Data, the consent required upon collection of third party data shall be obtained by You (“Third Party Data Consent”).
iii) CONSENT TO RECEIVING COMMUNICATIONS FROM US: When You sign up for an account, You are opting in to receive emails from the Product for administrative or technical issues and You may occasionally receive Company newsletters.
b. WE WILL NOT REQUEST CONFIDENTIAL PERSONAL INFORMATION: The Company will never send email messages to customers requesting confidential information such as passwords, credit card numbers, or social security or social insurance numbers. Please do not act on any such emails as You may compromise Your Personal Information by replying or by following links to a fraudulent website.
INFORMATION YOU SHARE WITH THIRD PARTIES. You should be aware that by providing third parties with Your name and password, You may inadvertently enable unauthorized persons to review, modify or delete Your Personal Information. The Company is not under an obligation to monitor the use of the Product.
i) CONTACT INFORMATION. If You have questions or concerns regarding Company's policy or practices, please contact the Company by email at email@example.com.
COLLECTION OF USER INFORMATION INCLUDING PERSONAL INFORMATION
a) DISCLOSURE OF COLLECTION
b) COLLECTION OF PERSONAL INFORMATION
When You use the Product, the Company stores certain information about Your device and Your activities that You provide to the Company and that the Company automatically collects, including:
i. REGISTRATION INFORMATION: Your user registration information which includes the following personal information (“Personal Information”): Your first and last name, and email address. You agree and understand that You are responsible for maintaining the confidentiality of your password, which, together with your Personal Information (together the “User ID”), allow You to access the Product. You agree that all Personal Information provided to us will be accurate and up to date. You agree to keep your password secure. We will not be liable if we are unable to retrieve or reset a lost password. If You become aware of any unauthorized use of your password or account, You agree to notify our privacy officer via email at firstname.lastname@example.org as soon as possible;
ii. TECHNICAL INFORMATION: technical information about Your device such as Your computer’s Internet Protocol address (IP address), the type of device, the pages of the Platform that you visit, Internet Service Provider (ISP), OS version, location, the time and date of Your use of the Platform, the time spent on the Platform’s pages, unique device identifiers, geolocation, clickstream data, other browser information (e.g., size, connection speed, connection version, and connection type), and other diagnostic data;
iii. MOBILE DEVICE LOCATION INFORMATION: Upon registration or the use of our location-enabled services on the Product (for example, when you access services from a mobile device), we may need to collect and process information about your actual Global Positioning System location (including the latitude, longitude or altitude of your mobile device) and the time the location information was recorded. Certain features of the Product require your location data to work, along with your device identification and other information we hold about you. If you do not want your location information collected when you use the Product, please contact your device manufacturer or platform provider to determine how to disable the collection of this information.
iv. USER PREFERENCES COLLECTED AUTOMATICALLY: Your User Preferences which the Company will collect and determine automatically through Cookies (as defined below) and Traffic Data (as defined below);
v. USER PREFERENCES SUPPLIED BY YOU: Your user experience preferences and settings (time zone, language, etc.), as well as content and usage preferences (collectively, the “User Preferences”); and
vi. CONTENT SUPPLIED BY YOU: The Company collects content that You upload, post, and/or share to Company's Product which includes the Company's Social Media Services (as defined below).
c) METHODS OF COLLECTION
We may collect electronic information from You from the following sources:
i. COLLECTION OF INFORMATION AT REGISTRATION. Registration is required if You want to use the Product. As part of this registration, the Company will require that You submit certain information that is relevant to the purposes of the Product.
