Zotabox GDPR Data Processing Agreement

General

Zotabox (hereafter referred to as “processor”) is committed to ensuring the privacy, confidentiality and security of website owner’s data (hereafter referred to Merchants or “controllers”) and also the data of visitors to Merchant websites (hereafter referred to as website visitors or customers).

Zotabox has less than 250 employees but we strive to provide as much information as possible regarding our GDPR compliance.  

The Controller (Merchant) processes Personal Data in connection with its business activities;

The Processor (Zotabox) processes Personal Data on behalf of other businesses and organisations;

The Controller wishes to engage the services of the Processor to process personal data on its behalf;

Definitions

In this Agreement the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified:

“Personal data” shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic cultural or social identity;

“Processing of personal data” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

“Sub-contract” and “sub-contracting” shall mean the process by which either party arranges for a third party to carry out its obligations under this Agreement and “Sub Contractor” shall mean the party to whom the obligations are subcontracted; and

“Technical and organisational security measures” shall mean measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing.

Consideration

In consideration of the Controller engaging the services of the processor to process personal data on its behalf the Processor shall comply with the security, confidentiality and other obligations imposed on it under this Agreement.

Customer Data Use and Storage:

• Zotabox as the ‘processor’ of basic customer data primarily forwards this data to the merchant when a website visitor enters their information via Zotabox tools on the merchant website, and stores the customer data (for a period of 90 days) for the merchant to download and use according to the conditions the customer agreed to when providing the data on their website.
• All non-basic customer personal data (such as custom fields on contact forms) is encrypted and not accessible by Zotabox with rare exceptions to fix bugs or recover lost data.
• Zotabox never shares merchant’s customer data with any 3rd parties.
• Zotabox never accesses Merchant customer data for any purpose other than debugging or recovery purposes for the Merchant’s benefit.
• For merchants using our email capture tools such as popup, bar and slider, Zotabox only collects and stores basic data from your customers for 90 days including name, email, ip address, timestamp and record of consent to collect data from your customer.

• For merchants using our contact form, merchants may ask or require customers to enter more customized or personalized information. Zotabox encrypts these messages sent to Merchants and stored on our servers.
  • • Zotabox STRONGLY recommends NOT requesting and saving personal and financial information from customers using our contact form. We recommend merchants NOT save personal data on Zotabox servers but redirect customers to their secure payment page or submit private information directly through email.
    • Merchants may save customer submissions on their private form data page. Customized information is encrypted and unaccessible to Zotabox employees except in extreme cases of bug fixing or data recovery when an error log will not suffice.

Time Limitations

• Contact form submissions from customers to merchants are encrypted when sent and logs of encrypted customer messages are kept for up to 90 days (for recovery or bug fixing) then permanently deleted from Zotabox servers.
• Zotabox will store customer data (entered via email capture tools) for a period of 90 days after submission on our servers and available to Merchants in their Zotabox account on the subscribers page or form data table.
• After the period of 90 days, customer data will be permanently deleted from Zotabox servers and will no longer be accessible to the Merchant or Zotabox.
  • Important: If the merchant chooses to forward this data to their company or personal email address or integrates with an email service provider such as Mailchimp, this data may then be available on those servers. Zotabox is not responsible for data on Merchant’s servers or other processors authorized by the Merchant.
• Zotabox will automatically delete Merchant accounts with no website traffic or logins to their Zotabox account for 6 consecutive months. Merchants in this case would need to create a new Zotabox account.

Delete or Edit Data Request

• Your website visitor may request the edit or deletion of customer data by contacting Zotabox directly at customerservice@zotabox.com FROM the customer email address they wish to have deleted (for verification purposes).
• Website visitors may see their rights and request edit or deletion of their data here .

Security and Privacy

• Zotabox servers are located in the United States. Zotabox uses encrypted secure connections with all our tools that collect customer data on Merchant websites and we are committed to complying with standard data protection requirements when transferring data from the EU to the United States.
  • You may request a signed copy of this Data Processing Agreement at customerservice@zotabox.com  
• Zotabox uses dedicated servers accessible only to Zotabox employees.
  • Zotabox employees are committed to the privacy and confidentiality of your customer data and will not access customer data or private Zotabox accounts unless it is for debugging or recovery purposes only.
  • Zotabox also does not share this data with other 3rd parties or use sub-processors.
• Zotabox does not use any sub-processors to process customer data. If Zotabox engages a sub-processor in the future to processor customer data, Zotabox will ensure the sub-processor is also GDPR compliant.
• Zotabox shall at all times endeavour to provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws
• Appropriate technical and organisational measures have been taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• Zotabox is always updating and reviewing our security safeguards and will update our security as new technology becomes available.

