This Revision of the Kandy Privacy Policy is effective as of January 1, 2023
Kandy Communications, an AVC Technologies, Inc. company, and its affiliates (“Kandy” or “We” or “Us”) reserve the right to change this privacy policy at our discretion from time to time, subject to business, technical, or legal requirements or developments. We encourage you to periodically review this Privacy Policy and particularly before you provide Personal Data to Kandy. The effective date of the newest version of the privacy policy is posted above. If you object to the changes or wish to obtain further information, please contact us at privacy@kandy.com. For previous versions of this policy, see the Privacy Policy Archive.
Section Name |
Description of Contents |
BACKGROUND AND INFORMATION VALUES | Learn about Kandy and our information values. |
PURPOSE OF THIS PRIVACY POLICY | The purpose of this Privacy Policy is to provide information on how we collect, store, share, and use your Personal Data. |
FOR WHAT PURPOSE(S) DOES KANDY USE YOUR PERSONAL DATA? | Kandy uses your Personal Data for many purposes related to your account with us, as a conduit for transmission, to facilitate audio and video images, to anonymize in an effort to enhance your experience of our products and services, to assist in the provision of technical and professional services, to collect credit card information when appropriate and to provide products and services training. Kandy does not market its products or services to children. We may also collect your Personal Data to facilitate employment relationships. |
WHERE AND HOW WE COLLECT AND USE PERSONAL DATA FOR MARKETING PURPOSES | Kandy collects Personal Data such as customer account data directly from you when you visit Kandy’s website, request a product, service, or access to an event, or when you contact a member of the Kandy team or sign up for a Kandy account to use our products and services. Kandy also indirectly collects the Personal Data of your end users called customer usage data (metadata) and customer content. We process customer contact details such as your name, email, and phone number directly from you when you make a request, contact a member of our team or sign up for a Kandy account. We may also process your end users’ communications-related data such as phone numbers, email addresses, friendly names that you create for your end users, the content of communications sent by you or your end users to provide services to you and to carry out necessary functions of our business as a communications service provider. |
COOKIES, TRACKING, AND SIMILAR TECHNOLOGY | Kandy uses common information-gathering tools such as cookies and similar tracking technologies to automatically collect information as you navigate our websites, our services, or when you interact with emails we send to you. You can manage these technologies easily at our |
MONITORING CUSTOMER INFORMATION | We monitor in accordance with local law in a proportionate manner so as to respect your reasonable privacy expectations, in order to prevent unauthorized access to our offices and to protect employees, authorized visitors, and our property and for other legitimate business purposes including proof of business transactions and archiving, training, protection of confidential information, intellectual property and other business interests, to investigate breaches of Kandy policies and procedures, or other unlawful or improper acts, for compliance with a legal obligation; and for other legitimate purposes as permitted by applicable law. |
WITH WHOM DO WE SHARE YOUR PERSONAL DATA? | We only share your Personal Data to the minimum extent necessary with those who need it in order to perform their tasks and duties and to service providers and other third parties who have a legitimate purpose for accessing it to assist us in providing products and services to you. |
HOW DO WE SECURE DATA? | While there is no such thing as perfect security, we are committed to maintaining reasonable and appropriate security measures to ensure that your Personal Data is protected both online and offline. Read this section to learn more about our security measures and how you can better protect your account. Kandy provides you with many ways to make choices about your data and your end users’ data, such as accessing it, correcting it, deleting it, or updating your choices about how it is used. You can manage your choices by accessing our . |
HOW LONG DOES KANDY RETAIN PERSONAL DATA? | We store your information until it is no longer necessary to provide the services or otherwise relevant for the purposes for which it was collected. |
WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA WITHIN THE UNITED STATES, PURSUANT TO NATIONAL AND STATE-SPECIFIC LAWS | At the present time, there is no overarching single US federal privacy law. A comparison of current state data protection laws is provided in a chart. We provide a brief description of your rights and our obligations under the laws of the five states – California, Connecticut, Colorado, Utah, and Virginia – that have enacted comprehensive privacy legislation, and information on how to exercise your privacy and data protection rights. Generally, consent and certain legitimate business purposes provide the legal basis in the United States for processing Personal Data. Our legal basis for collecting and using Personal Data will depend on the Personal Data concerned and the context in which we collect it. However, we will normally collect Personal Data from you only where we have your consent to do so for a specific purpose, where we need the Personal Data to carry out our contract with you, where we need the Personal Data to comply with our legal obligations, or where the processing is in our legitimate interests (such as for research and development, to market and promote the services, and to protect our legal rights and interests) and are not overridden by your data protection interests or fundamental rights and freedoms. |
WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA OUTSIDE THE UNITED STATES? | You may lodge any complaints or concerns with your local data protection authority. You can find a list of the European and United Kingdom DPAs at https://ec.europa.eu/newsroom/article29/items/612080/en. A full list of contact information for Canada, the EU, the EEA, the UK, and Swiss data authorities is provided. |
HOW YOU CAN EXERCISE YOUR RIGHTS OUTSIDE THE UNITED STATES | Generally, a data subject outside the United States has the right to notice, consent, and withdrawal of consent, transparency, access, accuracy, rectification, erasure (right to be forgotten), restriction of processing, objection to processing, receipt of information (right to information) and portability |
YOUR RIGHTS IN CANADA | In Canada, the Personal Data Protection and Electronics Documents Act (“PIPEDA”) covers how businesses handle Personal Data. |
YOUR RIGHTS IN THE EUROPEAN UNION | In the EU, the General Data Protection Regulation (“GDPR”) governs how businesses handle Personal Data, including the international transfer of Personal Data. |
YOUR RIGHTS IN THE EEA, UK, AND SWITZERLAND | Your privacy and data protection rights are subject to regulations set forth by the EEA data protection authorities, the UK data protection authorities, and the Swiss Data Protection Law, including the international transfer of Personal Data. |
OTHER USEFUL INFORMATION | Here you’ll find other useful information about our data protection practices including with respect to children, enforcement, liability, training, translations, use of automated decision-making tools, and how to contact us with questions. |
APPENDIX I: JOB APPLICANTS | In Appendix I, we describe how we address the issues in the main privacy policy for Applicants. How we address privacy issues with respect to employees is available to employees through HR Connect. |
APPENDIX II: NOTICE TO CALIFORNIA RESIDENTS ABOUT THE COLLECTION, USE, AND DISCLOSURE OF PERSONAL DATA | Appendix II is for California residents. It describes how we collect information, how and by whom it is used, and the categories of each. It also sets forth metrics regarding personal information collected and used for 2022.G |
Kandy, including its corporate affiliates (collectively, “Kandy” or “we” or “us” or “our”), is a cloud-based, real-time communications platform offering proprietary Unified Communications as a Service (UCaaS), Communications Platform as a Service (CPaaS), Microsoft Teams Direct Routing as a Service (DRaaS), and SIP Trunking as a Service (STaaS). Kandy's white-label solutions enable service providers, enterprises, software vendors, systems integrators, partners, and developers to enrich their applications and services with real-time contextual communications, providing a more engaging user experience. With Kandy, enterprises of all sizes and types can quickly embed real-time communications capabilities into their existing applications and business processes. Kandy collects information from you in a variety of ways when you interact with our websites and applications, regardless of whether you are a prospect or a customer.
