This policy (“Policy”) applies to Pastel Ventures, Inc. and its relevant affiliates (“Pastel”,” “us,” “we,” or “our”). Pastel is a software-as-a-service company that builds and supports a customer communication hub. Pastel is the controller of personal data described in this Policy, unless otherwise specified. If you are located in the European Economic Area, Switzerland or the United Kingdom, please refer to Section 15 of this Policy for more information about which specific entity or entities act as a controller in relation to your personal data.Our Services are intended for use by businesses. Where our Services are made available to you as an End User of Pastel through a Pastel Customer, that Customer is the data controller of your personal data and you should contact that Customer with questions or requests regarding your personal data. Pastel is not responsible for our Customers’ privacy or security practices which may be different from this Policy.As used in this Policy, “personal data” means any information that relates to, describes, or could be used to identify an individual, directly or indirectly. As used in this Policy, the “Websites” means Pastel’s websites including without limitation www.discoverpastel.com, www.trypastel.com, and any successor URLs, mobile or localized versions and related domains and subdomains. Capitalized terms not defined herein (such as Customer, Services, and other terms) have the meaning provided in our Terms of Service agreement.Applicability: This Policy applies to personal data that Pastel is the controller of, which may include: (i) data collected through the Websites, the Pastel mobile applications, our branded social media pages, and other websites which we operate (collectively, our “Digital Properties”); (ii) data collected in connection with digital communications, paper forms, in person interactions which may include marketing and outreach activities, like surveys, contests, promotions, sweepstakes, conferences, webinars, and events where we post a direct link to this Policy; (iii) Customer contact information; (iv) data collected about individuals who visit our offices or engage in commercial transactions with us; and (v) data collected through Pastel’s corporate activities.This Policy does not apply to the following information:Personal data about Pastel employees and candidates, and certain contractors and agents acting in similar roles.Personal data that Pastel processes on behalf of our Customers.Changes: We may update this Policy from time-to-time to reflect changes in legal, regulatory or operational requirements, our practices, and other factors. Please check this Policy periodically for updates. If any of the changes are unacceptable to you, you should cease interacting with us. When required under applicable law, we will notify you of any changes to this Policy by posting an update on our Website and updating the “Last Updated” date at the beginning of this Policy or in another appropriate manner.
2. Sources of Personal Data
3. Types of Personal Data We Collect
4. How We Use Your Personal Data
5. To Whom We Disclose Your Personal Data
We may share your personal data with the categories of recipients described below:Affiliates and subsidiaries. We may share your personal data within our group of companies at the end of this Policy (known as the “Pastel Group”), which includes parents and our ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of the Pastel Group, who will use it for the purposes described in this Policy.Service providers. We may share your personal data with service providers working on our behalf, such as hosting service providers, IT providers, operating systems and platforms, internet service providers, data analytics companies, and marketing providers. We may also contract with companies to provide certain services, such as identity verification, email distribution, market research, and promotions management. We provide these companies with only the information they need to perform their services and work with them to ensure that your privacy is respected and protected. These companies are prohibited by contract from using this information for their own marketing purposes or from sharing this information with anyone other than with us, unless at our direction as part of providing the service or with your agreement.With third parties at your direction or that are necessary to complete transactions. We may disclose your personal data to entities that assist us in fulfilling your orders and requests, such as credit card processors and partners that may supply part of your order. We may also disclose your personal data to third parties that you may direct (such as if you choose to participate in events, offers or promotions that are jointly offered with third parties).Business partners. We may also provide your personal data to business partners for their own purposes, such as:To event sponsors, in which case your information will be subject to the sponsors’ privacy statement(s). If required by applicable law, we will obtain your consent before sharing data with event sponsors.To a Customer, such as when sharing information about End Users of a Customer’s account.To channel partners (third-party organizations or individuals that market and sell products and services for us), for the purpose of enabling our channel partners to notify you about our Services. We require our channel partners to provide an opt-out option within their communications to you. By opting-out, you are opting out of receiving future communication from our channel partner.To third-party networks and websites for marketing and advertising on third-party platforms and websites.Professional advisors. We may share your personal data with various professional advisors such as lawyers, accountants, and auditors.For legal, security and safety purposes. We may share your personal data to respond to lawful requests by law enforcement or other government authority in accordance with our Law Enforcement Data Request Guideline. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person; to enforce or apply our Terms of Service agreement, End User Conduct and Content Policy, and other agreements; and to protect our rights and our property or safety of our users or third parties; or to otherwise establish, exercise and defend against legal claims (including by sharing data with opposing or other related parties to the proceedings and their professional advisors); and as otherwise required by law.In connection with a corporate transaction. If we sell/acquire some or all of our assets, merge or are acquired by another entity (including through a sale or in connection with a bankruptcy), or engage in other similar forms of corporate change, we will share your personal data with that entity. The public. There may be opportunities for you to make public comments regarding us or our products. If you provide testimonials or provide feedback we may post your name along with your consent. We may post anonymized testimonials and content feedback without your consent. Our Websites may offer publicly accessible blogs, community forums, comments sections, discussion forums, or other interactive features (“Interactive Areas”). You should be aware that any information you post in an Interactive Area might be read, collected, and used by others who access it.Consent. We may disclose your information to other third parties with your consent. We may also de-identity, anonymize, or aggregate personal data to share with third parties for any legally permitted purpose. To assist us in meeting business operations needs and to perform certain services and functions, we may share Personal Data with service providers, including web hosting, debugging services, email and productivity services, survey providers, data base and sales/customer relationship management services, customer service providers, payment processors; web and app analytics services, and data brokers. We share Email Content Data with our hosting provider (Google, Inc.) and with our AI provider (OpenAI, Inc.). Pursuant to our instructions, these parties will access, process or store Personal Data in the course of performing their duties to us.
6. Cookies and Tracking Technologies
7. Security and Retention
We maintain reasonable security procedures and technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, disclosure, alteration, or use.Where Pastel is the controller of personal data, your personal data will be generally retained as long as necessary to fulfill the purposes we have outlined in Section 4 of this Policy. This includes retaining your data to provide you with the Services requested and to interact with you; to enable your participation in an event; to maintain a business relationship with you/your company; to improve our business over time; to ensure ongoing legality, safety and security of our services and relationships or otherwise in accordance with our internal retention procedures.Once you or your company has terminated the contractual relationship with us or otherwise ended your relationship with us, we may retain your personal data in our systems and records in order to: ensure adequate fulfillment of surviving provisions in terminated contracts, or for other legitimate business purposes, such as in order to evidence our business practices and contractual obligations, to provide you with information about our products and services, or to comply with the applicable legal, tax or accounting requirements. Likewise, we will retain your personal data during the applicable statute of limitation period for the establishment, exercise or defense of potential legal claims.When we have no ongoing legitimate business need nor lawful legal ground to process your personal data, we will delete, anonymize, or aggregate it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. If you would like to know more about retention periods applicable to your particular circumstance, you can contact us using details provided in Section 12 below.
8. User Research Participation
We collect your information when you participate in a user research project, and we will only use the information for the project you are participating in and to reach out to you about future research opportunities. We will retain your information for as long as we have a legitimate purpose for doing so, and process your information in accordance with this Policy.
9. Children’s Privacy
Our Websites and Services are not directed to children under the age of 16 and we do not knowingly collect online personal data directly from children. If you are a parent or guardian of a minor child and believe that the child has disclosed online personal data to us, please contact firstname.lastname@example.org.
10. External Links
When interacting with us you may encounter links to external sites or other online services, including those embedded in third party advertisements. We do not control and are not responsible for the privacy and data collection policies for such third party sites and services. You should consult such third parties and their respective privacy notices for more information or if you have any questions about their practices.
The Terms of Service agreement can be found on our website.
12. Contact Info
If you have questions or complaints regarding this Policy or about the Pastel Group’s privacy practices, please contact us by email at: email@example.com or at:Pastel Ventures, Inc.
