BombBomb, Inc. Privacy Notice
Effective Date: 04/03/2019
BombBomb, Inc. (“BombBomb”) has developed this privacy notice (“Privacy Notice”) to demonstrate our commitment to protecting the privacy of our users (a “User” or “you”). The Privacy Notice describes how BombBomb collects, uses, and shares personal information when you use the website, http://www.bombbomb.com, or BombBomb mobile applications (collectively referred to as the “Website”) or any services offered on the Website (“Services”) and your choices with respect to how we use this information.
We may update or modify this Privacy Notice from time to time. We will notify you of such changes, by posting a notification on our Website or by other means, and will give you an opportunity to review the changes before they go into effect.
Please see BombBomb’s Terms and Conditions for other terms governing the use of this Website.
What Types of Personal Information Does BombBomb Collect?
Through your use of the Website or Services, we collect personal information, which is information that identifies you as an individual or relates to you as an identifiable individual. While we do not require you to provide personal information in order to navigate the Website, we may need to collect personal information if you choose to engage in certain activities on our Website or use our Services. Below are the types of personal information that we collect.
Information You Provide
Account Information and Subscriber Information: In order to use the Services, you would need to provide two types of information: your personal account information (the “Account Information”) and the information of subscribers who are on your lists (the “Subscriber Information”).
- Account Information includes contact information, such as your name, e-mail address, physical address, telephone number, and fax number; billing information, such as your credit or debit card information; and information about your organization.
- Subscriber Information includes the names and e-mail addresses of the individuals whom you contact.
We need this information in order to provide you with the Services. If you do not provide this information we would not be able to provide these Services to you.
Social Media Accounts, photograph: If you wish, you may upload a photograph of yourself to your account and provide your social media account handles.
Purchase of Services: Services purchased from BombBomb via credit card are processed through Chargify. The card number is passed securely to Chargify and a token is received in return. At no time is your credit card number stored by BombBomb.
Contacting us, Interacting with the blog: If you provide us contact information to learn more about our Services or choose to send us a message with information about yourself, or interact with the blog by posting a comment or sharing a post, we will maintain records of your correspondence. This may include any of your questions, comments, posts, or suggestions or your responses to any surveys you complete. This information, without the parts that identify you, will be treated as non-confidential and non-proprietary and we may use them and share them with third parties. Also, please note that comments made to public areas will be visible to the public, so you should never share personal information that you would like to keep private.
Applying for a Job: If you apply for a job on our website you provide us with contact information as well as your resume.
Interacting with the Blog: If you choose to interact with our blog by posting a comment or sharing a post, we may collect the information that you post.
Information Provided by Third Parties
Information from other users: If you subscribe to emails from a BombBomb User, that User may provide us with your contact information.
Information we Collect Automatically
We or our third party providers automatically collect the following information through your use of the Website and Services:
- Usage Information: This includes which of the pages on the Website you access, the frequency of access, and what you click on while on our Website. We also collect information about your use of the Services, such as frequency of use.
- Location Information: We collect information about your actual location which may be determined from GPS and other sensors that may reveal information on nearby devices, Wi-Fi access points, and cell towers.
- Device Information: We collect information about the device you are using, such as hardware model, operating system, application version number, browser, and IP addresses. When you access our Website via a browser on your mobile device, we collect mobile network information including telephone number, the unique device identifier assigned to that device, mobile carrier, operating system, and other device attributes.
- Social Media Widgets: Our Website includes social media features, such as the Facebook “Like” button, and other widgets, such as the “Share” button or interactive mini-programs provided by third parties. These third parties collect information about you when you use our Website. The information they collect may be associated with your personal information or they may collect information, including Personal Information, about your online activities over time and across different websites and other online services.
- Google Analytics: We use a tool called “Google Analytics” to collect some information we listed above about your use of the Services. We use the information we get from Google Analytics to improve the Services. In order to collect this information, Google Analytics may set cookies on your browser or mobile device, or read cookies that are already there. Google Analytics may also receive information about you from apps you have downloaded, that partner with Google. We do not combine the information collected through the use of Google Analytics with personally identifiable information. Google’s ability to use and share information collected by Google Analytics about your visits to the Services to another application which partners with Google is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. Please review those and see see Google’s Privacy & Terms for information about how Google uses the information provided to Google Analytics and how you can control the information provided to Google. To prevent your data from being used by Google Analytics, you can download the Google Analytics opt-out browser add-on for Google Analytics which can be found here: Google Analytics Opt-Out..
