Last revised: September 11, 2020
This policy describes how Cultify Lda (“Cultify” / “we” / “our” / “us/”), based in Rua Duarte Barbosa 364 3º D 4150-282 Porto, collects, uses, maintains and discloses personal data (any information relating to an identifiable natural person) collected from users (“you”) through our website, www.skoach.com (the “Site”) or through our App on Slack or Microsoft Teams (the “App”) via interaction with our chat bot Skoach (“Skoach”).
What we do
Skoach is a change management tool, promoting alignment of vision, culture and objectives between companies and their remote and in-office teams.
Skoach starts by diagnosing the company’s strengths and areas for development through a survey answered by every employee. After analyzing the results, and together with people in charge of this initiative within your employer, our team defines an action plan. Skoach then sends every team member under the contract frequent challenges to be applied on the job and thus promote the acquisition of best-practice habits that promote the wanted change. Skoach will send you challenges at the beginning of the week, give you time to apply them on-the-job for some days and later ask you if you completed the challenge. Completed challenges earn points to your team and a graph ranking teams in participation is shared on a recurrent basis to promote challenge completion. Skoach talks to every team member one on one and the whole conversation is confidential. There is only one part of the engagement between you and Skoach that is shared with your employer: which challenges you complete. Every week, your employer will have visibility over who completed each challenge, so that they get a sense of the engagement our product is getting.
Data we collect about you and how we collect it
We will collect and process the following personal data about you:
Information your employer gives us. Your employer may give us information about you:
- when giving us access to your Employer’s Slack or Microsoft Teams, in order to enable you to access the App (whether on a trial or full basis), we will have access to your slack or Microsoft Teams profile. Depending on what you include in your Slack or Teams profile, this may include your name, photo, company email address, company telephone number, job title and department, time zone and preferred communication language;
- additional information may be shared by your employer to allow for answer analysis and reporting in a confidential and useful manner. This information may include your name, age, date of birth, company email address, company telephone number, job title, level of seniority, department, team, work start date, education level, primary office location, as well as the Skoach sub-product(s) you’ll be working with.
Information you give us. You may give us information about you:
- when using the App, including answering questions or completing surveys. This information may include your name, age, date of birth, company email address, company telephone number, job title, level of seniority, department, team, work start date, education level, primary office location, the Skoach sub-product(s) you’ll be working with, as well as any views/comments you provide to us about you in your role, or information regarding your employer, your colleagues or other third parties during the course of completing surveys or otherwise using the App;
- if you contact or correspond with us (for example, using any support function made available by us) and we may keep a record of that correspondence;
- any comments, opinions and/or feedback you provide to us regarding the App, for example during any trial or beta period that you may participate in, when providing NPS scores or participating in research panels or interviews.
Information we collect about you. Each time you interact with Skoach via the App, we may automatically collect the following information:
- when you use the App, we will keep a record of the details of that usage, including the date, time, location, frequency and duration of the usage;
- when you use the App, we will keep a record of the details of that usage, including the date, time, location, frequency and duration of the usage;
- we may obtain further information about you from your employer, for example to verify your eligibility to access and use the App;
- information provided by the communication channel used, like your ID within that channel, Slack profile information including timezone, locale, display name and photo, and some Microsoft Teams info like your tenant’s ID and name and your email address within that tenant;
- other information about your use of the App, including the number of completed challenges, the relevance you give to each challenge, the duration of the interactions with Skoach on the App, data files you have uploaded to the App. This information may be linked to your user profile (where relevant).
How we use your personal data
Where we have collected, received or generated your personal data, we will process it to:
- carry out our obligations arising from the contract with you or your Employer, such as:
- ask you to answer survey questions about how you think of your organization, including for example, your workplace culture, your team dynamic and your role in it;
- create reports based on aggregated and anonymized answers to those surveys- and (where relevant) compare this data with past employee responses and/or industry benchmarks suggest you certain action plans and send you challenges accordingly;
- monitor your interactions with Skoach, e.g. your participation in each challenge and the relevance you attribute to each challenge;
- create a personal dashboard with your progress which is accessed by you only;
- create team and org-wide dashboards for managers and human resources personnel to access aggregated data and analysis of your use of the App, like who is completing the challenges;
- evaluate the impact of our Services;
- optimize your experience while using our App:
- adapt the interactions Skoach has with you based on what you tell us about you, your starting point and your preferences;
- create a profile based on your initial answers, so that we can understand, right at the start, if some challenges and tips are relevant for you or not. Besides that, this will allow us to identify patterns in user engagement and help us improve our product for future users, by adapting the challenges we send each user type. There are two ways in which your initial profile can affect your experience and neither produces legal effects concerning you:
- We skip challenges that are not relevant for you, e.g., if you reply to the survey saying that you already conduct 1:1s with your manager, Skoach will automatically choose a program that does not suggest you start conducting 1:1s with you manager.
