Privacy Policy

Last updated on October 31, 2023

At Frello, data privacy and data security are really important to us and we want to make sure that you trust us with your Personal Data. This Privacy Policy describes what kind of Personal Data we gather, how we use it, how we share it with others, how we protect it and how you can access and control it.

When handling your Personal Data, we will comply with the New Zealand Privacy Act 2020 and, where applicable, other Data Protection Laws, such as the EU GDPR or the UK GDPR.

If you have any questions or complaints about this Policy or our data protection processes, please get in touch with us at privacy@getfrello.com.

Definitions

"Administrator" means any individual acting on behalf of a Customer and who has certain elevated permissions within the Services.

"Child" means any individual under the age of 16.

"Customer" means any organisation that signs up to our Services and that holds an organisational account with Frello.

"Data Protection Laws" means the data protection and privacy laws applicable to the processing of Personal Data that we are legally obliged to comply with, including (as applicable):

the Privacy Act 2020 (New Zealand);
the EU GDPR;
the UK GDPR; and
any other applicable privacy legislation.

"EU GDPR" means the General Data Protection Regulation of the European Union.

"EU SCCs" means the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.

"Frello", "we", "us", "our" means Frello Ltd, a limited liability company duly incorporated in New Zealand.

"Member" means any individual who is associated with a Customer organisation, either by means of membership or as a casual participant, and whose data was entered into our Services, either by themselves or by another User.

"Personal Data" means any information about an individual by which that person can be identified. This does not include data where the identity has been removed, for example anonymous data.

"Policy" means this Privacy Policy.

"Security Incident" means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data.

"Sensitive Data" means Personal Data of a sensitive nature, and includes data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, data concerning health, or data concerning sexual orientation.

"Services" means any application or online service operated by Frello.

"UK IDTA" means the International Data Transfer Agreement or the International Data Transfer Addendum issued by the Information Commissioner’s Office under the UK Data Protection Act 2018, as may be amended, superseded or replaced from time to time.

"UK GDPR" means the General Data Protection Regulation of the United Kingdom as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

"User" means any individual who accesses and uses our Services, including Members and Administrators.

"Visitor" means any individual that visits our Websites, but who is not a User.

"Websites" means any website operated by Frello.

Beside these specific definitions, we will use the meanings as defined in applicable Data Protection Laws.

What information we collect about you

Depending on the circumstances, we may collect, store, and use the following Personal Data about you:

• Personal details like your name, gender and date of birth
• Contact details like your address, telephone number and email address
• Your IP address

In addition, we may collect and store other Personal Data or even Sensitive Data about you, if that data has been imported or entered into Frello by you or other Users of our Services.

Information you provide to us

Information you provide through our Websites

In specific cases you provide Personal Data to us through our Websites. For example, you may provide your contact details when you sign up to our newsletter or when you fill out a contact form.

Information you provide through our Services

You provide Personal Data to us when you register for and use our Services. For example, you provide us with information when you sign up for an account, when you enter or update Member information (for yourself or on behalf of another Member, which may include Children), when you add notes or comments, or when you use our Services on an ongoing basis as part of the general features of the Services.

Information you provide through our support channels or direct communication

You may provide us with Personal Data about yourself and possibly about other Members related to the case you are contacting us about through our support channels, which include live chat, phone and email communication.

Payment information

When setting up a paid account with our Services, you provide us with payment information that allow us to charge you on a one-off or recurring basis.

Information we collect automatically

Cookies and other tracking technologies

Cookies are small pieces of text sent by your web browser by a website you visit. A cookie file is stored in your web browser and allows our Websites or a third-party to recognize you and make your next visit easier and the Websites more useful to you.

We use cookies and other tracking technologies in order to provide our Services, give you a better website experience and to improve our Websites and Services. In our cookie policy you can get more information and see the list of cookies/integrations/tags that we have implemented within our Websites and Services. This includes the use of third-party analytics services like Google Analytics and others.

Information on how you use our Services

When you visit and interact with our Services we collect certain information in the background in order to optimize and improve the Services going forward. This includes for example things like device information, log data, logins, page views, API (Application Programming Interface) calls, usage of specific features and error logging.

Information from other sources

Other Users of our Services

Other Users of our Services may provide us with Personal Data about you, when they add you as a Member of their organisation, or when they create a User account for you so that you can use our Services. You may also be mentioned by other Users in notes and comments, or in support or sales conversations with our team.

Connecting via social networks

If you connect to our Services with any of your social network or Single Sign-On (SSO) accounts (for example Facebook or Google) and grant us permission, we get access to Personal Data about you via the social network interfaces. Such data can include your name, contact details and your profile photo. When you connect our Services to the social networks, you will be shown exactly what data you are sharing with us.

