Privacy Policy and Notice

This Revision of the Kandy Privacy Policy is effective as of January 1, 2023

 

REVISION OF POLICY

Kandy Communications, an AVC Technologies, Inc. company, and its affiliates (“Kandy” or “We” or “Us”) reserve the right to change this privacy policy at our discretion from time to time, subject to business, technical, or legal requirements or developments. We encourage you to periodically review this Privacy Policy and particularly before you provide Personal Data to Kandy. The effective date of the newest version of the privacy policy is posted above. If you object to the changes or wish to obtain further information, please contact us at privacy@kandy.com. For previous versions of this policy, see the Privacy Policy Archive


SUMMARY OF CONTENTS OF THIS NOTICE

 

Section Name
Description of Contents
BACKGROUND AND INFORMATION VALUES Learn about Kandy and our information values. 
PURPOSE OF THIS PRIVACY POLICY The purpose of this Privacy Policy is to provide information on how we collect, store, share, and use your Personal Data.
FOR WHAT PURPOSE(S) DOES KANDY USE YOUR PERSONAL DATA? Kandy uses your Personal Data for many purposes related to your account with us, as a conduit for transmission, to facilitate audio and video images, to anonymize in an effort to enhance your experience of our products and services, to assist in the provision of technical and professional services, to collect credit card information when appropriate and to provide products and services training. Kandy does not market its products or services to children. We may also collect your Personal Data to facilitate employment relationships. 
WHERE AND HOW WE COLLECT AND USE PERSONAL DATA FOR MARKETING PURPOSES Kandy collects Personal Data such as customer account data directly from you when you visit Kandy’s website, request a product, service, or access to an event, or when you contact a member of the Kandy team or sign up for a Kandy account to use our products and services. Kandy also indirectly collects the Personal Data of your end users called customer usage data (metadata) and customer content. We process customer contact details such as your name, email, and phone number directly from you when you make a request, contact a member of our team or sign up for a Kandy account. We may also process your end users’ communications-related data such as phone numbers, email addresses, friendly names that you create for your end users, the content of communications sent by you or your end users to provide services to you and to carry out necessary functions of our business as a communications service provider. 
COOKIES, TRACKING, AND SIMILAR TECHNOLOGY Kandy uses common information-gathering tools such as cookies and similar tracking technologies to automatically collect information as you navigate our websites, our services, or when you interact with emails we send to you. You can manage these technologies easily at our  
MONITORING CUSTOMER INFORMATION We monitor in accordance with local law in a proportionate manner so as to respect your reasonable privacy expectations, in order to prevent unauthorized access to our offices and to protect employees, authorized visitors, and our property and for other legitimate business purposes including proof of business transactions and archiving, training, protection of confidential information, intellectual property and other business interests, to investigate breaches of Kandy policies and procedures, or other unlawful or improper acts, for compliance with a legal obligation; and for other legitimate purposes as permitted by applicable law. 
WITH WHOM DO WE SHARE YOUR PERSONAL DATA? We only share your Personal Data to the minimum extent necessary with those who need it in order to perform their tasks and duties and to service providers and other third parties who have a legitimate purpose for accessing it to assist us in providing products and services to you. 
HOW DO WE SECURE DATA? While there is no such thing as perfect security, we are committed to maintaining reasonable and appropriate security measures to ensure that your Personal Data is protected both online and offline. Read this section to learn more about our security measures and how you can better protect your account. Kandy provides you with many ways to make choices about your data and your end users’ data, such as accessing it, correcting it, deleting it, or updating your choices about how it is used. You can manage your choices by accessing our .
HOW LONG DOES KANDY RETAIN PERSONAL DATA? We store your information until it is no longer necessary to provide the services or otherwise relevant for the purposes for which it was collected. 
WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA WITHIN THE UNITED STATES, PURSUANT TO NATIONAL AND STATE-SPECIFIC LAWS  At the present time, there is no overarching single US federal privacy law. A comparison of current state data protection laws is provided in a chart. We provide a brief description of your rights and our obligations under the laws of the five states – California, Connecticut, Colorado, Utah, and Virginia – that have enacted comprehensive privacy legislation, and information on how to exercise your privacy and data protection rights. Generally, consent and certain legitimate business purposes provide the legal basis in the United States for processing Personal Data. Our legal basis for collecting and using Personal Data will depend on the Personal Data concerned and the context in which we collect it. However, we will normally collect Personal Data from you only where we have your consent to do so for a specific purpose, where we need the Personal Data to carry out our contract with you, where we need the Personal Data to comply with our legal obligations, or where the processing is in our legitimate interests (such as for research and development, to market and promote the services, and to protect our legal rights and interests) and are not overridden by your data protection interests or fundamental rights and freedoms. 
WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA OUTSIDE THE UNITED STATES?  You may lodge any complaints or concerns with your local data protection authority. You can find a list of the European and United Kingdom DPAs at https://ec.europa.eu/newsroom/article29/items/612080/en. A full list of contact information for Canada, the EU, the EEA, the UK, and Swiss data authorities is provided. 
HOW YOU CAN EXERCISE YOUR RIGHTS OUTSIDE THE UNITED STATES Generally, a data subject outside the United States has the right to notice, consent, and withdrawal of consent, transparency, access, accuracy, rectification, erasure (right to be forgotten), restriction of processing, objection to processing, receipt of information (right to information) and portability
YOUR RIGHTS IN CANADA In Canada, the Personal Data Protection and Electronics Documents Act (“PIPEDA”) covers how businesses handle Personal Data. 
YOUR RIGHTS IN THE EUROPEAN UNION In the EU, the General Data Protection Regulation (“GDPR”) governs how businesses handle Personal Data, including the international transfer of Personal Data. 
YOUR RIGHTS IN THE EEA, UK, AND SWITZERLAND Your privacy and data protection rights are subject to regulations set forth by the EEA data protection authorities, the UK data protection authorities, and the Swiss Data Protection Law, including the international transfer of Personal Data. 
OTHER USEFUL INFORMATION Here you’ll find other useful information about our data protection practices including with respect to children, enforcement, liability, training, translations, use of automated decision-making tools, and how to contact us with questions. 
APPENDIX I: JOB APPLICANTS In Appendix I, we describe how we address the issues in the main privacy policy for Applicants. How we address privacy issues with respect to employees is available to employees through HR Connect.
APPENDIX II: NOTICE TO CALIFORNIA RESIDENTS ABOUT THE COLLECTION, USE, AND DISCLOSURE OF PERSONAL DATA Appendix II is for California residents. It describes how we collect information, how and by whom it is used, and the categories of each. It also sets forth metrics regarding personal information collected and used for 2022.G

 

 

 

 

 

Background

Kandy, including its corporate affiliates (collectively, “Kandy” or “we” or “us” or “our”), is a cloud-based, real-time communications platform offering proprietary Unified Communications as a Service (UCaaS), Communications Platform as a Service (CPaaS), Microsoft Teams Direct Routing as a Service (DRaaS), and SIP Trunking as a Service (STaaS). Kandy's white-label solutions enable service providers, enterprises, software vendors, systems integrators, partners, and developers to enrich their applications and services with real-time contextual communications, providing a more engaging user experience. With Kandy, enterprises of all sizes and types can quickly embed real-time communications capabilities into their existing applications and business processes. Kandy collects information from you in a variety of ways when you interact with our websites and applications, regardless of whether you are a prospect or a customer.

 

 

 

OUR INFORMATION VALUES

Kandy attempts to offer consistent standards of privacy protection subject to applicable local laws. We continually monitor privacy, data protection, and security laws and regulations as they apply to our operations worldwide. Sometimes, a country’s data privacy and security laws may establish requirements that may diverge from our Privacy Policy. If a country’s law conflicts with our Privacy Policy, we use commercially reasonable steps to follow the law. Refer to our Cookie Policy in order to understand how we manage cookies.

 

uparrowTop

 

 

PURPOSE OF THIS PRIVACY POLICY

The purpose of this Privacy Policy is to provide information on how we collect, store, share, and use your Personal Data. We collect information from you in a variety of ways when you interact with our websites, desktop, and web-based applications. If you provide us with information about yourself or your company, we believe that you have the right to know why we are collecting that information and how we use it. We do not intend to sell or share any of the information you provide to us. When you use a Kandy product provided by your organization, Kandy’s processing of your Personal Data in connection with that product is governed by a contract between Kandy and your organization. If you have questions about Kandy’s processing of your personal data in connection with providing products to your organization, please contact your organization. If you have questions about Kandy’s business operations in connection with providing products to your organization, please contact your organization and/or privacy@kandy.io.

THIS NOTICE DOES NOT APPLY TO, NOR ARE WE RESPONSIBLE FOR, THE PRIVACY, INFORMATION, OR OTHER PRACTICES OF ANY THIRD PARTIES, INCLUDING ANY THIRD PARTY OPERATING ANY SITE OR SERVICE TO WHICH THE WEBSITE LINKS, INCLUDING BUT NOT LIMITED TO SOCIAL MEDIA SITES. THE INCLUSION OF A LINK ON THE WEBSITE DOES NOT IMPLY OUR ENDORSEMENT OF THE LINKED SITE OR SERVICE. YOU SHOULD CHECK THE PRIVACY NOTICES OF THOSE SITES BEFORE PROVIDING YOUR PERSONAL DATA TO THEM.

uparrowTop

 

 

 

FOR WHAT PURPOSE(S) DO WE USE PERSONAL DATA OF CUSTOMERS?

For information on how we use Personal Data of Applicants, refer to Appendix I - APPLICANT PRIVACY POLICY AND NOTICE

For information on how we use Personal Data of Employees, refer to  Employee Privacy on HR Connect.

Kandy uses, stores, and may share internally, to service providers or to our partners your Personal Data that we collect primarily for the purposes of:

  • creating a customer account;
  • providing Kandy services;
  • communicating with customer(s);
  • responding to requests for support;
  • marketing to potential customers;
  • providing information about the use of non-Kandy services through integrations or otherwise;
  • to process billing and payment services;
  • establishing training and/or development requirements;
  • connecting you to and optimizing your experience using our website, products, and services;
  • providing customer dashboards and reports;
  • conducting fraud and threat analysis, and detecting and preventing spam or unlawful or abusive activity or other wrongdoings or violations of our Acceptable Use Policy (“AUP”);
  • monitoring the performance of our data centers and networks;
  • providing IT security and administration;
  • conducting analytics to improve our website, applications, products, and service performance;
  • personalizing your experience with our websites, applications, products, and services – for example, providing you with disclosures appropriate to your location or interests;
  • complying with applicable laws and regulations, per judicial authorization or to exercise or defend legal rights;
  • for other legitimate purposes reasonably required for day-to-day operations, such as accounting, financial reporting, tax reporting, and business planning;
  • and for other lawful purposes which we will tell you about and, provided that we get your consent, to that use if required by law to do so.

