BombBomb, Inc. Privacy Notice

Effective Date: 02/14/2019

BombBomb, Inc. (“BombBomb”) has developed this privacy notice (“Privacy Notice”) to demonstrate our commitment to protecting the privacy of our users (a “User” or “you”). The Privacy Notice describes how BombBomb collects, uses, and shares personal information when you use the website, http://www.bombbomb.com, or BombBomb mobile applications (collectively referred to as the “Website”) or any services offered on the Website (“Services”) and your choices with respect to how we use this information.

We may update or modify this Privacy Notice from time to time. We will notify you of such changes, by posting a notification on our Website or by other means, and will give you an opportunity to review the changes before they go into effect.

Please see BombBomb’s Terms and Conditions for other terms governing the use of this Website.

What Types of Personal Information Does BombBomb Collect?

Through your use of the Website or Services, we collect personal information, which is information that identifies you as an individual or relates to you as an identifiable individual. While we do not require you to provide personal information in order to navigate the Website, we may need to collect personal information if you choose to engage in certain activities on our Website or use our Services. Below are the types of personal information that we collect.

Information You Provide

Account Information and Subscriber Information: In order to use the Services, you would need to provide two types of information: your personal account information (the “Account Information”) and the information of subscribers who are on your lists (the “Subscriber Information”).

We need this information in order to provide you with the Services. If you do not provide this information we would not be able to provide these Services to you.

Social Media Accounts, photograph: If you wish, you may upload a photograph of yourself to your account and provide your social media account handles.

Purchase of Services: Services purchased from BombBomb via credit card are processed through Chargify. The card number is passed securely to Chargify and a token is received in return. At no time is your credit card number stored by BombBomb.

Contacting us, Interacting with the blog: If you provide us contact information to learn more about our Services or choose to send us a message with information about yourself, or interact with the blog by posting a comment or sharing a post, we will maintain records of your correspondence. This may include any of your questions, comments, posts, or suggestions or your responses to any surveys you complete. This information, without the parts that identify you, will be treated as non-confidential and non-proprietary and we may use them and share them with third parties. Also, please note that comments made to public areas will be visible to the public, so you should never share personal information that you would like to keep private.

Applying for a Job: If you apply for a job on our website you provide us with contact information as well as your resume.

Interacting with the Blog: If you choose to interact with our blog by posting a comment or sharing a post, we may collect the information that you post.

Information Provided by Third Parties

Information from other users: If you subscribe to emails from a BombBomb User, that User may provide us with your contact information.

Information we Collect Automatically

We or our third party providers automatically collect the following information through your use of the Website and Services:

“Cookies” and Other Tracking Technologies

“Cookies” are small pieces of information that are stored by your web browser software on your computer’s hard drive or temporarily in your computer’s memory. BombBomb or our third party provider places and stores Internet cookies on a User’s hard drive. Cookies can save any of the types of information noted above. Cookies enable us to personalize the viewing experience of a User of this Website. When a User revisits this Website, BombBomb can recognize the User by the cookie and customize the User’s experience at this Website accordingly. For example, BombBomb uses cookies to recognize User access privileges to this Website, track Website usage and traffic patterns, identify you and keep track of your preferences, prevent fraudulent activity or improve Website security, assess the performance of the Website, add advertisements for goods or services of interest, and estimate the Website’s audience size. BombBomb also uses cookies to store User names and passwords that are supplied at registration. In addition to the use of cookies, BombBomb may use a third party provider such as “AdRoll” for behavioral advertising or retargeting. This service is compliant with GDPR and can anonymize EU IP Addresses.

How BombBomb Uses Personal Information and the Legal Basis for This

We use the information we collect about you to provide the Services, to communicate with you, to provide technical support, and to improve our Services and customer relations. We do not share your information with third parties for purposes other than those outlined below.

We process your information for the following purposes as necessary to provide the Services to you and perform our contract with you:

We process your information for the following purposes as part of our legitimate interest in the improvement and marketing of our Services as well as in the security of our services. We apply appropriate safeguards to protect your information as described here:

How BombBomb Shares Personal Information and the Legal Basis for This

We share your information with our service providers, among our entities, in connection with a business transaction, to prevent harm, to comply with the law and to protect our legal rights. The legal basis for this is our legitimate interest in providing our services, complying with the law and protecting our rights and those of others. We apply appropriate safeguards for this sharing of your information as described below and in the security, choices, and rights section of this document.

Service Providers: We share information with service providers that help us perform Website functions and administer our Services. For example, we share your information with third party customer service providers.