ii. COLLECTION THROUGH SOCIAL MEDIA: If You are logged into social media websites or applications (such as Facebook, Instagram, Twitter, among others, and individually and collectively, “Social Media Services”) on pages and/or locations that are related to the Company's Product, the Company may receive information from such Social Media Services, in which case the Company may collect and store information identifying Your account with the Social Media Services;
i) COLLECTED AUTOMATICALLY THROUGH ANALYTICS TOOLS: The Company may collect and store information (including Personal Information) locally on Your device using mechanisms such as Product data caches, “Cookies” (cookies, pixel tags or other similar technologies which are small data files that are stored on an End-User's device for record-keeping purposes that track where You travel on the Product and what You look at, on single sessions or cumulated over time. Although Cookies are used by most major Products and are accepted by default by most Products, it may be possible to disable Cookies via Your settings), and through "Traffic Data" which collects the route and destination of users and information on and through Company's Product, as well as cookies that are stored temporarily on Your device. The Company uses the following Cookies:
a. Session Cookies. The Company uses Session Cookies to operate the Product (“Session Cookies”);
b. Preference Cookies. The Company uses Preference Cookies to collect and store your preferences and various settings (“Preference Cookies”); and
c. Security Cookies. The Company uses Security Cookies for security purposes (“Security Cookies”).
a) INFORMATION MAY BE RETAINED UNTIL A SYSTEM-WIDE BACKUP IS PURGED: such data may continue to temporarily persist in the Company’s system-wide business recovery back-ups (if any) until such time as the system-wide business recovery backup is deleted and replaced with data that does not include data collected during Your agreement term; however, You have no expectation of data retention whatsoever and acknowledge that backing up of Your own data is Your responsibility; or
b) INFORMATION MAY BE RETAINED IF REQUIRED TO COMPLY WITH LAW: such data may continue to temporarily persist to the extent that such information is required to be retained for compliance with applicable law (for example, to prevent, investigate, or identify possible wrongdoing in connection with the Product or to comply with legal obligations) and until such time as such information is no longer required for this purpose; however, You acknowledge that recovery of data is not permitted by You from within this system under these circumstances unless Company is required and compelled to do so by law, and in such event, at Your sole expense.
iv. CHANGE REQUESTS MAY REQUIRE IDENTITY VERIFICATION ON YOUR PART: When updating Your Personal Information, the Company may ask You to verify Your identity before the Company can act on Your request.
v. TRACKING YOUR PREFERENCES. The Company may capture and manage all End-User and Client privacy preferences. Your preferences may be tracked in the database and attached to Your End-User records. If the preferences are changed, the modifications may be incremental, and added to an audit log. Tracking of Your consent to the collection, storage and use of Your Personal Information may also be recorded for the purposes of an audit log for consent. To ensure that the data is traceable, the source of the data may be logged, as well as a timestamp for the transaction.
b) STORAGE AND RETENTION
ii. DATA RETENTION:
a. OF NON-PERSONAL INFORMATION: Data that is non-Personal Information may be kept by Company for an indefinite period; however, this does not constitute a guarantee that Company will keep the data indefinitely. If a User or Client would like to ensure that data is indefinitely kept, that can be requested, upon written agreement of the parties of a custom services plan. This data will primarily be used in aggregate and anonymized format to drive business intelligence and analytics.
b. OF PERSONAL INFORMATION: Personal Information data will be kept until the Personal Data Removal Date (as defined above), with such deletion to be initiated by Company or by the User, in the manner described above in the section entitled “Removal of Personal Information by Company or by You.”
c. DATA RECOVERY BY YOU: Other than information that Company is required to retain and provide to You by law. The Company runs a periodic backup of End User’s User Data every twenty-four (24) months and may store the End-User’s User Data as long as the End-User’s account is current and active until expiry of the Data Retention Period.
d. DATA RESTORES: The Company will not restore data unless it is available and then only if the Company determines, in its sole discretion that a data recovery is necessary.
e. PERIODIC AUDIT. Company may perform routine audits at its sole discretion or on a schedule as required by Applicable Law to confirm deletion of the data has occurred in the manner described above in the section entitled “Removal of Personal Information by Company or By You.”
c) SECURITY MEASURES: The Company takes Your privacy very seriously. If You have a security related concern, please contact the Company at the contact details provided above. The Company will work closely with You to ensure a quick and personal response to Your concerns. In addition, the Company restricts unauthorized access through protective policies, procedures, and technical measures, including:
a. SAFEGUARDS PROVIDED BY YOU: To keep Your Personal Information secure, You are required to safeguard Your End-User name and password information in accordance with the License Agreement. You acknowledge that the use of a username and password is an adequate form of security. You further acknowledge and agree that internet transmissions are never completely private or secure and that any message or information that you may send to the Website may be read or intercepted by others, notwithstanding our efforts to protect such transmissions.
