Effective Date: Last Updated as of March 18, 2019.
Table of Contents
- Purpose, Scope & Application
- Data Collected
- Use and Retention
- Sharing and Disclosure
- Choices and Rights
- European Users
- California Users
- Contact Us & FAQs
Supplement: E.U.-U.S. and Swiss-U.S. Privacy Shield Policy
Exhibit: Expert DPA
1.1. Directly Service. Welcome to our website, directly.com, and related marketplace platform, and related software, technology and services (collectively the “Services”) operated by Directly Software, Inc. (“Directly,” “we,” “our,” “us”). Directly provides the Services to deliver a better customer experience for our corporate enterprise customers (“Customers”). The Services combine and improve technologies for customer experience automation with empathy and expertise from people who register and qualify as end-user experts on the Services (“Experts”). Experts are eligible to accept routed requests to perform tasks via the Services as specified by the applicable Customer, including to resolve customer service questions (“Answers”), to train technology systems for automation (“Training”), and to update knowledge databases (“Knowledge Base”, collectively “Expert Content”).
Our Services (including directly.com) are intended for adults and not for children: Anyone under the age of 18 is not permitted to access or use directly.com or the Services. If you are under the age of 18 you are prohibited from registering for or using a Directly Account or submitting any Data to us.
2. Data Collected
2.1. Experts and Registration for a Directly Account. We collect Personal Data in different ways. You can visit Directly.com and certain subdomains without registering, but to become an authorized Expert eligible to respond to requests and submit Expert Content, you will need to create an account with Directly (“Directly Account”) and submit the following types of Personal Data: legal name, email address and/or mobile phone number, a personal “headshot” photo, physical mailing address, birthdate, verification phone number, and government identification (“Expert Registration Information”). Experts also have the option to create a user profile containing a description of why they should be considered a “team expert,” as well as top skills and language abilities. We use elements of the Expert Registration Information to verify your identity, combat fraud and keep our Services, Experts, Customers and partners secure. By registering for a Directly account, you authorize us and/or our Third-Party Providers to verify Registration Information, including your identity.
As described in our Terms, Directly or Customers may impose additional terms and duties for your eligibility (“Supplemental Terms”). You will be given an opportunity to review and consent to such Supplemental Terms. For example, where a Customer or applicable data protection law requires special expert certification measures, and subject to your consent, Experts may be asked to provide additional Personal Data relating to professional background.
2.2. Log and Usage Information. We also collect other types of Data, which may be construed as Personal Data in certain jurisdictions, including the following: website usage information such as how you’ve used our Services, IP address, and other technical data such as browser type, unique device identifiers and information, language preference, referring site and the date and time of access, operating system, and mobile network information; approximate location data (from IP address); information regarding interactions with directly.com, such as comments, poll responses; and other information you may provide such as contact form submissions.
3. Use and Retention
3.1. Personal Data Use. We and our Third Party Providers use Personal Data to: (i) provide our Services; (ii) promote, analyze and improve our Services; (iii) detect and prevent fraud, harmful or abusive conduct, or other harm to Experts, Customers, Directly and third parties. Some examples of how we may use Personal Data include:
- Creating your Directly Account,
- Identifying you on our system, and verifying your actual identity and Registration Information, to ensure the security of our Services and enable you to send or respond to certain routed Tasks,
- Responding to your inquiries, to administer and improve our website and Services,
- Informing the applicable Customer of your relevant activity on the Services,
- Providing technical support and responding to inquiries by Experts and Customers,
- Soliciting input and feedback to improve and customize your Expert experience,
- Informing you about new features, services, and programs on the Services,
- Customizing your use of the Services and/or content, or other material that we may send to you from time to time,
- Conducting aggregate analysis and developing business intelligence that enable us to operate, protect, make informed decisions, and improve and report on the performance of our Services and business,
- For audits, regulatory purposes, or compliance with industry standards,
- For any other purpose, provided we disclose this to you at the relevant time, and provided that you agree to the proposed use of your Personal Data.
3.2. Retention. Where Directly is processing and using your Personal Data, as permitted by law or under your consent, we will store your Personal Data (i) only for as long as is required to fulfil the purposes set out below, (ii) until you object to Directly’s use of your Personal Data (where Directly has a legitimate interest in using your Personal Data), or (iii) until you withdraw your consent (where you consented to Directly using your Personal Data). However, where Directly is required by mandatory law to retain your Personal Data longer, or where your Personal Data is required for Directly to assert or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. Please note that we have a variety of obligations to retain Personal Data and Other Data you provide to us, including to ensure that rewards and associated payments can be appropriately processed consistent with applicable law and our legal obligations. Accordingly, even if you close your Directly Account, we may retain certain data to meet our obligations.
