Iteration X (“Iteration X”, “us”, “we”, or “our”) operates websites including www.IterationX.com (each a “Website”) and provides browser extensions (together with our Websites, our “Platform”) that allow the users (“you”, or “users”) of our Platform to (i) access and download certain information we provide through the Platform and (ii) use the services provided therein and/or contact us electronically, including transmission, storage, and display of information from each user (collectively, the “Services”). This document sets out our privacy and security policy (the “Policy”) and, among other things, informs you of our policies regarding the collection, use and disclosure of Personal Information (as defined below) when you access any of our Platform (whether directly or indirectly) or in any manner use our Services.
Please note that data or information concerning third-party persons can be processed by our users, acting as data controllers, with us acting as their data processor.
For more information about the relations and responsibilities between us and our users, please consult section 2 of this Policy and our Data Protection Addendum, available at this URL: www.iterationx.com/dpa-scc.
The following information in this Policy is designed to help you better understand what information we gather from you and through your access to the Platform or use of our Services, how we use and disclose this information, who we might share this information with, and to describe generally what security steps we take. By accessing our Platform, downloading any information made available via any of our Platform (e.g., guidelines, reports), and/or by using our Services in any manner (inclusive of downloading, installing, and using any of our Extensions), users provide us data that is necessary for us to collect and process in order to provide the Services and the Platform, in accordance with the statements of our Terms of Services.
Note, if you are a resident of the State of California, you may have additional personal information rights and choices. Please see the Your California Privacy Rights section below for more information.
Note also, if you are a European Union resident, you have specific rights over your personal data. Please see the GDPR rights section below for more information.
For the proper functioning of our Platform and Services, we rely on third-party providers. For more information about them, please see the Data recipients section below.
Except as expressly stated herein, this Policy does not apply to any third-party applications or technologies that integrate with our Services (e.g., social media websites), or any other third-party products, services, or businesses, or to third-party websites that you access via links or otherwise while using the Online Platforms or our Services (“Third Party Services”).
Except within the scope of the data processing activities governed by this Policy, the Policy does not apply to data collected from, or provided by users to, Third Party Services, and instead, such data is subject to the practices of the provider(s) of the applicable Third Party Services. You should review the privacy policies of such Third Party Services (and any other applicable terms and conditions) to determine how your data will be used before sharing any of your data with them.
1- The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this Addendum or the Terms of Service, Iteration X is a processor.
2- Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Iteration X to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Iteration X by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Iteration X regarding the processing of such Personal Data. Customer shall not provide or make available to Iteration X any Personal Data in violation of the Terms of Service or otherwise inappropriate for the nature of the Services, and shall indemnify Iteration X from all claims and losses in connection therewith.
3- Iteration X shall not process Personal Data:
(i) for purposes other than those set forth in the Terms of Service and/or Annex I,
(ii) in a manner inconsistent with the terms and conditions set forth in this Addendum or any other documented instructions provided by Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by a Supervisory Authority to which Iteration X is subject; in such a case, Iteration X shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or
(iii) in violation of Data Protection Laws.
Customer hereby instructs Iteration X to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.
4- The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Annex I to this Addendum.
5- Following completion of the Services, at Customer’s choice, Iteration X shall delete or return Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If destruction or return is impracticable or prohibited by law, rule or regulation, Iteration X shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Customer and Iteration X have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Iteration X to Customer only upon Customer’s request.
6- CCPA. Except with respect to Customer Account Data and Customer Usage Data, the parties acknowledge and agree that Iteration X is a service provider for the purposes of the CCPA (to the extent it applies) and is receiving personal information from Customer in order to provide the Services pursuant to the Terms of Service, which constitutes a business purpose. Iteration X shall not sell any such personal information. Iteration X shall not retain, use or disclose any personal information provided by Customer pursuant to the Terms of Service except as necessary for the specific purpose of performing the Services for Customer pursuant to the Terms of Service, or otherwise as set forth in the Terms of Service or as permitted by the CCPA. The terms “personal information,” “service provider,” “sale,” and “sell” are as defined in Section 1798.140 of the CCPA. Iteration X certifies that it understands the restrictions of this Section 2.5.
To provide you with our Platform and Services, we need to process the Personal Data. This is why we implement data processing activities, which we perform either as a data processor of our users or as an independent data controller, depending on which data processing activity is considered.
As a data processor of our Users, here are the data processing activities that we implement on their behalf:
- We store and host the Personal Data contained in the content generated by users of our Services and Platform;
- We collaborate with our users, when they ask us to do so and where we can, when a Personal Data subject exercises one of his or her individual rights.
Under our sole responsibility as data controller, we only:
- Handle the login and authentication credentials of our users;
- Perform a technical monitoring of the infrastructure;
- Analyze usage habits, that is, the way our products are used by users;
- Perform audience and usage monitoring of the Platform using Plausible.io services;
- Handle the users' rights request related to Personal Data protection (CCPA, GDPR and Canadian individual rights);
- Send emails to our users;
- Send messages to our Website’s chat users; and
- Manage the creation of Users’ accounts.
