Last updated as of 27 Sep, 2023.
Please read this document carefully. This Policy applies to you when you simply surf the Site, contact us or obtain our Services.
Please note that this Policy does not apply to the data Tomi.ai processes in the role of a processor on behalf of its customers, including data of the visitors and users of its customers’ mobile applications, websites or platforms (“Customer Data”). We are not responsible for the privacy or data security practices of our customers.
If you want to know more about our processing of personal data on behalf of the Customer, please visit the Data Processing Addendum page.
Please contact the respectful customer directly if you are interested in details of its privacy practices or would like to exercise your legal rights regarding customer data.
The Site is not intended for or targeted at children under 16, and we do not knowingly or intentionally collect personal data about children under 16. If you are a parent or legal guardian and you learn that your child is using our Platform and you do not want it to, please contact us at firstname.lastname@example.org, so that we may delete the data of your child.
We use the following definitions in this Policy:
“personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”) such as name, last name, an online identifier, email, location data, etc.
“data subject” shall mean any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
“Customer” shall mean an individual entrepreneur, legal entity or individual who signs up to the Platform in order to receive Services.
“Visitor” shall mean a person who simply surfs the Platform without creating an Account.
“controller” shall mean the natural or legal person, public authority, agency or other body, which (either alone or jointly with others) determines the purposes and means of the processing of personal data.
“processor” shall mean the natural or legal person, public authority, agency or other body, which processes personal data on behalf of the data controller.
“processing” shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“third party” shall mean a natural or legal person, public authority, agency or body other than the data subject, data controller, data processor and persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.
2. What Data We Collect
We collect personal data you provide to us directly, such as the information you enter yourself, and personal data we obtain automatically, such as information about your device and what parts of our Site you interact with. We may share your personal data with third parties solely as defined herein.
We do not sell your data. We do not use automated decision-making and profiling.
2.1. Personal data collected directly from you
When you register with us and create an account, contact us via email or other means available on the Platform, request a demo-version of our Services, we may require that you provide to us your contact information, such as your full name, login credentials, company name, phone number, email address.
We do not request other personal data. However, you may also provide us with additional information by contacting us by email or when filling the registration or “get your free demo” forms on the Platform (“message information”). Message information may contain your personal data, and we kindly ask you not to disclose any sensitive data in it.
You may also voluntarily submit certain information when filling out a survey about your user experience or expectations (“survey information”), therefore we collect the information you have provided as part of that survey.
If you purchase our Services due to one of the plans as provided on the Platform, you will need to provide payment information (bank account or credit card information) so we are able to fulfil your purchase request, maintain the records of your purchases and charge you under the relevant subscription plan.
We use a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use information you provide except for the sole purpose of credit card processing on our behalf.
We will also process your data when you apply for the job offered and send us your CV containing personal information such as full name, photo, phone number, email address, date of birth, education, specialization, etc. (“CV information”).
2.2. Automatically collected personal data
We gather certain information automatically when you visit our Sites or use our Services:
- IP address,
- identification numbers,
- operating system,
- browser ID, and
- other information about your device and connection.
b. Usage data
- time spent on the Site,
- frequency of visits to the Site,
- language preferences,
- types of content you interact with,
- pages visited,
- features used,
- click data, and
- pages that led or referred you to Site, date, and time.
2.3. Personal data we collect from other sources
We collect some information about American residents that are potential customers of Tomi.ai from other sources, namely, third parties from whom we purchase some pieces of personal data. This data includes contact information (name, email, phone number).
2.4. Customer Data
3. Purposes of Personal Data Collection and the Legal Bases We Rely On
We collect and process your personal data for the following purposes:
|Performance of a contract
|We process your contact information to provide customer support, handle your requests and respond to your questions submitted to us via the means of communication available on the Platform.
|Performance of a contract
|Performance of a contract
|We process our customers’ contact information collected while providing Services to send marketing e-mails and other communications about our Services. You may opt-out of receiving such communications at any time.
|Our legitimate interest
|We process survey information to determine the gaps in user experience, understand your expectations and accordingly improve our Platform and Services.
|We process identifiers and usage data to ensure the functionality of the Site, to prevent any fraudulent actions or intervention of the malware, to detect security incidents, to protect against malicious or illegal activity.
|Our legitimate interest
|We process identifiers and usage data to improve our Site and Services, the functionality of the Site, identify future opportunities for the development of the Services and provide you with a better user experience.
|We process identifiers and usage data to provide personalized advertisements and information about our Services, special offers on and off our Site, or conduct marketing campaigns.
|We collect personal information to record the processing activities under art. 30 of the GDPR and comply with other applicable laws.