4. Sharing and Disclosure
4.1. General. Directly does not sell or rent Personal Data to marketers or unaffiliated third parties. Generally, we will share Personal Data collected by Directly with Third-Party Providers only in limited circumstances, including: (i) with your consent; (ii) to an authorized Third-Party Provider who meets our data protection standards; or (iii) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other legal process, or to enforce our Terms.
4.4. Experts. We disclose certain limited content of each request for Answers (e.g., non-personally identifiable usernames or first names of Experts). We also share Other Data with Experts about their responses to Answers and the generation of Expert Content.
4.5. Customer Users. We disclose the content of the responses to Answers (including the first name of the Expert who responded) to the Customer who generated the request for Answers (and to any subsequent Customer end users that pose a similar request). When an Expert responds to requests for Answers by end users posted via the Services, certain limited and filtered Data contained in the Answer, such as non-personally identifiable user name(s), and the text of the response to the Answer will be shared by us with the Customer and other Personal Data (such as an Expert’s headshot or picture) will be accessible to certain authorized Customer end users.
4.6. Usage Data. Directly will not use or disclose (except as expressly provided herein) the personal data of Experts, except to provide the Services as specified herein, but, except where prohibited by applicable law or legal duty, may use and disclose data about usage of the Services that does not identify or reasonably could be anticipated to be used to identify any individual user of the Services or otherwise constitute Personal Data (“Usage Data”). We share Usage Data about our Website and Services with our business partners. We reserve the right to use and disclose Usage Data for any purpose and to any third parties subject to the terms herein.
4.8. Legal Disclosures. We reserve the right to disclose your Other Data and Personal Data as required by law, in connection with any legal investigation, when we believe that disclosure is necessary to protect our rights (or those of other Users) and/or to comply with a judicial proceeding, court order, warrant, subpoena, or legal process served on us.
4.9. Communications. Services/Services-related Announcements. We will send you services-related announcements when it is necessary to do so. For instance, if our Services are temporarily suspended for maintenance, we might send you an email or other communications. App Notifications. We may send you notifications on your mobile device. You may disable these notifications in the settings of your device. Customer Service. Based upon the Personal Data you provide us, we will send you a welcoming email to verify your username and password. We will also communicate with you in response to your inquiries, to provide the services you request, and to manage your Directly Account. We will communicate with you by email or telephone, in accordance with your indicated preferences.
5. Choices and Rights
5.2. Access Rights. Individuals located in certain countries, such as the European Union or EEA, have certain statutory rights in relation to their Personal Data. Please read section 7.5 below carefully so you understand all your rights and how to exercise them.
The security of your Personal Data is important to us. We follow generally accepted industry standards to protect the Data submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while we strive to use commercially acceptable means to protect your Data, we cannot guarantee its absolute security.
We urge you to take steps to keep your Personal Data safe (including your account password), and to log out of your account after use. If your Directly Account is hacked, this may lead to unauthorized access, so be careful to keep your account data secure. You use our Website and Services at your own risk, and you’re responsible for taking reasonable measures to secure your account (like using a strong password).
7. Important Information for European Users
7.2. Safeguards for Exports from EEA. If you are located in the EEA or Switzerland, we comply with applicable laws to provide an adequate level of data protection for the transfer of Personal Data. Directly is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework. For more, see Directly’s Privacy Shield Policy. You agree that Directly may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards when Directly transfers Personal Data originating from the European Union or Switzerland to other countries not deemed adequate under applicable data protection law:
- E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. To comply with European Union and Swiss data protection laws, Directly self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to enable companies to comply with data protection requirements when transferring Personal Data from the European Union and Switzerland to the United States. To learn more about the Privacy Shield Program, please see http://www.privacyshield.gov/welcome.
- European Union Model Clauses. Directly offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union, and other international transfers of Personal Data. A copy of our standard data processing addendum, incorporating the Model Clauses, is available here.