Please note that users who process Personal Data using our Services and Platform are the sole data controllers of the processing they decide to perform via our Services and Platform.
Thus, in case Personal Data subjects are not users, please note that the responsibility of being the data controllers of the data processing performed using our Platform and Services is assumed by our users who process the Personal Data of these data subjects. We invite our Users, acting as data controllers, to agree to our Data Protection Addendum, which is publicly available here: www.iterationx.com/dpa-scc
This Data Protection Addendum sets out the terms governing the relations between us and our users using our Services and Platform to perform such data processing activities.
As part of our commitment to your privacy, we process your data for various lawful reasons:
Contractual Obligations: We process your data to:
Legitimate Interests: We process your data to:
Consent: We may seek your consent to:
For registered users, Iteration X might occasionally email updates about security, features, or news. You can opt out of emails anytime via the unsubscribe link at the bottom of our emails. If you reach out to us (e.g., for support), we may share your request to aid our response or assist others, but your personal details will always remain private.
1- Customer acknowledges and agrees that Iteration X may:
(i) engage its affiliates and the Authorized Sub-Processors on the List (defined below) to access and process Personal Data in connection with the Services and
(ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this Addendum, Customer provides general written authorization to Iteration X to engage sub-processors as necessary to perform the Services.
2- A list of Iteration X’s current Authorized Sub-Processors will be made available to Customer at Data Processors. Such List may be updated by Iteration X from time to time. Iteration X will notify by email Customer of new Authorized Sub-Processors and Customer. At least ten (10) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, Iteration X will add such third party to the List and notify subscribers, including Customer, via the aforementioned notifications. Customer may object to such an engagement by informing Iteration X in writing within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Iteration X from offering the Services to Customer.
3- If Customer reasonably objects to an engagement in accordance with Section 4.2, and Iteration X cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Iteration X. Discontinuation shall not relieve Customer of any fees owed to Iteration X under the Terms of Service.
4- If Customer does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Iteration X, that third party will be deemed an Authorized Sub-Processor for the purposes of this Addendum.
5- Iteration X will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Iteration X under this Addendum with respect to the protection of Personal Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Iteration X, Iteration X will remain liable to Customer for the performance of the Authorized Sub-Processor’s obligations under such agreement.
6- If Customer and Iteration X have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Iteration X of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Iteration X to Customer pursuant to Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Iteration X beforehand, and that such copies will be provided by Iteration X only upon request by Customer.
For the proper functioning of our Platform that makes the Services available to the Users, we rely on third-party companies and individuals to facilitate our Services, manage our Platform and provide our Services on our behalf. Strictly within the scope of providing these services, these third parties (also called “our Data Processors”) might have access to your Personal Information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purpose.
Below is the list of our Data Processors, which process data on our behalf:
- We use Amazon Web Services (AWS) to host our data and our application.
- We use Calendly to schedule meetings and events.
- We use Crisp to communicate with our customers for support reasons, and collect feedback on our application.
- We use Customer.io to notify users about news and releases related to the product.
- We use Datadog to monitor the production environment.
- We use Figma to work on and design the product.
- We use GitHub to work on and design the product.
- We use Google Workspace to communicate with customers, schedule meetings and host some documentation.
- We use HubSpot to follow relationships with customers.
- We use Mixpanel and June.so to understand how the product is used.
- We use Notion to host documentation.
- We use Plausible to understand how the website is used.
- We use Segment to understand how the product is used.
- We use Stripe to provide online payments.
- We use Webflow to edit and host the website.
For more information about all our data processors, please visit our dedicated page, which gives more details about them: www.iterationx.com/data-processors
To pursue the purposes set out in section 3 of this Policy, we collect the categories of Personal Data detailed in section 2.
However, we also want to inform you that we don’t store this data for an unlimited period. Below you will find the details of the retention rules that we follow for this Personal Data.
Generally, we don’t retain data longer than the period of time that is necessary to achieve our purposes detailed in section 3.
First, all the data processed to ensure security is stored for a period of 12 months.
The relevant data processed to improve the experience and enrich our products is stored for a period of 6 months, unless the users have terminated their contract and deleted their account.
Concerning the data that we need to process to enable our users to actually use our Platform and Services, we store it only from the moment they create their account until the moment they close their account.
The data processed to enable us to inform our users about changes in our public legal documents is also stored only for this period of time.
Concerning the data processed to notify our users about the possible occurrence of data breaches, we store it for a period of 5 years (the limitation period for legal actions in France).
The data processed to promote our products is stored from the moment of its collection (it is provided by the users during the subscription process) until 2 years after they close their account.
All the data processed to interact by messages, be it through emails or the chat available on our Website, is stored for 12 months, unless the users have an account, in which case the data is stored until they close their account.
Finally, all the data we process to respond to data subject requests is stored for a period of 1 year after the receipt of each request.