Kandy attempts to offer consistent standards of privacy protection subject to applicable local laws. We continually monitor privacy, data protection, and security laws and regulations as they apply to our operations worldwide. Sometimes, a country’s data privacy and security laws may establish requirements that may diverge from our Privacy Policy. If a country’s law conflicts with our Privacy Policy, we use commercially reasonable steps to follow the law. Refer to our Cookie Policy in order to understand how we manage cookies.
The purpose of this Privacy Policy is to provide information on how we collect, store, share, and use your Personal Data. We collect information from you in a variety of ways when you interact with our websites, desktop, and web-based applications. If you provide us with information about yourself or your company, we believe that you have the right to know why we are collecting that information and how we use it. We do not intend to sell or share any of the information you provide to us. When you use a Kandy product provided by your organization, Kandy’s processing of your Personal Data in connection with that product is governed by a contract between Kandy and your organization. If you have questions about Kandy’s processing of your personal data in connection with providing products to your organization, please contact your organization. If you have questions about Kandy’s business operations in connection with providing products to your organization, please contact your organization and/or privacy@kandy.io.
THIS NOTICE DOES NOT APPLY TO, NOR ARE WE RESPONSIBLE FOR, THE PRIVACY, INFORMATION, OR OTHER PRACTICES OF ANY THIRD PARTIES, INCLUDING ANY THIRD PARTY OPERATING ANY SITE OR SERVICE TO WHICH THE WEBSITE LINKS, INCLUDING BUT NOT LIMITED TO SOCIAL MEDIA SITES. THE INCLUSION OF A LINK ON THE WEBSITE DOES NOT IMPLY OUR ENDORSEMENT OF THE LINKED SITE OR SERVICE. YOU SHOULD CHECK THE PRIVACY NOTICES OF THOSE SITES BEFORE PROVIDING YOUR PERSONAL DATA TO THEM.
For information on how we use Personal Data of Applicants, refer to Appendix I - APPLICANT PRIVACY POLICY AND NOTICE
For information on how we use Personal Data of Employees, refer to Employee Privacy on HR Connect.
Kandy uses, stores, and may share internally, to service providers or to our partners your Personal Data that we collect primarily for the purposes of:
Conduits: Kandy services are primarily for the benefit of customers and their end users, organizations, and subscribers in that the services transmit, route, switch or cache information and often merely serve as conduits for data - including Personal Data - transmitted by third parties and subscribers. Kandy does not determine the purposes and means of processing this Personal Data.
Audio and Video Images: Kandy services may facilitate the upload, recording, and storage of audio, video, and images by way of services such as voicemail, call recording, transcription, conference, and web collaboration recording. Users may elect to store or record Personal Data including Sensitive Personal Information (SPI) within these resources at their discretion.
Anonymized Data: Kandy may use anonymized, non-identifying data collected from the use of our Kandy services, websites, social media, and applications. This anonymized, non-identifying data may be used to enhance voice activation and recognition algorithms. Similarly, Kandy may use anonymized, non-identifying data collected from the use of our products in order to improve traffic analysis algorithms and techniques. This processing is executed under applicable terms and supports Kandy’s legitimate interests in tuning, maintaining, and enhancing these products and services.
Technical and Professional Services: Kandy provides technical support and professional services to network operators which includes post-sales product technical issue resolution, installation, and upgrade services. Certain technical issue resolution processing will include sample data required to provide the above services including Customer Proprietary Network Information (“CPNI”) and traffic data as well as other information sufficient to identify an individual.
Credit Card Information: Kandy only collects credit card information in order to bill for subscribed services or in support of entering a contract. Kandy utilizes credit card payment processing agents solely for the purpose of authenticating and securely processing payment for the services you receive. We require these agents to take reasonable and appropriate measures to protect this information from loss or misuse.
Training: Kandy provides products and solutions training services to individuals that may be delivered to student employees of our customers in an online, in-person as well as self-paced training format depending on the offering. Kandy may collect, generate and/or process certain Personal Data for the purposes of (i) student registration, communication, and billing, (ii) delivery of training content, (iii) maintenance of student online training profile/transcript, and (iv) maintenance of service consumption metrics.
Children’s Data: Kandy does not market its products or services to children.
Job Applicants and Employees: Employees, applicants, and independent contractors may also have certain rights with respect to their Personal Data. Please refer to Appendix I for additional information or contact us at privacy@kandy.io.
Kandy may be a Data Controller or a Data Processor: For marketing leads and website visitors, Kandy is generally the data controller (one who determines the means and purposes of processing Personal Data alone or jointly with others) of Personal Data we collect. We collect Personal Data when you visit our websites, when you provide it to us (by phone, in person, or by web form), when you register for or attend an event, when you request information regarding Kandy and when we collect it from public databases, partners, social media sites. We use this information to help us understand our customer and employee bases better, such as your industry, the size of your company, your company’s website URL, or your job history, preferences, and experiences. At times we may act as the processor of your data.
What is Personal Data?: Personal Data includes, among other data, your contact details such as name, physical address, country, email, company name, job title, and business telephone number (collectively “Personal Data”). When you visit a Kandy website, Kandy collects associated website visitor information such as IP address, geographic location, browser type, operating system, screen size, and company (collectively “Website Visitor Information”). Website Visitor Information will not be linked to your Personal Data unless you provide additional information to us (such as by filling out a form on our website) that connects the information to you. For more information on the above and choices available to website visitors please also refer to Kandy’s Cookie Policy .
We Don’t Sell or Share Your Data Without Consent: Kandy uses this data for direct marketing of Kandy products and services. Unless expressly requested by Kandy and consented by you, Kandy will not share or disclose or sell Personal Data to third parties for the purpose of their own marketing or resale activities. Please access Do Not Sell or Share My Personal Information to memorialize your choices.
Types of Data Requested: In some places on Kandy’s public-facing websites, you can fill out web forms to ask to be contacted by our Sales Team or our Human Resources Department, sign up for a newsletter, obtain delivery of press releases, register for a Kandy event, or take a survey. The specific Personal Data requested on these forms will vary based on the purpose of the form. We will ask you for information necessary for us to provide you with what you request through the form (for example, we will ask you for your email address if you want to sign up for an email newsletter and for your phone number if you want a member of our Sales Team to call you). We may also ask you for additional information to help us understand you better as a customer, such as your Kandy use case, your company name, your role at your company, or the position you are applying for or currently hold.
Opting Out of Ongoing Communications from Kandy: If you sign up to receive ongoing communications from Kandy, like a newsletter, you can always choose to opt out of further communications by following the “unsubscribe” instructions in emails from Kandy or by sending a request to either kandymarketing@kandy.io or customersuccess@kandy.io. Kandy requires and collects Customer Proprietary Network Information (“CPNI”), and traffic data and may also collect billing information that is essential for providing the subscribed service. Opting out or declining to provide the requested data may hinder the provision of subscribed services. Please note that it may take up to three (3) days to remove your contact information from our marketing communications lists, so you may receive correspondence from us for a short time after you make your request. You will not be able to opt-out of service emails from us, such as password reset emails, billing emails, or notifications of updates to our terms unless you deactivate your account.