Conduits: Kandy services are primarily for the benefit of customers and their end users, organizations, and subscribers in that the services transmit, route, switch or cache information and often merely serve as conduits for data - including Personal Data - transmitted by third parties and subscribers. Kandy does not determine the purposes and means of processing this Personal Data.

Audio and Video Images: Kandy services may facilitate the upload, recording, and storage of audio, video, and images by way of services such as voicemail, call recording, transcription, conference, and web collaboration recording. Users may elect to store or record Personal Data including Sensitive Personal Information (SPI) within these resources at their discretion.

Anonymized Data: Kandy may use anonymized, non-identifying data collected from the use of our Kandy services, websites, social media, and applications. This anonymized, non-identifying data may be used to enhance voice activation and recognition algorithms. Similarly, Kandy may use anonymized, non-identifying data collected from the use of our products in order to improve traffic analysis algorithms and techniques. This processing is executed under applicable terms and supports Kandy’s legitimate interests in tuning, maintaining, and enhancing these products and services.

Technical and Professional Services: Kandy provides technical support and professional services to network operators which includes post-sales product technical issue resolution, installation, and upgrade services. Certain technical issue resolution processing will include sample data required to provide the above services including Customer Proprietary Network Information (“CPNI”) and traffic data as well as other information sufficient to identify an individual.

Credit Card Information: Kandy only collects credit card information in order to bill for subscribed services or in support of entering a contract. Kandy utilizes credit card payment processing agents solely for the purpose of authenticating and securely processing payment for the services you receive. We require these agents to take reasonable and appropriate measures to protect this information from loss or misuse.

Training: Kandy provides products and solutions training services to individuals that may be delivered to student employees of our customers in an online, in-person as well as self-paced training format depending on the offering. Kandy may collect, generate and/or process certain Personal Data for the purposes of (i) student registration, communication, and billing, (ii) delivery of training content, (iii) maintenance of student online training profile/transcript, and (iv) maintenance of service consumption metrics.

Children’s Data: Kandy does not market its products or services to children.

Job Applicants and Employees: Employees, applicants, and independent contractors may also have certain rights with respect to their Personal Data. Please refer to Appendix I for additional information or contact us at privacy@kandy.io.

uparrowTop

 

 

 

 

WHY AND HOW WE COLLECT AND USE PERSONAL DATA FOR MARKETING PURPOSES

Kandy may be a Data Controller or a Data Processor: For marketing leads and website visitors, Kandy is generally the data controller (one who determines the means and purposes of processing Personal Data alone or jointly with others) of Personal Data we collect. We collect Personal Data when you visit our websites, when you provide it to us (by phone, in person, or by web form), when you register for or attend an event, when you request information regarding Kandy and when we collect it from public databases, partners, social media sites. We use this information to help us understand our customer and employee bases better, such as your industry, the size of your company, your company’s website URL, or your job history, preferences, and experiences. At times we may act as the processor of your data.

What is Personal Data?: Personal Data includes, among other data, your contact details such as name, physical address, country, email, company name, job title, and business telephone number (collectively “Personal Data”). When you visit a Kandy website, Kandy collects associated website visitor information such as IP address, geographic location, browser type, operating system, screen size, and company (collectively “Website Visitor Information”). Website Visitor Information will not be linked to your Personal Data unless you provide additional information to us (such as by filling out a form on our website) that connects the information to you. For more information on the above and choices available to website visitors please also refer to Kandy’s Cookie Policy .

We Don’t Sell or Share Your Data Without Consent: Kandy uses this data for direct marketing of Kandy products and services. Unless expressly requested by Kandy and consented by you, Kandy will not share or disclose or sell Personal Data to third parties for the purpose of their own marketing or resale activities. Please access  Do Not Sell or Share My Personal Information to memorialize your choices.

Types of Data Requested: In some places on Kandy’s public-facing websites, you can fill out web forms to ask to be contacted by our Sales Team or our Human Resources Department, sign up for a newsletter, obtain delivery of press releases, register for a Kandy event, or take a survey. The specific Personal Data requested on these forms will vary based on the purpose of the form. We will ask you for information necessary for us to provide you with what you request through the form (for example, we will ask you for your email address if you want to sign up for an email newsletter and for your phone number if you want a member of our Sales Team to call you). We may also ask you for additional information to help us understand you better as a customer, such as your Kandy use case, your company name, your role at your company, or the position you are applying for or currently hold.

Opting Out of Ongoing Communications from Kandy: If you sign up to receive ongoing communications from Kandy, like a newsletter, you can always choose to opt out of further communications by following the “unsubscribe” instructions in emails from Kandy or by sending a request to either kandymarketing@kandy.io or customersuccess@kandy.io. Kandy requires and collects Customer Proprietary Network Information (“CPNI”), and traffic data and may also collect billing information that is essential for providing the subscribed service. Opting out or declining to provide the requested data may hinder the provision of subscribed services. Please note that it may take up to three (3) days to remove your contact information from our marketing communications lists, so you may receive correspondence from us for a short time after you make your request. You will not be able to opt-out of service emails from us, such as password reset emails, billing emails, or notifications of updates to our terms unless you deactivate your account.

Storage of Your Personal Data: If you contact our Sales or Customer Support Teams, or Human Resources, those teams may keep a record of that communication, including your contact details and other information you share during the course of the communication. We store this information to help us keep track of the inquiries we receive from you and from customers generally so we can improve our products and services and provide training to team members. This information also helps our teams manage our ongoing relationships with our customers, employees, and applicants. Because we store a record of these communications, please be thoughtful about what information you share with our teams. While we will take appropriate measures to protect any sensitive information you share with us, it is best to avoid sharing any personal or other sensitive information in these communications not necessary for these teams to assist you.

Processing of Your End User’s Data: We may also process the Personal Data of your end users who use or interact with Kandy services, like the people you communicate with by way of that application. This includes data we use to route messages and metadata about messages — we refer to this data as Customer Usage Data — and it also includes the contents of communications, which we refer to as Customer Content. Kandy may process these categories of Personal Data differently because the direct relationship we have with you, our customer, is different from the indirect relationship we have with your end users.

Notice Not Applicable to End Users: If you are an end user of a Kandy customer, this Privacy Notice does not apply to the services that our customers provide to their end users. Our customers have their own policies regarding the collection, use, and disclosure of the Personal Data of their end users. If you are an end-user of one of our customers and want to learn about how that customer handles your Personal Data, we encourage you to read the customer’s privacy policy. Only the customer can assist you with requests for access or deletion.

We may combine the information we collect. For example, we might combine the information you give us with information we get from a public source. We might also combine the information we collect from you with information we get from third parties. When we do so, we treat the combined information as disclosed in this Privacy Policy and Notice. In the rare and unlikely event that Kandy wishes to use an individual’s Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual, Kandy will seek consent in advance as required by law.

uparrowTop

 

 

 

COOKIES, TRACKING, AND SIMILAR TECHNOLOGY

We use cookies and other technologies for the following purposes, subject to local law:

  • to make our websites and services function properly;
  • to improve our websites and services;
  • to make login easier (such as by remembering your user ID);
  • to recognize you when you return to our websites;
  • to track your interaction with our websites and mobile applications;
  • to enhance your experience with the website and mobile applications;
  • to remember information that you have already provided;
  • to collect information about your activities over time and across third-party websites or other online services in order to deliver content tailored to your interests; and
  • to provide a secure browsing experience during your use of our websites.

We receive information from you when you access our websites, download, and use our applications, or otherwise use our services or install our applications. This information may include device and usage Information; browsing information; cookies, including first-party cookies, third-party cookies, functional cookies, performance or analytic cookies, and targeting/advertising cookies; and Do Not Track Technology.

For additional information on how we use cookies and other technologies, and how you can determine what information we collect about you, please review our Cookie Policy (which includes information about opting out) and visit our to manage your choices.

uparrowTop

 

 

MONITORING CUSTOMER INFORMATION

Kandy physically and electronically monitors its offices, and use of our IT and communications systems and networks, for specific purposes. In doing so, we may come across Personal Data. We will always monitor in accordance with local law in a proportionate manner to respect your reasonable privacy expectations. In our offices, we may monitor customer activity and presence with badge readers, sign-in sheets, and surveillance cameras. We generally do these things to prevent unauthorized access to our offices and to protect employees, authorized visitors, and our property.

With many customers and employees working remotely, we may also monitor or record activity on our IT and communications systems and network, such as internet traffic, website filtering, email communications or systems accessed such as the use of video collaboration tools that may include chat. Subject to local law, we may also carry out monitoring for other purposes such as:

  • Proof of business transactions and archiving;
  • Training;
  • Protection of confidential information, intellectual property, and other business interests;
  • To investigate breaches of Kandy policies and procedures or other unlawful or improper acts;
  • For compliance with a legal obligation; and
  • Other legitimate purposes as permitted by applicable law.

uparrowTop

 

 

WITH WHOM DO WE SHARE CUSTOMER DATA/THE CATEGORIES OF DATA WE MAY SHARE?

Sharing your Personal Data with third parties: We only share your Personal Data to the minimum extent necessary with those who need it in order to perform their tasks and duties, and to service providers and other third parties who have a legitimate purpose for accessing it to assist us in providing products and services to you. This may include third parties such as:

  • advertising agencies;
  • network analytics providers and business partners for the purposes of better fulfilling your business needs with regards to the use of Kandy service;
  • aggregators of data for marketing purposes, etc. as otherwise set forth herein;
  • benefits, payroll, and other HR providers; and
  • IT and data processing services providers that help us operate our business.


Why we might share your Personal Data: These service providers and third parties can only use or disclose Personal Data as directed by Kandy and in a manner consistent with this Privacy Policy and Notice, using appropriate data security measures, and pursuant to contractual arrangements between us. We may also disclose your Personal Data to a service provider or third party under the following circumstances:

  • if we in good faith believe we are compelled by any applicable law, regulation, legal process, or government authority;
  • where necessary to exercise, establish or defend legal rights, including to enforce our agreements and policies;
  • to protect our rights or property, including our intellectual property;
  • in connection with regular reporting activities to other members of the Kandy corporate family;
  • to protect Kandy, our other customers, or the public from harm or illegal activities;
  • to respond to an emergency that we believe in good faith requires us to disclose data to prevent harm;
  • in connection with the corporate sale, merger, reorganization, or dissolution of the company, provided that the successor may only continue to use the data pursuant to this Policy and Notice;
  • for legitimate business reasons with regard to the sale, purchase, licensing, delivery, and use of Kandy products and services; or
  • with your consent.

