Buddy Punch LLC Privacy Policy

Last Updated: September 2020

Section 1: Introduction

Protecting consumer privacy is important to Buddy Punch, LLC (“Buddy Punch”, “we”, “us”, or “our”). This Privacy Policy explains how Buddy Punch collects, uses and discloses information about you. This Privacy Policy applies to information we collect when you use our websites, mobile applications, and other products and services (collectively, the “Services” or “Applications”) or when you otherwise interact with us whether in electronic, paper or verbal format.

For the avoidance of doubt, this Privacy Policy does not apply to data collected by our clients who use our Services to track their employees’ time and schedule. If data is collected and processed by our client or its website, the client controls such data. Please contact the owner or operator of the applicable website directly for information about its privacy policies and how it processes personal data.

Buddy Punch is based in the United States and the information we collect is governed by United States (“US”) law. By accessing or using the Services or otherwise providing information to us, you consent to the processing and transfer of information in and to the US and other countries.

We may change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of the policy and, in some cases, we may provide you with additional notice (such as by adding a statement to our websites or by sending you a notification). You should review the Privacy Policy whenever you access the Services to stay informed about our information practices and the ways you can help protect your privacy.

Buddy Punch values and respects the privacy of individuals and as a result we have updated our Privacy Policy to align with applicable data protection legislation (including the European General Data Protection Regulation (Regulation (EU) 2016/679) and the Privacy Act 2001 (Cth)) and any other legislation in force which applies relating to either or both privacy or the handling of personal data (the “Data Protection Legislation”).

This Privacy Policy aims to clearly outline our policies and procedures for collecting, using, storing and disclosing personal data of individuals. All of the different forms of data, content, and information described in this Privacy Policy are collectively referred to as “personal data”.

Buddy Punch’s service offering involves providing organizations and individuals within those organizations with access to and use of the Services through their devices (any device used to access the Applications, including without limitation a desktop, laptop, mobile phone, tablet, or other consumer electronic device (each a “Device”)). By using the Services, you agree to Buddy Punch’s collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree with such collection, use and disclosure of your personal information, please do not use the Services.

This Privacy Policy explains what we do with your personal data when:

  • Your organization signs up for the Services and you access the Applications using a business account via our website (www.buddypunch.com), subdomain (*.buddypunch.com), through applications on Devices, through an application program interface, or through third-parties (collectively, the “Application Users”);
  • You leave your organization and cease to access the Applications using a business account attached to your organization (“Former Application User”);
  • You visit our website (www.buddypunch.com) and subdomain (*.buddypunch.com) (the “Website”) while browsing the internet (collectively, the “Website Users”); and
  • You call or receive a call from our customer service team or sales team for any purpose (“Phone User”).

If you are an Application User, our primary purpose for using your personal data is to provide the Services to your organization. When we use your personal data to allow you to access and use the Applications, we do so on the instructions of your organization and on behalf of your organization. This makes us a “data processor” for the purposes of the Data Protection Legislation. However, there may be certain circumstances under which we use your personal data for purposes that are not on behalf of your organization or in accordance with instructions of your organization, for example, where we need to use it for our own purposes. Under these circumstances, we are a “data controller” for the purposes of the Data Protection Legislation. Please see Section 4 for more information.

If you are a Former Application User, we may retain your personal data to maintain a limited version of your business account profile and for our own purposes, for example, where we wish to offer you Services which we think you may be interested in. This makes us a “data controller” for the purposes of the Data Protection Legislation. Please see Section 4 for more information.

If you are a Website User, we use your information for our own purposes. This makes us a “data controller” for the purposes of the Data Protection Legislation. Please see Section 4 for more information.

If you are a Phone User, we may record your call for our own purposes. This makes us a “data controller” for the purposes of the Data Protection Legislation. Please see Section 4 for more information.

 

Section 2: What kind of information do we collect?

(a) Application Users:

We need to use personal data about you in the course of providing the Services to your organization and for ancillary purposes set out in this Privacy Policy. Depending on the relevant circumstances and requirements, we may collect some or all of the personal data listed below to help us with this:

  • Name
  • Phone number
  • Date of Birth
  • Credit card details or other billing information
  • Email address
  • Home and business physical addresses
  • Photos for profile and Facial Recognition use
  • Social networking information (if we are provided with access)
  • Any further personal data contained in any files that you upload, download, or create (“Files”) within the Buddy Punch Applications
  • Log data from your Device, its software, and your activity using the Applications including the Device’s Internet Protocol (“IP”) address, browser type, locale preferences, geo-Location Information, identification numbers associated with your Device, your mobile carrier, date and time stamps associated with transactions, system configuration information, metadata concerning your Files (as defined below), and other interactions with the Applications.

