Data Controller: The controller of your personal data is EMAILABLE LLC, with its registered seat at 223 Wall St, Huntington, NY 11743, United States, business registration number EIN 85-4358960 (“we”, “us”, and “our”).
Applicable data protection laws: We process personal data in accordance with applicable data protection laws, including, but not limited to, the EU 2016/679 General Data Protection Regulation (the “GDPR”) and the national laws implementing it; the Personal Information Protection and Electronic Documents Act (Canada) (the “PIPEDA”); the California Consumer Privacy Act of 2018 (the “CCPA”); California Privacy Rights Act of 2020 (the “CPRA”); the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended or replaced from time to time) (the “UK GDPR”); and the Federal Act on Data Protection of 2020 (Switzerland) (the “FADP”). We are also certified under the Data Privacy Framework and adhere to its Principles, as explained in more detail in the Section “Data Privacy Framework”.
2. Categories of Personal Data
We may process the following categories of your personal data:
Data that you provide to us:
- First name, last name, email address, phone number, log-in credentials, billing details (e.g. your VAT/EIN number) and any additional information that you decide to provide us.
- We may collect such data when you use or register to receive our services, or when you communicate with us through email, web application forms, chat, our social media, and other forms of communication. We may also collect your personal data if you choose to participate in a contest, event, or a focus group.
Data that we collect from other sources:
- When using Emailable, you can choose to permit services, functionalities, and integration provided by third parties, including, but not limited to, third-party payment gateways (such as PayPal or Stripe), social media service providers, and comment service providers (collectively, the “Third-Party Services”). Once enabled, the providers of the Third-Party Services may share certain information that you make available to us through your settings, subject to their privacy policies.
- We do not, in any event, intentionally collect or process any personal data that may be classified as special or sensitive categories of personal data under applicable data protection laws.
3. Purposes of Processing
We may collect and process your personal data for the following purposes:
To provide and improve our services and to develop new offerings
We may use your personal data and information about your organization to deliver our services to you. We will use your personal data in particular to create and maintain your user account, identify you when you login to your account, process your payments, and fulfill your requests. If you enter a contest, or a similar event, we may use your personal data to administer such an event.
We may also use the personal data about you to enhance, optimize, secure, update, market, and analyze our services or develop new services.
To communicate with you
We may process your personal data to communicate with you, for example, when we assist you with setting up or administering your account, provide customer care, resolve your complaints, and send technical notices and other support messages. Such communication is not affected by your marketing communication preferences.
To inform you about our services
We may contact you about our news, events, services and their features or special offers that we believe may interest you, provided that we have the requisite permission to do so, either on the basis of your consent, or our legitimate interests to provide you with marketing communications where we may do so, within the limits provided by law. You can opt-out from receiving marketing messages at any time (free-of-charge) by clicking on the “unsubscribe” link contained in any of the messages sent to you or by contacting us directly at email@example.com.
To comply with legal obligations, prevent fraudulent activities and protect our rights
We may also process your personal data to comply with applicable legal obligations, or to detect, prevent and address fraud and other illegal activity. This includes establishing, exercising, or defending our legal claims, enforcing our Terms of Service and protecting our rights.
4. Lawfulness of Processing
Performance of a Contract: We process, use, and store your data primarily to perform our obligations under the contracts that we have concluded with you or your organization.
Legitimate Interest: In certain instances, we may also process your personal data based on our legitimate interests. Our legitimate interests include enhancing our services and customer base, providing you a better user experience, managing our customer relationships, conducting market research and analysis, exercising and defending our legal rights, preventing fraud, illegal activity or imminent harm, and ensuring the security and operability of our network and services. Where permissible under applicable law, we may also contact you about our services based on our legitimate interests.
Consent: In specific cases, we process your data based on your consent, in accordance with the requirements for consent under applicable data protection laws. For example, we may rely on your consent for direct marketing purposes or personalized advertising, where required.
Compliance with a legal obligation: We may also process your personal data where such processing is necessary to comply with the laws applicable to our business operations.
5. Retaining and Deleting Personal Data
6. Security Measures
We employ our best efforts to keep your personal data safe and secure. We implemented organizational and technical information security measures to protect your personal data from unauthorized access and disclosure, loss, and misuse. The security measures taken by us include:
- Secured networks;
- Strong passwords;
- Limited access to your personal data by our staff;
- Anonymization of personal data (when possible); and
- Choosing reliable data processors (service providers).
Third-party links: Emailable may contain links to websites and services that are owned, operated, and controlled by third-party service providers. We are not responsible for the privacy and security practices employed by such third parties or for the content of their websites or services. If you have any questions concerning the way your personal data is processed, used, or stored by such third-party service providers, we recommend referring to the privacy policies on their relevant websites.
7. Disclosure of Personal Data
We may disclose your personal data to:
Third parties, such as professional advisors or public authorities, when necessary, to comply with legal obligations, to enforce or defend our legal rights, including in connection with a corporate restructuring or insolvency, to prevent fraudulent activities or imminent harm, and/or to ensure the security and operability of our network and services.