Storage of Your Personal Data: If you contact our Sales or Customer Support Teams, or Human Resources, those teams may keep a record of that communication, including your contact details and other information you share during the course of the communication. We store this information to help us keep track of the inquiries we receive from you and from customers generally so we can improve our products and services and provide training to team members. This information also helps our teams manage our ongoing relationships with our customers, employees, and applicants. Because we store a record of these communications, please be thoughtful about what information you share with our teams. While we will take appropriate measures to protect any sensitive information you share with us, it is best to avoid sharing any personal or other sensitive information in these communications not necessary for these teams to assist you.
Processing of Your End User’s Data: We may also process the Personal Data of your end users who use or interact with Kandy services, like the people you communicate with by way of that application. This includes data we use to route messages and metadata about messages — we refer to this data as Customer Usage Data — and it also includes the contents of communications, which we refer to as Customer Content. Kandy may process these categories of Personal Data differently because the direct relationship we have with you, our customer, is different from the indirect relationship we have with your end users.
Notice Not Applicable to End Users: If you are an end user of a Kandy customer, this Privacy Notice does not apply to the services that our customers provide to their end users. Our customers have their own policies regarding the collection, use, and disclosure of the Personal Data of their end users. If you are an end-user of one of our customers and want to learn about how that customer handles your Personal Data, we encourage you to read the customer’s privacy policy. Only the customer can assist you with requests for access or deletion.
We may combine the information we collect. For example, we might combine the information you give us with information we get from a public source. We might also combine the information we collect from you with information we get from third parties. When we do so, we treat the combined information as disclosed in this Privacy Policy and Notice. In the rare and unlikely event that Kandy wishes to use an individual’s Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual, Kandy will seek consent in advance as required by law.
We use cookies and other technologies for the following purposes, subject to local law:
We receive information from you when you access our websites, download, and use our applications, or otherwise use our services or install our applications. This information may include device and usage Information; browsing information; cookies, including first-party cookies, third-party cookies, functional cookies, performance or analytic cookies, and targeting/advertising cookies; and Do Not Track Technology.
For additional information on how we use cookies and other technologies, and how you can determine what information we collect about you, please review our Cookie Policy (which includes information about opting out) and visit our to manage your choices.
Kandy physically and electronically monitors its offices, and use of our IT and communications systems and networks, for specific purposes. In doing so, we may come across Personal Data. We will always monitor in accordance with local law in a proportionate manner to respect your reasonable privacy expectations. In our offices, we may monitor customer activity and presence with badge readers, sign-in sheets, and surveillance cameras. We generally do these things to prevent unauthorized access to our offices and to protect employees, authorized visitors, and our property.
With many customers and employees working remotely, we may also monitor or record activity on our IT and communications systems and network, such as internet traffic, website filtering, email communications or systems accessed such as the use of video collaboration tools that may include chat. Subject to local law, we may also carry out monitoring for other purposes such as:
Sharing your Personal Data with third parties: We only share your Personal Data to the minimum extent necessary with those who need it in order to perform their tasks and duties, and to service providers and other third parties who have a legitimate purpose for accessing it to assist us in providing products and services to you. This may include third parties such as:
Why we might share your Personal Data: These service providers and third parties can only use or disclose Personal Data as directed by Kandy and in a manner consistent with this Privacy Policy and Notice, using appropriate data security measures, and pursuant to contractual arrangements between us. We may also disclose your Personal Data to a service provider or third party under the following circumstances:
Categories of Information We May Share: Kandy does not sell Personal Data to third parties. We may share certain Personal Data with third parties for our business purposes, from one or more of the following categories:
Categories of Business Purposes for which we Collect Data: Over the past twelve months, we may have collected and disclosed, for one or more business or commercial purposes, Personal Data from one or more of the above categories, as well as from social media channels, media, and other online sources. We retain Personal Data in each of these categories for different lengths of time, depending on the business purpose for which we collect the information, as set forth below.
Categories of Sources From Which we Collect Personal Data: This may include you; your former or current employer(s); family members; friends; schools, universities and other educational institutions; associations to which you now or may have belonged; scholarly sources including journal articles, magazine articles, news articles, monographs, nonfiction books, reference resources, textbooks; gray literature including a wide variety of documents that have not been published in the traditional sense, including unpublished conference papers; unpublished theses and dissertations; presentations; working papers; notes and logs kept by researchers; academic courseware, professors' teaching notes, students' lecture notes; company annual reports; project and study reports; institutional reports; technical reports and white papers; reports put out by government agencies; data and statistics; unpublished letters and manuscripts; patents; technical standards; newsletters, product catalogs, and certain other types of brief information with a strong informational value; social media channels, media and other online sources, or reprints of articles; customers, partners, resellers or competitors; vendors, suppliers and contractors; government agencies; software developers and others.
Categories of Third Parties to Whom We May Disclose Personal Data: Subject to and in accordance with local laws and regulations, we may disclose Personal Data to law enforcement; legal, governmental, and judicial entities; a future employer(s); family members; friends; schools, universities, and other educational institutions; associations to which you now or may belong; legal, accounting and tax personnel; news organizations; stock exchanges and other financial institutions; medical institutions and personnel; conference participants; customers, partners, resellers or competitors; vendors, suppliers, and contractors; software developers; and others.
Security Safeguards: We use appropriate administrative, physical, technical, and organizational security measures to protect the security of your Personal Data both online and offline including the implementation of access controls, firewalls, network intrusion detection, and use of anti-virus software. These safeguards consider the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing as well as the risks to individuals posed by any anticipated threats and unauthorized disclosure of the information. Kandy conveys safeguard obligations to our third parties who receive Personal Data from or on behalf of Kandy during their relationship with us.
Use of Commercially Reasonable Means to Secure Your Data: We employ reasonable means to keep Personal Data accurate, complete, and current, and use commercially reasonable steps to reduce the risk that your Personal Data is subject to the loss, misuse, unauthorized access, disclosure, alteration, or destruction. as needed for the purposes for which it was collected. Although we strive to protect your data, no system is completely secure and we cannot guarantee that unauthorized access, hacking, data loss, or a data breach will not occur. Therefore, you acknowledge the risk that third parties may gain unauthorized access to your information. You are responsible for any activity under your account using your account password or other credentials.
Security Measures You Can Take: There are security measures you can take to protect your Personal Data. Keep your account password confidential and do not disclose it publicly or to unauthorized individuals — this includes accidentally distributing them in a binary or checking them into source control. Please let us know immediately if you think your password was compromised or misused. To protect the confidentiality of your account and protect against unauthorized use of your account, we recommend enabling two-factor authentication. Similarly, if you provision an API Key, you should keep that secret, as well. You should store your API Key, Account SID, and secret key in a secure location.