How your Personal Data is processed by the social networks or SSO services is regulated by the terms between yourself and the relevant social networks or SSO service.

Public information

In some cases we may find public information about you, for example via LinkedIn or similar services where you provide your information publicly with intention.

Payment providers

If you make an online payment through our Services we may collect data about your transactions, including the brand and last 4 digits of your credit or debit card number and other details pertaining to the transaction.

Other partners

We may receive Personal Data about you through other third-party partners, such as technology partners we work with.

How we use the information we collect

We use your Personal Data provided to us only for specific purposes of the corresponding processing activities and only where we have a lawful basis to do so under Data Protection Laws. Unless expressly mentioned otherwise in this Policy, these processing activities are necessary for the purposes of a legitimate interest pursued by Frello, and we have assessed that such interests are not overridden by the interests or fundamental rights and freedoms of the persons to whom the Personal Data relates.

Once the purpose for a processing activity is not applicable anymore and we no longer have a lawful basis for retaining a copy of your data, we will delete your Personal Data accordingly.

With respect to Personal Data entered into our Services by or for Customers, we are a joint data controller alongside the relevant Customer. However, the Customer is responsible for determining the legal basis upon which that Personal Data is processed. Please see the final section in this Policy, which outlines the Customer’s obligations in this regard.

In the following sections we list the specific cases in which we use your Personal Data.

Provision of our Websites

We use information you delivered to us in order to provide our Websites, including customer support, log files, rendering fonts and to operate and maintain the Websites. We also use your Personal Data in order to personalize your experience when you visit our Websites.

Provision of our Services

We use information you gave to us (or that another User gave to us on your behalf) in order to provide our Services. This includes account creation, authentication, customer support, log files, rendering fonts, and general operation and maintenance of our Services. We also use your Personal Data in order to personalize your experience whilst using our Services.

Improving our Services

We strive to continuously improve our Services, that’s why we use your information to improve our Services on an ongoing basis. For example, we may track how you use and navigate through our Services and how and if you use a specific feature.

Communicating with you about our Services

We use your contact information in order to communicate with you about our Services. For example, we may send you emails for confirmations, customer support, updates to our Services, technical notices and security notifications.

Contact form

When you fill out a contact form on our Websites, we use the contact details you provide us to get in touch with you to resolve your query.

Demo or walkthrough requests

When you request a demo or walkthrough, we get in touch with you in order to understand your use case and schedule and deliver a web conference in order for you to decide if our Services fulfill your needs.

Customer support

We use your information in order to provide you with customer support. For example, when you use the chat plugin in our Websites or Services, we use the information you provided in order to resolve your case and guide you to the right resources or contacts within Frello.

Marketing and promotion of our Services

We may use your Personal Data in order to send promotional information to you that may be of specific interest to you. Our goal is to make the communicated information as meaningful as possible for you. You can always unsubscribe from our marketing emails if you no longer wish to receive them.

Newsletter

In case you signed up for our newsletter, we will send you regular email updates about our Services and other information that is interesting in the scope of our company. You can always unsubscribe from our newsletters if you no longer wish to receive them.

Cookies and other tracking technologies

We use your information in combination with cookies and tracking technologies with the goal of providing you an improved Websites and Services experience.

Cookies

We use cookies to store information and identify you across our Websites and Services. For example, to identify or authenticate you in our Services, or to track your activity in order to improve the Websites and Services. You can find the full list of cookies in our cookie policy.

Web analytics

We use anonymised data that we gather through web analytics scripts that we embed in our Websites. For example, we use Google Analytics to analyze user behavior with the goal to improve our Websites.

Remarketing

We use remarketing in order to promote our Services to you in a personalized way. For example, we use Google Analytics/Google Adwords to build remarketing lists and Facebook ads technology (including the Facebook pixel and custom audiences) to show you ads on other platforms and re-engage you with our Websites and Services.

Safety and security

We use information about you to increase the safety and security of our Websites and Services. For example for verifying your account, detecting fraudulent activities and anything else that would make our Services more secure.

How we share information we collect

We will not sell, rent, share, or otherwise disclose any Personal Data to anyone except to provide our Services to you and for the lawful purposes as described in this Policy.

Service providers and third parties

We work with third-party service providers for various tasks within our organization, including billing, marketing, customer support, analysis, accounting and others. If we transfer your Personal Data to a service provider in order to fulfill a task, we will make sure that the service provider only processes the data based on our instructions and by guaranteeing the same safeguards as we do. On top of that we have signed a data processing agreement with every service provider that makes sure that the partner is bound to the strict rules under the applicable Data Protection Laws. We have created a separate list of all our sub processors, so that you can see who we share your Personal Data with and for what purposes.

Note that if you disclose your Personal Data to third parties yourself, or if you are directed to a third party website from our Services, that third party’s privacy notices and practices will apply.

