We recognise that as a CircleLoop user you entrust us with some of your personal information and it’s always been a priority for us to protect your data and to provide you with choices about controlling it.
Following the release of new EU GDPR regulations (May 2018) we have taken steps to provide complete transparency about how we use and protect your data. We’ve put this webpage together as a guide to answer some of the most common questions you might have.
Security and data centre location
CircleLoop’s primary data and servers are hosted at Amazon Web Services’ (AWS) data centres (located in London and Dublin). We may add additional servers in other locations in the future, and if we choose to do this, we will append these locations to this policy.
AWS provides several security capabilities and services to increase privacy and control network access:
- Network firewalls built into Amazon VPC, and web application firewall capabilities in AWS WAF allow us to control access to our applications.
- We use data encryption protocols built into the specific AWS services in use.
We also use technical and physical controls designed to prevent unauthorised access to your personal data. We restrict access to personal data only to our employees who need to know this information in order to operate, develop or improve our service. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they do not meet these obligations.
CircleLoop collects and retains various elements of your data during your relationship with us. In general we retain this data for a maximum period of 90 days if you choose to cancel your account.
We have provided specific detail about the data that we collect and retain, and where we store it. You can find this information underneath the GDPR button above.
EU General Data Protection Regulation
What is GDPR?
The General Data Protection Regulation (GDPR) is new privacy legislation that replaces the EU Data Protection Directive (Directive 95/46/EC) within the European Union. The GDPR regulates the collection, use, transfer, and sharing of personal data with the key purpose of protecting it.
Why is GDPR important?
GDPR adds some new requirements regarding how companies should protect individuals' data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches. We are following the developments about GDPR and are taking the necessary steps to become compliant.
What constitutes personal data?
Personal data includes any information related to a living resident or citizen of the EU that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, medical information, or even an IP address or cookie.
Who does the GDPR affect?
The GDPR affects companies processing the personal data of individuals residing in the European Union, regardless of a company’s location. It applies not only to organisations located within the EU, but also to organisations located outside of the EU if they offer goods or services to or monitor the behavior of EU residents and/or citizens.
What happens when the UK leaves the EU?
The UK is hoping for a unique status under GDPR and is working towards it. For the time being, the UK has declared it will be GDPR compliant, and its new data protection bill is in line with GDPR.
How will the GDPR affect businesses?
The GDPR requires organisations to be transparent on how personal data is collected, used, and stored. This requires transparency from organisations on what personal data is collected, purposes for which it is collected, and who it is shared with. It also requires companies to enable individuals whose personal data is being processed to exercise their rights in relation to their data. The GDPR also requires companies to ensure appropriate protections when EU personal data is transferred outside the EU (including transfers to the US).
What new user rights does GDPR regulate?
- Right to Access. EU residents and citizens (or “Data Subjects,” as they are called in the regulation) have the right to obtain confirmation from the organisation that has collected their data as to whether their personal data is being processed, where, and for what purpose. They also currently have (and will continue to have under the GDPR) the right to receive a copy of this personal data.
- Right to Be Forgotten (or Data Erasure). Data Subjects can demand that the organisations erase their personal data and cease further dissemination of the data.
- Data Portability. Data Subjects can receive the personal data concerning them (which they have previously provided) in a machine-readable format and have the right to transmit that data to another organisation.
How do we process your information?
Email Address (prospective customers): Prior to becoming a CircleLoop customer, you may choose to provide us with your email address to book a demo, ask a question, or download content from our website or blog. We will store your email address, and any other information you provide to us and use that data to contact you about CircleLoop. This data will be retained for 24 months, following which it is permanently deleted (unless you become a customer in that period). You can unsubscribe from our emails at any time.
Contact Name, Company Name, Email Address (customers): We collect this information from you when you either a) engage with content that we provide via our website or blog, or b) sign up for a free trial of our software. If you cancel your CircleLoop account we will store this information for 90 days, following which the data is permanently deleted. If you wish for us to permanently delete your data prior to the end of this retention period, please just let us know.