(b) Former Application Users:

We will retain the following personal data listed below:

  • Name
  • Phone number
  • Date of Birth
  • Credit card details or other billing information (if you were the primary account holder in relation to your business account)
  • Email address
  • Home and business physical addresses
  • Photos for profile and Facial Recognition use
  • Any further personal data contained in any files that you uploaded, downloaded, or created (“Files”) within the Buddy Punch Applications
  • Log data from your Device, its software, and your activity when you used the Applications including the Device’s IP address, browser type, locale preferences, geo-Location Information, identification numbers associated with your Devices, your mobile carrier, date and time stamps associated with transactions, system configuration information, metadata concerning your Files, and other interactions with the Applications.

(c) Website Users:

We collect a limited amount of personal data from our Website Users which we use to help us improve your experience when using our Website and to help us manage the Services we provide. This includes log data such as your Device’s IP address, browser type, the web page visited before you came to our website, information you search for on our website, locale preferences, identification numbers associated with your Devices, your mobile carrier, date and time stamps associated with transactions, system configuration information and other interactions with the Website. If you contact us via the website (including via any chat widget), we will collect any information that you provide to us, for example your name and contact details.

    (d) Phone Users:

    We do not record phone calls. During the course of the phone call we will collect limited categories of personal data including name, phone number, and email address to assist us in confirming the identity of the caller.

     

    Section 3: How do we collect your personal data?

    (a) Application Users:

    We collect your personal data in three primary ways:

    • Personal data that you provide to us;
    • Personal data that we receive from your organization and other sources; and/or
    • Personal data that we collect automatically.

    (b) Personal data you give to us:

    • Where you provide personal data to us when you use the Buddy Punch Applications;
    • Where you contact us via the Buddy Punch Application; and/or
    • Where you upload, download, or create Files within Applications.

    (c) Personal data we receive from your organization and other sources:

    • Where we receive personal data about you from your organization; and/or
    • Where we receive personal data (for example, your email address) through other Application Users, if they have invited you to their Buddy Punch account.

    (d) Personal data that we collect automatically:

    • When you use the Applications, where we automatically record personal data in the form of log data from your Device, its software, and your activity using the Applications; and/or
    • Where we collect your personal data automatically via cookies, in line with cookie settings in your browser. If you would like to find out more about cookies, including how we use them and what choices are available to you, please see Section 11.

    (e) Former Application Users:

    We will have collected your personal data during the period that you were an Application User in the manner described above.

    (f) Website Users:

    When you visit our Website there is certain personal data in the form of log data that we may automatically collect, whether or not you use the Applications. We also collect some limited personal data automatically via cookies, in line with cookie settings in your browser. If you would like to find out more about cookies, including how we use them and what choices are available to you, please see Section 11.

    (g) Phone Users:

    As set out in Section 2 above, we collect a limited amount of personal data from a Phone User. We do not record phone conversations.

    The Applications may contain links to other sites. Buddy Punch is not responsible for the privacy practices or the content of such websites.

     

    Section 4: How do we use your personal data?

    (a) Application Users:

    Our primary purpose for using your personal data is to provide the Services to your organization. When we use your personal data to allow you to access and use the Applications, we do so on the instructions of your organization and on behalf of your organization. This makes us a “data processor” for the purposes of the Data Protection Legislation. Activities that we may carry out on this basis include:

    • Allowing you to access and use the Applications;
    • Providing you with assistance (including technical assistance) in relation to your use of the Applications;
    • Personalizing and optimizing your experience of the Applications and providing you with software updates; and
    • Ensuring compliance with the terms of our agreement with your organization.

    However, there may be certain circumstances under which we use your personal data for purposes that are not on behalf of your organization or in accordance with instructions of your organization. Under these circumstances, we are a “data controller” for the purposes of the Data Protection Legislation. Activities that we may carry out on this basis include:

    • Making announcements to you regarding our products and service offerings (see Section 5 below);
    • Providing you with any service offering outside of the Applications directly;
    • Ensuring compliance with our own obligations under applicable law and regulations;
    • Using your personal data to help us to establish, exercise or defend legal claims; and
    • Analyzing log data/user statistics with the aim of improving the Applications for all Application Users.