Intercom

We provide a limited amount of your Personal Data (such as sign-up date and your email address) to Intercom, Inc. (“Intercom”) and utilize Intercom to collect data for analytics purposes when you visit our Websites or use our Services.

As a data processor acting on our behalf, Intercom analyzes your use of our Website and/or Services and tracks our relationship by way of cookies and similar technologies so that we can improve our Services for you. Find out more about Intercom’s cookie policy.

We may also use Intercom as a medium for communications, either through email, or through messages within our Websites or Services.

As part of our service agreements, Intercom collects publicly available contact and social information related to you, such as your email address, gender, company, job title, avatar, website URLs, social network handles and physical addresses, to enhance your user experience. Find out more about the privacy practices of Intercom.

If you would like to opt out of having this information collected by or submitted to Intercom, please contact us at privacy@getfrello.com. Please note that we only provide data to Intercom of Administrators or Visitors that contact us through Intercom via our Websites or Services. We do not send data of regular Members or Users that use our Services to Intercom.

Integration partners

You also have the option to enable additional integrations when using our Services, which are either built-in or work through our APIs or via webhooks. We do not directly evaluate or attest to the qualification of applicable Data Protection Laws of integration partners. You are responsible for evaluating any third-party integration partner before creating or enabling an integration. You should ensure you establish a direct contractual privacy agreement with any third-party that you ask Frello to transmit Personal Data to. These integration partners include, but are not limited to:

• Stripe
• POLi
• Mailchimp
• Xero
• Google

Change of ownership

We may share Personal Data in the case of any merger, sale, financing or acquisition of a part or the whole of any Frello business. We will notify you accordingly in case this situation should arise.

Law enforcement and compliance

We will share your information with a third-party (including law enforcement authorities) if we believe that sharing is necessary to comply with any applicable law or governmental requests.

How we secure information we collect

We use robust and state-of-the-art technical and organizational measures to secure any Personal Data that we have on file about you. We review our data protection processes regularly in order to make sure that we protect your Personal Data in the best possible way. If we use sub contractors and service providers to fulfill a specific task based on your Personal Data, we will make sure that the partner has similar state-of-the-art data protection processes in place.

Your responsibilities in terms of data security

When you use our Services, you have a responsibility to keep your account secure. Please stick to the following best practices to help us keep your Personal Data secure:

• Make sure you choose a strong password that can’t be easily guessed.
• Always keep your password safe and don’t share it with others (including us).
• Make use of our Google or Facebook sign in to avoid the need for a password altogether.
• Change your username and password if you think someone knows your account sign in details.
• Notify us if you think your account may have been breached.
• Sign out of your session if you are using a shared device or public computer.

Lastly, always keep your email address up-to-date so that we can contact you and send you notifications if needed in the event of a Security Incident or concern.

How long we store your information

We store your Personal Data only for as long as we need access to it in order to fulfil the lawful purpose of the specific data processing activity. As the data retention period is different from use case to use case we have created a list of sub processors, in which you can find the exact period for each of the processing activities that we perform. Where possible, we also delete or anonymise all Personal Data after 3 months from the date your account with us is cancelled. Exceptions to that only apply if there are technical limitations to guarantee this or where specific laws expect from us that we store certain data for a longer time (for example requirements from tax authorities for storing documents).

Your rights

We respect that your Personal Data is yours and therefore give you full control to decide what happens with your Personal Data.

Access, correction and deletion

You have the right to request a copy of your readily retrievable Personal Data and to ask for it to be corrected if you think it is wrong or to be deleted.

If you need to correct your data, you can usually do this yourself within our Services by navigating to your personal profile page and making the necessary changes.

If you are based in the European Union or the United Kingdom you have the right, under the EU GDPR or the UK GDPR (as applicable), to:

• in certain circumstances, have your Personal Data erased;
• restrict the processing of your Personal Data;
• move, copy or transfer your Personal Data easily for your own purposes across different services in a safe and secure way;
• object to processing where we rely on our legitimate interests as the lawful basis for processing; and
• withdraw your consent at any time, where our processing of your Personal Data is based on consent.

We will respond to any request made in respect of the above in accordance with applicable Data Protection Laws.

To action such requests, please send an email to our privacy officer at privacy@getfrello.com and we will do our best to give you a meaningful response as soon as possible after we have verified your identity. In some cases we may be limited in providing information to you, if fulfilling your request would reveal information about another individual or if we are permitted by law or legitimate interest to keep it. In certain circumstances we may refuse to respond to a rights request where we have the right to do so under the EU GDPR or the UK GDPR (as applicable), for example, where a request is manifestly unfounded or excessive.