Our suppliers, who process your personal data as our processors (service providers) on our behalf and pursuant to our instructions, to provide you with the services you requested and to ensure their proper functioning and development (IT support, hosting, payment processing, etc.). We strive to select our suppliers carefully and ensure that they are able to provide adequate data protection and security safeguards.
8. International Transfers of Personal Data
Where required by the applicable data protection laws, any transfer of your personal data outside the EU, UK or Switzerland only takes place if the requirements of the applicable data protection laws, in particular as laid down in Art. 44 et seq. GDPR, have been fulfilled, e.g., based on the European Commission’s adequacy decisions, or the Standard Contractual Clauses (EU or Swiss), including the UK SCC Addendum, where applicable.
Data transfers to the U.S. from the EU, UK (including Gibraltar), and Switzerland (as of the effective date of the recognition of the Swiss-U.S. Data Privacy Framework by the Swiss Federal Administration) are based on the Data Privacy Framework as described in detail in the Section below.
9. Data Privacy Framework
For the purposes of this Section, the following definitions apply:
“Data Privacy Framework” shall mean the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework.
“Data Privacy Framework Principles” or “Principles” shall mean the principles which present a set of requirements governing the U.S. participating organizations’ use and treatment of personal data received from the EU, UK or Switzerland and apply to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.
“EU-U.S. Data Privacy Framework” shall mean the EU-U.S. data transfer mechanism developed by the U.S. Department of Commerce which was recognized by the European Commission Implementing Decision of 10 July 2023 to provide an adequate level of protection of personal data pursuant to the GDPR.
“Swiss-U.S. Data Privacy Framework” shall mean the Swiss-U.S. data transfer mechanism to be recognized by the Swiss Federal Administration’s adequacy decision under the FADP.
“UK Extension to the EU-U.S. Data Privacy Framework” shall mean the UK-U.S. data transfer mechanism which was recognized by the UK Government decision effective as of 12 October 2023 to provide an adequate level of protection of personal data pursuant to the UK GDPR.
Our commitment: Our transfers of personal data from the EU, UK (including Gibraltar) and Switzerland to the U.S., are conducted in strict compliance with the Data Privacy Framework set forth by the US Department of Commerce. More information about the Data Privacy Framework can be found here.
Data Privacy Framework Principles: We have self-certified that we adhere to the Data Privacy Framework Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement, and liability. You can easily check our self-certification status by visiting the website of the US Department of Commerce.
We comply with the Data Privacy Framework Principles as described below.
Choice: You have an opportunity to choose (opt out) whether your personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. You can do so by contacting us at firstname.lastname@example.org. Please note that, in certain situations (e.g., when a disclosure is made to a third party that is acting as an agent to perform task(s) on our behalf or under our instructions and we have entered into a contract with such party), it may not be possible to opt-out without impairing the services provided by us.
Accountability for onward transfer: When we act in the capacity of a data controller and transfer your personal data to a third-party controller, we comply with the Principles of “notice” and “choice” described above. We also enter into a contract with the third-party controller that ensures that such data may only be processed for limited and specified purposes consistent with the consent provided by you (the data subject) and that the recipient will provide the same level of protection as the Principles and, if this obligation is no longer met, a notification will be provided to us. The contract also provides that, when such a determination is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.
When we transfer personal data to a third party acting as an agent (our data processor / service provider), we ensure that the agent: (i) uses personal data only for limited and specified purposes; (ii) is obligated to provide at least the same level of protection as it is required by the Principles; (iii) takes reasonable and appropriate steps to ensure that it effectively processes the personal data transferred in a manner consistent with our obligations under the Principles; (iv) is required to notify us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; and (v) upon our notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing of personal data. We will also provide a summary or a representative copy of the relevant privacy provisions of the contract, upon request of a public authority.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In particular, we remain responsible and liable under the Principles if third-party agents that we engage to process personal data on our behalf do so in a manner inconsistent with the Principles, unless we can prove that we are not responsible for the event giving rise to the damage.
Security: We take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction. When ensuring such security, we take into due account the risks involved in the processing and the nature of the personal data. Our security measures are listed in the Section “Security Measures”.
Data integrity and purpose limitation: We collect only a minimal amount of personal data that is relevant for the purposes of processing. We do not process personal data in a way that is incompatible with the purposes for which such personal data was collected or subsequently authorized by an individual (you). Moreover, we put reasonable efforts to ensure that personal data is reliable for its intended use, accurate, complete, and current. We adhere to the Principles for as long as we retain personal data.
Access: You have the right to access the personal data that we hold about you. Moreover, you are able to correct, amend, or delete that data where it is inaccurate, or has been processed in violation of the Principles. Your rights are described in detail in Section “Your Rights”. Please note that this right cannot be exercised if the burden or expense of providing access to your personal data would be disproportionate to the risks to your privacy or where the rights of persons other than you would be violated. You can exercise your rights by contacting us at email@example.com.