- We send you challenges that we believe would be beneficial to you, based on your profile, e.g., if you tell us, based on several answers to the initial survey that you have a hard time dealing with negative events, then we will send you a challenge to help you handle constructive feedback, while other users might not get it.
- contact you for your feedback on our services and to help us evaluate and improve our services, for example by acting on any information you have provided to us;
- notify you about changes to the App and any other services of ours that you use, including informing you about new versions of the App and about new features, functionality and service offerings; or
- deal with any enquiries, correspondence, concerns or complaints you have raised, or that have been raised by your employer and any issues caused by your use of the App.
- administer and improve the App and other services:
- ensure that content is presented in the most effective manner for you and for your computer or device;
- improve internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- continue our efforts to keep the App safe and secure; or
- compile reports (which do not personally identify you) of usage of the App.
Lawfulness of processing
We consider the processing of your personal data for these purposes to be necessary:
- for the performance of a contract with you or your employer;
- in order to take steps at your or your employer’s request prior to entering into a contract;
- for the compliance with a legal obligation;
- Or for the pursuit of our legitimate interest;
Where consent is required for our use of your personal data, by ticking the appropriate consent box or otherwise communicating your consent to us (whether by phone, email or other means), you consent to our use of that personal data as set out in this policy.
You have the right to withdraw your consent at any time.
Who we share your personal data with
DATA WE WILL SHARE WITH YOUR EMPLOYER:
Except where you are explicitly told otherwise prior to providing your response, your survey answers are anonymized and your Employer will not have access to any personal information you have chosen to provide us. Only aggregated data will be presented to your Employer, in such a way that no answer should be traced back to an individual.
Only data collected from you and other employees or personnel may be used by us in an aggregated and anonymized form for statistical and benchmarking purposes including enabling comparisons to other organisations.
Your individual participation in each challenge will be shared with authorized users at your Employer who have accountabilities and/or responsibilities for managing the initiative internally.
DATA WE WILL SHARE WITH THIRD PARTIES:
We may share your personal data with selected third parties in accordance with this policy, as identified below:
- sub-processors, service providers (for example of IT services) and/or suppliers for the performance of any contract that we enter into with you or your employer, namely:
- Amazon Web Services, Inc who provide cloud hosted infrastructure and services used by us to operate the App as a hosted solution; and
- Microsoft Corporation who enable our connection to the Microsoft Teams channel via their Bot Framework and Azure platform;
- Wit.ai, Inc., who provide Natural Language Processing as a service by extracting intents and important terms from free text communications received by our App;
- Amplitude, Inc, Segment.io, Inc, who provide us with usage analytics on select interactions with our App, and with whom we’ve signed a Data Processing Agreement in accordance with EU Data Protection Laws;
- Google LLC who provide us with usage and geographical analytics on our website;
- government or other law enforcement agencies, in connection with the investigation of unlawful activities or for other legal reasons (this may include your location information).
We only contract with third party service providers that take appropriate and stringent security measures to protect your personal data in line with our policies.
We may also disclose your personal data to other third parties in the following circumstances:
- if we sell or buy any business assets, we may disclose your personal data to the actual buyer, seller of such business or assets;
- if Cultify Lda or substantially all of its assets are acquired by a third party, in which case personal data held by us, including your data and data about our customers, suppliers and correspondents will be one of the transferred assets;
- we may disclose your personal data to our legal advisers if they need to have access to this information in order to advise us on our legal rights and obligations; and
International Data Transfers
For the good functioning of our app, we resort to service providers to process data, whose headquarters are outside the European Economic Area (“EEA”), specifically in the United States. After the invalidation of the Privacy Shield, we decided to either 1) request that your personal data be processed and stored inside of the EEA (like in the case of AWS, in Ireland, since August 9th 2020) or 2) refrain from sending your personal data to these providers: In the latter case, we are referring to our analytics services providers, to whom we only send app activity data linked to an internal ID and no personal data whatsoever, since September 10th 2020.