Should you at any point believe that we have not complied with Data Protection Laws or this Policy in connection with your Personal Data, you can lodge a complaint with the corresponding supervisory authorities.

Opting out for specific use cases

You may opt-out of specific processing activities by using different methods, such as:

• Blocking cookies in your browser
• Managing your cookie settings in our Websites and Services
• Installing third-party browser extensions to block certain scripts (for example Google Analytics)
• Clicking on unsubscribe links in marketing email that we sent
• Managing your notification and email settings in our Services

How we transfer information internationally

We use third party service providers and sub processors that are based in various locations around the world. Regardless of the country of operation of the sub processor, we will always endeavour to ensure that your Personal Data is treated securely and in accordance with this Policy as well as applicable Data Protection Laws.

We have created a separate list of sub processors that include all the processors we use, their country of origin and corresponding safeguards.

By using our Services, you consent to the rights of access, processing and disclosure to overseas locations on the basis specified in this list. If you object to us processing your information through any of the listed sub processors, please contact our privacy officer at privacy@getfrello.com.

If you are located in the European Union, your Personal Data may be transferred outside of the European Economic Area (EEA). If we transfer Personal Information to a third party located in a country outside the EEA that the European Commission has not recognised as providing adequate protection, we will enter into an agreement with that third party that contains the EU SCCs.

If you are located in the United Kingdom, your personal Data may be transferred outside of the United Kingdom that the European Union (as at 31 December 2020) or the United Kingdom Government has not recognised as providing adequate protection, we will enter into an agreement with that third party that contains the UK IDTA.

Some of the Personal Data we collect is processed in New Zealand. New Zealand is recognised by the European Commission and the Information Commissioner’s Office (UK) as a country that has an adequate level of data protection and we rely on that decision in transferring Personal Data to New Zealand.

Other important privacy information

Minors and children

While our Websites and Services are not directed at Children, Personal Data of Children may be entered into the Services, or a Child may access and use the Services.

If you are inputting Personal Data of a Child into the Service or otherwise providing us with access to the Personal Data of a Child, you must have obtained, and you undertake to us that you have obtained, the consent of the Child’s legal guardians to such disclosure, before making the disclosure.

If you become aware that a Child is using our Services, or that someone has provided us with Personal Data of a Child without consent from their legal guardian, please contact our privacy officer immediately at privacy@getfrello.com.

Sensitive Data

Your express consent is required before we are able to process any of your Sensitive Data via our Services. You will be required to provide this consent when you register to use the Services.

If you are a Member, Sensitive Data may be entered into the Service by another User if it is relevant to your membership or association with a Customer organisation. However, Sensitive Data must not be entered into the Service by another User unless you have provided your express consent to that User or to the relevant Customer organisation.

If you become aware that at any stage your Sensitive Data has been entered into the Service without your express consent, please contact our privacy officer immediately at privacy@getfrello.com.

Changes to this policy

Frello reserves the right to change this Privacy Policy. We will provide notification of material changes through our website at least 30 days prior to the change taking effect. Your continued use of the Websites and Services after the update has become effective indicates that you have read, understood and agreed to the new version of this Policy.

Your responsibilities as a Customer

If you are a Customer, you acknowledge and agree that, with respect to all Personal Data (including the Personal Data of Children) that your Administrators or any of your other Users (including your Members) enter into our Services, you are acting as a joint data controller along with Frello with respect to such Personal Data.

As a data controller, you have the following responsibilities that you must adhere to:

Comply with all Data Protection Laws

You must comply with your obligations under all applicable Data Protection Laws.

Obtain consent

You have obtained or shall obtain all consents necessary under Data Protection Laws, for Frello to process the Personal Data through our Services as you direct, and that such consent is obtained from the correct person. For example, from the relevant legal guardian of a Child (where the Personal Data of Child is being entered into the Service) or the express consent of a User (where Sensitive Data of a User is being entered into the Service).

Withdrawn consent or objection to processing

You must notify us without undue delay if any User withdraws their consent, or any part of their consent, or objects to any processing of Personal Data through our Services. This shall include any withdrawal of consent, or objection received by you from a Child to whom the Personal Data relates.

Accuracy of Personal Data

You will make sure to update any Personal Data stored within your account that relates to another person when requested to do so by that person.

Security breach

Upon becoming aware of a Security Incident, or any other (suspected) breach of your security safeguards, you must notify us without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by us.

Sensitive Data

You will not input or transfer (or allow any User to input or transfer) Sensitive Data into our Services, unless the necessary consents have been obtained.

Security

You are responsible for your and your Users secure use of our Services, including securing your account authentication credentials and following data security responsibilities as outlined above.

Evaluation of our Services

You are responsible for reviewing the information made available by Frello relating to data security and making an independent determination as to whether our Services meet your requirements and legal obligations under Data Protection Laws.