Categories of Information We May Share: Kandy does not sell Personal Data to third parties. We may share certain Personal Data with third parties for our business purposes, from one or more of the following categories:

  • Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Customer Records Information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information;
  • Commercial Information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Financial Information: information includes Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service; account balance information, payment history, overdraft history, and credit or debit card purchase information; the fact that an individual is or has been a consumer of a financial institution or has obtained a financial product or service from a financial institution.; any information about a financial institution’s consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution’s consumer; any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan; any personally identifiable financial information collected through an Internet cookie or an information collecting device from a Web server or information from a consumer report;
  • Characteristics of protected classifications: Race, religion, sexual orientation, gender identity, gender expression, age;
  • Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data;
  • Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement;
  • Geolocation data: identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household;
  • Information detected by the senses: Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information: resumes, CVs, transcripts, awards, diplomas, certifications, job titles, position responsibilities, and similar information;
  • Education information: Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99); and
  • Inferences that could be used to create a profile reflecting a consumer’s: preferences, characteristics; psychological trends; predispositions; behavior; attitudes; intelligence; abilities; or aptitudes.

Categories of Business Purposes for which we Collect Data: Over the past twelve months, we may have collected and disclosed, for one or more business or commercial purposes, Personal Data from one or more of the above categories, as well as from social media channels, media, and other online sources. We retain Personal Data in each of these categories for different lengths of time, depending on the business purpose for which we collect the information, as set forth below.

Categories of Sources From Which we Collect Personal Data: This may include you; your former or current employer(s); family members; friends; schools, universities and other educational institutions; associations to which you now or may have belonged; scholarly sources including journal articles, magazine articles, news articles, monographs, nonfiction books, reference resources, textbooks; gray literature including a wide variety of documents that have not been published in the traditional sense, including unpublished conference papers; unpublished theses and dissertations; presentations; working papers; notes and logs kept by researchers; academic courseware, professors' teaching notes, students' lecture notes; company annual reports; project and study reports; institutional reports; technical reports and white papers; reports put out by government agencies; data and statistics; unpublished letters and manuscripts; patents; technical standards; newsletters, product catalogs, and certain other types of brief information with a strong informational value; social media channels, media and other online sources, or reprints of articles; customers, partners, resellers or competitors; vendors, suppliers and contractors; government agencies; software developers and others.

Categories of Third Parties to Whom We May Disclose Personal Data: Subject to and in accordance with local laws and regulations, we may disclose Personal Data to law enforcement; legal, governmental, and judicial entities; a future employer(s); family members; friends; schools, universities, and other educational institutions; associations to which you now or may belong; legal, accounting and tax personnel; news organizations; stock exchanges and other financial institutions; medical institutions and personnel; conference participants; customers, partners, resellers or competitors; vendors, suppliers, and contractors; software developers; and others.

uparrowTop

 

 

HOW DO WE SECURE DATA?

Security Safeguards: We use appropriate administrative, physical, technical, and organizational security measures to protect the security of your Personal Data both online and offline including the implementation of access controls, firewalls, network intrusion detection, and use of anti-virus software. These safeguards consider the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing as well as the risks to individuals posed by any anticipated threats and unauthorized disclosure of the information. Kandy conveys safeguard obligations to our third parties who receive Personal Data from or on behalf of Kandy during their relationship with us.

Use of Commercially Reasonable Means to Secure Your Data: We employ reasonable means to keep Personal Data accurate, complete, and current, and use commercially reasonable steps to reduce the risk that your Personal Data is subject to the loss, misuse, unauthorized access, disclosure, alteration, or destruction. as needed for the purposes for which it was collected. Although we strive to protect your data, no system is completely secure and we cannot guarantee that unauthorized access, hacking, data loss, or a data breach will not occur. Therefore, you acknowledge the risk that third parties may gain unauthorized access to your information. You are responsible for any activity under your account using your account password or other credentials.

Security Measures You Can Take: There are security measures you can take to protect your Personal Data. Keep your account password confidential and do not disclose it publicly or to unauthorized individuals — this includes accidentally distributing them in a binary or checking them into source control. Please let us know immediately if you think your password was compromised or misused. To protect the confidentiality of your account and protect against unauthorized use of your account, we recommend enabling two-factor authentication. Similarly, if you provision an API Key, you should keep that secret, as well. You should store your API Key, Account SID, and secret key in a secure location.

Collection of Data for Security Purposes: We may collect and use marketing leads, prospect information, other company stakeholder information, Customer Account Data, Customer Usage Data, Employee or Applicant data, or information collected from generally interested parties to detect, prevent, or investigate security incidents, fraud, or abuse and misuse of our platform and services. In addition, we also use records containing end-user Personal Data to debug, troubleshoot, or investigate security incidents; to detect and prevent spam or fraudulent activity, and to detect and prevent network exploits and abuse. Specifically, we monitor text message content to detect spam, fraudulent activity, and violations of our Acceptable Use Policy. We may anonymize Personal Data and use it for our legitimate business needs, and, where allowed by law, this may include records containing end-user Personal Data.

uparrowTop

 

 

 

HOW CAN YOU REQUEST ACCESS TO AND UPDATE YOUR PERSONAL DATA?

Kandy uses a wide variety of self-service tools that allow you to see, update, correct and/or delete your Personal Data. If we have Personal Data that you cannot access via these self-service systems, you may make a request by submitting a Privacy Rights Request Form and include sufficient information so that we may verify your identity and evaluate your right to access the Personal Data requested. We may need to deny your request in certain situations, such as when providing access might infringe on someone else’s privacy rights or impact our legal obligations. You may also want to withdraw prior consent for us to continue to collect and or process your Personal Data. Any processing we conducted prior to receipt of your written withdrawal of consent will not affect the lawfulness of activities previously undertaken, nor will it affect the processing of your Personal Data carried out in reliance on other lawful grounds other than consent.

uparrowTop

 

 

HOW LONG DOES KANDY RETAIN PERSONAL DATA?

Retention for a Minimal Period of Time: Kandy will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, or otherwise as required by law. Generally, this means we will keep your Personal Data until our contract or employment with you either expires or is terminated, plus a reasonable period of time after that where necessary to respond to any government inquiries, deal with legal, tax, accounting, or administrative matters, resolve disputes or to provide you with ongoing service pursuant to our contract. The criteria used to determine our retention periods include:  

  • the need to fulfill our legitimate business purpose;
  • prescription by applicable laws stated in the contract and other legal obligations; and
  • legal or regulatory obligation or investigation.

Retention for Internal Analysis Purposes: We will also retain website and mobile application usage data for internal analysis purposes.  Usage data will generally be retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our services, or we are legally obligated to retain this data for longer periods. We store your information until it is no longer necessary to provide the services or otherwise relevant for the purposes for which it was collected. This time period may vary depending on the type of information and the services used, as detailed below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible. We may also retain aggregate information beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from anonymized information retained or used for these purposes. 

Deletion Requests: If you ask Kandy to delete specific Personal Data from your Customer Account Data, we will honor this request unless deleting that information prevents us from carrying out necessary business functions, such as billing for our services, calculating taxes, or conducting required audits. More specifically, within sixty (60) days following the closure of your account, we will either delete other Customer Account Data or transform it such that it can no longer be used to identify you, with the following exceptions, depending on and in accordance with applicable law:

  • Customer Account Data is stored for as long as your account is active and then for a reasonable period thereafter (usually not longer than seven (7) years following the closure of your account) in case you decide to re-activate the services. However, we may retain invoice records, including their digital equivalent, for longer periods for legal, accounting, tax, and audit purposes.
  • Where we collect subscriber records, we will retain this data for such time as needed for legal, security, and anti-fraud purposes.
  • While you’re an active customer or employee, we retain the communications usage information generated by your use of the services and with our Customer or HR Support Teams until the information is no longer necessary to provide our services, and for a reasonable time thereafter as necessary (usually up to three (3) years after your account is closed or you cease employment with us), to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our services.
  • We may need to retain data due to special circumstances (such as due to an open investigation, audit, or other legal matter). If you have elected to receive marketing e-mails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our services, such as when you last opened an e-mail from us or visited our websites.

Device-Specific Information Retention: We collect device-specific information from you when we have provided end-user equipment to you, such as an analog telephone adapter or a VoIP phone, or you have installed our software on your device. If you do not revoke our access to this information via the privacy settings on your device, we will retain this information for as long as your account is active.

Stored Usage Records: If a Kandy product or service you use enables you to store records of your usage on Kandy’s platform, including Personal Data contained within those records, and you choose to do so, then Kandy will retain these records for as long as you instruct, up until the termination of your account. In some cases, the use of extended storage may cost more. If you later instruct us to delete those records, we will do so. Please note that it may take up to thirty (30) days for the data to be completely removed from all systems.

uparrowTop

 

 

 

WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA WITHIN THE UNITED STATES?

NATIONAL LAWS

At the present time, there is no single federal privacy law, although legislation (the American Data Privacy and Protection Act – ADPPA) has been proposed and is pending in Congress. The bill draws on many of the principles of the European Union’s privacy laws and includes provisions for:

  • Better child protection;
  • Limits on targeted ads;
  • Limited private right of action;
  • A requirement that companies minimize data collection; and
  • Appointment of a chief privacy officer requirement for some organizations.

There are some doubts about the proposal, including concerns about:

  • Creating an excessive compliance burden;
  • Stymying innovation;
  • The potential for excess litigation;
  • Enforcement loopholes; and
  • Questions around state preemption i.e., whether companies will still have to follow individual state privacy laws.

If passed, the bill would be enforced by the Federal Trade Commission (FTC), but federal regulators and state attorneys general would have the right to sue companies that misbehave. There are also industry-specific privacy laws that preempt or provide exemptions under various state laws, such as the Gramm Leach Bliley Act for financial services and the Health Information Portability and Accountability Act related to the provision of health care services. Other federal laws related to privacy include FERPA (student education records), FCRA (credit reports), ECPA, COPPA, and VPPA. For more information about how Kandy complies with these laws, please contact privacy@kandy.io.

STATE LAWS

Many states have enacted individual privacy laws. California, Colorado, Connecticut, Utah, and Virginia have enacted legislation that comes into effect during 2023. Illinois has a biometric law generally followed by most states. Many other states have bills pending in their state legislatures. Thirty-one other states have privacy laws in the works. Although the laws introduced in each state are different, the general idea is the same across the board - consumers are being given the right to know what information companies have about them, how it is collected and being used, and what third parties have access to, and how they can use the data. They also have the right to opt out of some types of data collection. Only California additionally legislates protections for employment data and business-to-business transaction data.

Businesses have a duty to provide customers with information about their stored data and to take reasonable steps to keep data secure. Additional rules may apply for sensitive data such as biometric data, immigration status, and precise location. These laws are largely enforced by state attorneys general.