Corporate Family: We share information within our corporate family, such as with subsidiaries, joint ventures, or affiliates, in order to efficiently carry out our business and to the extent permitted by law.

Corporate Structure: We will share information in connection with a merger, acquisition, consolidation, change of control, or sale of all or a portion of our assets or if we undergo bankruptcy or liquidation.

To Prevent Harm: We will share information if we believe it is necessary to detect, investigate, prevent, or take action against illegal activities, fraud, or situations involving potential threats to the rights, property, or personal safety of any person.

Legal Purposes: We will share information where we are legally required to do so, such as in response to court orders or legal process; to establish, protect, or exercise our legal rights; to defend against legal claims or demands; or to comply with the requirements of any mandatory applicable law.

With Your Consent: Apart from the reasons identified above, we may request your permission to share your Personal Information for a specific purpose. We will notify you and request consent before you provide the Personal Information or before the Personal Information you have already provided is shared for such purpose. You may revoke your consent at any time.

How Long Do We Keep Your Information?

We retain your personal information as long as we are providing the Services to you. We retain your personal information after we cease providing Services to you, even if you delete your account, to the extent necessary to comply with our legal and regulatory obligations, for the purpose of fraud monitoring, detection and prevention, to comply with our tax, accounting, and financial reporting obligations; or where we are required to retain the data by our contractual commitments to our partners. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law. Even if you delete your account and we delete your information from our systems, keep in mind that the deletion by our third party providers may not be immediate and that the deleted information may persist in backup copies for a reasonable period of time. We will securely store any personal information persisting in backup and isolate it from any further processing until deletion is possible. For any privacy or data-protection-related questions, please write to compliance@bombbomb.com.

Data Use Relating to Google Application Programming Interfaces

Google APIs is a set of application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration into other services. BombBomb uses Gmail and Google Contacts APIs to provide and improve certain user-facing features that are prominent in the BombBomb interface.

Although use of the APIs may require a user to enter a username and password, BombBomb does not receive user passwords at any time. Instead, users obtain authentication and authorization via the Google OAuth 2.0 protocol, pursuant to which BombBomb receives an access “token” from the Google Authentication Server. Tokens are different for every API used and can be revoked by the user if they wish. When BombBomb stores tokens, they are encrypted.

BombBomb uses the Gmail API so that users can access their emails directly from the BombBomb interface. BombBomb receives and stores usernames, but it does not receive users’ passwords. BombBomb accesses some email metadata, such as sender and recipient email addresses, so that BombBomb can provide users with information and analysis regarding the performance of the user’s email campaign, but email content is not used by BombBomb in any other way. BombBomb mobile apps will store user emails locally on the user’s device, but users can remove this data by logging out of the Gmail API in the BombBomb app or by deleting the BombBomb app from their device.

BombBomb uses the Google Contacts API to suggest recipients for new emails. BombBomb does not use the Google Contacts API in any other way. BombBomb receives and stores usernames, but it does not receive users’ passwords.

BombBomb does not transfer any data received from use of the Google APIs, but it may transfer data as necessary to comply with applicable law or as part of a merger, acquisition, or sale of assets with notice to users. BombBomb does not transfer the data received from the use of the Google APIs for serving ads, including retargeting, personalized, or interest-based advertising. BombBomb does not allow humans to read the data received from use of the Google APIs unless: (i) BombBomb first obtains the user’s affirmative agreement for specific messages; (ii) it is necessary for security purposes; (iii) it is necessary to comply with applicable law; or (iv) BombBomb’s use is limited to internal operations and that data, including derivations thereof, have been aggregated and anonymized. To the extent users provide BombBomb with certain Google-related information separate and apart from the Google API context (for example, providing a Google username and/or email address as part of a user’s Account Information), BombBomb will access, use, store, or share such information consistent with the provisions of this Privacy Notice.

What About Third Party Websites?

To the extent that the Website contains hyperlinks to third party websites, Users should be aware that these third party websites are not controlled by BombBomb and, therefore, are not subject to this Privacy Notice. Users should check the privacy policies of these individual websites to see how their personal information will be utilized by the proprietors of those third party websites.

What Does BombBomb Do to Keep this Website Secure?

BombBomb has implemented a number of security features throughout the Website designed to prevent the unauthorized disclosure of or access to personal information. For example, BombBomb grants access to any stored personal information BombBomb may collect on its Users only to authorized personnel. Moreover, when a User registers on-line or accesses his or her account information through this Website, BombBomb offers the User the ability to use a secure server. The secure server encrypts all information a User inputs before it is sent to BombBomb.

