Privacy Notice & Cookies Policy

This Privacy Notice describes how Zaptic collects, uses and discloses information, and what choices you have with respect to the information.

Scope of this Privacy Notice


This policy applies to Zaptic’s products and services, including applicable mobile and desktop applications (collectively, the “Services”), Zaptic.com and other Zaptic websites (collectively, the “Websites”) and other interactions (e.g., customer service inquiries, user conferences, etc.) you may have with Zaptic. If you do not agree with the terms, do not access or use the Services, Websites, or any other aspect of Zaptic’s business.

Information Zaptic Collects and Receives


Zaptic may collect, generate, and receive Service Data and other information and data (“Other Information”; Service Data and Other Information collectively “Information”) in a variety of ways:

Service data. Customers and individuals granted access to a Customer Instance by a Customer (“Authorized Users”) may submit Service Data to Zaptic when using the Services.

Services metadata. When an Authorized User interacts with the Services, metadata is generated that provides additional context about the way Authorized Users interact with the Services. For example, Zaptic logs what Third Party Services are connected with the Services (if any).

Log data. As with most technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.

Device information. Zaptic collects information about devices accessing the Services, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. Whether Zaptic collects some or all of this information often depends on the type of device, its settings or Zaptic services. 

Location information. Zaptic receives information from you and other third parties that may help Zaptic approximate your location. Zaptic may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. Zaptic may also collect location information from devices in accordance with the consent process provided by your device.

Cookie information. Zaptic uses cookies and similar technologies in our Websites and Services to help us collect Other Information. The Websites and Services may also include cookies and similar tracking technologies of third parties, which may collect Other Information about you via the Websites and Services and across other websites and online services. For more details about how Zaptic uses these technologies, and your opt-out opportunities and other options, please see Zaptic’s Cookie Policy. 

Third-Party Services. A Customer can connect Third-Party Services to its Customer Instance. Typically, Third-Party Services are software services that integrate with Zaptic Services, and a Customer can permit its Authorized Users to enable and disable these integrations for its Customer Instance. Zaptic may also develop and offer Zaptic applications that connect the Services with a Third-Party Service. Once enabled, the provider of a Third-Party Service may share certain information with Zaptic. For example, if a single sign-on service is connected with Zaptic, Zaptic may receive the username and email address of Authorized Users, along with additional information that the application has elected to make available to Zaptic to facilitate the integration. Authorized Users should check the privacy settings and notices in these Third-Party Services to understand what data may be disclosed to Zaptic. When a Third-Party Service is enabled, Zaptic is authorized to connect and access Other Information made available to Zaptic in accordance with any permission(s) granted by Customer (including, by its Authorized User(s)). Zaptic does not, however, receive or store passwords for any of these Third-Party Services when connecting them to the Services.

Contact information. An Authorized User is required to provide some contact information (e.g., an email address) when making an account on the Services.

Third-party data. Zaptic may receive data about organizations, industries, lists of companies that are customers, Website visitors, marketing campaigns and other matters related to our business from affiliates and subsidiaries, our partners, or others that Zaptic engages with to make Zaptic’s own information better or more useful. This data may be combined with Other Information Zaptic collects and might include aggregate-level data, such as which IP addresses correspond to zip/postal codes or countries. Or it might be more specific: for example, how well an online marketing or email campaign performed.

Zaptic processes Personal Data contained in Customer Account Data, Customer Usage Data, and any Personal Data provided by Customer or collected by Company in order to provide the Services. Categories of Personal Data include name, email, job title, username, Company device identifiers (e.g. serial number), IP address for company device and training records. Customers are strictly prohibited from providing sensitive personal data or special categories of data to Company, including any data which discloses the criminal history of any persons.

Additional information provided to Zaptic. Zaptic receives Other Information when submitted to our Websites or in other ways, such as if you participate in a focus group, contest, activity or event, apply for a job, enroll in an educational program hosted by Zaptic or a vendor, request support, interact with our social media accounts or otherwise communicate with Zaptic.

How Zaptic Uses Information


Service Data will be used by Zaptic in accordance with the applicable MSA, Customer’s use of Services functionality, and as required by applicable law. Zaptic is a processor of Service Data and Customer is the controller.