    We may use your personal data for these purposes if we have a legal basis for doing so. If you would like to know more about what this means, please see Section 12. If you are not happy about this, in certain circumstances you have the right to object and can find out more about how and when to do this in Section 9.

    (b) Former Application Users:

    If we retain your personal data for our own purposes once you have left your organization and ceased to use your Buddy Punch Account, we are a “data controller” for the purposes of the Data Protection Legislation. Activities that we may carry out on this basis include:

    • Making announcements to you regarding our products and service offerings (see Section 5 below);
    • Providing you with any service offering outside of the Applications directly;
    • Ensuring compliance with our own obligations under applicable law and regulations; and
    • Using your personal data to help us to establish, exercise or defend legal claims.

    We may use your personal data for these purposes if we have a legal basis for doing so. If you would like to know more about what this means, please see Section 12. If you are not happy about this, in certain circumstances you have the right to object and can find out more about how and when to do this in Section 9.

    (c) Website Users:

    We use your personal data to help us improve your experience of using our Website. This makes us a “data controller” for the purposes of the Data Protection Legislation.

    (d) Phone Users:

    We use your personal data to help assist with questions about the Applications. This makes us a “data controller” for the purposes of the Data Protection Legislation.

    Information and data gathered solely by Buddy Punch through the Applications will never be sold, traded or shared with third-parties for any reason other than for assisting Buddy Punch in its analysis, research, promotional needs, and responses to compliments and complaints.


    Section 5: Marketing

    If you are an Application User or a Former Application User, we may wish to use your personal data in order to let you know about, and invite you to participate in, our products and service offerings. We need your consent for some aspects of these activities which are not covered by our legitimate interests (in particular, the delivery of direct marketing to you through digital channels) and, depending on the situation, we’ll ask for this via an opt-in or soft opt-in (which we explain further below).

    Soft opt-in consent is a specific type of consent which applies where you have previously engaged with us (for example by signing up to the Applications or requesting more information about our service offerings), and we are marketing service offerings similar to those you have previously engaged with us above. Under ‘soft opt-in’ consent, we will take your consent as given unless or until you opt out. For other types of e-marketing, we are required to obtain your explicit consent.

    We will not, as a matter of course, seek your consent when sending marketing materials to a corporate email address. If you are not happy about this, you have the right to opt out of receiving marketing materials from us and can find out more about how to do so in Section 9. If you want to know more about how we obtain consent, please see Section 12. If you are not happy about our approach to marketing, you have the right to withdraw your consent at any time and can find out more about how to do so in Section 9.

     

    Section 6: Information Sharing and Disclosure

    Where appropriate and in accordance with applicable laws and requirements (and where we use your personal data as a data processor on behalf of and under the instructions of your organization in accordance with our obligations under our agreement with your organization), we may share your personal data in the following ways:

    • Your Use: We will display your personal data on your profile page and this may be accessed by other persons to whom you are connected within your organization depending on their access level.
    • Service Providers, Business Partners and Third Parties: We may use certain trusted third party companies and individuals to help us provide, analyze, and improve the Applications (including but not limited to data storage, maintenance services, database management, web analytics, payment processing, and improving the features of the Applications). These third parties may have access to your personal data only for purposes of performing these tasks on our behalf and under obligations similar to those in this Privacy Policy.
    • Other Service Providers, Business Partners and Third Parties: We may share your personal data with our agents or third-party service providers (including professional advisors and telecommunication service providers) which require your personal data to provide their services to Buddy Punch. Such agents and third-party service providers will not be permitted to use your personal data for any other purpose.
    • Third-Party Applications: We may share your information with a third-party application with your consent, for example when you choose to access Buddy Punch through such an application. We are not responsible for what those parties do with your information, so you should make sure you trust the application and that it has a privacy policy acceptable to you before allowing this feature to be employed.
    • Compliance with Laws and Law Enforcement Requests: We may disclose to parties outside Buddy Punch, Files stored in the Applications and personal data about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; or (b) protect Buddy Punch’s intellectual property rights. If we provide your Files to a law enforcement agency as set forth above, we will remove Buddy Punch’s encryption from the files before providing them to law enforcement.
    • Business Transfers: If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction, but we will notify you and/or your organization (for example, via email and/or a prominent notice on our website) of any change in control or use of your personal data or Files, or if either becomes subject to a different privacy policy.
    • Non-private or Non-Personal data: We may disclose your non-private, aggregated, or otherwise non-personal data, such as usage statistics of the Applications.