Backups

• Zotabox continually backs up all customer data for 30 days to ensure reliable service and in case of damage or loss to the main server. If a request is made to remove data, data on primary servers will immediately be removed but data on backups will remain for 30 days and then permanently and automatically deleted.

Legal Obligations

• Nothing in this agreement shall prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties shall however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.

Breach Notification

• In cases of data breaches, Zotabox will report to the merchant within 72 hours if it is determined the privacy of customer data is at risk.

Third Party Integrations

• Merchant at their own discretion may integrate Zotabox with their email service provider or other data services. (Ex. Mailchimp, Shopify, Google Sheets, Zapier etc). Merchant is responsible for ensuring their 3rd party service provider is GDPR compliant and must contact them IF a customer requests their customer data be removed from their databases. Zotabox can not request removal of customer data from the merchant’s other service providers.

Note about Social Accounts

• Tools such the facebook live chat and social buttons tools allow your website visitors to ‘login’ to their social account (if they are not already logged in in their browser) to ‘chat’ with the merchant OR ‘share’ or follow Merchant’s social account.
  • ALL sharing/following/live chat etc is completed ‘within and by the social account’. No personal data is shared with Zotabox or stored on Zotabox servers.
  • Please refer to the GDPR compliance policies of each social network.

Cookies

• Zotabox places non-identifable cookies on Merchant website visitor’s browsers to enable the proper functioning of Zotabox tools.
  • Example: To ensure popups only display once per ‘session’ and not on every page load and to display according to the display options the merchant has set on the Zotabox tool setting page. Ex. Display tools maximum once per month etc.
  • Zotabox also uses cookies to track tool impressions, clicks etc for reporting purposes to the Merchant.
  • Zotabox does not collect the IP address of the website visitor with cookies with the exception of tools that display to EU customers only. In this case Zotabox will ‘check’ the IP address to ensure the proper display of our tools but will not ‘save’ the IP address to our servers.

Responsibility of Merchant

• Zotabox can not offer merchants legal advice to become GDPR compliant on their websites but we strongly encourage merchants to enable the “I agree to’ checkbox’ on the Zotabox setting page to appear to EU customers on our email capture and contact form tools (and provide clear and specific examples of what customer emails will be used for: Ex. marketing of merchant website products).
  • Zotabox can not take responsibility for each merchant’s actions or non-actions in this regard.
• Merchant is responsible for providing clear and specific details to their customers on how merchant will use data at the time of requesting personal information from customer on their websites using Zotabox tools.
• Merchant is also responsible for informing customer how to delete data on Zotabox servers and other processors.
  • Zotabox can NOT request data deletion from other data processors (ex. Mailchimp) on behalf of the merchant or customer.
• If Merchant does not agree to these terms, Merchant may request a refund for the last payment made to Zotabox (prorated for time used) and will be refunded at earliest possible time.
• A password will be emailed to the merchant when they create a Zotabox account or download or install a Zotabox app or plugin on their website. These passwords are one-way encrypted and cannot be unencrypted by Zotabox. If a merchant forgets their password, they must ‘reset’ their password when attempting to login (A secure password will then be sent to the email address associated with their Zotabox account)
• Merchants may be required under GDPR guidelines to list Zotabox as a data processor on their privacy page. Merchants can link to Zotabox’s privacy policy their website visitors here.

Note about tools set to display to EU visitors only

• Zotabox checks but does not store your website visitors IP address to determine if website visitor resides in EU in order to display selected merchant tools.

Limitations of Liability

• Zotabox’s liability is limited to actual proven losses that can be directly attributed to data loss or breach of customer data under the responsibility of Zotabox (and not through possible breach of Merchant Zotabox account by unauthorized access using the Merchants private Zotabox password – which is one way encrypted and not accessible by Zotabox).

Updates

This agreement maybe updated as new technology and regulations arise.

Term and Termination

This Agreement shall continue in full force and effect for so long as the Processor is processing personal data on behalf of the Controller.

Delete ALL Zotabox Merchant and Customer Data

• Merchant may retrieve (or delete) customer data from the past 90 days by going to their email subscribers page – https://zotabox.com/dashboard/subscriber/ or their form data page if selected on the setting page (for contact form entries) – https://zotabox.com/dashboard/form/data
• Merchant may at any time delete ALL merchant and customer data by going to their account page – https://zotabox.com/customer/account/ (top right corner of dashboard).
  • ALL customer data will be permanently deleted from Merchant account. See notes regarding backups above.

Signed Copy of Agreement

Please contact Zotabox at customerservice@zotabox.com if you require a signed copy of the above agreement. Please provide your company name, website url and name of signing officer.