“Cookies” and Other Tracking Technologies
“Cookies” are small pieces of information that are stored by your web browser software on your computer’s hard drive or temporarily in your computer’s memory. BombBomb or our third party provider place and store Internet cookies on a User’s hard drive. Cookies can save any of the types of information noted above. Cookies enable us to personalize the viewing experience of a User of this Website. When a User revisits this Website, BombBomb can recognize the User by the cookie and customize the User’s experience at this Website accordingly. For example, BombBomb uses cookies to recognize User access privileges to this Website, track Website usage and traffic patterns, identify you and keep track of your preferences, prevent fraudulent activity or improve Website security, assess the performance of the Website, add advertisements for goods or services of interest, and estimate the Website’s audience size. BombBomb also uses cookies to store User names and passwords that are supplied at registration. In addition to the use of cookies, BombBomb may use a third party provider such as “AdRoll” for behavioral advertising or retargeting. This service is compliant with GDPR and can anonymize EU IP Addresses.
How BombBomb Uses Personal Information and the Legal Basis for This
We use the information we collect about you to provide the Services, to communicate with you, to provide technical support, and to improve our Services and customer relations. We do not share your information with third parties for purposes other than those outlined below.
We process your information for the following purposes as necessary to provide the Services to you and perform our contract with you:
- Provide Services: We use your Personal Information to provide you with the Services.
- Communicate and provide technical support:We use Personal Information to communicate with you about the Website or Services, to send you account updates or other communications regarding your account or to inform you of any changes to our Website or Services, and to provide you support or other services you request. For example, we may need your information to provide technical support or answer questions about our Website.
- Process your job application if you have applied for a position with us.
We process your information for the following purposes as part of our legitimate interest in the improvement and marketing of our Services as well as in the security of our services. We apply appropriate safeguards to protect your information as described here:
- Communicate about new features: With permission you give when accepting our Terms of Service, BombBomb uses the personal information it collects to send Users notifications about new features or information available through the Website or that BombBomb feels might be of interest to Users. You can opt-out and/or manage your preferences by clicking on the unsubscribe link provided at the bottom of any email you receive from us. You may also contact us as set out in the “Have an Inquiry or Complaint?” section below.
- Maintenance and Improvement: BombBomb uses personal information to identify the interests and needs of Users in order to provide our Users with more personalized, relevant, and intelligent Services. We also use information that we collect to diagnose any problems with our Website and to improve the user experience.
- Benchmarking: We aggregate personal information for the purpose of research and benchmarking. For example, to calculate the percentage of users in a particular ZIP code.
How BombBomb Shares Personal Information and the Legal Basis for This
We share your information with our service providers, among our entities, in connection with a business transaction, to prevent harm, to comply with the law and to protect our legal rights. The legal basis for this is our legitimate interest in providing our services, complying with the law and protecting our rights and those of others. We apply appropriate safeguards for this sharing of your information as described below and in the security, choices, and rights section of this document.
Service Providers: We share information with service providers that help us perform Website functions and administer our Services. For example, we share your information with third party customer service providers.
Corporate Family: We share information within our corporate family, such as with subsidiaries, joint ventures, or affiliates, in order to efficiently carry out our business and to the extent permitted by law.
Corporate Structure: We will share information in connection with a merger, acquisition, consolidation, change of control, or sale of all or a portion of our assets or if we undergo bankruptcy or liquidation.
To Prevent Harm: We will share information if we believe it is necessary to detect, investigate, prevent, or take action against illegal activities, fraud, or situations involving potential threats to the rights, property, or personal safety of any person.
Legal Purposes: We will share information where we are legally required to do so, such as in response to court orders or legal process, in order to meet national security or law enforcement requirements; to establish, protect, or exercise our legal rights; to defend against legal claims or demands; or to comply with the requirements of any mandatory applicable law.
With Your Consent: Apart from the reasons identified above, we may request your permission to share your Personal Information for a specific purpose. We will notify you and request consent before you provide the Personal Information or before the Personal Information you have already provided is shared for such purpose. You may revoke your consent at any time.
How Long Do We Keep Your Information?
We retain your personal information as long as we are providing the Services to you. We retain your personal information after we cease providing Services to you, even if you delete your account, to the extent necessary to comply with our legal and regulatory obligations, for the purpose of fraud monitoring, detection and prevention, to comply with our tax, accounting, and financial reporting obligations; or where we are required to retain the data by our contractual commitments to our partners. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law. Even if you delete your account and we delete your information from our systems, keep in mind that the deletion by our third party providers may not be immediate and that the deleted information may persist in backup copies for a reasonable period of time. We will securely store any personal information persisting in backup and isolate it from any further processing until deletion is possible. For any privacy or data-protection-related questions, please write tocompliance@bombbomb.com.
Data Use Relating to Google Application Programming Interfaces
Google APIs is a set of application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration into other services. BombBomb uses Gmail and Google Contacts APIs to provide and improve certain user-facing features that are prominent in the BombBomb interface.