For the latest on various states’ privacy laws, please contact privacy@kandy.io The following chart shows the status of privacy and data protection legislation at the state level as of 11/27/2022. Kandy’s approach is to apply the strictest state law to all customers in the United States, regardless of location. Information about the laws in California, Colorado, Connecticut, Utah, and Virginia that will be going into effect in 2023 are summarized below. 


US State Data Protection Laws 2022-11 Chart

YOUR RIGHTS UNDER CALIFORNIA LAW

California has enacted a robust set of laws that address privacy rights, which most states consider when enacting privacy legislation in their states. These include:

  • California Consumer Privacy Act (the “CCPA”), requires Kandy to disclose information about what it does with your Personal Data. Kandy collects, uses, and discloses for Personal Data for business purposes which is subject to the CCPA.  This Privacy Policy and Notice contains information required by the CCPA, as amended. Under the CCPA, individuals have privacy rights including the rights of access, deletion, opt-out, and non-discrimination. Individuals wishing to exercise their rights under the CCPA may do so by sending an email to privacy@kandy.io. Pursuant to the CCPA, Kandy does not sell or disclose Personal Data to third parties for its own direct marketing purposes. It may, however, share information with business partners and service providers with legitimate business purposes.
  • California Privacy Rights Act (“CPRA”): California has amended the CCPA with the enactment of the (“CPRA”), which becomes effective on January 1, 2023. Although rules have not yet been promulgated, the CPRA is scheduled to include the rights of employees, applicants, and contractors, and extend to Personal Data involved in a business-to-business transaction. Please see Appendix I for our Applicant Privacy Policy and Notice. The CPRA expands a private right of action to cover (1) nonredacted and nonencrypted information; and (2) email addresses with a password or security question and answer that would permit access to the account (this second category is new).
     
    • Enforcement: The CCPA, as amended by the CPRA, is enforceable by the California Attorney General and the new California Privacy Protection Agency. Although the CCPA generally does not provide a private right of action for individuals to file civil claims against companies for CCPA violations, the CCPA does provide a private right of action that allows California consumers to file civil lawsuits if their Personal Data is subject to certain data security breaches that result from the company’s failure to implement and maintain reasonable security procedures and practices. As of January 1, 2023, this private right of action may be available to a company’s California employees and B2B contacts as well.
    • Consumer’s Rights Under the CPRA: In addition to a consumer’s rights under the CCPA, the CPRA provides consumers, applicants, contractors, and employees, and those engaged in B2B transactions, with the following rights. These rights are not absolute, as there may be cases when we decline your request as permitted by law.
       
      • Right to know upon submission of a verifiable request sent to privacy@kandy.io, specific pieces of Personal Data (PI) collected, used, and disclosed/shared about the customer in the preceding twelve (12) months, including how we collect it and share it, and the categories of sources from which we have collected or shared that information in the preceding twelve (12) months including contact information, and the commercial or business reason(s) we have collected or shared that information;
      • Right for us to provide you with Personal Data we have collected about you;
      • Right to correct or delete Personal Data collected or maintained by us, subject to certain exceptions;
      • Right to opt-out of sale or “sharing” of Personal Data, where sharing includes renting, transferring, or communicating Personal Data to a third party for “cross-context behavioral advertising,” whether for monetary or other valuable consideration or not. Cross-contextual behavioral advertising is the targeting of advertising to a consumer based on the consumer’s Personal Data obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or other services, other than the business’ distinctly branded website, application, or service with which the consumer intentionally interacts. For example, companies that share B2B lead data with other companies will need to assess whether this may constitute a “sale,” and companies that share employees’ Personal Data with third-party partners will need to assess whether those partners qualify as “service providers” or whether the disclosures may constitute a “sale”;
      • Right to a website privacy policy that describes how to exercise these privacy rights; and
      • The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights. Unless permitted by the CCPA, we will not:
        • Deny you goods or services;
        • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
        • Provide you with a different level or quality of goods or services; or
        • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
    • Opt-Out Rights: You have the right to opt-out, and limit use and disclosure, of sensitive Personal Data, including SSN, license, state ID, passport, financial account, credit or debit card number, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, mail, email, text (unless the business is the intended recipient of the communication), genetic data, biometric data, personal health information, and sexual orientation.
    • Business Obligations Under the CPRA: Businesses must protect Personal Data by:
      • Minimizing data collection;
      • Limiting data retention;
      • Protecting data security;
      • Conducting privacy risk assessments and cybersecurity audits;
      • Implement new security measures after a breach that do not constitute a cure of that breach; and
      • Conducting due diligence and updating agreements of service providers, contractors, and other third-parties that process relevant employee or B2B Personal Data to ensure these contain the applicable terms required under the CCPA as expanded by the CPRA and which specify the business purpose for which Personal Data is being disclosed.
    • Business Obligation to Provide Notice at Collection: The CCPA as amended mandates that businesses provide consumers with information via a ‘Notice at Collection’. Kandy meets this notice requirement via Appendix II annexed to this Privacy Policy Notice, which along with information provided in the Privacy Center:
      • Lists all categories of Personal Data collected and processed, including any Sensitive Personal Data, the categories of sources from which the Personal Data is collected, and the categories of third parties to whom the business discloses Personal Data;
      • States the business or commercial purposes for which the information to be collected is processed and used;
      • States how long the Personal Data will be retained, or the criteria used to determine the retention periods;
      • Sets forth a description of the rights available to the individual;
      • States how individuals may exercise their rights under the CCPA as amended; and
      • Provides individual consumers with a link to the business's privacy policy.
    • Your Rights as an Individual: Kandy does not market to consumers. However, if you are a California resident and receive Kandy Services or visit our website or Apps solely as a private individual - in other words, not as a member or representative of a company or other organization, or as an applicant, employee, or contractor - you may have the right to receive a free, yearly accounting of:

      • Information identifying each third-party company to whom we may have disclosed, within the past year, Personal Data pertaining to you for those third-party's direct marketing purposes; and
      • A description of the categories of Personal Data disclosed.
    • Limited Applicability: The CPRA has limited applicability to Kandy’s business with respect to consumers and children. Business-to-business transactions and relationships with employees, applicants, and contractors may be subject to the requirements, pending promulgation of amended legislation and/or related rulemaking anticipated to occur during Q12023. We will update this policy and our processes if necessary once such regulations are put in place. If you require additional information about the CPRA, contact us at privacy@kandy.io.
  • The California Shine the Light Law (Cal. Civ. Code §§ 1798.83) requires businesses to disclose to California customers, upon request, the identity of any third parties to whom the business has disclosed Personal Data within the previous calendar year for the third-party's direct marketing purposes, along with the type of Personal Data disclosed. If you are a California resident, please see Appendix II or make such a request by contacting us at privacy@kandy.io. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that Kandy is not required to respond to requests made by means other than through the provided e-mail address.
  • California Age-Appropriate Design Code Act (“CAADCA”): On September 15, 2022, California Governor Gavin Newsom signed the CAADCA, which imposes stringent new privacy requirements on businesses that provide online products, services, or features that are “likely to be accessed” by consumers under 18 years of age. California residents under the age of eighteen (18) generally do not use our services. However, if they are registered users of our online sites, services, or applications, and have posted content or information on such sites, services, or applications, they can request that such information be removed by sending an e-mail to this email privacy@kandy.io. Requests must state that the user personally posted such content or information and detail where the content or information is posted. Kandy will make a good-faith effort to remove the post from prospective public view.

 

 

YOUR RIGHTS UNDER CONNECTICUT LAW

The Connecticut Privacy Act (“CTPA”) becomes effective on July 1, 2023. It applies to consumers, not employees or B2B transaction data, or non-profits. There is no private right of action. Under the CTPA, consumers have the following rights:

  • Right to access Personal Data;
  • Right to delete Personal Data;
  • Right to data portability;
  • Right to correct inaccuracies in Personal Data;
  • Right to opt-out of the sale of Personal Data, targeted advertising, and profiling;
  • Right to opt-in before collection, use, or processing of sensitive Personal Data including precise geolocation, racial or ethnic origin, religious or philosophical belief, genetic data, biometric data, personal health information, sexual orientation, data of a known child under the age of 13, citizenship or immigration status; and
  • Right to appeal a controller’s response to a consumer request.

The CTPA has limited applicability to Kandy’s business. If you require additional information about the CTPA, contact us at privacy@kandy.io.

 

 

YOUR RIGHTS UNDER COLORADO LAW

The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. It applies to consumers, not employees or B2B transaction data, but it does apply to non-profit entities. The draft rules impose new requirements around compliance (disclosures, handling requests, and opt-out mechanisms), data governance, management of sensitive data, and inferences requiring consent that is periodically refreshed prior to collection and use (ethnic origins, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status), data minimization and purpose limitations; and data protection impact assessments and restrictions relating to profiling. These rules are anticipated to be finalized in the first half of 2023. The state attorney general has rulemaking powers. There is no private right of action. Under the CPA, consumers have the following rights:

  • Right to access Personal Data;
  • Right to delete Personal Data;
  • Right to data portability and right to obtain a portable copy of the data;
  • Right to correct inaccuracies in Personal Data;
  • Right to opt-out of the processing of Personal Data for the purposes of targeted advertising, sale of Personal Data, or profiling used for decisions that produce legal or similarly significant effects on a consumer;
  • Right to opt-in before collection, use, or processing of sensitive Personal Data, which includes racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, personal health information, data of a known child under the age of 13;
  • Right to utilize an opt-out preference signal pursuant to a list of approved mechanisms; and
  • Right to appeal a controller’s response to a consumer request.

The CPA has limited applicability to Kandy’s business. If required, Kandy will use commercially reasonable efforts to delete both the underlying Personal Data and the Sensitive Data inferences within the time frame specified by the rules (currently proposed to be 12 hours) of collection or completion of the processing activity. Kandy will not sell or share the Sensitive Data Inferences with any processor, nor process the data for any secondary purpose. If you require additional information about the CPA, contact us at privacy@kandy.io.

 

 

YOUR RIGHTS UNDER UTAH LAW

The Utah Consumer Privacy Act (“UCPA”) goes into effect on December 31, 2023. The UCPA does not apply to employment-related data or B2B transaction data. There is no private right of action. Under the UCPA, consumers have the following rights:

  • Right to access Personal Data;
  • Right to delete Personal Data that the consumer provided to the controller;
  • Right to data portability that the consumer provided to the controller;
  • Right to opt-out of the processing for the purposes of sale of Personal Data or targeted advertising but no right to opt-out of profiling;
  • Right to opt-in before collection, use, or processing of sensitive Personal Data including precise geolocation, racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, personal health information, sexual orientation or citizenship or immigration status;
  • No right to correct inaccuracies in Personal Data; and
  • No requirement that controllers provide an appeals process.

The UCPA has limited applicability to Kandy’s business. If required, Kandy will provide Personal Data within the time frame specified for collection or completion of the processing activity. Kandy will not sell or share Personal Data. If you require additional information about the UCPA, contact us at privacy@kandy.io.