In addition, Zaptic uses Information in furtherance of our legitimate interests in operating our Services, Websites, and business. More specifically, Zaptic uses Information:

To provide, update, maintain and protect our Services, Websites, and business. This includes use of Service Data and Other Information to support delivery of the Services under an MSA, prevent or address service errors, security or technical issues, analyze and monitor usage, trends and other activities, or at an Authorized User’s request.

As required by applicable law, legal process, or regulation.

To communicate with you by responding to your requests, comments, and questions. If you contact us, Zaptic may use Information to respond.

To develop and provide additional features. Zaptic tries to make the Services as useful as possible for Customers and Authorized Users, and Zaptic may use aggregated and anonymized Services Data and Other Information to develop new Services or improve existing Services.

To send emails and other communications. Zaptic may send you service, technical and other administrative emails, messages, and other types of communications. Zaptic may also contact you to inform you about changes in our Services, our Services offerings, and important Services-related notices, such as security and fraud notices. These communications are considered part of the Services and you may not opt out of them. In addition, Zaptic sometimes sends emails about new product features, promotional communications, or other news about Zaptic. These are marketing messages so you can control whether you receive them. If you have additional questions about a message you have received from Zaptic please reach out through the contact mechanisms described below.

For billing, account management, and other administrative matters. Zaptic may need to contact you for invoicing, account management, and similar reasons and Zaptic uses account data to administer accounts and keep track of billing and payments.

To investigate and help prevent security issues and abuse.

If information is aggregated or de-identified so that it is no longer reasonably associated with an identified or identifiable natural person, Zaptic may use it for any business purpose. To the extent Information is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Notice as “Personal Data.”

Data Retention


Zaptic will retain Service Data in accordance with the applicable MSA, Customer’s use of Services functionality, and as required by applicable law.

Zaptic may retain Other Information for as long as necessary for the purposes described in this Privacy Notice. This may include keeping Other Information for the period of time needed for Zaptic to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements.

How Zaptic Shares and Discloses Information


This section describes how Zaptic may share and disclose Information.

Third-party service providers and partners. Zaptic may engage third parties as service providers or business partners to process Information and support our business. To the extent necessary and applicable, these third-party service providers and partners will be bound by appropriate and commercially reasonable confidentiality obligations. Prior to engaging any third party Subprocessor, Zaptic performs diligence to evaluate their privacy, security and confidentiality practices.

Third-Party Services. Customers may enable or permit Authorized Users to enable Third-Party Services. Zaptic requires each Third-Party Service to disclose all permissions for information access in the Services, but Zaptic does not guarantee that they do so. When enabled and as requested by Customer, Zaptic may share Information with Third-Party Services. Third-Party Services are not owned or controlled by Zaptic and third parties that have been granted access to Information may have their own policies and practices for its collection, use, and sharing. Please check the permissions, privacy settings, and notices for these Third-Party Services or contact the service provider for any questions.

Corporate affiliates. Zaptic may share Information with its corporate affiliates, parents, and/or subsidiaries.

During a change to Zaptic’s business. If Zaptic engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Zaptic’s assets or stock, financing, public offering of securities, acquisition of all or a portion of Zaptic’s business, a similar transaction or proceeding, or steps in contemplation of such activities, some or all Information may be shared or transferred, subject to appropriate and commercially reasonable confidentiality arrangements.

Aggregated or de-identified data. Zaptic may disclose or use aggregated or de-identified Information for any purpose. For example, Zaptic may share aggregated or de-identified information with prospects or partners for business or research purposes.

To Comply with Laws. If a law enforcement or government agency sends Zaptic a demand for Information about a Customer, Zaptic shall attempt to redirect the agency to request that data directly from the Customer. As part of this effort, Zaptic may provide the Customer’s basic contact information to the law enforcement or government agency. If compelled to disclose Information to a law enforcement or government agency, then Zaptic will give the Customer reasonable notice of the demand and cooperation to allow the Customer to seek a protective order or other appropriate remedy unless Zaptic is legally prohibited from doing so. Zaptic will not voluntarily disclose Information related to a Customer to any law enforcement or government agency.