     

    Section 7: How do we safeguard your personal data?

    We are committed to taking all reasonable and appropriate steps to protect the personal data that we hold from misuse, loss, destruction or unauthorized access. We do this by having in place a range of appropriate technical and organizational measures. These include measures to deal with any suspected data breach. If you enter payment details onto our payment pages, we encrypt the transmission of that information using secure socket layer technology (SSL) which is PCI DSS compliant.

    Section 8: How long do we keep your personal data?

    We will not keep your personal data for longer than we are permitted to do so under our agreement with your organization or as is necessary for the purposes for which we have collected it unless we believe that the law or other regulation requires us to preserve it (for example, because of a request by a tax authority or in connection with any anticipated litigation) or if we require it to enforce our agreements.

    When we are no longer permitted under our agreement with your organization or it is otherwise no longer necessary to retain your personal data, we will delete the personal data that we hold about you from our systems. While we will endeavor to permanently erase your personal data once it reaches the end of its retention period, some of your personal data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in the electronic ether, our employees will not have any access to it or use it again.

    Section 9: How can you access, amend, or take back the personal data?

    Buddy Punch recognizes that Customer Data may include the Personal Data of Authorized Users based in the European Union to which the Data Protection Legislation applies. The obligations under Section 9 shall only apply to the parties where the Data Protection Legislation is engaged in respect of Buddy Punch’s processing of Personal Data of Authorized Users in the European Union.

    You have various rights in relation to the personal data that we hold about you. To get in touch about these rights, please contact us or your organization. If you are an Application User and you wish to make a request in relation to our use of your personal data for the purposes of providing the Services to your organization (and in respect of which we are a data processor), please contact your organization in the first instance to handle your request. If you contact us, we will refer your request to your organization. If you are an Application User and you wish to make a request in relation to our use of your personal data which is unconnected to your organization or you are a Former Application User or a Website User, please contact us and we will handle your request. The Data Protection Legislation gives you the following rights in relation to your personal data:

    • Right to object: this right enables you to object to us processing your personal data.
    • Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example, sharing your information with a third party application), you may withdraw this consent at any time and we will cease to carry out that particular activity that you previously consented to unless we consider that there is an alternative legal basis to justify our continued processing of your personal data for this purpose, in which case we will inform you of this condition.
    • Data Subject Access Requests (DSAR): You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. You may also request a copy of the information we hold about you.
    • Right to erasure: You have the right to request that we “erase” your personal data in certain circumstances. We will try to delete your personal data quickly upon request and if desired make it available to you. While we will endeavor to permanently erase or return your personal data upon request, some of your personal data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this personal data has been put beyond use, meaning that, while it still exists in the electronic ether, our employees will not have any access to it or use it again. We may retain and use your personal data if we believe that the law or other regulation requires us to preserve it (for example, because of a request by a tax authority or in connection with any anticipated litigation) or if we require it to enforce our agreements. If you are an Application User connected with an organization, we will not delete or edit your personal data without the approval of your organization.
    • Right to restrict processing: You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
    • Right to rectification: You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you, including by means of providing a supplementary statement. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties to whom we have disclosed the inaccurate or incomplete personal data. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
    • Right of data portability: If you wish, you have the right to request that we transfer your personal data to another third party. To allow you to do so, we will provide you with your personal data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the personal data for you. This right of data portability only applies to certain types of personal data.
    • Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.


    Section 10: How do we store and transfer your personal data?

    In order for us to carry out the functions described in this Privacy Policy your personal data may be processed by us (or our third party service providers) outside of the United States of America. We want to make sure that your personal data is stored and transferred in a way which is secure.


    Section 11: Cookies

    We also use “cookies” to collect information and improve our Services. A cookie is a small data file that we transfer to your Device. We may use “persistent cookies” to save your registration ID and login password for future logins to the Service. We may use “session ID cookies” to enable certain features of the Service, to better understand how you interact with the Service and to monitor aggregate usage and web traffic routing on the Service. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use all aspects of the Application.