Collection of Data for Security Purposes: We may collect and use marketing leads, prospect information, other company stakeholder information, Customer Account Data, Customer Usage Data, Employee or Applicant data, or information collected from generally interested parties to detect, prevent, or investigate security incidents, fraud, or abuse and misuse of our platform and services. In addition, we also use records containing end-user Personal Data to debug, troubleshoot, or investigate security incidents; to detect and prevent spam or fraudulent activity, and to detect and prevent network exploits and abuse. Specifically, we monitor text message content to detect spam, fraudulent activity, and violations of our Acceptable Use Policy. We may anonymize Personal Data and use it for our legitimate business needs, and, where allowed by law, this may include records containing end-user Personal Data.
Kandy uses a wide variety of self-service tools that allow you to see, update, correct and/or delete your Personal Data. If we have Personal Data that you cannot access via these self-service systems, you may make a request by submitting a Privacy Rights Request Form and include sufficient information so that we may verify your identity and evaluate your right to access the Personal Data requested. We may need to deny your request in certain situations, such as when providing access might infringe on someone else’s privacy rights or impact our legal obligations. You may also want to withdraw prior consent for us to continue to collect and or process your Personal Data. Any processing we conducted prior to receipt of your written withdrawal of consent will not affect the lawfulness of activities previously undertaken, nor will it affect the processing of your Personal Data carried out in reliance on other lawful grounds other than consent.
Retention for a Minimal Period of Time: Kandy will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, or otherwise as required by law. Generally, this means we will keep your Personal Data until our contract or employment with you either expires or is terminated, plus a reasonable period of time after that where necessary to respond to any government inquiries, deal with legal, tax, accounting, or administrative matters, resolve disputes or to provide you with ongoing service pursuant to our contract. The criteria used to determine our retention periods include:
Retention for Internal Analysis Purposes: We will also retain website and mobile application usage data for internal analysis purposes. Usage data will generally be retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our services, or we are legally obligated to retain this data for longer periods. We store your information until it is no longer necessary to provide the services or otherwise relevant for the purposes for which it was collected. This time period may vary depending on the type of information and the services used, as detailed below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible. We may also retain aggregate information beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from anonymized information retained or used for these purposes.
Deletion Requests: If you ask Kandy to delete specific Personal Data from your Customer Account Data, we will honor this request unless deleting that information prevents us from carrying out necessary business functions, such as billing for our services, calculating taxes, or conducting required audits. More specifically, within sixty (60) days following the closure of your account, we will either delete other Customer Account Data or transform it such that it can no longer be used to identify you, with the following exceptions, depending on and in accordance with applicable law:
Device-Specific Information Retention: We collect device-specific information from you when we have provided end-user equipment to you, such as an analog telephone adapter or a VoIP phone, or you have installed our software on your device. If you do not revoke our access to this information via the privacy settings on your device, we will retain this information for as long as your account is active.
Stored Usage Records: If a Kandy product or service you use enables you to store records of your usage on Kandy’s platform, including Personal Data contained within those records, and you choose to do so, then Kandy will retain these records for as long as you instruct, up until the termination of your account. In some cases, the use of extended storage may cost more. If you later instruct us to delete those records, we will do so. Please note that it may take up to thirty (30) days for the data to be completely removed from all systems.
At the present time, there is no single federal privacy law, although legislation (the American Data Privacy and Protection Act – ADPPA) has been proposed and is pending in Congress. The bill draws on many of the principles of the European Union’s privacy laws and includes provisions for:
There are some doubts about the proposal, including concerns about:
If passed, the bill would be enforced by the Federal Trade Commission (FTC), but federal regulators and state attorneys general would have the right to sue companies that misbehave. There are also industry-specific privacy laws that preempt or provide exemptions under various state laws, such as the Gramm Leach Bliley Act for financial services and the Health Information Portability and Accountability Act related to the provision of health care services. Other federal laws related to privacy include FERPA (student education records), FCRA (credit reports), ECPA, COPPA, and VPPA. For more information about how Kandy complies with these laws, please contact privacy@kandy.io.
Many states have enacted individual privacy laws. California, Colorado, Connecticut, Utah, and Virginia have enacted legislation that comes into effect during 2023. Illinois has a biometric law generally followed by most states. Many other states have bills pending in their state legislatures. Thirty-one other states have privacy laws in the works. Although the laws introduced in each state are different, the general idea is the same across the board - consumers are being given the right to know what information companies have about them, how it is collected and being used, and what third parties have access to, and how they can use the data. They also have the right to opt out of some types of data collection. Only California additionally legislates protections for employment data and business-to-business transaction data.
Businesses have a duty to provide customers with information about their stored data and to take reasonable steps to keep data secure. Additional rules may apply for sensitive data such as biometric data, immigration status, and precise location. These laws are largely enforced by state attorneys general.
For the latest on various states’ privacy laws, please contact privacy@kandy.io The following chart shows the status of privacy and data protection legislation at the state level as of 11/27/2022. Kandy’s approach is to apply the strictest state law to all customers in the United States, regardless of location. Information about the laws in California, Colorado, Connecticut, Utah, and Virginia that will be going into effect in 2023 are summarized below.
California has enacted a robust set of laws that address privacy rights, which most states consider when enacting privacy legislation in their states. These include:
The Connecticut Privacy Act (“CTPA”) becomes effective on July 1, 2023. It applies to consumers, not employees or B2B transaction data, or non-profits. There is no private right of action. Under the CTPA, consumers have the following rights:
The CTPA has limited applicability to Kandy’s business. If you require additional information about the CTPA, contact us at privacy@kandy.io.
The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. It applies to consumers, not employees or B2B transaction data, but it does apply to non-profit entities. The draft rules impose new requirements around compliance (disclosures, handling requests, and opt-out mechanisms), data governance, management of sensitive data, and inferences requiring consent that is periodically refreshed prior to collection and use (ethnic origins, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status), data minimization and purpose limitations; and data protection impact assessments and restrictions relating to profiling. These rules are anticipated to be finalized in the first half of 2023. The state attorney general has rulemaking powers. There is no private right of action. Under the CPA, consumers have the following rights:
The CPA has limited applicability to Kandy’s business. If required, Kandy will use commercially reasonable efforts to delete both the underlying Personal Data and the Sensitive Data inferences within the time frame specified by the rules (currently proposed to be 12 hours) of collection or completion of the processing activity. Kandy will not sell or share the Sensitive Data Inferences with any processor, nor process the data for any secondary purpose. If you require additional information about the CPA, contact us at privacy@kandy.io.
The Utah Consumer Privacy Act (“UCPA”) goes into effect on December 31, 2023. The UCPA does not apply to employment-related data or B2B transaction data. There is no private right of action. Under the UCPA, consumers have the following rights:
The UCPA has limited applicability to Kandy’s business. If required, Kandy will provide Personal Data within the time frame specified for collection or completion of the processing activity. Kandy will not sell or share Personal Data. If you require additional information about the UCPA, contact us at privacy@kandy.io.