7.3. Legal Basis for Processing. If you are an individual residing in the EEA, we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the specific aspects of the Services you use and how you use them. This means we collect and use your information only where:
- We need it to provide you with or operate the Services, including to provide customer support and personalized features and to protect the safety and security of the Services;
- It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for anti-fraud protection or to protect our legal rights and interests;
- You give us consent to do so for a specific purpose; or
- We need to process your data to comply with a legal obligation.
If you have consented to our use of your Personal Data for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your Personal Data because we or a third party have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services or associated services.
7.4. Identifying Data Controller and Data Processor and Different GDPR Roles. Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of data. It is important to note that Directly acts both as a Data Controller and as a Data Processor within the realm of GDPR compliance: (a) As a Data Controller, Directly is responsible for safeguarding the data of our registered expert users as they interact directly with our marketplace platform and our visitors to directly.com; (b) As a Data Processor, Directly is responsible for safeguarding the data of our Customer’s end users as it flows through our marketplace platform.
Each of Directly’s Customers is the controller of its end users’ personal data. In this context Directly serves as the processor of such personal data under instructions from each controller. Each Customer is also responsible for making sure that their respective Customer end user’s privacy rights are protected, including responding to data subject requests. Directly will respond to such data subject requests from Customers and Customer end users as a Data Processor; this means with respect to Personal Data of Customer end users, we must respond as a matter of law and contract through our Customer. On the other hand, with respect to Experts, Directly serves as the controller of Expert Personal Data and will directly respond to data subject request rights from Experts.
7.5. Access Rights. Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, such individuals may have the right to request access to their Personal Data, as well as to seek to update, delete or correct this information. They also have a right to restrict or object to processing and to data portability, where applicable. We may be legally required or permitted to deny all or part of your request and, if we do deny your request, we will endeavor to explain the reasons underlying our decision.
7.6. Data Protection Authority and Representative. Subject to applicable law, you may also have the right to (i) restrict Directly’s use of certain data elements that constitute your Personal Data and (ii) lodge a complaint with your local data protection authority or the Irish Data Protection Commissioner, which is Directly’s lead supervisory authority in the European Union. If you are a resident of the European Economic Area and believe we maintain your Personal Data within the scope of the General Data Protection Regulation (GDPR), you may direct questions or complaints to our European GDPR representative. To find the data protection authority in your country, please refer to this contact list. Our GDPR Data Protection Representative is DPR group and can be contacted by sending an email to email@example.com quoting “Directly Software Inc.” in the subject line.
8. California Users – Do Not Track
Because there is no accepted standard on how to respond to Do Not Track signals, we respond to such signals.
10. Contact Us & FAQs
How does Directly and its Services Operate? As detailed in our Terms, Directly has entered into separate agreements with each Customer to govern the delivery, access and use of the Services including instructions for the processing of the personal data of their respective Customer end users. Each Customer licenses Directly technology and configures their help desks to enable its Customer end users to post Tasks to the Services for routing to Experts.
What Role does Directly serve in Data Protection? It is important to note that Directly acts both as a Data Controller and as a Data Processor within the realm of GDPR compliance: As a Data Controller, Directly is responsible for safeguarding the data of our Experts as they interact directly with our marketplace platform and our visitors to directly.com. As a Data Processor, Directly is responsible for safeguarding the data of our Customer Users as it flows through our marketplace platform.
Who is my Data Controller? If you are a visitor to Directly.com or an Expert of the Services your Data Controller is Directly Software Inc., 333 Bryant Street, #250, San Francisco, CA 94107 USA. If you are a Customer User (i.e., an individual that posted a support Request via a Customer’s website or digital property), then the Data Controller of your personal data is your respective Customer and you should direct all questions about your Personal Data to that Customer.
Duration of processing of Personal Data. Where Directly is processing and using your Personal Data as permitted by law or under your consent, we will store your Personal Data (i) only for as long as is required to fulfil the purposes set out below, (ii) until you object to Directly’s use of your Personal Data (where Directly has a legitimate interest in using your Personal Data), or (iii) until you withdraw your consent (where you consented to Directly using your Personal Data). However, where Directly is required by mandatory law to retain your Personal Data longer or where your Personal Data is required for Directly to assert or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. See Section 3.2, “Retention Period,” above.
Why am I required to provide Personal Data? As a general principle, your granting of any consent and your provision of any Personal Data hereunder is entirely voluntary; there are generally no detrimental effects on you if you choose not to consent or to provide Personal Data. However, there are circumstances in which we cannot take action without certain Personal Data, for example, because this Personal Data is required to process your registration or provide you with access to our Services. In these cases, we cannot provide you with what you request without the relevant Personal Data.