Although use of the APIs may require a user to enter a username and password, Bombomb does not receive user passwords at any time. Instead, users obtain authentication and authorization via the Google OAuth 2.0 protocol, pursuant to which BombBomb receives an access “token” from the Google Authentication Server. Tokens are different for every API used and can be revoked by the user if they wish. When BombBomb stores tokens, they are encrypted.
BombBomb uses the Gmail API so that users can access their emails directly from the BombBomb interface. BombBomb receives and stores usernames, but it does not receive users’ passwords. BombBomb accesses some email metadata, such as sender and recipient email addresses, so that BombBomb can provide users with information and analysis regarding the performance of the user’s email campaign, but email content is not used by BombBomb in any other way. BombBomb mobile apps will store user emails locally on the user’s device, but users can remove this data by logging out of the Gmail API in the BombBomb app or by deleting the BombBomb app from their device.
BombBomb uses the Google Contacts API to suggest recipients for new emails. BombBomb does not use the Google Contacts API in any other way. BombBomb receives and stores usernames, but it does not receive users’ passwords.
BombBomb does not transfer any data received from use of the Google APIs, but it may transfer data as necessary to comply with applicable law or as part of a merger, acquisition, or sale of assets with notice to users. BombBomb does not transfer the data received from the use of the Google APIs for serving ads, including retargeting, personalized, or interest-based advertising. BombBomb does not allow humans to read the data received from use of the Google APIs unless: (i) BombBomb first obtains the user’s affirmative agreement for specific messages; (ii) it is necessary for security purposes; (iii) it is necessary to comply with applicable law; or (iv) BombBomb’s use is limited to internal operations and that data, including derivations thereof, have been aggregated and anonymized. To the extent users provide BombBomb with certain Google-related information separate and apart from the Google API context (for example, providing a Google username and/or email address as part of a user’s Account Information), BombBomb will access, use, store, or share such information consistent with the provisions of this Privacy Notice.
What About Third Party Websites?
To the extent that the Website contains hyperlinks to third party websites, Users should be aware that these third party websites are not controlled by BombBomb and, therefore, are not subject to this Privacy Notice. Users should check the privacy policies of these individual websites to see how their personal information will be utilized by the proprietors of those third party websites.
What Does BombBomb Do to Keep this Website Secure?
BombBomb has implemented a number of security features throughout the Website designed to prevent the unauthorized disclosure of or access to personal information. For example, BombBomb grants access to any stored personal information BombBomb may collect on its Users only to authorized personnel. Moreover, when a User registers on-line or accesses his or her account information through this Website, BombBomb offers the User the ability to use a secure server. The secure server encrypts all information a User inputs before it is sent to BombBomb.
Please be advised, however, that although BombBomb has endeavored to create a secure and reliable Website for its Users, the confidentiality of any communication or material transmitted to/from BombBomb via this Website or e-mail cannot be guaranteed.
Your Rights with Respect to Your Information
You may access your account on the Services to access, correct or delete the information you provided to us, or information we hold about you, and which is associated with your account. For instructions on accessing your information or otherwise for assistance with these rights please contact us at support@bombbomb.com.
If EU data protection laws apply:
You can also:
- request confirmation of whether we hold personal information relating to you and if so to request a copy of this information
- request that we rectify or update your personal information that is inaccurate, incomplete or outdated;
- request that we delete your personal information in certain circumstances provided by law; or
- object to our use or request that we restrict our use of your personal information in certain circumstances (for example – objecting to receipt of direct marketing: see section “Your Choices with Respect to Your Information”)
Where the processing of your personal information is based on your previously given consent, you have the right to withdraw your consent at any time. You may also have the right to object to the processing of personal information on grounds relating to your particular situation.
In order to exercise these rights, you may contact us as described in the “Have an Inquiry or Complaint?” section below. You also have control over how we use your information as described in “Your Choices with Respect to Your Information” section below. We take each request seriously. We will comply with your request to the extent required by applicable law and in accordance with the provisions of the How Long Do We Keep Your Information?”. We will not be able to respond to a request if we no longer hold your personal information.
If you feel that you have not received a satisfactory response from us, you may file a complaint with the data protection authority in your country. Please also see the “Have an Inquiry or Complaint?” section.
For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. If we no longer need to process personal information about you in order to provide our Services, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.
Your Choices with Respect to Your Information
- Delete your account: You may request that we delete your account by contacting us at support@bombbomb.com. If you choose to delete your account, we will begin the process of deleting your account from our systems. We will retain your information after your account is deleted under the circumstances described in “How Long Do We Keep Your Information?”.
- Emails: You can opt out of receiving promotional e-mails from us by clicking the “unsubscribe” link provided in each e-mail or by contacting us at support@bombbomb.com. We will continue to send you notifications necessary for the Services related to this e-mail address.