In-app activity, device model, operating system (customers): We collect this information whilst you are actively using any of our applications - MacOS, Windows, iOS or Android. We update and store this information in real-time whilst you are using CircleLoop. If you cancel your CircleLoop account we will store this information for 90 days, following which the data is permanently deleted. If you wish for us to permanently delete your data prior to the end of this retention period, please just let us know.
Payment card details (customers): Your payment card details are not stored on our own systems. They are collected either via our Desktop or Android app, or via our admin website. The information is passed directly to Stripe (our payment processor - see section below).
Calls, Call Activities & Messages (customers): We store your call activities, voicemail activities, SMS activities (where relevant) and call recordings in your CircleLoop account, to allow accurate billing and enable your call analytics. We also collect and store call statistics for quality and platform stability analysis. These statistics are not deleted, but are anonymised in the event that you cancel your account. CircleLoop staff are able to view activities on your account, but are not able to listen to call recordings, voicemails, or to read any transcriptions of activity, without your explicit permission (which will be sought and logged if such an activity review is necessary). We store these records for the life of your account, but you have the option to delete these at any time.
Your customers’ contact data (customers): CircleLoop allows you to synchronise and save your contact data in your account. CircleLoop staff are able to view phone numbers, for example when reviewing call activity on your account for problem resolution purposes. This data will never be used to contact your customers and the data will never be shared outside of CircleLoop. We store these call records for the life of your account, but you have the option to delete these at any time.
Data sharing (prospective customers & customers): We do not and will not share any of your data with any third party other than the sub-processors detailed below. The only exception to this is if we receive a Police or UK Security Services request for information relating to a phone number on your CircleLoop account, in which case we are legally bound to provide this information to the requestor.
Software integrations (customers): CircleLoop allows integration with a number of third-party software systems such as Hubspot, Capsule, Pipedrive and Zoho. CircleLoop posts call activity and call recordings (on demand) into your CRM system. As explained above, call data and call recordings are permanently deleted after 90 days if you close your CircleLoop account. However, CircleLoop is not able to delete the call activity that has been posted into your CRM system, so you will need to delete that information yourself if you wish to do so.
Who are our sub-processors?
We share certain information with companies that may be considered our "sub-processors" under GDPR. This information is limited to the following:
- Chargebee - for billing. We process your company name, billing address and subscription details. All data is deleted when the CircleLoop account is deleted. Please follow the link to see their security policies.
- Stripe - for payments. We process your company name & billing address. Your payment card details are passed directly to Stripe - they do not pass through our systems. All data is deleted when the CircleLoop account is deleted. Please follow the link to see their privacy policies.
- Postmark - for notification emails. Details of notifications (e.g. missed calls, voicemails), which may include names and CircleLoop phone numbers, are logged. Postmark stores content and data for 45 days before deletion, with the exception of bounced notifications which are stored for up to 1 year. Please follow the link to see their privacy policies.
- Hubspot - for pre-customer marketing and new customer onboarding & support. We process your company name, email address and subscription details (excluding payment details). Data will be removed after 90 days when a client is deleted.
*Note - collection and retention information for sub-processors above was correct at the time of publishing (11/05/2018). For the most up to date information please use the links provided.
How do we manage access to your information?
Our intention is to service information access requests (such as delete and export) manually. If you have an account with us, you may access, correct, or request that we delete your personal data by contacting us at firstname.lastname@example.org.
This request can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to all requests within 14 days or less, which is well within the GDPR requirement of 30 days.
What has CircleLoop done to comply with GDPR?
We have implemented and are implementing changes
Our information security team is working to prepare CircleLoop for GDPR. We have already fully reviewed our data processing activities, and are making any changes that are needed.
We only process data that is necessary
We only store and process data that is necessary to fulfill our contract with you. For any data that falls outside of this, we will seek and record your consent to do so.
Data Processing Agreement
As CircleLoop may be considered a sub-processor of your own customer data, we are offering a data processing addendum (DPA) for customers on request.
If you would like to receive a DPA, please email us at email@example.com