The Virginia Consumer Data Protection Act (“VCDPA”) becomes effective on January 1, 2023. The VCDPA does not apply to employment-related data or B2B transaction data. The VCDPA has no opt-out provision and no private right of action. Under the VCDPA, consumers have the following rights:
You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Data, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent has written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your Personal Data. To make a request with respect to any of the above areas, please contact our Privacy Team at privacy@kandy.io, and we will ask you to complete a Privacy Rights Request form. You do not have to be from California to make this request.
Kandy is a global company with customers, employees, and offices all around the world. We are committed to abiding by all applicable data protection laws. This policy is global, applying to all Kandy collection, processing, storage, and usage of Personal Data. It applies to Personal Data regardless of format. For example, the policy applies to computerized records and electronic information as well as paper-based files. The concepts enumerated in this policy guide Kandy’s selection and expectations of its employees, service providers, resellers, agents and subcontractors, and other recipients to whom Kandy transfers and relies upon for the processing of Personal Data.
Data protection laws around the world require organizations like ours to provide a lawful basis to collect and use your information. If you are a customer outside of the United States, our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the context in which we collect it. However, we will normally collect Personal Data from you only where we have your consent to do so for a specific purpose, where we need the Personal Data to carry out our contract with you, where we need the Personal Data to comply with our legal obligations, or where the processing is in our legitimate interests (such as for research and development, to market and promote the services, and to protect our legal rights and interests) and are not overridden by your data protection interests or fundamental rights and freedoms. Legitimate interests may also include:
You may choose for what discretionary purposes we may collect, use, store and share your Personal Data at our Privacy Center. When you select your privacy preferences, we will advise you if the provision of your Personal Data is mandatory in order to access and use our products and services as well as the consequences if you fail to provide it.
Your Personal Data may be collected, used, processed, stored, or disclosed by us and our service providers outside your home jurisdiction, including in the U.S., and in some cases, other countries. These countries may have data protection laws that are different than the laws of your country. Kandy only transfers Personal Data to another country, including within the Kandy corporate family, in accordance with applicable privacy laws, provided there is adequate protection in place for the data, or with your consent.Top
As a data subject outside of the United States, you have multiple rights (which may vary slightly by jurisdiction) in relation to your Personal Data, including:
You can make any of these requests or contact us if you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, by managing your rights at our Privacy Center or contacting us at privacy@kandy.io. We will use commercially reasonable efforts to respond to all requests in accordance with applicable data protection laws.
You may lodge any complaints or concerns with your local data protection authority (DPA). You can find a list of the European and United Kingdom DPAs at https://ec.europa.eu/newsroom/article29/items/612080/en, or you can address questions or inquiries about privacy issues in a particular country to the appropriate data protection authority as follows:
EUROPEAN UNION COUNTRY | EMAIL ADDRESS |
Austria | |
Belgium | |
Bulgaria | |
Croatia | |
Cypress | |
Czech Republic | |
Denmark | |
Estonia | |
Finland | |
France |
No email address is provided. You may contact the DPA from 9:30 a.m. to 5 p.m. by calling +33 (0)1 53 73 22 22 |
Germany (there are additional regional offices) | |
Greece | |
Hungary | |
Ireland | |
Italy | |
Latvia | |
Lithuania | |
Luxembourg | |
Malta | |
Netherlands | |
Poland | |
Portugal | |
Romania | |
Slovakia | |
Slovenia | |
Spain | |
Sweden | |
CANADA, EEA COUNTRY, UK OR SWITZERLAND | EMAIL ADDRESS |
Canada | You may send questions about privacy issues to the Information Centre at 1-800-282-1376 |
Iceland (member of EEA) | postur@dpa.is |
Liechtenstein (member of EEA) | |
Norway (member of EEA) | |
Switzerland | |
United Kingdom |
GENERAL INFORMATION
Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner (“OPC”):
PIPEDA generally applies to Personal Data held by private sector entities that are not federally regulated, and conduct business in Manitoba, New Brunswick, Newfoundland and Labrador, Northwest Territories, Nova Scotia, Nunavut, Ontario, Prince Edward Island, Saskatchewan, Yukon. New regulations are expected to go into effect in Quebec in September 2023. The provinces of Alberta, British Columbia, and Quebec have private-sector privacy laws that may apply instead of PIPEDA in some cases. Alberta and British Columbia have also passed privacy laws that apply to employee information.
When Kandy transfers Personal Data out of Canada, Kandy will put in place contractual assurances that transferred Personal Data will be subject to appropriate safeguards by way of standard data protection clauses such as those adopted by the European Commission under GDPR Article 46.
Kandy makes commercially reasonable efforts to comply with PIPEDA’s ten information principles. Under PIPEDA, Personal Data means information about an identifiable individual. These principles form the ground rules for the collection, use, and disclosure of Personal Data, as well as for providing access to Personal Data. They give individuals control over how their Personal Data is handled in the private sector. In addition to these principles, PIPEDA states that any collection, use, or disclosure of Personal Data must only be for purposes that a reasonable person would consider appropriate in the circumstances. The Office of the Privacy Commissioner (“OPC”) has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones). Kandy does not use the information it collects for such purposes:
Principle 1 - Accountability: Kandy is responsible for Personal Data under its control. It appointed a Privacy Officer who is accountable for its compliance with these fair information principles.
Principle 2 - Identifying Purposes: Kandy identifies the purposes for which the Personal Data is being collected before or at the time of collection. These purposes are set forth in this Privacy Policy.
Principle 3 - Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of Personal Data, as more fully as set forth above. Such collection, use, or disclosure may be limited.
Principle 4 - Limiting Collection: Kandy’s collection of Personal Data is limited to that which is needed for the purposes identified by the organization. Information is collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention: Unless the individual consents otherwise or it is required by law, Personal Data is only used or disclosed for the purposes for which it was collected. Personal Data is kept for as long as required to serve those purposes.
Principle 6 - Accuracy: Kandy strives to keep Personal Data as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Principle 7 - Safeguards: Kandy protects Personal Data by appropriate security relative to the sensitivity of the information.
Principle 8 - Openness: Kandy makes detailed information about its policies and practices relating to the management of Personal Data publicly and readily available.
Principle 9 - Individual Access: Upon verifiable and written request, an individual is informed of the existence, use, and disclosure of their Personal Data and is given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance: An individual can challenge Kandy’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, at privacy@kandy.io.
International transfers of Personal or Sensitive Personal Data between Kandy entities in the European Union and Kandy entities elsewhere or third-party suppliers or service providers are subject to regulations set forth by the European Union (“EU”) Data Protection Authorities. Kandy’s service provides the technology platform for hosted cloud information and communications services which are subject to the EU General Data Protection Regulation (EU Regulation 2016/679, “GDPR”). These services typically act as a conduit for data transmitted by third parties and subscribers. Personal Data processed in the above context is typically controlled by or originated from other companies, such as our customers, subscribers, or other business partners. Kandy does not generally own, control, or direct the use of any of the Personal Data stored or processed by the above parties.