- Cookies: You may decline the placement of a cookie on your hard drive by using the appropriate feature(s) of your web browser software (if available) or delete any existing cookies. Please note that certain functions of this Website may not function properly if your web browser does not accept cookies. If you choose to opt out, we will place an “opt-out cookie” on your computer. The “opt-out cookie” is browser specific and device specific and only lasts until cookies are cleared from your browser or device. The opt-out cookie will not work for some cookies that are important to how our websites and mobile apps work (“essential cookies”). If the cookie is removed or deleted, if you upgrade your browser or if you visit us from a different computer, you will need to return and update your preferences.
- Google Analytics: See Google’s Privacy & Terms for information about how Google uses the information provided to Google Analytics and how you can control the information provided to Google. To prevent your data from being used by Google Analytics, you can download the Google Analytics opt-out browser add-on for Google Analytics which can be found here: Google Analytics Opt-Out.
What About Transfers of Your Personal Information?
Transfers of Information from the European Economic Area
We will conduct any transfers of personal information from the European Economic Area (EEA) or from Switzerland to the US in compliance with the EU–US Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. BombBomb has certified to the Department of Commerce that we adhere to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this Privacy Policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
With respect to personal data received or transferred pursuant to Privacy Shield, BombBomb is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. If we become subject to an FTC or court order based on non-compliance, BombBomb shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
In certain situations, BombBomb may be required to disclose personal information in response to lawful requests by public authorities, including in order to meet national security or law enforcement requirements. For more information, please see the section above titled “How BombBomb Shares Personal Information and the Legal Basis for This”
When we receive personal information under the Privacy Shield, and then transfers it to third party services, we are liable for any processing of personal information by such third parties that is inconsistent with the Privacy Shield Principles unless we are not responsible for the event giving rise to any alleged damage.
Transfers of information not from the EEA
To the extent that personal information is transferred to the United States from countries other than countries within the European Economic Area and Switzerland, including personal information that is transferred from Canada, we employ similar safeguards such as selecting third party vendors carefully, ensuring personal information will be used and disclosed only as set out in this Privacy Notice and that it is protected by appropriate security safeguards.
However, in connection with these transfers of personal information, your personal information may be subject to privacy laws that may not provide the same protection as your country of residence. For example, government entities in such other countries may have certain rights to access your personal information. We will use and protect your information in accordance with this Privacy Notice. By using the Services you are consenting to this transfer of your personal information.
What About the Collection of Personal Information from Children?
This Website is not intended for individuals under the age of eighteen (18) years. Accordingly, BombBomb does not knowingly collect or share information from children without parental or guardian consent. If you have reason to believe that a child under the age of [16] has provided personal information to BombBomb, please contact us using the information below, and we will delete that information from our databases.
Does the Website Respond to “Do Not Track” Signals?
The Website is not currently configured to respond to Do Not Track signals sent by Internet browsers.
Have an Inquiry or Complaint?
BombBomb welcomes questions or comments Users might have regarding this Privacy Notice or the use of your Personal Information. Please send any questions or comments to BombBomb at the following e-mail address: support@bombbomb.com. 90 South Cascade Avenue, #700, Colorado Springs, CO 80903.
GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation that protects consumer rights and requires businesses to protect the data of citizens a part of the European Union (EU). This means that all EU businesses and any businesses that support transactions with EU citizens must be GDPR compliant.
As of May 25th, 2018, the GDPR will be enforced and will replace Data Protection Directive 95/46/EC.
What is BombBomb doing?
At BombBomb, we care about your privacy and your personal data and strive to maintain a high standard of security to protect it. BombBomb is not a data controller, but we are a data processor – this means that although we do not control data, we do process data on behalf of a data controller. To support this new regulation, we are taking the necessary measures to ensure we are GDPR compliant and are moving forward with the understanding that you have every right to access, edit, or remove your data from our systems, if you choose.
To exercise your right to have your data removed from our system, please send a request via email to the BombBomb Compliance Team at forgetme@bombbomb.com. We will delete that data within 30 days.
Other Resources
PRIVACY SHIELD
Privacy Shield Compliance Frameworks:
BombBomb abides by and has certified adherence to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks as set forth by the U.S. Department of Commerce. The Federal Trade Commission has investigation and enforcement authority over our compliance with the Privacy Shield. For more information on the Privacy Shield frameworks, and to view the scope of BombBomb’s certification, please visit https://www.privacyshield.gov/. BombBomb has further committed to refer unresolved Privacy Shield complaints to JAMs, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMs are provided at no cost to you. For residual Privacy Shield disputes that cannot be resolved by the methods above, you may be able to invoke a binding arbitration process under certain conditions. To find out more about the Privacy Shield’s binding arbitration scheme, please visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction. If we have received your personal information under the Privacy Shield and subsequently transfer it to a third party service provider for processing, we will remain responsible if they process your personal information in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.