The security of your Personal Information is important to us, and we strive to implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information we store, in order to protect it from unauthorized access, destruction, use, modification, or disclosure. Substantially all information we receive from you or via your use of our Services is copied, stored and managed through computer servers owned or controlled by us.
For example, our servers are not located at our principal place of business but rather are managed and located at a third-party Infrastructure-as-a-Service provider (an “IAAS”). We have taken commercially reasonable steps to choose a professional IAAS provider, whose name you may find in the section “Recipients of the Personal Data”, but we cannot guarantee the performance of the IAAS provider, its security measures, or the actions or inactions it takes in the future. By using our services, you understand and agree that we have no liability for the actions, behaviors or failings of our IAAS provider.
While we attempt to employ security techniques commensurate with industry norms to protect your Personal Information and all other information we may host from unauthorized access by users inside and outside the organization, you should be aware that "perfect security" does not exist on the internet or any other method of electronic transmission or storage; third parties may unlawfully or improperly intercept or access transmissions, personal information, or private communications. As such, we cannot make any assurances or guarantee in any manner that a security breach will not occur that may expose your personally identifiable information to others.
We endeavor to only require the collection of as much Personal Information as required to provide you access to our Services, ensure our ability to send you the communications described above, and meet our legal obligations. In addition, we will use commercially reasonable efforts to attempt to store Personal Information in a secure location. We do not represent that any Personal Information provided to us will be encrypted in any manner.
All information you provide to us, including Personal Information, is transferred, processed, and stored in the European Union.
However, we are an American company. This means that all the Personal data we process might be subject to potential transfers outside the EU, for reasons related to the legal obligations that apply to us.
To secure these data transfers, we provide our users with a document based on the Standard Contractual Clauses agreed by the European Commission. You can take a look at it at the following URL: www.iterationx.com/dpa-scc
If we are involved in a merger, acquisition or asset sale, your Personal Information may be transferred as a business asset. In such cases, we will attempt in good faith to provide notice before your Personal Information is transferred and/or becomes subject to a different Policy.
Our Services and our Online Platforms may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's Online Platform. We strongly advise you to review the Policy of every Online Platform you visit. We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party websites or services.
Only persons age 18 or older have permission to access our Services. Our Services are meant for working professionals only and, therefore, are not meant to be used or accessed in any manner by anyone under the age of 16 ("Children"). We do not knowingly collect personally identifiable information from Children. If you are a parent or guardian and you learn that your Children have provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from children under age 16 without verification of parental consent, we take steps to remove that information from our servers.
This Policy is effective as of the date listed at the top of this Policy and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.
We reserve the right to update or change our Policy at any time and you should check this Policy periodically. Your continued use of our Services after we post any modifications to the Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Policy.
If we make any material changes to this Policy, we will notify you either through the email address you have provided us, or by placing a prominent notice on our Websites.
For any data processing activity subject to this Policy that is legally based on the consent of the users, users can revoke their consent by sending us an email at firstname.lastname@example.org.
Additionally, upon receipt of any electronic communication from us to you, to unsubscribe from future communications, you can click on the link that says words substantially to the effect of "If you do not wish to receive these emails in the future, You can click here to unsubscribe."
Because we provide our California users with the ability to exercise their "opt out" rights as described above, pursuant to Section 1798.83(c)(2) of the California Civil Code, we are in compliance with the California "Shine the Light" law and are not obligated to provide California users with the names and addresses of all the third parties that received personal information from the Company for the third parties' direct marketing purposes during the preceding calendar year.
Canadian residents have a right to request access or correction of Personal Information held by us. We will endeavor to process any requests for access or correction to Personal Information within a reasonable period of time. Where possible, we will provide you with access to that Personal Information either by providing you with copies of the information requested, allowing you to inspect the information requested, or providing you with a summary of the information held. If we need to deny your request for access we will let you know why and inform you how you may lodge a complaint regarding this decision.
We will otherwise try to ensure that all Personal Information we collect, use or disclose about you is accurate, complete, up-to-date and relevant to the service being provided.
Please forward your request for access or correction to our Data Protection Officer in writing at the relevant address or email address below.
In accordance with GDPR provisions, you have the right to ask for access to your Personal Data. You can use your right to rectify your personal data. Moreover, you can ask for the erasure of your personal data and also send us a request to use your right to object to one or more of the processing activities that are performed on your personal data.
You also have the right to ask for the portability of your Personal Data.
While using one of the rights mentioned above, you have the right to ask for the restriction of the performance of the processing activities concerning your Personal Data.
Furthermore, if you encounter any problem concerning the processing of your Personal Data, you can file a complaint with your national data protection authority.
Our leading national data protection authority within the EU is the CNIL, located at 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07.
We appointed the French company DATAJURISTES SAS, located at 14 rue du vieux faubourg in Lille (France, 59000) and represented by its President François-Xavier Cao, as our Data Protection Officer.
You may contact our Data Protection Officer at email@example.com
Enforcement starting date: August 15, 2022