Kandy also provides services to network operators which include post-sales product technical issue resolution, installation, and upgrade services. In some cases, Kandy may collect and process Personal Data for its own legitimate business purposes including the management of business relationships with current or prospective customers, vendors, independent contractors, suppliers, service providers, resellers or partners, direct marketing of Kandy products and services, and provision of training services.
This notice contains information required under GDPR Articles 13 and 14 and details Kandy’s data controller and processor accountabilities. For our EU customers, the data controller of your Personal Data will be the corporate entity from whom you acquire our products and services. In the context of the above processing, which is subject to the EU GDPR, Kandy’s accountabilities are generally those of a data controller but may include those of a processor as defined under Chapter IV of the regulation. Accordingly, when acting as a processor, Kandy relies on the guidance and direction of the applicable data controller(s), who determine the purposes and generally the means of processing such Personal Data. When acting as a controller, Kandy provides guidance and direction to the applicable processor. Until the European Union determines a country (including the United States) satisfies its “adequacy” requirements, when Kandy transfers Personal Data out of the EU, Kandy will put in place contractual assurances that transferred Personal Data will be subject to appropriate safeguards by way of standard data protection clauses adopted by the European Commission under GDPR Article 46.
If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us at privacy@kandy.io.
Your rights in the UK, EEA, and Switzerland are like those of the EU under GDPR. International transfers of Personal or Sensitive Personal Data between Kandy entities in the EEA, Switzerland, or in the United Kingdom and Kandy entities elsewhere or third-party service providers or suppliers are subject to regulations set forth by the EEA Data Protection Authorities, the Swiss Data Protection Law, or the UK Data Protection authorities, respectively. If required, we will obtain your consent prior to transferring your Personal Data elsewhere.
For Personal Data pertaining to UK, EEA, or Swiss data subjects Kandy will only transfer or provide direct access to Personal Data covered by this policy to third parties that:
Individuals having rights governed by the EU, EEA, UK, or Swiss data protection laws may exercise the following rights as data subjects:
RIGHT | SUMMARY |
Notice | Kandy provides required notice to individuals at points where Kandy collects Personal Data. |
Consent and Withdrawal of Consent | Where consent is required for Kandy to collect Personal Data, Kandy will request the individual’s consent. If you have consented to our use of Personal Data for a specific purpose, you have the right to change your mind at any time. Any decision will not affect any processing that has already occurred, nor will it affect the processing of your Personal Data conducted in reliance of lawful processing grounds other than consent. Withdrawing your consent may mean your access to the Services will be limited or suspended, and your accounts may be terminated, if applicable. Where you withdraw your consent, but we are using your information because we or a third party (e.g., your employer) have a legitimate interest in doing so, or we have a different legal basis for using your information (for example, fulfilling a contract with you), we may continue to process your information, subject to your rights to access and control your information. |
Transparency, |
Individuals are provided with credentialed access to much of their own Personal Data that Kandy collects and maintains through various service portals. This enables individuals to access, review, export, and in many instances enter or certify their Personal Data. If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement the data. You can also correct some of this information directly by logging into your Service account if you are a customer. |
Erasure (Right to be Forgotten) | Kandy will review and act upon requests by individuals for the erasure of Personal Data to the extent required under applicable law. Generally, individuals have the right to have some, or all, of their Personal Data erased when it is no longer necessary for the purposes for which it was collected or otherwise processed or the legal basis on which the data processing was based (e.g., consent) no longer applies. |
Restriction of Processing | Kandy will review and act upon requests to restrict the processing of Personal Data of individuals to the extent required under applicable law. If you ask us to restrict further processing of your Personal Data, we may have to delete your account. |
Objection to Processing | Kandy will review and act upon individuals’ objecting to the processing of Personal Data for certain purposes to the extent required under applicable law. Kandy will no longer process the data where it is unable to demonstrate compelling legitimate grounds for the processing. |
Receipt of information (Right to Information) | Generally, individuals have the right to receive information about their Personal Data which is processed by Kandy. This right to information includes information on the purposes of the processing, the categories of the processed data, the recipients to whom the Personal Data has been or will be disclosed, and the intended storage period. Upon written request to privacy@kandy.io. Kandy will provide the requesting individual with a copy of his/her Personal Data processed by Kandy. |
Portability | Under certain conditions, individuals have the right to receive their Personal Data which they have provided to the company in a structured, commonly used, and machine-readable format. Individuals also have the right to transmit such data to another controller if the data processing is based on the consent of the individual and the data is processed by using automated processes. In this regard, individuals should refer to their Access rights described above. You can also request that we transmit the data to someone else where it’s technically possible. |
In addition to the rights shown above, individuals have the right under GDPR Article 77 to lodge a complaint about Kandy’s practices with respect to your Personal Data with a supervisory authority, in the Member State of your habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of Personal Data relating to him or her infringes this Regulation.
Questions or inquiries about privacy issues in a particular country can be directed to the data protection authority in the UK, Switzerland, and EEA as set forth above.
Kandy understands the data minimization and storage limitation principles within the GDPR and other data protection laws which require that data be deleted when its retention is no longer required to satisfy the purposes for which it was collected, generated, or provided to Kandy by a data controller. Kandy complies with all applicable information retention laws and regulations including those associated with electronic communication service provider requirements. The following table illustrates some sample maximum retention periods employed by Kandy:
Information | Maximum Retention Period |
Marketing Contact Data | 24 months after last marketing service interaction |
Tech Support Sample Data | 24 months after case closure |
Kandy has offices, personnel, and customers located around the world. In addition to the US, the EU, and the UK, key locations include Canada, Mexico, and Turkey. If you are in a region other than the EU, EEA, the UK, Canada, or the United States, we aren’t forgetting you! If you are, or become, aware of specific changes we need to make to our privacy policy to comply with a country’s privacy or data protection laws or require an in-language version of our Privacy Policy, please let us know at privacy@kandy.io.
When we transfer data across borders, we also take supplementary measures to ensure that data is protected. If you’d like additional information about the security measures we take, please contact us at privacy@kandy.io.
Kandy may use automated decision-making leveraging a variety of signals derived from records we collect to help monitor, identify, and suspend accounts sending spam or engaging in other abusive or fraudulent activity. Holders of accounts suspended under these circumstances are notified of the suspension and given an opportunity to request a human review of the suspension decision.
Our websites, online services, desktop, mobile, and web applications are not directed toward children under the age of 13 in the US and UK, or 16 if you live in the EEA, and we do not knowingly collect any Personal Data from children under the age of 13 in the US and UK, or 16 if you live in the EEA. If a child under 13 in the US or UK, or 16 in the EEA, provided our website, online service, or mobile application with Personal Data, we may use commercially reasonable steps to promptly delete the child’s information from our records, we ask that a parent or guardian contact us by writing us at the contact information below.
In the United States, Kandy is subject to the investigatory and enforcement powers of the United States FTC, FCC, and various other federal and state agencies
In the context of an onward transfer of Personal Data, Kandy has responsibility for the processing of Personal Data it receives and subsequently transfers to a third-party agent. Kandy will remain liable under the GDPR (and possibly other regulations) if their third-party agent processes such Personal Data in a manner inconsistent with laws and regulations as legally required unless Kandy proves that it is not responsible for the event giving rise to the damage.