 

 

YOUR RIGHTS UNDER VIRGINIA LAW

The Virginia Consumer Data Protection Act (“VCDPA”) becomes effective on January 1, 2023. The VCDPA does not apply to employment-related data or B2B transaction data. The VCDPA has no opt-out provision and no private right of action. Under the VCDPA, consumers have the following rights:

  • Right to confirm if data is being processed;
  • Right to access Personal Data;
  • Right to delete Personal Data;
  • Right to data portability;
  • Right to correct inaccuracies in Personal Data;
  • Right to opt-out of the processing of Personal Data for purposes of targeted advertising, the sale of Personal Data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer;
  • Right to opt-in before collection, use, or processing of sensitive Personal Data, which includes racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, personal health information, data of a known child under the age of 13; and
  • Right to appeal a controller’s response to a consumer request by contacting the Virginia Office of the Attorney General at mailoag@oag.state.va.us, or by phone (804) 786 2071, or by mail to the Virginia Office of the Attorney General, 202 North Ninth Street, Richmond, VA 23219.  
  • The VCDPA has limited applicability to Kandy’s business. If required, Kandy will send Personal Data within the time frame specified for collection or completion of the processing activity. Kandy will not sell or share Personal Data. If you require additional information about the VCDPA, contact us at privacy@kandy.io.



 

HOW TO EXERCISE YOUR RIGHTS IN THE UNITED STATES

You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Data, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent has written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your Personal Data.  To make a request with respect to any of the above areas, please contact our Privacy Team at privacy@kandy.io, and we will ask you to complete a Privacy Rights Request form. You do not have to be from California to make this request.

uparrowTop

 

 

 

WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA OUTSIDE THE UNITED STATES?

Kandy is a global company with customers, employees, and offices all around the world. We are committed to abiding by all applicable data protection laws. This policy is global, applying to all Kandy collection, processing, storage, and usage of Personal Data. It applies to Personal Data regardless of format. For example, the policy applies to computerized records and electronic information as well as paper-based files. The concepts enumerated in this policy guide Kandy’s selection and expectations of its employees, service providers, resellers, agents and subcontractors, and other recipients to whom Kandy transfers and relies upon for the processing of Personal Data.

Data protection laws around the world require organizations like ours to provide a lawful basis to collect and use your information. If you are a customer outside of the United States, our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the context in which we collect it. However, we will normally collect Personal Data from you only where we have your consent to do so for a specific purpose, where we need the Personal Data to carry out our contract with you, where we need the Personal Data to comply with our legal obligations, or where the processing is in our legitimate interests (such as for research and development, to market and promote the services, and to protect our legal rights and interests) and are not overridden by your data protection interests or fundamental rights and freedoms. Legitimate interests may also include:

  • Understanding who our customers and potential customers are and their interests in Kandy products and services;
  • Managing our relationships with you and other customers;
  • Protecting the vital interests of our customers and others, such as sharing it with third parties in the event of an emergency;
  • Carrying out core business operations such as accounting, filing taxes, and fulfilling regulatory obligations which may involve service providers;
  • Responding to a request from law enforcement or in the context of a government; and
  • Helping detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of our products and services.

You may choose for what discretionary purposes we may collect, use, store and share your Personal Data at our Privacy Center. When you select your privacy preferences, we will advise you if the provision of your Personal Data is mandatory in order to access and use our products and services as well as the consequences if you fail to provide it.

Your Personal Data may be collected, used, processed, stored, or disclosed by us and our service providers outside your home jurisdiction, including in the U.S., and in some cases, other countries. These countries may have data protection laws that are different than the laws of your country. Kandy only transfers Personal Data to another country, including within the Kandy corporate family, in accordance with applicable privacy laws, provided there is adequate protection in place for the data, or with your consent.

uparrowTop

 

 

 

YOUR RIGHTS OUTSIDE THE UNITED STATES

As a data subject outside of the United States, you have multiple rights (which may vary slightly by jurisdiction) in relation to your Personal Data, including:

  • Right to notice;
  • Right to consent and withdrawal of consent;
  • Right to rectification;
  • Transparency;
  • Right to access;
  • Right to accuracy;
  • Right to rectification;
  • Right to receipt of information (right to information);
  • Right to object to the processing of your Personal Data;
  • Right to ask us to restrict processing of your Personal Data;
  • Right to request portability of your Personal Data; and
  • Right to have your Personal Data erased in several other circumstances, such as where it has been unlawfully processed, or where there are no overriding legitimate grounds for the processing.

You can make any of these requests or contact us if you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, by managing your rights at our Privacy Center or contacting us at privacy@kandy.io. We will use commercially reasonable efforts to respond to all requests in accordance with applicable data protection laws.

uparrowTop

 

 

 

HOW YOU CAN EXERCISE YOUR RIGHTS OUTSIDE THE UNITED STATES

You may lodge any complaints or concerns with your local data protection authority (DPA). You can find a list of the European and United Kingdom DPAs at https://ec.europa.eu/newsroom/article29/items/612080/en, or you can address questions or inquiries about privacy issues in a particular country to the appropriate data protection authority as follows: 

EUROPEAN UNION COUNTRY EMAIL ADDRESS
Austria

dsb@dsb.gv.at

Belgium

commission@privacycommission.be 

Bulgaria

kzld@cpdp.bg 

Croatia

azop@azop.hr or info@azop.hr 

Cypress

commissioner@dataprotection.gov.cy 

Czech Republic

posta@uoou.cz 

Denmark

dt@datatilsynet.dk 

Estonia

info@aki.e 

Finland

tietosuoja@om.fi 

France

No email address is provided.  You may contact the DPA from 9:30 a.m. to 5 p.m. by calling +33 (0)1 53 73 22 22 

Germany (there are additional regional offices)

zast@bfdi.bund.de 

Greece

contact@dpa.gr 

Hungary

privacy@naih.hu 

Ireland

info@dataprotection.ie 

Italy

segreteria.stanzione@gpdp.it 

Latvia

info@dvi.gov.lv 

Lithuania

ada@ada.lt 

Luxembourg

info@cnpd.lu 

Malta

commissioner.dataprotection@gov.mt 

Netherlands

info@autoriteitpersoonsgegevens.nl 

Poland

kancelaria@giodo.gov.pl or desiwm@giodo.gov.pl 

Portugal

geral@cnpd.pt 

Romania

anspdcp@dataprotection.ro 

Slovakia

statny.dozor@pdp.gov.sk 

Slovenia

gp.ip@ip-rs.si 

Spain

internacional@agpd.es 

Sweden

datainspektionen@datainspektionen.se 

CANADA, EEA COUNTRY, UK OR SWITZERLAND EMAIL ADDRESS
Canada You may send questions about privacy issues to the Information Centre at 1-800-282-1376 
Iceland (member of EEA) postur@dpa.is 
Liechtenstein (member of EEA)

info.dss@llv.li 

Norway (member of EEA)

postkasse@datatilsynet.no 

Switzerland

info@edoeb.admin.ch 

United Kingdom

dataprotectionfee@ico.org.uk 

 

uparrowTop

 

 

YOUR RIGHTS IN CANADA

GENERAL INFORMATION

Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner (“OPC”):

  • The privacy, which covers how the federal government handles Personal Data; and
  • The Personal Data Protection and Electronics Documents Act (“PIPEDA”) covers how businesses handle Personal Data. PIPEDA sets the ground rules for how private-sector organizations collect, use, and disclose Personal Data in the course of for-profit, commercial activities and federally regulated organizations that conduct business in Canada. It also applies to the Personal Data of employees of federally-regulated businesses such as banks, airlines, and telecommunications companies.

PIPEDA generally applies to Personal Data held by private sector entities that are not federally regulated, and conduct business in Manitoba, New Brunswick, Newfoundland and Labrador, Northwest Territories, Nova Scotia, Nunavut, Ontario, Prince Edward Island, Saskatchewan, Yukon. New regulations are expected to go into effect in Quebec in September 2023. The provinces of Alberta, British Columbia, and Quebec have private-sector privacy laws that may apply instead of PIPEDA in some cases. Alberta and British Columbia have also passed privacy laws that apply to employee information.

When Kandy transfers Personal Data out of Canada, Kandy will put in place contractual assurances that transferred Personal Data will be subject to appropriate safeguards by way of standard data protection clauses such as those adopted by the European Commission under GDPR Article 46.

 

PIPEDA’S TEN FAIR INFORMATION PRINCIPLES

Kandy makes commercially reasonable efforts to comply with PIPEDA’s ten information principles. Under PIPEDA, Personal Data means information about an identifiable individual. These principles form the ground rules for the collection, use, and disclosure of Personal Data, as well as for providing access to Personal Data. They give individuals control over how their Personal Data is handled in the private sector. In addition to these principles, PIPEDA states that any collection, use, or disclosure of Personal Data must only be for purposes that a reasonable person would consider appropriate in the circumstances. The Office of the Privacy Commissioner (“OPC”) has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones). Kandy does not use the information it collects for such purposes:

  • collecting, using, or disclosing Personal Data in ways that are otherwise unlawful;
  • profiling or categorizing individuals in a way that leads to unfair, unethical, or discriminatory treatment contrary to human rights law;
  • collecting, using, or disclosing Personal Data for purposes that are known or likely to cause significant harm to the individual;
  • publishing Personal Data with the intent of charging people for its removal;
  • requiring passwords to social media accounts for the purpose of employee screening; and
  • conducting surveillance on an individual using their own device’s audio or video functions.

Principle 1 - Accountability: Kandy is responsible for Personal Data under its control. It appointed a Privacy Officer who is accountable for its compliance with these fair information principles.

Principle 2 - Identifying Purposes: Kandy identifies the purposes for which the Personal Data is being collected before or at the time of collection. These purposes are set forth in this Privacy Policy.

Principle 3 - Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of Personal Data, as more fully as set forth above. Such collection, use, or disclosure may be limited.

Principle 4 - Limiting Collection: Kandy’s collection of Personal Data is limited to that which is needed for the purposes identified by the organization. Information is collected by fair and lawful means.

Principle 5 - Limiting Use, Disclosure, and Retention: Unless the individual consents otherwise or it is required by law, Personal Data is only used or disclosed for the purposes for which it was collected. Personal Data is kept for as long as required to serve those purposes.

Principle 6 - Accuracy: Kandy strives to keep Personal Data as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.

Principle 7 - Safeguards: Kandy protects Personal Data by appropriate security relative to the sensitivity of the information.

Principle 8 - Openness: Kandy makes detailed information about its policies and practices relating to the management of Personal Data publicly and readily available.