Data subjects’ rights. Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of data. Each Customer is the controller of its Customer end user’s Personal Data and in this context Directly serves as the processor of such personal data under instructions from each controller. Each Customer is also responsible for making sure that their respective customers or end user’s privacy rights are protected, including responding to data subject requests. Directly will respond to such data subject requests from Customer end users as a processor which means that it will contact and follow the advice of the controller Customer with respect to such requests. With respect to Personal Data of Experts, Directly serves as the controller of such data and will respond to data subject request rights. Please refer to Section 5 “Choices and Rights”, above, for additional information on your rights. Experts can request information about the Personal Data Directly stores about you, and the correction or deletion of such Personal Data. Please note, however, that we can delete your Personal Data only if there is no statutory obligation or prevailing right of Directly to retain it. If you request that Directly delete your Personal Data, you will not be able to continue to use the Services that require Directly’s use of your Personal Data. See Section 5, “Choices and Rights,” above.
Right to lodge a complaint. If you believe that Directly is not processing your Personal Data in accordance with the requirements set out herein or applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country in which you live or our GDPR Data Protection Representative. See Section 11 for Details.
Effective April 12, 2018. Directly Software Inc. (“Directly”, “we”, “our” or “us”) has subscribed to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, “Privacy Shield”). Directly adheres to the Privacy Shield Principles including the Supplemental Principles, (collectively, the “Privacy Shield Principles”) for Personal Data received from entities in the European Economic Area (the “EEA”) and Switzerland.
Privacy Shield Principles
If you are a Customer, Directly may act as an agent for you in relation to the Personal Data that you provide or make available to Directly. Directly usually does not have a relationship with any users or customers of our Customers and each Customer is responsible for ensuring that their users are provided with appropriate notice and choice with respect to their Personal Data.
2. Data Integrity and Purpose Limitation. We only collect Personal Data that is relevant to providing our website and associated Services. We process Personal Data in a way that is compatible with us providing the Services to you, or in other ways, for which we will provide you notification. We take reasonable steps to ensure that the Personal Data received under the Privacy Shield is needed for Directly to provide its Services, and to ensure data is accurate, complete, and current.
4. Data Security. We use reasonable and appropriate physical, electronic, and administrative safeguards to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and the risks involved in processing that information.
When Directly acts on behalf of its Customers, Directly will assist Users in responding to individuals exercising their rights under the Privacy Shield Principles.
If you are a user or customer of any Directly Customer, please contact the Customer directly with your request to access or limit the use or disclosure of your Personal Data. If you contact us with the name of the Customer to which you provided your Personal Data, we will refer your request to that Customer and support them in responding to your access request.
6. Recourse, Enforcement and Dispute Resolution. If you have any questions or concerns, please write to us at the address listed below. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the Privacy Shield Principles.
In the event we are unable to resolve your concern, you may contact JAMS, which provides an independent third-party dispute resolution body based in the United States, and they will investigate and assist you free of charge. A binding arbitration option may also be available to you in order to address residual complaints not resolved by any other means. Directly is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”).
7. Contact Information. If you have any questions regarding this Privacy Shield Policy, please contact us by email at firstname.lastname@example.org, or please write to the following address: Directly Software, Inc. Attention: Directly Legal 333 Bryant Street, #250, San Francisco, CA 94107
Expert Data Protection Addendum
This Directly Data Processing Addendum (the “DPA”) supplements, and is incorporated into, the Terms of Service (the “Terms”) between Directly and you as an Expert. The parties agree as follows:
1. Purpose and Scope.
1.1 Except as modified below, the Terms shall remain in full force and effect; if there’s any conflict between this DPA and the Terms or any other agreement between the parties, the provisions of this DPA shall take precedence.
1.2 The European Union General Data Protection Regulation 2016/679 (“GDPR”) requires all Experts to contractually undertake certain data protection commitments with respect to “Personal Data” (as defined below) they may Process on Directly’s behalf. To ensure compliance with the GDPR, Experts must agree to the terms of this DPA.
All capitalized terms used but not defined in this DPA shall have the meaning given to them in the Terms.
2.1 “Confidential Information” means the definition ascribed in the Terms (see Terms, Section 7, Confidential Information).
2.2 “Data Protection Laws” means (a) any applicable law with respect to any Personal Data to which Directly is subject and (b) European Data Protection Laws.