Further, as a condition of your use of the Product, You agree that You will not take any action intended to: (i) access data that is not intended for You; (ii) invade the privacy of, or obtain the identity of, or obtain any personal information about any Company user or End-User; (iii) probe, scan or test the vulnerability of the Website or the Product or breach security or authentication measures without proper authorization; (iv) attempt to interfere with service to any user, End-User, host, or network or otherwise attempt to disrupt our business, including without limitation, via means of submitting a virus to this Website, overloading, “flooding,” “spamming,” “mail bombing,” or “crashing;” or, (v) send unsolicited mail, including promotions and/or advertising of products and services. Violations of system or network security may result in civil or criminal liability.
b. SAFEGUARDS PROVIDED BY US: The Company will provide physical and electronic safeguards with regard to the storage of Personal Information as required by law, such as ensuring our servers meet ISO 27001 and FISMA certifications and using secured SSL API encryption. However, and pursuant to the disclaimer provided in the License Agreement, You understand that in order for the Company to operate the Product, End-User Data may be transmitted by You to the Company over the internet, public networks or otherwise, and You acknowledge that no such data transmission can be guaranteed to be completely secure, and that, beyond Company's requirements to provide a warranty on information security as required by law, Company cannot warrant the security of any information You transmit to us, and that You do so at Your own risk.
c. ACTIONS IN THE EVENT OF DATA BREACH. A “Data Breach” is defined as any non-authorized access to the storage locations of the data, or access to a storage location by an individual that is potentially suspected of having performed non-authorized activities. In the case where a Data Breach has occurred, if the Company believes that the breach creates a real risk of significant harm to the end-users, the End-User and Client will be notified in the manner as required by law, and all details regarding the impact to the End-User and Client will be shared.
d) TRAINING COMPANY'S STAFF IN DATA MANAGEMENT:
a. TRAINING OF COMPANY'S STAFF FOR HANDLING PERSONAL INFORMATION: The Company's employees and contractors may be required to adhere to standards and policies to ensure that Personal Information is secure and treated with the utmost care and respect. Furthermore, the Company limits access to Your Personal Information to those employees or contractors who the Company reasonably believes need to come into contact with that information in order to do their jobs and Personal Information will only be reviewed if accessed on a “need-to-know” basis.
DATA USAGE SCHEDULE TO THE PRODUCT LICENSE AGREEMENT
a. USE AND DISCLOSURE OF PERSONAL INFORMATION. The Company will not use or disclose Personal Information other than for the purposes identified below (individually and collectively, the “Purpose”):
i. TO COMMUNICATE WITH YOU AND TO PROVIDE CUSTOMER SERVICE: To provide Customer Service and support, administrative messages, updates, and security alerts, to resolve disputes, to detect and prevent technical issues, and to troubleshoot problems;
ii. TO IMPROVE THE COMPANY'S PRODUCT: To fulfill Your requests or the Company's product roadmap for certain features of the Product, to customize, measure, and improve the Product including by analyzing trends or responses from your participation in online surveys, tracking user movements and preferences on the Product, gathering demographic statistics about the Company's user base as a whole, and to assist the Company to measure the Company’s performance and effectiveness of the Company’s content, and to share the Company's performance information with others;
iii. TO IMPROVE THE COMPANY'S CONTENT: The Company may post Your social media content, testimonials, and other information provided by you;
iv. TO FULFIL THE COMPANY'S BUSINESS GOALS: to directly or indirectly offer or provide You with products and services that are based on the Company's analysis of Your needs as determined by the Company's analytics and the analytics of the Company's third-party processors, unless You opt out;
vi. IN THE EVENT OF AN ACQUISITION OF THE COMPANY. In the event that the Company, or all or a portion of the Company's business, or one or more of its divisions, is acquired by one or more third parties as a result of an acquisition, merger, sale, reorganization, consolidation, liquidation or another similar transaction, Your Personal Information shall be one of the transferred assets. To the extent that the Company is required to do so by law, You will be notified of any changes in ownership or uses of Your Personal Information;
ix. And to fulfill other purposes related to Company’s Product, subject to Your explicit consent if consent is required by law.