2 Harrison St, Suite 700
San Francisco, California 94015
13. Your Data Protection Rights
Laws in certain jurisdictions may provide individuals with rights relating to personal data, such as those listed below. We will honor these rights to the extent required by law.Access. You may have the right to obtain confirmation from us if personal data is being processed, and related information; and the right to obtain a copy of your personal data undergoing the processing.Rectification. You may have the right to request the rectification of inaccurate personal data and to have incomplete data completed.Objection. You may have the right to object to the processing of your personal data for compelling and legitimate reasons relating to your particular situation, except in cases where legal provisions expressly provide for that processing. You also have the right to object / opt-out to the processing of your personal data for direct marketing purposes by clicking the unsubscribe link at the bottom of the email marketing communication received or by emailing us at firstname.lastname@example.org.Portability. You may have the right to receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit it to other data controllers without hindrance. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.Restriction. You may have the right to request to restrict the processing of your personal data in certain cases.Erasure. You may request to erase your personal data if (i) it is no longer necessary for the purposes for which we have collected it, (ii) you have withdrawn your consent and no other legal ground for the processing exists, (iii) you objected and no overriding legitimate grounds for the processing exist, (iv) the processing is unlawful, or erasure is required to comply with a legal obligation.Right to lodge a complaint. You also may have the right to lodge a complaint with a supervisory authority in the country where you reside. The contact details for data supervisory authorities in the EEA, Switzerland, and the UK are available here. Right to refuse or withdraw consent. In case we ask for your consent to processing, you are free to refuse to give consent and you can withdraw your consent at any time without any adverse negative consequences by contacting us using the contact information provided above. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected.Automated decision-making. We hereby inform you that the types of automated decision-making referred to in Article 22(1) and (4) GDPR do not take place on our Websites or in our Services. Should this change, we will inform you about it and the fact that you have the right not to be subject to those types of decisions based solely on automated processing and to be given more information about why any such decision was made.In order to exercise your rights (or other rights that may be available to you under your local data protection laws), please contact us by emailing us at email@example.com. We try to respond to all legitimate requests within one (1) month of receipt of the request or as otherwise required under applicable law. If the response will take us longer, we will notify you. If we have reasonable doubts concerning your identity, we may request you to provide us with additional information to verify your identity.
14. Supplemental Terms for California Residents
Pursuant to the California Consumer Privacy Act (“CCPA”), this section applies to certain personal data collected about California residents where Pastel acts as a “business” and supplements the rest of our Policy above. This section does not apply to the following information:Information about individuals who are not California residents;Information about our own employees, contractors, agents, and job applicants. Such information is subject to a separate privacy notice that we will make available to individuals;Information we collect from individuals with whom we engage in solely business-to-business communications and transactions, such as information about the employees of our business partners and customers; andInformation that we process as a “service provider” to our business customers. In such cases, we follow the instructions of the business that engaged us when processing your personal data, and you should contact that business for more information about how your personal data is processed.Sources of personal data: See Section 2 above.Uses of personal data: The business and commercial purposes for which we collect personal information are detailed in Sections 4 and 6 above.Disclosing personal data: Our data disclosure practices are detailed in the chart below and align with the information provided above in Section 3 (Types of Personal Data We Collect), Section 5 (To Whom We Disclose Your Personal Data), and Section 6 (Cookies and Tracking Technologies). We do not sell (as such term is defined under the CCPA) personal data, including personal data about individuals under the age of 16.Categories of PersonalInformation We CollectCategories of Third Parties With Whom We Disclose Personal Information for a Business PurposeIdentifiersAffiliates and subsidiariesService providersWith third parties at your direction or that are necessary to complete transactionsWith business partners for their own purposesProfessional advisorsProviders of legal, security, and safety assistance and resourcesEntities involved in a corporate transactionCompanies that operate cookie and Tracking Technologies described in Section 6Entities to which you have consented to the disclosureTo the public if you choose to make such information