Principle 9 - Individual Access: Upon verifiable and written request, an individual is informed of the existence, use, and disclosure of their Personal Data and is given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 - Challenging Compliance: An individual can challenge Kandy’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, at privacy@kandy.io.

uparrowTop

 

 

 

YOUR RIGHTS IN THE EUROPEAN UNION INCLUDING INTERNATIONAL DATA TRANSFERS

International transfers of Personal or Sensitive Personal Data between Kandy entities in the European Union and Kandy entities elsewhere or third-party suppliers or service providers are subject to regulations set forth by the European Union (“EU”) Data Protection Authorities. Kandy’s service provides the technology platform for hosted cloud information and communications services which are subject to the EU General Data Protection Regulation (EU Regulation 2016/679, “GDPR”). These services typically act as a conduit for data transmitted by third parties and subscribers. Personal Data processed in the above context is typically controlled by or originated from other companies, such as our customers, subscribers, or other business partners. Kandy does not generally own, control, or direct the use of any of the Personal Data stored or processed by the above parties.

Kandy also provides services to network operators which include post-sales product technical issue resolution, installation, and upgrade services. In some cases, Kandy may collect and process Personal Data for its own legitimate business purposes including the management of business relationships with current or prospective customers, vendors, independent contractors, suppliers, service providers, resellers or partners, direct marketing of Kandy products and services, and provision of training services.

This notice contains information required under GDPR Articles 13 and 14 and details Kandy’s data controller and processor accountabilities. For our EU customers, the data controller of your Personal Data will be the corporate entity from whom you acquire our products and services. In the context of the above processing, which is subject to the EU GDPR, Kandy’s accountabilities are generally those of a data controller but may include those of a processor as defined under Chapter IV of the regulation. Accordingly, when acting as a processor, Kandy relies on the guidance and direction of the applicable data controller(s), who determine the purposes and generally the means of processing such Personal Data. When acting as a controller, Kandy provides guidance and direction to the applicable processor. Until the European Union determines a country (including the United States) satisfies its “adequacy” requirements, when Kandy transfers Personal Data out of the EU, Kandy will put in place contractual assurances that transferred Personal Data will be subject to appropriate safeguards by way of standard data protection clauses adopted by the European Commission under GDPR Article 46.

If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us at privacy@kandy.io.

uparrowTop

 

 

 

YOUR RIGHTS IN THE UNITED KINGDOM, EEA, and SWITZERLAND INCLUDING INTERNATIONAL TRANSFERS OF PERSONAL OR SENSITIVE PERSONAL DATA

Your rights in the UK, EEA, and Switzerland are like those of the EU under GDPR. International transfers of Personal or Sensitive Personal Data between Kandy entities in the EEA, Switzerland, or in the United Kingdom and Kandy entities elsewhere or third-party service providers or suppliers are subject to regulations set forth by the EEA Data Protection Authorities, the Swiss Data Protection Law, or the UK Data Protection authorities, respectively. If required, we will obtain your consent prior to transferring your Personal Data elsewhere.

For Personal Data pertaining to UK, EEA, or Swiss data subjects Kandy will only transfer or provide direct access to Personal Data covered by this policy to third parties that:

  • are located in a jurisdiction subject to the EU GDPR (or UK equivalent) or are subject to privacy laws designated to be adequate by the European Commission under GDPR Article 45; or
  • have provided Kandy contractual assurances that transferred Personal Data will be subject to appropriate safeguards by way of standard data protection clauses adopted by the European Commission under GDPR Article 46, the UK Data Protection Act (and similar safeguards in the EEA and Switzerland). 

uparrowTop

 

 

EU, EEA, UK, AND SWISS DATA SUBJECT RIGHTS

Individuals having rights governed by the EU, EEA, UK, or Swiss data protection laws may exercise the following rights as data subjects:

RIGHT SUMMARY
Notice Kandy provides required notice to individuals at points where Kandy collects Personal Data.
Consent and Withdrawal of Consent Where consent is required for Kandy to collect Personal Data, Kandy will request the individual’s consent. If you have consented to our use of Personal Data for a specific purpose, you have the right to change your mind at any time. Any decision will not affect any processing that has already occurred, nor will it affect the processing of your Personal Data conducted in reliance of lawful processing grounds other than consent. Withdrawing your consent may mean your access to the Services will be limited or suspended, and your accounts may be terminated, if applicable. Where you withdraw your consent, but we are using your information because we or a third party (e.g., your employer) have a legitimate interest in doing so, or we have a different legal basis for using your information (for example, fulfilling a contract with you), we may continue to process your information, subject to your rights to access and control your information.

Transparency,
Access,
Accuracy, and
Rectification

Individuals are provided with credentialed access to much of their own Personal Data that Kandy collects and maintains through various service portals. This enables individuals to access, review, export, and in many instances enter or certify their Personal Data.   If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement the data. You can also correct some of this information directly by logging into your Service account if you are a customer.
Erasure (Right to be Forgotten) Kandy will review and act upon requests by individuals for the erasure of Personal Data to the extent required under applicable law. Generally, individuals have the right to have some, or all, of their Personal Data erased when it is no longer necessary for the purposes for which it was collected or otherwise processed or the legal basis on which the data processing was based (e.g., consent) no longer applies.
Restriction of Processing Kandy will review and act upon requests to restrict the processing of Personal Data of individuals to the extent required under applicable law. If you ask us to restrict further processing of your Personal Data, we may have to delete your account.
Objection to Processing Kandy will review and act upon individuals’ objecting to the processing of Personal Data for certain purposes to the extent required under applicable law. Kandy will no longer process the data where it is unable to demonstrate compelling legitimate grounds for the processing.
Receipt of information (Right to Information) Generally, individuals have the right to receive information about their Personal Data which is processed by Kandy. This right to information includes information on the purposes of the processing, the categories of the processed data, the recipients to whom the Personal Data has been or will be disclosed, and the intended storage period. Upon written request to privacy@kandy.io. Kandy will provide the requesting individual with a copy of his/her Personal Data processed by Kandy.
Portability Under certain conditions, individuals have the right to receive their Personal Data which they have provided to the company in a structured, commonly used, and machine-readable format. Individuals also have the right to transmit such data to another controller if the data processing is based on the consent of the individual and the data is processed by using automated processes. In this regard, individuals should refer to their Access rights described above. You can also request that we transmit the data to someone else where it’s technically possible.

 

In addition to the rights shown above, individuals have the right under GDPR Article 77 to lodge a complaint about Kandy’s practices with respect to your Personal Data with a supervisory authority, in the Member State of your habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of Personal Data relating to him or her infringes this Regulation.

Questions or inquiries about privacy issues in a particular country can be directed to the data protection authority in the UK, Switzerland, and EEA as set forth above.

RETENTION OF YOUR DATA

Kandy understands the data minimization and storage limitation principles within the GDPR and other data protection laws which require that data be deleted when its retention is no longer required to satisfy the purposes for which it was collected, generated, or provided to Kandy by a data controller. Kandy complies with all applicable information retention laws and regulations including those associated with electronic communication service provider requirements. The following table illustrates some sample maximum retention periods employed by Kandy:

Information Maximum Retention Period
Marketing Contact Data 24 months after last marketing service interaction
Tech Support Sample Data 24 months after case closure

uparrowTop

 

YOUR RIGHTS IN OTHER PARTS OF THE WORLD AND OTHER REGIONS REQUIRING A LEGAL BASIS FOR PROCESSING PERSONAL DATA

Kandy has offices, personnel, and customers located around the world. In addition to the US, the EU, and the UK, key locations include Canada, Mexico, and Turkey. If you are in a region other than the EU, EEA, the UK, Canada, or the United States, we aren’t forgetting you! If you are, or become, aware of specific changes we need to make to our privacy policy to comply with a country’s privacy or data protection laws or require an in-language version of our Privacy Policy, please let us know at privacy@kandy.io.

When we transfer data across borders, we also take supplementary measures to ensure that data is protected. If you’d like additional information about the security measures we take, please contact us at privacy@kandy.io.

uparrowTop

 

OTHER USEFUL INFORMATION


AUTOMATED DECISION-MAKING AND MACHINE LEARNING

Kandy may use automated decision-making leveraging a variety of signals derived from records we collect to help monitor, identify, and suspend accounts sending spam or engaging in other abusive or fraudulent activity. Holders of accounts suspended under these circumstances are notified of the suspension and given an opportunity to request a human review of the suspension decision.


CHILDREN’S PRIVACY

Our websites, online services, desktop, mobile, and web applications are not directed toward children under the age of 13 in the US and UK, or 16 if you live in the EEA, and we do not knowingly collect any Personal Data from children under the age of 13 in the US and UK, or 16 if you live in the EEA. If a child under 13 in the US or UK, or 16 in the EEA, provided our website, online service, or mobile application with Personal Data, we may use commercially reasonable steps to promptly delete the child’s information from our records, we ask that a parent or guardian contact us by writing us at the contact information below.


ENFORCEMENT

In the United States, Kandy is subject to the investigatory and enforcement powers of the United States FTC, FCC, and various other federal and state agencies


LIABILITY

In the context of an onward transfer of Personal Data, Kandy has responsibility for the processing of Personal Data it receives and subsequently transfers to a third-party agent. Kandy will remain liable under the GDPR (and possibly other regulations) if their third-party agent processes such Personal Data in a manner inconsistent with laws and regulations as legally required unless Kandy proves that it is not responsible for the event giving rise to the damage.


TRAINING

All employees who handle Personal Data will receive training regarding the data privacy principles and procedures under this policy and applicable law.

 

TRANSLATIONS

Translated versions of this Privacy Notice are available upon request and may be provided for convenience only. In the event of any difference in meaning between the English language version and any translated version, the English language version will prevail.

uparrowTop

 

 

 

CONTACT US

We welcome your questions, comments, and concerns about privacy. You can contact us by calling (404) 239-2863 or writing us at:
Attn: Privacy Officer American Virtual Cloud Technologies, Inc.
1720 Peachtree Street, NW, Suite 629
Atlanta, GA 30309
E-mail privacy@kandy.io

 

 

 

 

APPENDIX I

APPLICANT PRIVACY POLICY AND NOTICE

 

Index
APPLICANT RELATED INFORMATION
DEFINITIONS
COMPLIANCE WITH LOCAL LAWS
WHAT PERSONAL DATA OF APPLICANTS DO WE COLLECT? HOW DO WE COLLECT IT?
FOR WHAT PURPOSE(S) DO WE USE APPLICANT PERSONAL DATA?
YOUR PRIVACY RIGHTS AS AN EMPLOYEE OR APPLICANT
MONITORING APPLICANT AND EMPLOYEE INFORMATION
WITH WHOM DO WE SHARE APPLICANT AND EMPLOYEE DATA?
HOW DO WE SECURE APPLICANT DATA?
HOW CAN YOU REQUEST ACCESS TO AND UPDATE YOUR PERSONAL DATA?
HOW LONG DOES KANDY RETAIN THE PERSONAL DATA OF APPLICANTS?
WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA OF APPLICANTS OUTSIDE OF THE UNITED STATES?

uparrowTop of Appendix I

 

APPLICANT RELATED INFORMATION

We believe that our individuals applying for a position with Kandy, just like our customers, deserve a positive, proactive approach to managing the privacy of their Personal Data. We have put together this Applicant Privacy Notice to give you a better understanding of what Personal Data we collect from you as an Applicant, what we use that Personal Data for, and to whom we disclose that data. We may retain Personal Data you submit and use the information we collect about you in a variety of ways, including: to process your application; to communicate with you; to conduct applicant and employment-related statistical evaluation and record keeping; engage third-party service providers, to perform aggregated analytics to improve the applicant experience; to respond to your inquiries and requests for information; to maintain and improve our sites; to detect, prevent, or investigate security breaches or fraud; and to maintain appropriate records for internal administrative purposes.