Recourse, enforcement, and liability: For the purposes of Data Privacy Framework compliance, we are subject to the investigatory and enforcement authority of the US Federal Trade Commission. In compliance with the Principles, we commit to resolve complaints about your privacy and our collection or use of your personal information transferred to the U.S. pursuant to the Data Privacy Framework. EU, UK, and Swiss individuals with Data Privacy Framework inquiries or complaints should first contact us by email at firstname.lastname@example.org. We will respond to your claim without undue delay.
We have further committed to refer unresolved privacy complaints under the Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the BBB National Programs website for more information and to file a complaint. This service is provided free of charge to you.
If your Data Privacy Framework complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See here for more information.
10. Your Rights
As a data subject located in the EU, UK, or Switzerland, you have the following rights:
- The right to access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to object to processing;
- The right to data portability;
- The right to withdraw consent; and
- The right to lodge a complaint.
Right to access: You have the right to request access to the personal data about you that we process and to receive a copy of that data. You may also contact us at any time with a request to receive more information regarding:
- the purposes for which we use your personal data;
- how we categorize your personal data;
- the recipients of your personal data;
- the length of time we store your personal data; and
- your rights as a data subject.
Right to rectification: You have the right to have any inaccurate personal data about you corrected and, considering the purposes of the processing, to have any incomplete personal data about you supplemented.
Right to erasure: Where applicable, you have the right to the erasure of your personal data without undue delay. Please note, that in some cases we may be legally obliged to retain some of your personal data. We may also retain some of your personal data in order to defend our legal rights, avoid sending you unwanted promotional materials in the future, and to keep a record of your request and our response.
Right to restrict processing: In some circumstances, you have the right to restrict the processing of your personal data, in particular if you believe that such processing is unlawful, or your data are inaccurate.
Right to object processing: Where we rely on our legitimate interests to process your personal data, you have the right to object to our processing of your personal data. You also have the right to object to our processing of your personal data for direct marketing purposes.
Right to data portability: To the extent that the legal basis for our processing of your personal data is (i) your consent or (ii) that the processing is necessary for the performance of a contract to which you are party, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. You may also request us to transfer such data to another data controller.
Right to withdraw consent: To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
Right to launch a complaint: You may also have the right to make a complaint to the relevant Data Protection Authority. For the EU, the list of Data Protection Authorities is available here. For the UK, the Supervisory Authority is the Information Commissioner's Office, with registered office at Wycliffe House, Water Lane, Wilmslow SK9 5AF, United Kingdom. For Switzerland, the Supervisory Authority is the Federal Data Protection and Information Commissioner (FDPIC), with registered office at Feldeggweg 1, CH - 3003 Bern, Switzerland.
Exercising your rights: You may exercise any of your rights in relation to your personal data by contacting us at email@example.com. In order to verify the legitimacy of your request, we may ask you to provide us with an identifying piece of information, so that we can locate you in our system.
If you are a Californian consumer, please see the Section “CCPA Notice” for a complete statement of your rights under the CCPA, including the right to opt-out of the sharing and sale of your personal data.
We do not allow anyone younger than 18 years old to use Emailable. Therefore, we do not knowingly collect personal data of anyone below the age of 18. If we become aware that personal data of anyone under 18 has been collected, we will take appropriate steps to delete such data.
12. CCPA Notice
Your rights regarding your personal information: As a California consumer, you have certain rights granted by the CCPA with regard to your personal information. These rights are:
- To receive information about:
- The categories of personal information that we collected from you;
- The categories of sources from personal information is collected;
- The business or commercial purposes for which we collected your personal information;
- The categories of third parties to which your personal information was disclosed and the personal information that was disclosed; and
- The specific pieces of personal information that we collected about you.
Please note that we do not collect sensitive personal information about you. - To request us to delete your personal information that we hold about you, unless there is an exception under the CCPA; and - To remain free from unlawful discrimination for exercising your rights.
Making requests under the CCPA: You can submit your requests for exercising your rights to us by email at firstname.lastname@example.org with “CCPA request” in the subject line. We will reply to you as soon as possible. Please note that we may need to verify your identity by requesting you to submit certain identifying details.
Authorized agent: You can exercise your rights through an authorized agent. To do so, you will need to (i) provide us with a copy of your written permission for the authorized agent to act on your behalf; and (ii) verify your identity with us. Alternatively, you can (i) provide your authorized agent with a power of attorney under the California Probate Code sections 4000 to 4465 and (ii) submit a copy of the power of attorney to us.
Declining your requests: In some instances, we may not honor your request. Such instances include: (i) the failure to verify your identity; (ii) if you do not have authority to exercise the rights on behalf of another person; (iii) if there is an exception under the CCPA; or (iv) where the personal information that we hold about you is not subject to the CCPA.
13. Term and Amendments
14. Contact us
Email address: email@example.com
Postal address: EMAILABLE LLC, 223 Wall St, Huntington, NY 11743, United States