We only process your personal data if we have a lawful basis for doing so. The legal grounds for processing your personal data are as follows:
- Performance of a contract
2. Your consent
Some kinds of personal data you choose to give us are collected and processed based on the consent you expressly grant to us at the time we collect such data.
We require the minimum amount of your personal data that is necessary to fulfill the purpose of your interaction with our Site. For example, you may consent to receive marketing messages from us.
You may withdraw your consent to the processing of your personal data at any time. Please remember that the withdrawal of consent does NOT automatically mean that the processing before the withdrawal is considered unlawful. You may withdraw the consent to the processing of your personal data by contacting us via e-mail available on the Site.
3. Legitimate interest
Sometimes the processing of personal data is essential to meet our legitimate interests, such as securing our Platform, preventing any fraudulent actions or security threats and providing you with the desired information and Services. Also, we need some data to enable our Site to run smoothly and give you a pleasant user experience. We use only strictly necessary data under this legal ground.
4. Legal obligation
We process your personal data to fulfill the applicable legal obligations arising mainly from the GDPR or national law. If you send us the request to fulfil your rights, we may ask you for some personal data we already have to identify you and achieve compliance with the applicable law.
Cookies are small pieces of data that websites send to your browser and that are stored on your device. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects information about your engagement on that web page. We use them to record, for example, that you have visited a particular web page or clicked on a particular advertisement.
When you visit our Site, we, or an authorized third party, may place a cookie on your device that collects information, including personal data, about your online activities. Cookies help us enhance your user experience and remember your choices and other information, namely as follows:
- to recognize your device and settings;
- to define you as a unique user to personalize your user experience (e.g. keep the language preference);
- to store your preferences and settings;
- to analyze your usage of the Site to improve our Site and services;
- to ensure the functionality of the Site;
- to prevent fraud;
- for marketing purposes.
We use both session cookies that exist only during a single session and persistent cookies that remain on your device after you close your browser or turn your device off.
You may disable the cookies (opt-out)
5. Data Sharing and Disclosure
We may share your personal data with our contractors, third-party service providers and other third parties. Where possible, we always sign data processing agreements (DPAs) and Non-Disclosure Agreements (NDAs) with third parties who we share data with.
Sharing personal data with other data controllers
We may share and disclose your personal data to other data controllers:
Sharing personal data with data processors
There are cases when we are unable to provide you with the full range of the Site features and functionalities solely on our own. This is why we may share your data with third parties who perform services on our behalf, like fraud and abuse prevention, data storage, analytics tracking, marketing services, communication tools services, email and hosting services. They will have access to your personal data to the extent necessary to perform their function, but they are prohibited from using your information for other purposes unless you have specifically given them consent to do so.
Therefore, we may share and disclose your personal data to other data processors, namely:
- PandaDoc (PandaDoc, Inc., USA): to enable document management of Tomi.ai and
- Our Contractors. Subject to reasonable organizational and technical safeguards, we may disclose some of your personal data to our employees and contractors located in the US, Mexico, Spain, Portugal, Kazakhstan, and Turkey, namely:
(a) technical specialists (software developers, support specialists, system administrators) to improve our Site and your experience, provide client support as well as to deliver the functionality of the Site;
(b) sales and marketing specialists to provide you with better client service;
(c) legal and accounting professionals to make our business accurate and transparent.
Limited Use Requirements
Tomi.ai’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
6. Transferring Your Personal Data Outside of the European Economic Area
Your personal data may be transferred to and stored by us in the countries outside the EU or the EEA, particularly if our service suppliers and contractors are non-EU/EEA based as disclosed in Section 5. Where these countries do not fall under Article 45 of the GDPR on the adequate level of data protection, we may transfer your personal data if the appropriate safeguards were put in place as determined under Article 46 of the GDPR.
These steps include implementing the Standard Contractual Clauses (SCC) approved by the European Commission. We put supplementary measures in place when transferring data outside the EU and the EEA, where appropriate.
In a specific situations when we may not rely on Articles 45 and 46 of the GDPR, we may transfer your personal data under Article 49 of the GDPR on the derogations for specific situations, namely:
- your consent;
- performance of the contract to which you and we are parties or you asked us to take steps to enter into an agreement;
- protection of your vital interests, if applicable.