 

uparrowTop of Appendix I

 

DEFINITIONS

  • “Applicant” refers to individuals who have submitted information to Kandy, such as a resume or job application, in order to apply to be a Kandy Employee.
  • “Personal Data” means any information which relates to an identifiable, living individual and references one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.
  • “Sensitive Personal Data” means Personal Data about physical or mental health, racial or ethnic origin, political or religious views, trade union membership, sexual orientation, genetic data, biometric information, the commission or alleged commission of crime or related proceedings, Personal Data of dependents including children, and, in some countries, financial information. Sensitive Personal Data is usually subject to stricter controls and protections than Personal Data.

uparrowTop of Appendix I

 

COMPLIANCE WITH LOCAL LAWS

Data privacy laws can vary in different jurisdictions where Kandy operates and has Applicants. Kandy’s policy is to comply with local laws. Some jurisdictions require us to notify Applicants in that country of its Personal Data practices, and in some cases, obtain consent to those practices. Where local laws are stricter than the policies described in this notice, Kandy has adopted specific privacy practices to satisfy those stricter requirements. Where local laws are less strict than this policy, the protections described in this notice will apply.

Effective January 1, 2023, California law pursuant to the CPRA will govern the privacy rights for Applicants of California residents, although specific rules have not yet been promulgated. This Notice attempts in good faith to set forth Kandy’s treatment of the privacy rights of Applicants as we expect them to be. Other jurisdictions may enact similar legislation. This policy will be revised if and as deemed necessary after California’s rules or the enactment of legislation elsewhere, come into effect.

uparrowTop of Appendix I

 

 

WHAT PERSONAL DATA OF APPLICANTS DO WE COLLECT? HOW DO WE COLLECT IT?

Kandy’s collection, use, retention, and sharing of Personal Data must be reasonably necessary and proportionate to achieve the purposes for which the Personal Data is collected or processed, or for other compatible purposes that have been disclosed to the Applicant. Kandy may collect and store different types of Personal Data about Applicants, including but not limited to:

  • Contact details – home address, telephone, email addresses, and emergency contact details.
  • Educational and professional background – academic/professional qualifications, education, CV/resumé, reference letters and interview notes, criminal records data (where permissible and in accordance with applicable law).
  • Employment details – job title/position, office location, hire dates, employment contracts, performance and disciplinary records, grievance procedures, sickness/holiday records.
  • Family information – information about your marital status, your spouse or domestic partner, beneficiaries, and dependents.
  • Financial information – banking details, tax information, payroll information, withholdings, salary, benefits, expenses, company allowances, stock, and equity grants.
  • Health information – information about benefits enrollment, short or long-term disabilities, or illnesses that you might share with HR or the manager, especially in relation to any leave of absence you may need.
  • Identification data – your name, gender, photograph, date of birth, employee identification number, and languages spoken or used.
  • IT information – information required to provide access to Kandy’s IT systems and networks such as IP addresses, log files, login information, and software/hardware inventories.
  • National identifiers – national ID/passport, immigration status and documentation, visas, social security numbers (US only), and national insurance numbers.
  • Other information you choose to share with us – hobbies, social preferences, etc.

Usually, we collect this Personal Data directly from Applicants although, at times, third-parties or service providers may provide it with your permission, such as when we perform background checks that are necessary for the role to be performed by you. You may also consent to share certain demographic data that qualifies as Sensitive Personal Data, such as race, ethnicity, sexual orientation, gender identification, and disability to help us understand the diversity of our workforce. Applicants are not required to provide this information unless it is necessary for us to collect such information to comply with our financial and legal obligations.

uparrowTop of Appendix I

 

 

FOR WHAT PURPOSE(S) DO WE USE APPLICANT PERSONAL DATA?

Kandy uses, stores, and discloses the Personal Data that we collect primarily for the purposes of managing our employment relationship with you, such as:

  • determining eligibility for hiring, including the verification of references and qualifications and, where permitted by law, administering background checks;
  • complying with laws and regulations (e.g., labor and employment laws, health and safety, tax, anti-discrimination laws), under judicial authorization, or to exercise or defend legal rights;
  • to detect fraud or other types of wrongdoing;
  • facilitating IT security and administration;
  • managing workplace health and safety requirements;
  • for other legitimate purposes reasonably required for day-to-day operations, such as accounting, financial reporting, and business planning; and
  • for other lawful purposes which we will disclose, provided that you consent to that use if required by law to do so.

We may require additional Personal Data from you as an Employee.

uparrowTop of Appendix I

 

 

YOUR PRIVACY RIGHTS AS AN EMPLOYEE OR APPLICANT

Generally, Applicants have the following rights:

  • Right To Access Personal Data – you may request access to your Personal Data and information about how automated decision technologies work and what their likely outcomes are, free of charge.
  • Right to Delete – you may request deletion of your Personal Data, subject to several broad exemptions, upon receipt of a verifiable request. We will notify third-parties to whom we have legitimately shared such Personal Data, unless doing so proves impossible or involves disproportionate efforts.
  • Right to Know – You have a right to know the following, as set forth elsewhere in this policy:
    • The categories of Personal Data collected;
    • Specific pieces of Personal Data collected;
    • The categories of sources from which we collected Personal Data;
    • What the Personal Data is being used for (the business purpose);
    • The categories of third parties with whom we share your Personal Data; and
    • The categories of information that we share with third parties.
  • Right to Data Portability, and right to obtain a portable copy of the data – If the data is provided electronically, to the extent technically feasible, it will be in a readily usable format that allows you to transmit your information to another entity without hindrance.
  • Right to Correct Inaccuracies in Personal Data – you may request that we use commercially reasonable efforts to correct inaccurate Personal Data, considering the nature of the Personal Data and the purposes of the processing of the Personal Data.
  • Right to opt-out - you may opt-out of the following:
    • processing of Personal Data for the purposes of advertising;
    • sale of Personal Data to third parties, where selling is broadly defined and includes sharing or disclosing Personal Data for monetary compensation or other valuable consideration;
    • sharing of Personal Data to third parties, where sharing is defined as disclosing or making available Personal Data to third parties for “cross-context behavioral advertising,” regardless of whether money is exchanged;
    • profiling used for decisions that produce legal or similarly significant effects; and
    • use of automated decision-making technology which may include candidate screening and assessment software
  • Right to opt-in before collection, use, or processing of sensitive Personal Data, which includes racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, personal health information, data of a known child under the age of applicable to the jurisdiction governing such matters;
  • Right to Limit the Use and Disclosure of Sensitive Personal Data to that “which is necessary to perform the services or provide the goods reasonably expected by an average Applicant,” subject to certain exemptions;
  • Right to utilize an opt-out preference signal pursuant to a list of approved mechanisms; and
  • Right to appeal a controller’s response to a consumer request

Kandy will not sell your Sensitive Personal Data to any third party, nor process or share it for any secondary purpose without your consent and only for one of the legitimate business purposes set forth above. If you require additional information about your privacy rights as an Applicant, contact us at privacy@kandy.io.

uparrowTop of Appendix I

 

 

MONITORING APPLICANT AND EMPLOYEE INFORMATION

Kandy physically and electronically monitors its offices, and use of our IT and communications systems and networks, for specific purposes. In doing so, we may come across the Personal Data of Applicants. We will always monitor in accordance with local law in a proportionate manner so as to respect your reasonable privacy expectations. In our offices, we may monitor Applicant’s activity and presence with badge readers, sign-in sheets, and surveillance cameras. We generally do these things to prevent unauthorized access to our offices and to protect employees, authorized visitors, and our property

With many Applicants and Employees working remotely, we may also monitor or record activity on our IT and communications systems and network, such as internet traffic, website filtering, email communications, or systems accessed. Subject to local law, we may also carry out monitoring for other purposes such as:

  • Proof of business transactions and archiving;
  • Training and evaluation of applicants;
  • Protection of confidential information, intellectual property, and other business interests;
  • To investigate breaches of Kandy policies and procedures or other unlawful or improper acts;
  • For compliance with a legal obligation;
  • Review of, and obtain work product and the tools used, to generate that work product; and
  • Other legitimate purposes as permitted by applicable law.

uparrowTop of Appendix I

 

WITH WHOM DO WE SHARE APPLICANT AND EMPLOYEE DATA?

We only share your Personal Data to the minimum extent necessary with those who need it in order to perform their tasks and duties, and with service providers and third parties who have a legitimate purpose for accessing it to establish, manage or terminate your employment relationship with Kandy. This may include third parties such as employee benefit plan providers, payroll support services, legal services, professional employment services, employee travel management services providers, and IT and data processing services providers that help us operate our business. These service providers and third parties can only use or disclose Personal Data as directed by Kandy and in a manner consistent with this Privacy Notice, using appropriate data security measures, and pursuant to contractual arrangements between us.

We may also disclose your Personal Data to a service provider or third party under the following circumstances:

  • if we in good faith believe we are compelled by any applicable law, regulation, legal process, or government authority;
  • where necessary to exercise, establish or defend legal rights, including to enforce our agreements and policies;
  • to protect our rights or property, including our intellectual property;
  • in connection with regular reporting activities to other members of the Kandy corporate family;
  • to protect Kandy, our other customers, or the public from harm or illegal activities;
  • to respond to an emergency in which we believe in good faith requires us to disclose data to prevent harm;
  • in connection with the corporate sale, merger, reorganization, or dissolution of the company, provided that the successor may only continue to use the data pursuant to this notice; or
  • with your consent.

uparrowTop of Appendix I

 

HOW DO WE SECURE APPLICANT DATA?