To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property, or safety of Zaptic or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.

With consent. Zaptic may share Information with third parties when Zaptic has consent to do so.

Security


Security is critical to Zaptic’s mission, and Zaptic takes security of data seriously. Zaptic uses industry-standard technical and organizational measures to protect Information from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the Information Zaptic collects, processes, and stores, and the current state of technology. 

Changes to This Privacy Notice


Zaptic may change this Privacy Notice from time to time. Laws, regulations, and industry standards evolve, which may make those changes necessary, or Zaptic may make changes to our services or business. Zaptic will post the changes to this page and encourage you to review our Privacy Notice to stay informed. If Zaptic makes changes that materially alter your privacy rights, Zaptic will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Notice, you should cease interacting with the Services. Contact the applicable Customer if you wish to request the removal of Personal Data under their control.

International Data Transfers


Zaptic may transfer personal data from the location in which the data subject resides as necessary to provide services. Customer acknowledges that Company’s primary processing operations take place in the United Kingdom, and that the transfer of Customer’s Personal Data to the United Kingdom is necessary for the provision of the Services to Customer. If Company transfers Personal Data to a jurisdiction for which the European Commission has not issued an adequacy decision, Company will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

Identifying the Data Controller and Processor


Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of information. In general, Customer is the controller of Service Data and Zaptic is the processor of Service Data and the controller of Other Information.

Your Rights


Individuals located in certain countries or states, including the European Economic Area and the United Kingdom, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to request access to Information, as well as to seek to update, delete or correct this Information.

Contacting Zaptic


Please also feel free to contact Zaptic if you have any questions about this Privacy Notice or Zaptic’s practices, or if you are seeking to exercise any of your statutory rights. Zaptic will respond within a timeframe that is compliant with all applicable regulations. You may contact us at privacy@zaptic.com or at the following address for the attention of the Data Protection Officer: 2 Mount Street, Manchester, M2 5WQ

Newsletter sign up, demo requests and downloadable resources

As part of the process for:
– Subscribing to our blog newsletter
– Requesting a demo, pricing information or a consultation with a member of the Zaptic team
– Filling out a contact form
– Downloading a white paper, ebook or case study,

we collect personal information such as name and surname, email address, company name, job title and phone number. We use the information we collect only in compliance with this Privacy Policy.

We use that information:
– To get in touch with you and respond to your request.
– If we need to obtain or provide additional information.
– To send you marketing communications relating to our business which we think may be of interest to you.
– To check that our records are right.
– To check that you are happy and satisfied with our communications.

We have zero tolerance to spam and do not rent or trade email lists with other organisations and businesses.

We use a third-party provider, HubSpot, to deliver our newsletter. We gather statistics around email opening and clicks to help us monitor and improve our e-newsletter. For more information, please see https://legal.hubspot.com/dpa

Links to other websites
The privacy notice does not cover the links within the site linking to other websites. Those sites are not governed by this Privacy Policy, and if you have questions about how a site uses your information, you will need to check that site’s privacy statement.

Access to your personal information
You are entitled to access the personal information that we hold. You can request to edit your personal details, update your communication preferences or to be deleted from our database. Email your request or any questions you may have to Hannah Waugh at hannah@zaptic.com.

Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 29 March 2019.

Cookies Policy

We use a system of classifying the different types of cookies which we use on the Website, or which may be used by third parties through our website. The classification was developed by the International Chamber of Commerce UK and explains more about which cookies we use, why we use them, and the functionality you will lose if you decide you don’t want to have them on your device.

What is a Cookie?

Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.

How long are cookies stored for?

Persistent cookies – these cookies remain on a user’s device for the period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie.

Session cookies – these cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close the browser window. Session cookies are created temporarily. Once you close the browser, all session cookies are deleted.

Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience.

You can find more information about cookies at www.allaboutcookies.org and www.youronlinechoices.eu.

Cookies on the website
A list of all the cookies used on the Website by category is set out below.

