The European Union's General Data Protection Regulation ("GDPR") is in effect as of May, 2018. This act applies to the processing of User Personal Data by ShipLeaf if these processing activities relate to an establishment of the User in the European Union ("EU"), European Economic Area ("EEA"), Switzerland or the United Kingdom. ShipLeaf Users that offer goods or services to data subjects in the EU, EEA, Switzerland, or the United Kingdom are subject to the new regulations imposed by the GDPR.
In respect of the GDPR Activities described, if the User is a data processor, the User warrants to ShipLeaf that they have all necessary instructions and authorizations from the data controller to appoint ShipLeaf as a data subprocessor of the User Personal Data.
All processing of User Personal Data will be carried out by trusted employees, staff, agents, contractors, service providers, and sub-processors who will be subject to a duty of confidence.
ShipLeaf will only process User Personal Data on the instructions of the User unless required by law to act without such instructions.
By using the ShipLeaf Service, the User agrees to the ShipLeaf Terms, including this addendum, and instructs ShipLeaf to process User Personal Data as follows:
- to provide the Service to the User;
- as further instructed by the User through use of the Service, including by instructions given on the ShipLeaf interface, by the uploading of CSV files to the ShipLeaf Service, or importing data from other sources;
- as set our in the Terms and this addendum; and
- as otherwise instructed in writing by the User, which ShipLeaf acknowlesdges to be instructions for the purposes of this addendum.
Types of Personal Data
The User can submit User Personal Data to ShipLeaf to an extent determined and controlled by the User in its sole discretion, and which may include (but not necessarily limited to) personal data on the following categories of data subjects:
- the User's end customers, suppliers, and business partners;
- employees and points of contact of the User's end customers, suppliers, and business partners; and
- the User's employees, agents, advisors, and contractors, including but not limited to those with authorized access to the Service.
Data Retention and Deletion
The User may delete User Personal Data in a manner consistent with the functionality of the Service during the term of service. If the User uses a Service function to delete any User Personal Data in such a way that it can not be recovered by the User, this will constitute an instruction to ShipLeaf to delete the relevant data from its systems in accordance with applicable law.
If the User wishes to delete User Personal Data that can not be deleted via functionality provided by the Service, the User should send a deletion request to [email protected]. ShipLeaf will strive to respond to all such requests as soon as reasonably practical.
If the User ceases to subscribe and use the Service, or ShipLeaf permanently discontinues access to the User's account, all User Personal Data will be deleted or anonymized unless ShipLeaf is required by applicable law to retain the data.
Data Security Measures
ShipLeaf follows industry standards on information security management to safeguard sensitive information, such as User Personal Data. Our information security systems apply to people, processes and information technology systems on a risk management basis.
Because no method of transmission over the Internet, or method of electronic storage, is 100% secure, ShipLeaf cannot guarantee that unauthorised parties will not gain access to User Personal Data. To the extent permitted by applicable law, ShipLeaf expressly excludes any liability arising from any unauthorised access to User Personal Data.
Incidents and Notification
In the unlikely event of any accidental, unauthorized, or unlawful processing of, disclosure of, or access to User Personal Data, ShipLeaf will notify any Users responsible for impacted data as soon as reasonably practical. Notice of any data breaches or security incidents do not constitute an admission of responsibility by ShipLeaf.
Data Subject Rights
ShipLeaf will pass on to the User any requests they receive from data subjects and the User's end customers to exercise any data rights. The User accepts and acknowledges that it is the User's sole responsibility to respond to any data rights requests with the data subjects and end customers directly, or to instruct the relevant data controller to respond to these requests.
ShipLeaf will, taking into account the nature of the processing activity, assist the User in responding to such data rights requests by building appropriate functionality into the Service, such as the ability to delete and/or amend User Personal Data. The User agrees to exhaust all possible means of responding to a data subject’s data rights request using the Service’s functionality before contacting ShipLeaf for help to respond to such requests by email at [email protected]. ShipLeaf reserves the right to refuse assistance if, in its sole discretion, the User is able to respond to the data rights request using the Service’s functionality, or to seek reimbursement from the User of reasonable costs incurred by ShipLeaf in providing assistance to the User under this clause.
ShipLeaf uses the following subprocessors for User data:
- Aircall (User Support)
- Amazon Web Services (Cloud Infrastructure Provider)
- Datadog (Analytics)
- Digital Ocean (Cloud Infrastructure Provider)
- EasyPost (Fulfillment Services)
- Google (User Support and Analytics)
- Intercom (User Support and Analytics)
- Postmark (Email Delivery Provider)
- Slack (User Support and Analytics)
- Stripe (Payment Gateway)
Limitation of Liability
ShipLeaf and all of its entities' aggregate liability to the User, arising from or related to this addendum, are subject to the "Limitation of Liability" section of the Terms.