All employees who handle Personal Data will receive training regarding the data privacy principles and procedures under this policy and applicable law.
Translated versions of this Privacy Notice are available upon request and may be provided for convenience only. In the event of any difference in meaning between the English language version and any translated version, the English language version will prevail.
We welcome your questions, comments, and concerns about privacy. You can contact us by calling (404) 239-2863 or writing us at:
Attn: Privacy Officer American Virtual Cloud Technologies, Inc.
1720 Peachtree Street, NW, Suite 629
Atlanta, GA 30309
E-mail privacy@kandy.io
Index
APPLICANT RELATED INFORMATION
DEFINITIONS
COMPLIANCE WITH LOCAL LAWS
WHAT PERSONAL DATA OF APPLICANTS DO WE COLLECT? HOW DO WE COLLECT IT?
FOR WHAT PURPOSE(S) DO WE USE APPLICANT PERSONAL DATA?
YOUR PRIVACY RIGHTS AS AN EMPLOYEE OR APPLICANT
MONITORING APPLICANT AND EMPLOYEE INFORMATION
WITH WHOM DO WE SHARE APPLICANT AND EMPLOYEE DATA?
HOW DO WE SECURE APPLICANT DATA?
HOW CAN YOU REQUEST ACCESS TO AND UPDATE YOUR PERSONAL DATA?
HOW LONG DOES KANDY RETAIN THE PERSONAL DATA OF APPLICANTS?
WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA OF APPLICANTS OUTSIDE OF THE UNITED STATES?
We believe that our individuals applying for a position with Kandy, just like our customers, deserve a positive, proactive approach to managing the privacy of their Personal Data. We have put together this Applicant Privacy Notice to give you a better understanding of what Personal Data we collect from you as an Applicant, what we use that Personal Data for, and to whom we disclose that data. We may retain Personal Data you submit and use the information we collect about you in a variety of ways, including: to process your application; to communicate with you; to conduct applicant and employment-related statistical evaluation and record keeping; engage third-party service providers, to perform aggregated analytics to improve the applicant experience; to respond to your inquiries and requests for information; to maintain and improve our sites; to detect, prevent, or investigate security breaches or fraud; and to maintain appropriate records for internal administrative purposes.
Data privacy laws can vary in different jurisdictions where Kandy operates and has Applicants. Kandy’s policy is to comply with local laws. Some jurisdictions require us to notify Applicants in that country of its Personal Data practices, and in some cases, obtain consent to those practices. Where local laws are stricter than the policies described in this notice, Kandy has adopted specific privacy practices to satisfy those stricter requirements. Where local laws are less strict than this policy, the protections described in this notice will apply.
Effective January 1, 2023, California law pursuant to the CPRA will govern the privacy rights for Applicants of California residents, although specific rules have not yet been promulgated. This Notice attempts in good faith to set forth Kandy’s treatment of the privacy rights of Applicants as we expect them to be. Other jurisdictions may enact similar legislation. This policy will be revised if and as deemed necessary after California’s rules or the enactment of legislation elsewhere, come into effect.
Kandy’s collection, use, retention, and sharing of Personal Data must be reasonably necessary and proportionate to achieve the purposes for which the Personal Data is collected or processed, or for other compatible purposes that have been disclosed to the Applicant. Kandy may collect and store different types of Personal Data about Applicants, including but not limited to:
Usually, we collect this Personal Data directly from Applicants although, at times, third-parties or service providers may provide it with your permission, such as when we perform background checks that are necessary for the role to be performed by you. You may also consent to share certain demographic data that qualifies as Sensitive Personal Data, such as race, ethnicity, sexual orientation, gender identification, and disability to help us understand the diversity of our workforce. Applicants are not required to provide this information unless it is necessary for us to collect such information to comply with our financial and legal obligations.
Kandy uses, stores, and discloses the Personal Data that we collect primarily for the purposes of managing our employment relationship with you, such as:
We may require additional Personal Data from you as an Employee.
Generally, Applicants have the following rights:
Kandy will not sell your Sensitive Personal Data to any third party, nor process or share it for any secondary purpose without your consent and only for one of the legitimate business purposes set forth above. If you require additional information about your privacy rights as an Applicant, contact us at privacy@kandy.io.
Kandy physically and electronically monitors its offices, and use of our IT and communications systems and networks, for specific purposes. In doing so, we may come across the Personal Data of Applicants. We will always monitor in accordance with local law in a proportionate manner so as to respect your reasonable privacy expectations. In our offices, we may monitor Applicant’s activity and presence with badge readers, sign-in sheets, and surveillance cameras. We generally do these things to prevent unauthorized access to our offices and to protect employees, authorized visitors, and our property
With many Applicants and Employees working remotely, we may also monitor or record activity on our IT and communications systems and network, such as internet traffic, website filtering, email communications, or systems accessed. Subject to local law, we may also carry out monitoring for other purposes such as:
We only share your Personal Data to the minimum extent necessary with those who need it in order to perform their tasks and duties, and with service providers and third parties who have a legitimate purpose for accessing it to establish, manage or terminate your employment relationship with Kandy. This may include third parties such as employee benefit plan providers, payroll support services, legal services, professional employment services, employee travel management services providers, and IT and data processing services providers that help us operate our business. These service providers and third parties can only use or disclose Personal Data as directed by Kandy and in a manner consistent with this Privacy Notice, using appropriate data security measures, and pursuant to contractual arrangements between us.
We may also disclose your Personal Data to a service provider or third party under the following circumstances:
We use appropriate technical and organizational security measures to protect the security of your Personal Data both online and offline including the implementation of access controls, implementation of firewalls, network intrusion detection, and use of anti-virus software. The Company attempts to offer consistent standards of privacy protection to all Applicants, however, no system is completely secure, and we cannot guarantee that unauthorized access, hacking, data loss, or a data breach will never occur.
Kandy uses a wide variety of self-service tools that allow you to see and/or update and/or delete your Personal Data. If we have Personal Data that you cannot access via these self-service systems, you may make a request directly to HR or, if related to your privacy rights, by contacting privacy@kandy.io, and include sufficient information so that we may verify your identity and evaluate your right to access the Personal Data requested. We may need to deny your request in certain situations, such as when providing access might infringe on someone else’s privacy rights or impact our legal obligations.
In addition to being able to access, update, correct, and delete your Personal Data, you may also have other data protection rights, such as withdrawing prior consent for us to continue to collect and or process your Personal Data. Any processing we conducted prior to receipt of your written withdrawal of consent will not affect the lawfulness of activities previously undertaken, nor will it affect the processing of your Personal Data carried out in reliance on other lawful grounds other than consent.
We will keep your Personal Data for as long as is needed to carry out the purposes we’ve described above, or as otherwise required by law. Generally, this means we will keep your Personal Data until a decision is made about the status of your application plus a reasonable period of time as required by local employment data retention standards. This retention period is required to respond to any employment inquiries and manage legal, tax, accounting, or administrative matters.