Strictly necessary cookies

These cookies enable services you have specifically asked for. These cookies are essential in order to enable you to move around the Website and use its features, such as accessing secure areas of the Website.

Performance Cookies

These cookies collect anonymous information on the pages visited. By using the Website, you agree that we can place these types of cookies on your device.

These cookies collect information about how visitors use the Website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the Website works.

Functionality cookies

These cookies remember choices you make to improve your experience. By using the Website, you agree that we can place these types of cookies on your device.

These cookies allow the Website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

Third Party Cookies

These cookies allow third parties to track the success of their application or customise the application for you. Because of how cookies work we cannot access these cookies, nor can the third parties access the data in cookies used on our site.

For example, if you choose to ‘share’ content through Twitter or other social networks you might be sent cookies from these websites. We don’t control the setting of these cookies, so please check those websites for more information about their cookies and how to manage them.

Zaptic Security Overview

Last updated 15 June, 2022

Introduction

Earning and maintaining the trust of our customers is a critical, strategic priority for Zaptic. Security of our systems and the customer data is a core consideration in the delivery of Zaptic and we take a collaborative approach with our customers to continuously deliver and improve on our security objectives.

Zaptic is hosted using a comprehensively hardened infrastructure as a service (IaaS) using platforms from Amazon Web Services.

SOC 2 compliance
We have a SOC 2 Type 2 report by our third party auditor certifying that our security policies and controls continuously meet the highest industry standards. This is available upon request under NDA for qualified customers.



Product Security

Authentication
Zaptic enforces authentication for all access to the platform. Authentication is managed at an individual level and can be integrated with customers’ identity providers to provide Single Sign On capability.

Permissions
Zaptic supports flexible permission levels for workers. Permission levels can be set for the various third-party systems in use.

Physical Security
Zaptic production data is processed and stored within world-renowned data centers that use state-of-the-art multilayer access, alerting, and auditing measures.

System Security

Servers and Networking
All Zaptic servers and structured data stores use managed infrastructure services provided and secured by Amazon Web Services.

Our web servers encrypt data in transit using the industry standard for HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048 bit RSA, signed with SHA256.

Operational Security

Policies
Zaptic has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Employee Training
All Zaptic employees are trained on security best practices and awareness during onboarding. We perform annual disaster recovery and data restoration tests.

Employee Equipment
All employee computers have strong passwords, encrypted disks, and virus scanners.

Employee Access
We use Google account infrastructure to verify employee account identity. All employee contracts include a confidentiality agreement.

Code Reviews and Production Deployment
All changes to source code are subject to automated testing and all changes are subject to code review by a qualified engineering peer that includes security, performance, and potential-for-abuse analysis.

All code is deployed to a testing environment for quality assurance and automated tests must pass prior to updating production services.

Service Levels, Backups, and Recovery
Zaptic infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of load balancing and task queues. Zaptic uses highly redundant datastores, rapid recovery infrastructure, and point-in-time backups making unintentional loss of customer data very unlikely.

Application Security

Server and Client Hardening
Zaptic servers use AWS managed infrastructure which utilizes firewalls to restrict system access from external and internal networks, DDoS mitigation, spoofing and sniffing protections, and port scanning. Request-handling code paths have frequent user re-authorization checks, payload size restrictions, rate limiting where appropriate, and other request verification techniques.

Client code utilizes multiple techniques to ensure that using the Zaptic app is safe and that requests are authentic, including XSS and CSRF protection, signed and encrypted user authentication cookies, and session expiration.

Pentests
We engage third-party security experts to perform detailed penetration tests on the Zaptic app and infrastructure.

API and Integrations
Access to the Zaptic RPC API endpoints requires an access key that can be regenerated on demand by customers.

Integrations with other apps are all opt-in and authenticate via OAuth or other applicable mechanisms required by the third party app. Integrations can be disabled at any time.

Incident Reporting

Incident Response
Zaptic implements a protocol for handling security events which includes escalation procedures, rapid mitigation, and post mortem. All employees are informed of our policies.

Responsible Disclosure
If you have a security concern, question, or are aware of an incident, please send an email to security@zaptic.com, a carefully controlled and monitored email account.