    Online Tracking: We may use internal and external analytic and product platforms to better understand usage patterns on our website so that we can improve the design and usability of our products. Some web browsers may transmit “do-not-track” signals to websites with which the browser communicates. Our website does not currently respond to these “do-not-track” signals.


    Section 12: Legal basis for us processing your personal data

    Where we process your personal data as a data processor on behalf of and under the instructions of your organization, your organization is responsible for ensuring that there is a legal basis for us processing your personal data on their behalf.

    Where we process your personal data as a data controller, we need to ensure that there is a legal basis to justify our processing of your personal data. There are a number of different ways that we are lawfully able to process your personal data. We have set these out below.

    Where processing your personal data is necessary for us to carry out our obligations arising from any contracts entered into between you and us:

    • We process certain personal data where it “is necessary for the performance of a contract to which [you] are a party.”
    • If you enter into a contract with us in relation to any service offerings outside of the Applications, we may process certain personal data about you in order to perform our obligations under this Privacy Policy.

    Where processing your personal data is within our legitimate interests:

    • We can process certain personal data where it “is necessary for the purposes of the legitimate interests pursued by [us] or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of [you] which require protection of personal data.”
    • We may process your personal data for the purposes of our legitimate interests to enforce the terms of our website and to analyze log data/user statistics to improve the Applications for all Authorized Users.

    Where you give us your consent to process your personal data:

    • In certain circumstances, we will seek to obtain your opt-in consent before we undertake certain processing activities with your personal data.
    • We will obtain your opt-in consent prior to sharing your personal data with third party applications and carrying out certain marketing activities.
    • As and when we introduce these particular processing activities, we will provide you with more information so that you can decide whether you want to opt-in.
    • You have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found above at Section 9.

    We do not think that any of the above activities prejudice you in any way. However, you do have the right to object to us processing your personal data in certain circumstances. If you would like to know more about these circumstances and how to object to our processing activities, please see Section 9.

    Section 13: Who is responsible for processing your personal data

    If you would like further information about how we handle your personal data, if you have any concerns regarding this Privacy Policy or if you wish to exercise your legal rights, please contact support@buddypunch.com. Please outline to us your concerns and our legal team or Buddy Punch representative will be in touch to discuss the matter.

    Section 14: Your California Privacy Rights

    Residents of California are protected by the California Consumer Privacy Act of 2018 (“CCPA”), effective January 1, 2020. We adopt this Privacy Policy to comply with the CCPA and any terms defined in the CCPA have the same meaning when used in this section of the Privacy Policy. All information provided in this section below shall apply to California residents.

    Buddy Punch may use or disclose the personal information we collect for one or more of the following business purposes:

    • To fulfill or meet the reason you provided the information;
    • To provide, support, personalize, and develop the Applications and Services;
    • To create, maintain, customize, and secure your account with us;
    • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses;
    • To personalize your Application experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through the Applications, third-party sites, and via email or text message (with your consent, where required by law);
    • To help maintain the safety, security, and integrity of the Applications, products and services, databases and other technology assets, and business;
    • For testing, research, analysis, and product development, including to develop and improve the Applications, products, and services.

    Buddy Punch will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

    The CCPA provides California residents with specific rights regarding their personal information. You have the right to request that Buddy Punch disclose certain information to you about our collection and use of your personal information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

    • The categories of personal information we collected about you;
    • The categories of sources for the personal information we collected about you;
    • Our business or commercial purpose for collecting or selling that personal information;
    • The categories of third parties with whom we share that personal information;
    • The specific pieces of personal information we collected about you (also called a data portability request);
    • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
      • sales, identifying the personal information categories that each category of recipient purchased; and
      • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

    You have the right to request that Buddy Punch delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

    We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

    1. Complete the transaction for which we collected the personal information, provide the Services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
    2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
    3. Debug products to identify and repair errors that impair existing intended functionality;
    4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
    5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.) or the CCPA;
    6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
    7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
    8. Comply with a legal obligation; and
    9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

    To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

    1. Calling us at 773-309-1624
    2. Emailing us at support@buddypunch.com

    If you are sixteen (16) years of age or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than sixteen (16) years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between thirteen (13) and sixteen (16) years of age, or the parent or guardian of a consumer less than thirteen (13) years of age. Consumers who opt in to personal information sales may opt out of future sales at any time. To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by emailing us at support@buddypunch.com.

    Section 15: Copyright Ownership

    Buddy Punch retains full copyright ownership, rights and protection in all materials contained in the Applications.