Disclosure of personal data to other data controllers and/or data processors will be done in accordance with the applicable personal data laws and regulations.
7. Data Security, Integrity, and Retention
We will only store and process your personal data for a period of time consistent with the original purpose(s) for which it was collected, as determined in this Policy.
After the expiry of the applicable retention periods, we will securely delete or anonymize your data (so that we or anyone else can no longer identify you based on it) unless we are required to retain the data longer to comply with our legal obligations or as expressly permitted by law. However, we may not delete or anonymize your data if we are compelled to keep it under Article 30 of the GDPR and (or) other applicable laws.
We cannot foresee the precise term we need to process your personal data. However, we write down the pointers and criteria to help you envisage the retention period:
|Contact information and payment information
|As long as we have an ongoing relationship with you and as needed to provide you Services (namely, while your Account is active) and for six months after you delete your Account unless a longer storage period is required or expressly permitted by law.
|For six months. After the expiry of the retention period, we either delete or anonymize this data so we cannot trace you back and retrieve the personality of the respondent.
|As long as our message communication is active and for two months after the last message was sent.
|If you are not offered a job, we will store your personal data for six months once the hiring process ends, unless you give us consent to store such personal data for a longer period of time for the purpose of future suitable job vacancies.
If you are offered a job, we will store your personal data from your CV and any additional personal data collected in connection with the hiring process for the employment period and for a period of time thereafter as required or expressly permitted by law.
|Automatically collected data
You may request to delete your personal data by sending us a request at email@example.com.
We have implemented appropriate organizational, technical, administrative, and physical security measures that are designed to protect your personal data from unauthorized access, disclosure, use, and modification. We regularly review our security procedures and policies to consider appropriate new technology and methods. Please be aware that, despite our best efforts, no system can be 100% secured from unauthorized access to your data by third parties, but we do our best to early detect and mitigate the likely risks.
8. Your Rights
Please note that if your personal data has been provided to us by Tomi.ai Customer and we act as a data processor with respect to this data, you may exercise your rights under the GDPR in respect of and against a respectful Tomi.ai Customer who is a data controller.
Right of access
You may ask us to provide you with a copy of your personal data collected, along with information regarding the nature, processing and disclosure of that personal data. When we act as a controller of your personal data, you have a right to obtain at any time information about:
- whether or not your personal data is being processed;
- your personal data stored;
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject;
- whether personal data is transferred to a third country or to an international organization and of the appropriate safeguards relating to the transfer if it occurs.
Right to rectification
You may ask us to update, correct or supplement your personal information if it is inaccurate or incomplete.
Right to erasure (“right to be forgotten”)
You may ask us to delete your personal data collected, except for the cases it is prohibited by appropriate laws. Once we get an appropriate request from you, we will immediately delete your personal data, providing that one of the following grounds applies:
- the personal data is not necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent to which the processing is based, and where there is no other legal ground for the processing;
- you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR (see “Right to object” below);
- the personal data has been unlawfully processed.
The personal data also must be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
Please note that after your personal data is deleted, we will probably not be able to provide our Services to you.
Right to restriction of processing
You may ask us to restrict further processing where:
- your personal data is not correct or outdated;
- the processing is unlawful (and you oppose the erasure of the personal data and request the restriction of its use instead);
- we no longer need the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims;
- you have objected to processing pursuant to Article 21(1) of the GDPR (see “Right to object” below) pending the verification whether the legitimate grounds of the controller override yours.
Right to data portability
You may ask us to transfer a copy of your personal data to another organization or to you in a structured, commonly used and machine-readable format. You may also transmit such data to another controller.
This shall apply where the processing is based on consent or on a contract AND the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to object
Where the processing of your personal data is based on the necessity for the performance of a task carried out in the public interest or of our legitimate interests, or for direct marketing purposes, you may raise objections to such processing on grounds relating to your particular situation. This also applies to profiling based on these provisions, if any.
We will no longer process your personal data in the event of the objection unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Right not to be subject to a decision based solely on automated processing, that significantly affects you
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you, as long as the decision (1) is not is necessary for entering into, or the performance of, a contract between you and us, or (2) is not authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or (3) is not based on your explicit consent.
Automated decision-making currently does not take place on our Site or in our Services.
Right to withdrawal of consent
You may withdraw the consent when your personal data are processed upon it (see section “Purposes of Personal Data Collection and the Legal Bases on Which We Rely”). However, it does not automatically make the processing of personal data prior to the withdrawal illegal.