Where we have no continuing legitimate business need to process your Personal Data, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.
If you are an Applicant outside of the United States, our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the context in which we collect it. However, we will normally collect Personal Data from you only where we have your consent to do so, where we need the Personal Data to carry out our relationship with you as an Applicant, where we need the Personal Data to comply with our legal obligations or exercise rights in the field of employment, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may need the Personal Data to protect your vital interests or those of another person, such as sharing it with third parties in the event of an emergency at work.
If we ask you to provide Personal Data to comply with a legal requirement, to perform a contract with you, or for our (or a service provider’s or third party’s) legitimate interests, we will make this clear at the relevant time and let you know whether the provision of your Personal Data is legally required or not, as well as the possible consequences if you do not provide it.
Your Personal Data may be collected, used, processed, stored, or disclosed by us and our service providers outside your home jurisdiction, including in the U.S., and in some cases, other countries. These countries may have data protection laws that are different from the laws of your country. Kandy only transfers Personal Data to another country, including within the Kandy corporate family, in accordance with applicable privacy laws, provided there is adequate protection in place for the data, or within your consent.
Many jurisdictions provide additional rights to Applicants in relation to your Personal Data, including:
You can make any of these requests by contacting us at privacy@kandy.io. If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us at privacy@kandy.io. We will respond to all requests in accordance with applicable data protection laws.
International transfers of Personal or Sensitive Personal Data between Kandy entities in the European Union or in the United Kingdom and Kandy entities elsewhere are subject to regulations set forth by the European Union (“EU”) Data Protection Authorities or the UK Data Protection authorities, respectively. Other jurisdictions such as Canada, Mexico, and the UAE have similar regulations regarding the transfer of Personal or Sensitive Data. Kandy is committed to taking steps to adequately protect Personal Data that we process regardless of where the information resides, using the European Commission’s Standard Contractual Clauses for transfers of Personal Data between the Kandy group companies and any third parties, or as otherwise required by other jurisdictions. If required, we will obtain your consent prior to transferring your Personal Data elsewhere. Further, for our EU, Mexico, UAE, or UK Applicants, the data controller of your Personal Data will be the corporate entity that employs you.
Collection, Use, and Disclosure of California Personal Information CCPA – Related Request Metrics
Effective date January 1, 2023
Appendix II provides detailed information applicable only to California residents under the California Consumer Protection Act (CCPA). It does not cover “publicly available information” as defined in the CCPA. This is a summary of the collection and use of personal information about California residents by AVC Technologies, Inc. and Kandy Communications Inc. and their direct and indirect subsidiaries (“Company,” “we,” “us,” or “our”). For more detail, you can read the Privacy Policy to which this Appendix II is annexed. This summary does not cover our handling of personal information (i) in our capacity as an employer, (ii) solely on behalf of a contractor or other third party, or (iii) in situations where the information is handled in deidentified form or is otherwise not subject to the “notice at collection” requirements of the California Consumer Privacy Act (“CCPA”).
INDEX
Categories of Personal Information Collected
We use personal information for the following purposes
“Sale” or “Sharing”
We collect the categories of personal information described below. We intend to retain this information for as long as we feel it is necessary for the purposes described further below, or for any longer period required by law. Because we may collect and use the same category of personal information for different purposes and in different contexts, there is not typically a fixed retention period that always will apply to a particular category of personal information. Examples of how long we normally intend to retain personal information in certain situations are set forth below.
During the 12 months leading up to the effective date of this Privacy Policy, we have collected different types of personal information described in our Privacy Policy. During that period, we may have made disclosures of personal information about Californians for the purposes described in the Privacy Policy, as follows:
CATEGORY OF PERSONAL INFORMATION | CATEGORIES OF ENTITIES TO WHICH WAS DISCLOSED |
Identifiers (e.g., name, mailing address, email address, phone number, username, and password) | Affiliates; vendors (e.g., vendors that handle credit card processing and shipping, provide us with data management services, manage our digital platforms, or manage our communications and perform market research for us) and third parties such as marketing partners or contractors. |
Protected Characteristics (e.g., gender, age, or other classifications under applicable law) | Same as first row, except not to vendors that handle credit card processing and shipping. |
Family Details (e.g., name of partner and household members) | Same as first row. |
Financial Information (e.g., bank account information, bank or credit card numbers, and payment information) | Same as first row (though in some cases a portion of the card number is disclosed instead of the entire number). |
Professional or Employment-Related Information (e.g., job title, department, office address and business contact information, professional communications, and correspondence) | Same as first row. |
Communications (e.g., responses to polls or surveys, questions, comments, or requests you send us) | Same as first row, except not to vendors that handle credit card processing and shipping. |
Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information (e.g., graphics, photographs, recordings of calls or meetings, and ambient humidity or temperature) | Same as first row, except not to vendors that handle credit card processing and shipping. |
Commercial Information (e.g., records of transactions) | Same as first row. |
Internet or other Electronic Network Activity Information (e.g., browsing history, search history, and interactions with our digital platforms and third-party websites and applications) |
Same as first row, except not to vendors that handle shipping. |
Geolocation Data | Same as first row, except not to vendors that handle credit card processing. |
Precise Geolocation Data | Affiliates, vendors that help us manage our digital platforms. |
Account Login Credentials | Affiliates, vendors that help us manage our digital platforms. |
Inferences drawn from any of the information identified herein | Same as first row, except not to vendors that handle credit card processing and shipping. |
During the 12 months leading up to the effective date of this Privacy Policy, we did not “sell” commercial information (transaction data) and internet or electronic network activity (like a record of a browser’s visit to our website) to marketing and advertising services to assist with such activities (as those terms are defined under the CCPA), although we may have “shared” such data or internet or electronic network activity with service providers or others with whom we do business, such as resellers. We continue to refrain from any “sale” of personal data, and limit sharing of your personal data based upon the preferences you have provided to us. We do not “sell” or “share” personal information (as those terms are defined under the CCPA) if we have actual knowledge that the individual providing the information is less than 16 years of age.
CCPA-Related Requests Metrics.
Below are metrics of CCPA-related requests received by AVCT and Kandy during the calendar year 2022.
ACCESS REQUESTS | JANUARY - DECEMBER 2022 |
Total Number of Requests Received | 0 |
Total Number of Requests Complied in whole or in part | 0 |
Total Number of Requests Denied | 0 |
DELETION REQUESTS | JANUARY - DECEMBER 2022 |
Total Number of Requests Received | 0 |
Total Number of Requests Complied in whole or in part | 0 |
Total Number of Requests Denied | 0 |
DO NOT SELL (DNS) REQUESTS | JANUARY - DECEMBER 2022 |
Total Number of Requests Received | 0 |
Total Number of Requests Complied in whole or in part | 0 |
Total Number of Requests Denied | 0 |
AVERAGE DAYS TO RESPOND | JANUARY - DECEMBER 2022 |
Total Number of Requests Received | N/A |
Total Number of Requests Complied in whole or in part | N/A |
Total Number of Requests Denied | N/A |