availableCustomer recordsAffiliates and subsidiariesService providersWith third parties at your direction or that are necessary to complete transactionsWith business partners for their own purposesProviders of legal, security, and safety assistance and resourcesEntities involved in a corporate transactionCompanies that operate cookie and Tracking Technologies described in Section 6Entities to which you have consented to the disclosureDemographic InformationAffiliates and subsidiariesService providersWith third parties at your direction or that are necessary to complete transactionsWith business partners for their own purposesProviders of legal, security, and safety assistance and resourcesEntities involved in a corporate transactionEntities to which you have consented to the disclosureCommercial information and preferencesAffiliates and subsidiariesService providersWith third parties at your direction or that are necessary to complete transactionsWith business partners for their own purposesProviders of legal, security, and safety assistance and resourcesEntities involved in a corporate transactionCompanies that operate cookie and Tracking Technologies described in Section 6Entities to which you have consented to the disclosureTo the public if you choose to make such information availableInternet or other electronic network activity information and device informationAffiliates and subsidiariesService providersWith third parties at your direction or that are necessary to complete transactionsWith business partners for their own purposesProviders of legal, security, and safety assistance and resourcesCompanies that operate cookie and Tracking Technologies described in Section 6Entities involved in a corporate transactionEntities to which you have consented to the disclosureGeolocation informationAffiliates and subsidiariesService providers With third parties at your direction or that are necessary to complete transactionsWith business partners for their own purposesProviders of legal, security, and safety assistance and resourcesEntities involved in a corporate transactionCompanies that operate cookie and Tracking Technologies described in Section 6Entities to which you have consented to the disclosureAudio, electronic, visual, and other sensory informationAffiliates and subsidiariesService providersWith third parties at your direction or that are necessary to complete transactionsWith business partners for their own purposesProviders of legal, security, and safety assistance and resourcesEntities involved in a corporate transactionCompanies that operate cookie and Tracking Technologies described in Section 6Entities to which you have consented to the disclosureTo the public if you choose to make such information availableInferencesAffiliates and subsidiariesService providersWith third parties at your direction or that are necessary to complete transactionsWith business partners for their own purposesProviders of legal, security, and safety assistance and resourcesEntities involved in a corporate transactionCompanies that operate cookie and Tracking Technologies described in Section 6Entities to which you have consented to the disclosureYour Rights:Subject to legal limitations, certain California residents may exercise the following rights by emailing us at firstname.lastname@example.org.Right to Know. You have the right to request information about the categories of personal data we have collected about you, the categories of sources from which we collected the personal data, the purposes for collecting the personal data, the categories of third parties to whom we have disclosed your personal data, and the purpose for which we disclosed your personal data (“Categories Report”). You may also request information about the specific pieces of personal data we have collected about you (“Specific Pieces Report”).Right to Delete. You have the right to request that we delete personal data that we have collected from you.Right to Opt Out. We do not sell personal information.We will not discriminate against you, in any manner prohibited by applicable law, for exercising these rights.Verification: In order to process requests, we will need to obtain information to locate you in our records or verify your identity depending on the nature of the request. In most cases, we will request information about you, which may include your name, email address, or other information. If you submit a request, we may also request a signed declaration, under penalty of perjury, that you are who you say you are. We may request alternative information under certain circumstances and/or use third parties to help verify your identity.Authorized Agents: Authorized agents may exercise rights on behalf of California consumers, but we reserve the right to also verify the consumer’s identity directly as described above. Authorized agents must contact us by submitting a request emailing us at email@example.com and indicate that they are submitting the request as an agent. Agents must provide evidence of the agent’s identity, proof of registration with the California Secretary of State (if the agent is a business), and at least one of the following documents evidencing proof of the agent’s legal authority to act on the behalf of the individual consumer: (i) Power of Attorney that we can reasonably verify; or (ii) Signed permission by the Consumer.Timing: We will respond to Requests to Delete and Requests to Know within forty-five (45) days, unless we need more time in which case we will notify you and may take up to ninety days total to respond to your request.