Right to lodge a complaint
You may lodge a complaint with the supervisory data protection authority pertaining to the processing of your personal data.
How to exercise your rights
You may enjoy the bunch of rights with respect to your personal data as provided above by submitting a request at firstname.lastname@example.org. Your personal data may be processed in responding to these requests.
Please be aware that in some cases we may ask you to provide us with additional information in order to verify your identity and proceed with your request.
9. Additional Disclosures for California Residents
“Personal data” shall mean “personal information” as defined in CCPA.
9.1. What Categories of Personal Data We Collect
We collect and process the equivalent information about all of our Customers, including those who are California residents, as outlined in the section “What Data We Collect”. However, since the CCPA provides some unique definitions, we will use them to make it easier for you to understand this section.
In the last twelve (12) months, we may have collected the following categories of personal data about you:
- Identifiers: full name, login credentials, phone number, company name, email address, online identifiers (see “Identifiers” in the section “What Data We Collect”).
- Commercial information: records of purchases of our Services.
- Internet activity information (see “usage data” in the section “What Data We Collect”).
- Professional or employment-related information, education information (see “CV information” in the section “What Data We Collect”).
- Other personal data: (i) information on our communications (see “message information” in the section “What Data We Collect”), payment information (see “payment information” in the section “What Data We Collect”), survey information (see “survey information” in the section “What Data We Collect”).
We will not collect additional categories of personal data or use the personal data we collected for materially different purposes without providing prior notice.
9.2. Categories of Sources from which Personal Data is Collected
We collect personal data as follows:
- Directly from you when you visit the Site, register an Account, purchase our Services, communicate with us by means available on the Platform, apply for a job;
- When you use our Platform, some pieces of personal data is collected automatically and provided by our server provider and analytics service;
- From third-party service supplies namely payment processor and survey maintenance platform;
- From third parties who sell contact information.
9.3. Purposes for Collection and Processing of Personal Data
The business and commercial purposes for which we collect your personal data are described in Section “Purposes of Personal Data Collection and the Legal Bases on Which We Rely” of this Policy.
9.4. Third Parties We Share Your Personal Data With
The categories of third parties to whom we disclose your personal data for business and commercial purposes are outlined in Section “Data Sharing and Disclosure” of this Policy.
9.5. Your Rights
To the extent provided for by law and subject to applicable exception, California residents have the following privacy rights in relation to the personal data we collect and process:
9.5.1. Right to Access
You have the right to request that we disclose certain information about our collection and use of your personal data over the past twelve (12) months. Once we receive and confirm your verifiable consumer request, we will disclose:
(a) The categories of personal data we collected about you.
(b) The categories of sources from which the personal data were collected.
(c) Our business or commercial purpose for collecting or selling that personal data.
(d) The categories of third parties with whom we share that personal data.
(e) The specific pieces of personal data we collected about that consumer (also called a data portability request).
9.5.2. Right to Deletion of Personal Data
You may choose to request deletion of your personal data that we have collected and retained, subject to certain exceptions.
Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers and/or customers to delete) your personal data from our records, unless an exception applies.
9.5.3. Right to non-discrimination
The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.
California residents can exercise their rights according to the CCPA by sending a request at email@example.com.
You may alternatively designate an authorized agent to exercise the said rights on your behalf. Please note that to protect your personal data, we will verify your identity by a method appropriate to the type of request you are making.
For the purposes of this section, California resident means every individual who is in California for other than a temporary or transitory purpose, and every individual who is domiciled in California while being outside California for a temporary or transitory purpose.
In any case, we encourage you to regularly review this Policy to check for any changes.
11. Data Protection Authority
We kindly invite you to share your concerns with us in the first place regarding any issue related to your personal data processing. You may use the following channels to address your inquiries: firstname.lastname@example.org.
In case you believe that we are somehow infringing your personal data rights granted by the GDPR, you may submit the complaint with the Data Protection Authority (however, be aware that some supervisory authorities insist on you contacting us first). For more information, please contact your national data protection authority. We will cooperate with the appropriate governmental authorities to resolve any privacy-related complaints that cannot be amicably resolved between you and us.
12. Contact Us
If you have any privacy-related questions or unresolved issues, please do not hesitate to contact us by email email@example.com or other means of communication that are available on the Site.
You may also contact us using the following details:
Address: 440 N. Wolfe Rd., Sunnyvale, CA 94085
tel: (+1) 917-720-3264