2.3 “Data Subject Request” means a data subject’s request to exercise that person’s rights under Data Protection Laws in respect of that person’s Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the Processing of, restrict the Processing of or delete such Personal Data.
2.4 “European Data Protection Laws” means the GDPR, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, any applicable legislation of European Union Member States passed to implement the foregoing, and any other applicable data protection, privacy or data security laws or regulations in the European Economic Area, United Kingdom, Switzerland, or any other applicable European jurisdiction, in each case, as they may be amended, replaced or supplemented from time to time.
2.5 “Expert” means a natural person who is a party to this DPA.
2.6 “Personal Data” means any information about an identified or identifiable natural person and any other “personal data” governed by applicable Data Protection Laws that Expert Processes in connection with the Expert’s performance of the Services.
2.7 “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks established respectively by the European Commission and the United States Department of Commerce and the Swiss Administration and the United States Department of Commerce.
2.8 “Process” means any operation or set of operations which is performed on Restricted Information or sets of Restricted Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.9 “Restricted Information” refers collectively to “Confidential Information” and “Personal Data” of any source and includes any information Processed by Expert in connection with the Expert’s performance of the Services.
2.10 “Security Incident” means a reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
2.11 “Services” means Expert’s authorized participation, activity and content on and through the platform Directly provides to its customers, including but not limited to, responses relating to tasks and questions about specific products and services for which the Expert is approved.
3. Your Data Protection Duties.
You acknowledge and agree to the following:
3.1 You will Process Personal Data only in accordance with the Terms, Data Protection Laws and Directly’s written instructions communicated by Directly to you from time to time in writing.
3.2 Without limiting the generality of sub-section 3.1, you agree as follows:
3.2.1 You will keep all Restricted Information in strictest confidence and will not copy, use, store, disclose or otherwise Process any Restricted Information except to perform the Services;
3.2.2 You will take appropriate technical and organizational measures (including but not limited to the Expert Standards (which are incorporated herein and may be updated by Directly from time to time)) to ensure the confidentiality, integrity and availability of any computers or other systems that you use to perform the Services and protect against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Restricted Information transmitted, stored or otherwise Processed;
3.2.3 You will only subcontract, delegate or engage any other individual or entity to assist with performance of the Services with the prior written approval of Directly, and pursuant to the completion of a prior data protection and security audit, the implementation of additional data protection and security safeguards and other such measures as Directly reasonably determines is necessary under applicable law.
3.2.5 You will make available to Directly all information necessary to demonstrate compliance with the obligations set forth in this DPA and the Data Protection Laws and to allow Directly to conduct audits, including inspections, of your compliance with the obligations set forth in this DPA;
3.2.6 If instructed by Directly, you agree to promptly notify Directly and cooperate to provide the circumstances underlying any receipt or access of Personal Data and to confirm you have promptly and permanently deleted any such Personal Data in your possession, together with any existing copies, unless directed otherwise;
3.2.7 If you receive any request, demand, or inquiry regarding Personal Data (“Personal Data Request”) other than from Directly, including, without limitation, any Data Subject Request or other request received from a regulator or other governmental body, you agree to NOT respond to any such Personal Data Request except in accordance with Directly’s written instructions or as otherwise required by the Data Protection Laws;
3.2.8 You will promptly and without undue delay cooperate, assist, and take such action as Directly may reasonably request to allow Directly to fulfil its obligations to Customers and their Data Subjects or under Data Protection Laws in respect of such a Personal Data Request, including, without limitation, meeting any deadlines imposed by such obligations; You will notify Directly without undue delay and in no event later than 48 hours upon your becoming aware of a Security Incident, and provide Directly with sufficient information to allow it to meet any legal or contractual obligations to report the Security Incident;
3.2.9 You will cooperate with Directly and its authorized agents and representatives to take such reasonable steps as are directed by Directly to assist in the investigation, mitigation and remediation of any Security Incident;
3.2.10 You will provide reasonable assistance to Directly and its Customers with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Directly or its Customer reasonably considers to be required by the Data Protection Laws;
3.2.11 You will immediately inform Directly, in writing, if in your opinion, an instruction violates Data Protection Laws;
4. General Terms.
4.1 The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
4.2 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in Terms, or if different, the laws required to govern under European Data Protection Laws.
4.3 Directly may amend this DPA from time to time as is reasonably necessary to comply with Data Protection Laws and such amendments shall become binding upon giving Expert notice of such changes.