15. Supplemental Information for the EEA, Switzerland, and the UK
The following terms supplement the Policy with respect to our processing of European Economic Area (i.e., European Union Member States, Iceland, Liechtenstein and Norway), Swiss, and UK personal data. To the extent applicable, in the event of any conflict or inconsistency between the other parts of the Policy and the terms of this Section 15, Section 15 shall govern and prevail with regard to the processing of EEA, Swiss and UK personal data.Data Controller: The Pastel entity with which you have a primary relationship with (such as the entity that concluded sales/services/supply contract with you; the entity that has provided you with marketing and promotional materials and communications; the primary entity in the region where you access our Website) is the controller of personal data collected from individuals within the scope of this Policy. In the majority of cases, this will be Pastel Ventures, Inc., unless we specifically inform you otherwise. On some occasions, more than one Pastel entity may process your personal data as independent controllers. If you have any questions about controllership, please contact us (see Section 12 for contact information).Legal bases for processing: We rely on the following legal grounds for the collection, processing, and use of your personal data:The processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract. This includes instances when we need to enable interactions between you and us and to provide our services to you; when we need to facilitate our business relationship with you or companies acting as our investors, suppliers and other business partners; and when we conclude and fulfill our part of the contract with our customers.The processing is necessary for compliance with a legal or statutory obligation to which we are subject. This includes instances when we are required by various business laws to carry out various compliance checks (such as export controls) related to our customers, investors, suppliers, and other business partners. It may also include various local tax and accountancy compliance obligations we have to comply with due to the operation of our business.The processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. This includes instances where we process your personal data for our own internal business-improvement purposes, certain survey and questionnaires we may carry out, and our marketing activities (for example by sending you digital direct marketing related to similar products/services we have provided to you), unless consent is required under applicable laws. We may also provide some of the auxiliary support to our services based on our legitimate business interest to do so, even though we are not required to do so under our contracts, including through various digital communication and other tools we provide in the course of our business relationship with you.Where you provided us with your consent to the processing of your data for one or more specific purposes. This includes digital direct marketing communications where your consent is required by law or in other instances where we asked for your consent in order to collect and process your personal data (we will inform you at each such occasion).The processing is necessary for reasons of public interest in the area of public health. This may include our legitimate interests and legal obligations in the collection and processing of health data from office visitors or event attendees in the context of a pandemic or related health threatening scenarios in order to protect individuals against serious cross-border threats to health or ensuring high standards of quality and safety of health care;The processing is necessary for our legitimate interests in the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.International Transfers of Personal Data: Due to the global nature of our operations, some of the recipients mentioned in Section 5 of the Policy may be located in countries outside the EEA, Switzerland, or the UK, which do not provide an adequate level of data protection as defined by data protection laws in the EEA, Switzerland and the UK. Certain third countries have been officially recognized by the EEA, Swiss and UK authorities as providing an adequate level of protection and no further safeguards are necessary. The below outlines how we protect your personal data when transferring it outside those countries.Intra-group: Intra-group international transfers will be to countries where Pastel entities are located, in particular the United States of America. The transfer of your personal data outside the EEA, Switzerland and the UK to our group companies located in third countries which do not offer an adequate level of protection in comparison with the EEA, Swiss or UK privacy standards will be based on the following safeguards:The UK Standard Contractual Clauses, as applicable. We may also utilize addendums and other data transfer agreements specific to certain countries.Third parties: Some of the third parties with whom we share personal data are also located outside the EEA, Switzerland or the UK in third countries, which do not provide an adequate level of data protection as defined by data protection laws in the EEA, Switzerland or the UK. Transfers to third parties located in such third countries take place using an acceptable data transfer mechanism, such as the EU/UK Standard Contractual Clauses, approved Codes of Conduct and Certifications, on the basis of permissible statutory derogations, or any other valid data transfer mechanism issued by the EEA, Swiss or UK authorities. Please reach out to us using the Contact Info above, if you want to receive further information or, where available, a copy of the relevant data transfer mechanism.Pastel Ventures, Inc., abides by and has certified adherence to the principles of the EU-U.S. and the Swiss-U.S. Privacy Shield frameworks as set forth by the U.S. Department of Commerce; however, we do NOT rely on the Privacy Shield as a lawful mechanism to transfer personal data from the EU, UK, or Switzerland. For more information on the Privacy Shield frameworks, and to view the scope of Pastel’s certification, please visit https://www.privacyshield.gov/list.
16. Supplemental Information for Other Regions
17. English Version Controls
Non-English translations of this Policy are provided for convenience only. In the event of any ambiguity or conflict between translations, the English version is authoritative and controls.