We also resort to an NLP service provider that is based in the US, however, we only send free text without any identifiers to them.
Please refer to the service providers detail page for more information.
In any case, in the eventuality that we do have to transfer personal data to companies located in the USA or other non-EU countries, we will only do so after ensuring the full legality of such procedures, namely through Data Processing Agreements (DPAs) that include the European Standard Contractual Clauses for data transfers between EU and non-EU countries.
If you require further information about these protective measures, please contact us at email@example.com.
Implemented Security Measures
We maintain appropriate technical and organisational measures to ensure an appropriate level of security in respect of all personal data we process, including:
- training of our employees involved in data analysis;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- ensuring that only people authorised to process the personal data will have access to personal information you may have provided;
- all our staff members have committed themselves to confidentiality through legally binding contracts.
We may use session and persistent cookies or other technologies, such as Google Analytics, to automatically collect certain information when you visit our Site, such as your browser type, operating system, software version, URL clickstreams and Internet Protocol (“IP”) address. We also may collect information about your use of the Site, including the date and time of access, the areas or pages that you visit, the amount of time you spend using the Site, the number of times you return and other Site usage data. These cookies are only stored on your browser with your explicit consent.
You can find a complete list of the cookies used here.
How long we keep your personal data for
We will retain your personal data for a period of two years or until six months after our relationship with your employer has ended (whichever is sooner). After this period, your personal data will be anonymized or deleted.
You have the below rights in regards to your personal data. Please contact your employer directly if you would like to exercise any of these rights (other than a change to your marketing preferences, which should be notified directly to us).
- Access. You have the right to obtain confirmation as to whether or not your personal data is being processed and, when that is the case, access to the personal data and the following information: purpose of processing, categories, entities with whom we’ve shared it, retention period, your rights, respective source if not you, existence of automated individual decisions, including the definition of profiles and, in this case, information about the underlying reasoning to such processes as well as their importance and foreseeable consequences. We reserve the right to charge a reasonable fee in response to unreasonable or repetitive requests, or requests for further copies of the same information.
- Right to object to processing. You have the right to object to processing of your personal data where that processing is being undertaken by us on the basis of our legitimate interest. In such a case we are required to cease processing your data unless we can demonstrate compelling grounds which override your objection. You also have the right to object at any time to the processing by us of your personal data for direct marketing purposes.
- Rectification. Rectification. You have the right to obtain the rectification of any inaccurate personal data that we process about you. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Erasure. To the extent permitted by applicable data protection laws, you have the right to request that we erase any personal data that we hold about you, based on one of a number of grounds, including the withdrawal of your consent (where our processing of that data is undertaken on the basis of your consent), or if your object to our continued processing (as mentioned above). The right of erasure does not apply whenever the processing is necessary for any of the following purposes: (I) Complying with a legal obligation that requires such processing and is applicable to us; (II) Establishing, exercising or defending legal claims. This right does not extend to information which is not personal data.
- Request to restriction of processing. This enables you to ask us to restrict the processing of your personal data in certain circumstances, for example if you want us to establish its accuracy or the reason for processing it, we no longer need the personal data but they have to be kept for the purposes of establishing, exercising or defending a legal claim; or you have objected to the processing of your data, and we are verifying whether your legitimate grounds override ours.
- Portability. You have the right to obtain copies of your personal data to enable you to reuse your personal data across different services and with different companies. You may also request that your personal data is transmitted directly to another organisation where this is technically feasible using our data processing systems.
- Right to Withdraw Your Consent. In case the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time.The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Automated Processing. Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"). Automated Decision-Making currently does not take place on our App or in our services.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Please note that if you exercise any of the above rights to require us to restrict or cease processing or to delete personal data, and this type of processing is required in order to facilitate your use of the App, you will no longer be able to use the App following the date on which we action your request. This does not include your right to object to direct marketing which can be exercised at any time without restriction. Please allow at least 5 working days for your request to be actioned.
How do you complain?
If you are not happy with the way your personal data is being handled, or with the response received by us, you have the right to lodge a complaint with your national data protection supervisory authority.
How to contact us
To exercise any of these rights or ask us for any clarification, please contact us at firstname.lastname@example.org. Please allow for 15 business days for us to get back to you.
We are committed to resolving any privacy concerns you have. However, if you feel we have not addressed your specific concern, you have the right to make a complaint at any time to the relevant supervisory authority in your country responsible for data protection issues.