Please be advised, however, that although BombBomb has endeavored to create a secure and reliable Website for its Users, the confidentiality of any communication or material transmitted to/from BombBomb via this Website or e-mail cannot be guaranteed.

Your Rights with Respect to Your Information

You may access your account on the Services to access, correct or delete the information you provided to us, or information we hold about you, and which is associated with your account. For instructions on accessing your information or otherwise for assistance with these rights please contact us at support@bombbomb.com.

If EU data protection laws apply:
You can also:

Where the processing of your personal information is based on your previously given consent, you have the right to withdraw your consent at any time. You may also have the right to object to the processing of personal information on grounds relating to your particular situation.

In order to exercise these rights, you may contact us as described in the “Have an Inquiry or Complaint?” section below. You also have control over how we use your information as described in the “Your Choices with Respect to Your Information” section below. We take each request seriously. We will comply with your request to the extent required by applicable law and in accordance with the provisions of the “How Long Do We Keep Your Information?” section. We will not be able to respond to a request if we no longer hold your personal information.

If you feel that you have not received a satisfactory response from us, you may file a complaint with the data protection authority in your country. Please also see the “Have an Inquiry or Complaint?” section.

For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. If we no longer need to process personal information about you in order to provide our Services, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.

Your Choices with Respect to Your Information

What About Transfers of Your Personal Information?

Transfers of Information from the European Economic Area

We will conduct any transfers of personal information from the European Economic Area (EEA) or from Switzerland to the US in compliance with the EU–US Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. BombBomb has certified to the Department of Commerce that we adhere to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this Privacy Policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

With respect to personal data received or transferred pursuant to Privacy Shield, BombBomb is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. If we become subject to an FTC or court order based on non-compliance, BombBomb shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.

In certain situations, BombBomb may be required to disclose personal information in response to lawful requests by public authorities, including in order to meet national security or law enforcement requirements. For more information, please see the section above titled “How BombBomb Shares Personal Information and the Legal Basis for This”.

When we receive personal information under the Privacy Shield, and then transfer it to third party services, we are liable for any processing of personal information by such third parties that is inconsistent with the Privacy Shield Principles unless we are not responsible for the event giving rise to any alleged damage.

Transfers of information not from the EEA

To the extent that personal information is transferred to the United States from countries other than countries within the European Economic Area and Switzerland, including personal information that is transferred from Canada, we employ similar safeguards such as selecting third party vendors carefully, ensuring personal information will be used and disclosed only as set out in this Privacy Notice and that it is protected by appropriate security safeguards.

However, in connection with these transfers of personal information, your personal information may be subject to privacy laws that may not provide the same protection as your country of residence. For example, government entities in such other countries may have certain rights to access your personal information. We will use and protect your information in accordance with this Privacy Notice. By using the Services you are consenting to this transfer of your personal information.

What About the Collection of Personal Information from Children?

This Website is not intended for individuals under the age of eighteen (18) years. Accordingly, BombBomb does not knowingly collect or share information from children without parental or guardian consent. If you have reason to believe that a child under the age of [16] has provided personal information to BombBomb, please contact us using the information below, and we will delete that information from our databases.

Does the Website Respond to “Do Not Track” Signals?

The Website is not currently configured to respond to Do Not Track signals sent by Internet browsers.

Have an Inquiry or Complaint?

BombBomb welcomes questions or comments Users might have regarding this Privacy Notice or the use of your Personal Information. Please send any questions or comments to BombBomb at the following e-mail address: support@bombbomb.com. 90 South Cascade Avenue, #700, Colorado Springs, CO 80903.

GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation that protects consumer rights and requires businesses to protect the data of citizens who are part of the European Union (EU). This means that all EU businesses and any businesses that support transactions with EU citizens must be GDPR compliant.
As of May 25th, 2018, the GDPR will be enforced and will replace Data Protection Directive 95/46/EC.

What is BombBomb doing?

At BombBomb, we care about your privacy and your personal data and strive to maintain a high standard of security to protect it. BombBomb is not a data controller, but we are a data processor – this means that although we do not control data, we do process data on behalf of a data controller. To support this new regulation, we are taking the necessary measures to ensure we are GDPR compliant and are moving forward with the understanding that you have every right to access, edit, or remove your data from our systems, if you choose.

To exercise your right to have your data removed from our system, please send a request via email to the BombBomb Compliance Team at forgetme@bombbomb.com. We will delete that data within 30 days.

Other Resources