We use appropriate technical and organizational security measures to protect the security of your Personal Data both online and offline including the implementation of access controls, implementation of firewalls, network intrusion detection, and use of anti-virus software. The Company attempts to offer consistent standards of privacy protection to all Applicants, however, no system is completely secure, and we cannot guarantee that unauthorized access, hacking, data loss, or a data breach will never occur.

uparrowTop of Appendix I

 

HOW CAN YOU REQUEST ACCESS TO AND UPDATE YOUR PERSONAL DATA?

Kandy uses a wide variety of self-service tools that allow you to see and/or update and/or delete your Personal Data. If we have Personal Data that you cannot access via these self-service systems, you may make a request directly to HR or, if related to your privacy rights, by contacting privacy@kandy.io, and include sufficient information so that we may verify your identity and evaluate your right to access the Personal Data requested. We may need to deny your request in certain situations, such as when providing access might infringe on someone else’s privacy rights or impact our legal obligations.

In addition to being able to access, update, correct, and delete your Personal Data, you may also have other data protection rights, such as withdrawing prior consent for us to continue to collect and or process your Personal Data. Any processing we conducted prior to receipt of your written withdrawal of consent will not affect the lawfulness of activities previously undertaken, nor will it affect the processing of your Personal Data carried out in reliance on other lawful grounds other than consent.

uparrowTop of Appendix I

 

HOW LONG DOES KANDY RETAIN THE PERSONAL DATA OF APPLICANTS?

We will keep your Personal Data for as long as is needed to carry out the purposes we’ve described above, or as otherwise required by law. Generally, this means we will keep your Personal Data until a decision is made about the status of your application plus a reasonable period of time as required by local employment data retention standards. This retention period is required to respond to any employment inquiries and manage legal, tax, accounting, or administrative matters.

Where we have no continuing legitimate business need to process your Personal Data, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.

uparrowTop of Appendix I

 

WHAT IS OUR LEGAL BASIS FOR PROCESSING PERSONAL DATA OF APPLICANTS OUTSIDE OF THE UNITED STATES? HOW DO WE HANDLE TRANSFERS OUT OF YOUR HOME JURISDICTION?

If you are an Applicant outside of the United States, our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the context in which we collect it. However, we will normally collect Personal Data from you only where we have your consent to do so, where we need the Personal Data to carry out our relationship with you as an Applicant, where we need the Personal Data to comply with our legal obligations or exercise rights in the field of employment, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may need the Personal Data to protect your vital interests or those of another person, such as sharing it with third parties in the event of an emergency at work.

If we ask you to provide Personal Data to comply with a legal requirement, to perform a contract with you, or for our (or a service provider’s or third party’s) legitimate interests, we will make this clear at the relevant time and let you know whether the provision of your Personal Data is legally required or not, as well as the possible consequences if you do not provide it.

Your Personal Data may be collected, used, processed, stored, or disclosed by us and our service providers outside your home jurisdiction, including in the U.S., and in some cases, other countries. These countries may have data protection laws that are different from the laws of your country. Kandy only transfers Personal Data to another country, including within the Kandy corporate family, in accordance with applicable privacy laws, provided there is adequate protection in place for the data, or within your consent.

Many jurisdictions provide additional rights to Applicants in relation to your Personal Data, including:

  • The right to object to the processing of your Personal Data;
  • The right to ask us to restrict the processing of your Personal Data;
  • The right to request portability of your Personal Data; and
  • The right to have your Personal Data erased in a number of other circumstances, such as where it has been unlawfully processed, or where there are no overriding legitimate grounds for the processing.

You can make any of these requests by contacting us at privacy@kandy.io. If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us at privacy@kandy.io. We will respond to all requests in accordance with applicable data protection laws.

International transfers of Personal or Sensitive Personal Data between Kandy entities in the European Union or in the United Kingdom and Kandy entities elsewhere are subject to regulations set forth by the European Union (“EU”) Data Protection Authorities or the UK Data Protection authorities, respectively. Other jurisdictions such as Canada, Mexico, and the UAE have similar regulations regarding the transfer of Personal or Sensitive Data. Kandy is committed to taking steps to adequately protect Personal Data that we process regardless of where the information resides, using the European Commission’s Standard Contractual Clauses for transfers of Personal Data between the Kandy group companies and any third parties, or as otherwise required by other jurisdictions. If required, we will obtain your consent prior to transferring your Personal Data elsewhere. Further, for our EU, Mexico, UAE, or UK Applicants, the data controller of your Personal Data will be the corporate entity that employs you.

uparrowTop of Appendix I

 

 

 

 

 

APPENDIX II: Details for California Residents Notice of Collection

Collection, Use, and Disclosure of California Personal Information CCPA – Related Request Metrics

Effective date January 1, 2023

Appendix II provides detailed information applicable only to California residents under the California Consumer Protection Act (CCPA). It does not cover “publicly available information” as defined in the CCPA. This is a summary of the collection and use of personal information about California residents by AVC Technologies, Inc. and Kandy Communications Inc. and their direct and indirect subsidiaries (“Company,” “we,” “us,” or “our”).  For more detail, you can read the Privacy Policy to which this Appendix II is annexed. This summary does not cover our handling of personal information (i) in our capacity as an employer, (ii) solely on behalf of a contractor or other third party, or (iii) in situations where the information is handled in deidentified form or is otherwise not subject to the “notice at collection” requirements of the California Consumer Privacy Act (“CCPA”).

 

INDEX
Categories of Personal Information Collected
We use personal information for the following purposes
“Sale” or “Sharing”

 

Categories of Personal Information Collected  

We collect the categories of personal information described below.  We intend to retain this information for as long as we feel it is necessary for the purposes described further below, or for any longer period required by law.  Because we may collect and use the same category of personal information for different purposes and in different contexts, there is not typically a fixed retention period that always will apply to a particular category of personal information.  Examples of how long we normally intend to retain personal information in certain situations are set forth below.  

During the 12 months leading up to the effective date of this Privacy Policy, we have collected different types of personal information described in our Privacy Policy. During that period, we may have made disclosures of personal information about Californians for the purposes described in the Privacy Policy, as follows:  

CATEGORY OF PERSONAL INFORMATION CATEGORIES OF ENTITIES TO WHICH WAS DISCLOSED
Identifiers (e.g., name, mailing address, email address, phone number, username, and password)  Affiliates; vendors (e.g., vendors that handle credit card processing and shipping, provide us with data management services, manage our digital platforms, or manage our communications and perform market research for us) and third parties such as marketing partners or contractors.
Protected Characteristics (e.g., gender, age, or other classifications under applicable law)  Same as first row, except not to vendors that handle credit card processing and shipping.
Family Details (e.g., name of partner and household members) Same as first row.
Financial Information (e.g., bank account information, bank or credit card numbers, and payment information)  Same as first row (though in some cases a portion of the card number is disclosed instead of the entire number). 
Professional or Employment-Related Information (e.g., job title, department, office address and business contact information, professional communications, and correspondence)  Same as first row.
Communications (e.g., responses to polls or surveys, questions, comments, or requests you send us) Same as first row, except not to vendors that handle credit card processing and shipping.
Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information (e.g., graphics, photographs, recordings of calls or meetings, and ambient humidity or temperature) Same as first row, except not to vendors that handle credit card processing and shipping.
Commercial Information (e.g., records of transactions)  Same as first row. 
Internet or other Electronic Network Activity Information (e.g., browsing history, search history, and interactions with our digital platforms and third-party websites and applications)

Same as first row, except not to vendors that handle shipping.

Geolocation Data Same as first row, except not to vendors that handle credit card processing.
Precise Geolocation Data Affiliates, vendors that help us manage our digital platforms.
Account Login Credentials Affiliates, vendors that help us manage our digital platforms.
Inferences drawn from any of the information identified herein Same as first row, except not to vendors that handle credit card processing and shipping.

 

uparrowTop of Appendix II

 

We use personal information for the following purposes:

  • We use information to provide you with services, including, without limitation, on our digital platforms or in connection with our products and services, and to respond to your requests, inquiries, comments, and questions. We also use information to provide our partners, service providers, contractors, resellers, and others with services. 
  • We use information to troubleshoot and improve our products and services, including, without limitation, our digital platforms. We may use the information we collect to customize your experience with us. We use information for online and offline marketing purposes. For example, we might use the information we collect to send you information about products, services, or special offers that we believe may interest you. This might include information about upcoming contests or promotions. We may use the information we collect to deliver advertisements based on your activities on our digital platforms and third-party websites and applications. For example, if you view one of our products on our website, you may receive a postcard or an online ad for that product or a related product on our digital platforms or on third-party websites and applications. For more information see our Cookie Policy.
  • We use information to communicate with you about your accounts, your subscriptions, or our relationship. For example, we might tell you about changes to our digital platforms or to your accounts or subscriptions with us. Or we might reach out to you and ask you to take a customer satisfaction survey.
  • We may use the information we collect for analytical purposes, such as to better understand the interests and preferences of our customers, people who use our digital platforms, and people who buy our products and services. For example, we may use information to generate and analyze aggregate statistics about how users interact with our digital platforms.
  • We use information as permitted or required by law and as otherwise disclosed to you. For example, we may use the information we collect to protect the rights and property of us, you, and others; to comply with any legal or regulatory obligations; to handle legal claims or disputes, or to otherwise operate our business.  

uparrowTop of Appendix II

 

“Sale” or “Sharing” 

During the 12 months leading up to the effective date of this Privacy Policy, we did not “sell” commercial information (transaction data) and internet or electronic network activity (like a record of a browser’s visit to our website) to marketing and advertising services to assist with such activities (as those terms are defined under the CCPA), although we may have “shared” such data or internet or electronic network activity with service providers or others with whom we do business, such as resellers. We continue to refrain from any “sale” of personal data, and limit sharing of your personal data based upon the preferences you have provided to us. We do not “sell” or “share” personal information (as those terms are defined under the CCPA) if we have actual knowledge that the individual providing the information is less than 16 years of age.

CCPA-Related Requests Metrics.

Below are metrics of CCPA-related requests received by AVCT and Kandy during the calendar year 2022.  

ACCESS REQUESTS JANUARY - DECEMBER 2022
Total Number of Requests Received 0
Total Number of Requests Complied in whole or in part 0
Total Number of Requests Denied 0
   
DELETION REQUESTS JANUARY - DECEMBER 2022
Total Number of Requests Received 0
Total Number of Requests Complied in whole or in part 0
Total Number of Requests Denied 0
   
DO NOT SELL (DNS) REQUESTS JANUARY - DECEMBER 2022
Total Number of Requests Received 0
Total Number of Requests Complied in whole or in part 0
Total Number of Requests Denied 0
   
AVERAGE DAYS TO RESPOND JANUARY - DECEMBER 2022
Total Number of Requests Received N/A
Total Number of Requests Complied in whole or in part N/A
Total Number of Requests Denied N/A

 

uparrowTop of Appendix II

 

 

 

Privacy Policy Archive 

uparrowTop of Policy