d) INTERNATIONAL DATA TRANSFER. Pursuant to the Purpose set out in section 4(a) “Use and Disclosure of Personal Information”, You agree that all information processed by the Company may be transferred, processed, and stored anywhere in the world, including but not limited to, the countries which may have data protection laws that are different from the laws where You live. The Company has taken appropriate safeguards to ensure that Your Personal Information will remain protected and require our third-party service providers and partners to have appropriate safeguards as well, including that all information be processed and stored in countries which have safeguards at least as strict as in the Province of Ontario.
e) RIGHTS TO CONTENT PROVIDED BY THE END-USER
i. FOR INFORMATION YOU PROVIDE. By posting content on the Product (the “User Data”), the End-User and Client jointly hereby grant to the Company a worldwide, non-revocable, non-exclusive, perpetual, royalty-free, and sub-licensable right to use, create derivative works of, modify, and to distribute (including without limitation, distribution online, through multiple channels, and bundled with other applications or materials) such content, and further, the agrees to waive any moral rights to such User Data, and agrees that the Company may modify or adapt the User Data in order to transmit, display or distribute it over other applications and in various media. The Client and/or End-User agrees that the Client and/or End-User will individually and jointly defend, indemnify and hold harmless the Company from and against any Claims (as defined in the Agreement) arising from the nature of the content submitted and/or the ownership of End-User Data and any claims of infringement of third-party intellectual property related to such End-User Data.
LIST OF THIRD-PARTY PROVIDERS AND END-USER DATA STORAGE PROVIDERS
a. AWS – Amazon Web Services Inc.
b. Heroku – Cloud Platform Services
3. DATA MANAGEMENT
a) VALIDATION AND CHANGES TO COMPANY'S END-USER INFORMATION
i. CLIENTS COLLECTING INFORMATION ON BEHALF OF THEIR END-USERS. In the case that the End-User Personal Information is provided to the Company by one of the Company's End-Users or clients, the Company will accept that End-User Personal Information as verified and accurate. If the Company is collecting the data on behalf of the Company's client, the Company will work with the Client to ensure that processes will be put in place to ensure that End-Users are given the chance to review and correct any data issues.
ii. REVIEW OF INFORMATION AND INDIVIDUAL ACCESS. The Company relies on You to ensure that the Personal Information You enter into the Company's system is as accurate, complete and up to date as necessary for the purposes for which it is to be used. Until the Personal Information Removal Date (as defined below), You may review or update Your Personal Information by logging into your online account through the Website and visiting your account’s profile or by submitting a request to review or update Your Personal Information to email@example.com indicating that You are requesting such review or update, subject to the identity verification process set out herein, and with the understanding that the Company may make changes to Your Personal Information to meet the technological requirements of the Company's networks and media. Unless required to comply by law, the Company may reject access or modification requests that are unreasonably repetitive, require disproportionate technical effort, risk the privacy of others, or would be extremely impractical. Where the Company can provide information access and correction, and when required by law, Company will do so for free.
iii. REMOVAL OF YOUR PERSONAL INFORMATION BY US OR BY YOU: At any time and up to twenty-four (24) months after Your License Agreement with Company has been terminated or the maximum time period allowed by applicable law as described below, whichever is longer (this is the “Personal Information Removal Date”) the End User may request a copy of all of the End-User’s User Data from the Product. After the Personal Information Removal Date, or upon Your specific request to firstname.lastname@example.org to delete the Personal Information, such Personal Information shall be deleted by the Company within a reasonable period, unless: