Privacy Policy

Last updated November 2020

sonarCX (“we,” “us,” or “our”) provides a SaaS customer relationship management platform that elevates the customer experiences that our business clients (“Client,” “you,” or “your”) provide the customers/end-users of their products and services (“Customers”). sonarCX does this by allowing our business clients to collaborate and organize their work, collect and centralize customer information, and optimize communications between our business clients and the customers/end-users of their products and services. This Product Privacy Statement explains how SonarCX collects, uses, discloses, and otherwise processes Customers’ personal information or personal data on behalf of our Clients in connection with our Clients’ use of our products and services (collectively, the “Services”).

Scope

Personal information or personal data refers to any data or information that can be used to identify a natural person, and is subject to applicable data protection laws, such as the EU General Data Protection Regulation 2016/679 (“GDPR”) or the California Consumer Privacy Act (Assembly Bill 375), as amended (“CCPA”). We use the term “Personal Data” throughout this Product Privacy Statement to mean, as applicable, “personal data” (under the GDPR), “personal information” (under the CCPA), or similarly defined personally identifiable information governed by an applicable data protection law that is made available to SonarCX in connection with the Services.

With respect to cases in which SonarCX collects or receives Personal Data under and/or pursuant to the direction of our Clients, SonarCX is acting as a data processor (under GDPR) or service provider (under CCPA), and our Clients are the data controllers (under GDPR) or businesses (under CCPA) with respect to such Personal Data. To this end, if not stated otherwise in this Product Privacy Statement or in a separate disclosure, we process such Personal Data as a processor/service provider on behalf of our Clients (and their affiliates) who are the controller/business that have collected the Personal Data.

SonarCX’s processing of Personal Data in connection with the Services is governed by this Product Privacy Statement and our agreements with each Client, including our Master Subscription Agreement and our Data Processing Policy (in each case, a “Client Agreement”). In the event of any conflict between this Product Privacy Statement and the corresponding Client Agreement, the Client Agreement will control to the extent permitted by applicable law.

For detailed privacy information related to a Client who uses our Services to process Personal Data, please contact our Clients directly. We are not responsible for and have no control over the privacy or data security practices of our Clients, which may differ from those explained in this Product Privacy Statement. This Product Privacy Statement is also not a substitute for any privacy notice that our Clients are required to provide to their Customers, employees and other personnel authorized to use the Services (“Client Users”), or other end-users. An individual who seeks access, or who seeks to correct, amend, or delete Personal Data that is stored in our Services on behalf of our Clients, in each case as permitted by applicable data protection laws, should direct their query to our Clients (the data controller/business).

This Product Privacy Statement does not apply to any personal information or personal data collected by SonarCX on our websites or through other channels for marketing purposes.

What Personal Data Does SonarCX Collect or Receive through the Services?

SonarCX receives or collects Personal Data which is stored in or transmitted via the Services by, or on behalf of, our Clients. This may include Personal Data such as contact information of our Client’s Customers (first and last name, email or physical address, social media handle, telephone number and IP address), gender, SSN, driver’s license, other information depending on the insurance policy being sold, conversation history between Client Users and their Customers, medical information (for Clients who are covered entities and have engaged SonarCX as a business associate under HIPAA) and other data our Clients collect about their Customers’ use of their products and services. This Personal Data may be provided to us directly by our Clients or through third-party services such as connections and/or links to third party websites and/or services that SonarCX enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks (“Third-Party Applications”).

We also collect Personal Data from Client Users such as name, email address, third-party account credentials and data about Client Users’ devices (such as browser type, operating system, device identification number and IP address) and usage of our Services (such as pages viewed, date/time stamps and searches performed) through log files and other technologies, some of which may qualify as Personal Data. This Personal Data may be received or collected by us directly from our Clients and Client Users, through Third-Party Applications or by automated means, such as cookies (e.g. essential cookies) and web beacons through our use of sub-processors.

How Does SonarCX Use Personal Data?

We use the data we collect at the instruction of our Clients and in accordance with our Client Agreements, to operate and provide the Services and for related internal purposes, including: (a) enabling Client Users to access and use the Services; (b) maintaining the security of the Services; (c) providing information about the Services, responding to inquiries, complaints, and requests for support; (d) as we believe necessary or appropriate to comply with applicable law, enforce the terms and conditions that govern the Services, protect our rights, privacy, safety or property, and/or that of you or others, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity; and (e) improving our Services, including by using aggregated and/or de-identified data.

How Does SonarCX Share Personal Data?

We share the Personal Data we collect with (a) our Clients and Client Users, to the extent the Personal Data pertains to Client Users and Client’s Customers; (b) sub-processors that help us provide, manage, secure and improve the Services and (c) Third-Party Applications that you have set up for integration.

Client Users that register, install or access any Third Party Applications may be required to accept privacy notices provided by those Third Party Applications. Please review those notices carefully, as SonarCX does not control and cannot be responsible for these Third Party Applications’ privacy or information security practices.

We may also share Personal Data with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Services; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, in the event of active or prospective litigation or arbitration, for regulatory compliance efforts and/or audit.

How Does SonarCX Secure and Protect Personal Data?

The security of Personal Data is important to us. SonarCX uses generally accepted physical, electronic, and procedural safeguards to protect Personal Data submitted to us (both during transmission and once it is received) from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction in accordance with applicable law to protect the Personal Data.

If Client Users access the Services via a third party site or service, they may have additional or different sign-on protections via that third party site or service. Clients must prevent unauthorized access to Client Users’ account and Personal Data stored in the Services by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account. We also recommend that our Clients take steps to protect against unauthorized access to any devices, networks and applications (including Third Party Applications) connected to, or integrated with, the Services.

We endeavor to protect the privacy of Client Users’ accounts and the Personal Data we store in the Services. Unfortunately, we cannot guarantee that any safeguards or security measures will be sufficient to prevent a security problem.

Cross-Border Data Transfers

The Services are hosted and operated in the United States (“U.S.”) and the European Union (“EU”) through SonarCX and our sub-processors. In order to provide the Services, SonarCX or our sub-processors may transfer Personal Data outside of the country in which Customers and Client Users are located, including to the U.S. or to other jurisdictions that may not be subject to equivalent data protection laws. See the Client Agreements for additional information regarding how SonarCX safeguards Personal Data transferred across borders, including the additional protections we offer to safeguard the privacy rights of EU residents.

Data Retention

We retain Personal Data that we process on behalf of our Clients so long as SonarCX’s contractual obligations remain with our Clients. We endeavor to delete Personal Data as soon as reasonably practicable, but in no event more than ninety (90) days following the termination of our contractual relationship with a Client unless a longer retention period is requested by a Client and agreed to by us. For deletion of all other Personal Data and/or for deletion of your entire SonarCX instance at the end of your contractual relationship, please email support@sonarCX.com. Afterwards, where permitted by applicable law, we may retain some information in aggregated and/or de-identified form but not in a way that would identify Client or individuals personally.

For Client User Personal Data that is shared with us (1) in connection with responding to Client User inquiries, complaints, and requests for support of the Services (2) on order forms and as part of contracts (e.g. contact information on statements of work, etc.) and (3) for invoicing purposes, including Client financial information, we may retain such Personal Data beyond the end of our contractual obligations with our Clients, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. Additionally, like most hosted service operators, we retain some of the device and usage data collected by the Services in log files beyond the end of our contractual obligations with our Clients, whether alone or in conjunction with other data. This log file data may be aggregated in a way that would not identify Client Users personally but certain log file data could be personally identifying to a Client User. To the extent we retain any such data beyond the end of our contractual obligations, we will continue to treat such data in accordance with this Product Privacy Statement.

Please see your Client Agreements for additional information regarding SonarCX’s data retention practices. In the event of any conflict with the above, such Client Agreements shall control.

Data Subject Rights under GDPR & CCPA

Clients are the data controllers/businesses of Customer’s Personal Data. As such, Clients are responsible for receiving and responding to requests from their Customers and other individuals to exercise any rights afforded to them under applicable data protection laws. If requested to remove Personal Data by a Client, we will respond within a reasonable timeframe and in accordance with the Client Agreements.

Because we may only access a Client’s data upon their instructions, if SonarCX receives a data subject request directly from a Customer, SonarCX will inform the Customer to contact the Client directly about any request relating to his/her Personal Data such as access or deletion, and to the extent that the applicable data protection law does not prohibit SonarCX from doing so, we will refer their request to the Client they specify in their request. SonarCX will not further respond to a data subject request without Client’s prior consent and will assist Clients in responding to such requests as set forth in the Client Agreement.

Additional Information regarding Personal Data of Residents of California

SonarCX understands and will comply with the foregoing restrictions and the applicable requirements of the CCPA. For the purposes of the CCPA, Clients as the “Business” under the CCPA bear the primary responsibility for ensuring that their processing of Personal Data is compliant with relevant data protection law, including the CCPA. SonarCX collects, accesses, maintains, uses, processes, transfers and shares the Personal Data of our Client’s Customers and Client Users processed through the Services solely for the purpose of performing our obligations under the Client Agreements; SonarCX does not receive any Personal Data, as defined by the CCPA, from its Clients as consideration for the Services.

We do not “sell” Client Users’ or Customer’s Personal Data as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that Personal Data to a third party for monetary or other valuable consideration. We may share aggregated and/or anonymized information regarding use of the Service(s)—which is not considered Personal Data under the CCPA—with third parties to help us develop and improve the Services and provide our Clients with more relevant content and service offerings as detailed in our Client Agreements.

Do Not Track

Client Users’ browsers may offer a “Do Not Track” or “DNT” option, which allows individuals to signal to operators of websites and web applications and services that such individual does not wish such operators to track certain online activities over time and/or across different websites. Because we consider certain tracking of Client User activity as necessary for the proper performance and functioning of our Services, our Services do not respond to, and we do not support, Do Not Track requests at this time.