Privacy Policy

Privacy Policy

[Last Updated: August 03, 2023]

This Privacy Policy (“Privacy Policy”), describe how Panaya Ltd. and its affiliates (collectively, “Panaya” or “we”) collect, use and disclose certain information, including Personal Data (as defined below) and the rights granted with regards to your information.

Panaya provides subscription-based on-demand online services for testing and impact analysis of changes made to its Customers’ Systems (“Services“). When you use the Services (“Customer”), when you apply for a job through our website (“Job Candidates”), or merely when you engage with our blogs, news room, register to a webinar, or other similar forums as available through our website: https://www.panaya.com/ and landing pages (“Prospect” and collectively and separately with the Customer, and the Job Candidates, shall be referred to herein as “you”), you are trusting us with your information. This Privacy Policy is meant to help you understand what information we collect, why we collect it, how we safeguard it and how you can control it by exercising your rights.

1) Policy Amendments

We reserve the right to amend this Privacy Policy from time to time, at our sole discretion. The most recent version of this Privacy Policy will always be posted on the website and the update date will be reflected in the “Last Updated” heading. We will provide notice to you if these changes are material, and, where required by applicable law, we will obtain your consent. Any amendments to the Privacy Policy will become effective immediately, unless we notify otherwise. We recommend you review this Privacy Policy periodically to ensure that you understand our most updated privacy practices.

 

2) Contact Information and Data Controller Information

Panaya, a company incorporated under the laws of the state of Israel, is the Controller (as such term is defined under the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) or equivalent privacy legislation).

For any question, inquiry or concern related to this Privacy Policy or the processing of your Personal Data, you may contact as follows:

DPO Contact Information:  

By E-mail: [email protected]

By Mail: Panaya Ltd. 6 Haharash St. Hod Hasharon, Israel 4524079

 

Representative for data subjects in the EU Contact Information:
We value your privacy and your rights as a data subject and have therefore appointed our subsidiary – Panaya Germany GmbH (“Panaya Germany”) as our privacy representative and your point of contact. Panaya Germany gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via Panaya Germany please use the following means:

By Email: [email protected]

By Mail: Panaya Germany GmbH c/o RPI Roehm, Elsenheimerstr. 7, 80687 München, Germany

 

3) Data Processed by Panaya

We may collect two types of information from you, depending on your interaction with us.

The first type of information is non-identifiable and anonymous information (“Non-Personal Data”). We are not aware of the identity of the individual from who we have collected the Non-Personal Data. Non-Personal Data which is being gathered consists of technical information, and may contain, among other things, the type of operating system and type of browser, type of device, your action in the website or Services (such as session duration).

The second type of information is individually identifiable information, namely information that identifies an individual or may with reasonable effort identify an individual (“Personal Data”).

For the avoidance of doubt, any Non-Personal Data connected or linked to Personal Data shall be deemed as Personal Data as long as such connection or linkage exists.

The table below details the types of Personal Data we process, the purpose, lawful basis, and our processing operations:

Type of DataPurposes of ProcessingLegal Basis under the GDPR
PROSPECTS DATA
Website Interaction and Marketing:
When you interact with our website, we may collect your online identifiers, such as Internet Protocol (IP) address, Cookie ID and other unique identifiers (“Online Identifiers”).
 
Further, we will collect your behavioral information, which is collected indirectly by our external marketing tools, or analytic tools. This information includes the referring URL (that is, the webpage directing you to our website, and other websites you visited in the session), your interests in our competitors, the web page you visited when you tapped/clicked on our ad, how you interact with our webpage, time, duration of use, pages you have viewed on our website (“Marketing Data”).
First, Online Identifiers and cookies are used, in particular to operate the website and enable its proper functionality, for security and fraud prevention purposes, debugging purposes and to resolve technical problems. For example, in order to automatically recognize you by the next time you enter the website or to confirm you are a real person.
Second, the Online Identifiers and the Marketing Data are indirectly processed by third-parties marketing and analytic tools, for analytic and remarketing purposes. We process this data to understand how Prospects use our website and to measure effectiveness of some ads we use in order to track conversions, build targeted audience, and remarket our Services to people who have taken some action on the website.
Online Identifiers which are collected through cookies we implement, which are strictly necessary for the proper and basic operation of the website will be processed in our legitimate interest.
Your Marketing Data which are collected through third-party cookies, including any targeting and marketing cookies, will be processed based on your consent which we will obtain through our cookie notice and consent management.
You may withdraw consent at any time by using the cookie preference settings as available in the footer of the website, or by managing opt-out through your browser or device.
Contact Information:
In the event you contact us with any inquiries, either through an online form available on the website (i.e., the contact us and support pages, the DSR form, etc.), by sending us an email or by any other means, you will be requested to provide us certain information such as your name, telephone number, email address (“Contact Information”).
We will use your Contact Information solely for the purpose of responding to your inquiries.
The correspondence and its contents with you may be processed and stored by us in order to improve our customer services and in the event we believe it is required to continue to store it, for example, in the event of any claims or in order to provide you with any further assistance (if applicable).
We process Contact Information subject to our legitimate interest.
Direct Marketing:
When registering for a free trial, demo session, webinars or other similar forums, we will send you service communications and marketing promotions, such as new features, additional offerings, special opportunities or any other information we think you will find valuable.  (“Direct Marketing”).
We will use your information in order to keep you updated with offers and content such as service updates, new capabilities and features, surveys, etc. We process your information subject to our legitimate interest. You can opt-out at any time through the “unsubscribe” link within the email or by contacting us directly. 
Newsletter:
In the event you sign up to receive our newsletter, blog updates or other marketing materials, you will be requested to provide your contact details, such as your email address. 
We use this information in order to send you the content you requested or other marketing materials.
We will further store this information in order to include you in our marketing lists, as well as the “opt-out” list (solely the necessary information for such purpose), and to ensure we respect your choice and comply with applicable laws in this regard.
We process such contact information subject to your consent. You may withdraw consent at any time through the “unsubscribe” link within the email.
Additional Features:
In the event you choose to provide feedback, post on our website or social media pages, you may be required to provide us with certain additional information such as your role, country, company name, etc.
We will use this information for the purpose of providing you with the services that you requested.We process this information subject to our legitimate interest.
Call Recordings:
When we contact you through your work phone, we may, subject to applicable laws, record our call (“Call Recordings”).
We use such Call Recordings in order to enhance our sales efforts, and in the event we believe it is required to continue to store it, for example, in the event of any claims or in order to provide you with any further assistance (if applicable).  Subject to applicable laws, we will process our Call Recordings based on your consent.
Free Trial:
In the event you choose to book a free trial you will be requested to provide us with certain information such as your name, your company email address, work phone, working company, your role, country, etc. (“Free Trial Information”).
We will use your Free Trial Information for the purpose of providing you with the free trial services as requested.
We will also use your Free Trial Information for Direct Marketing.
We process your Free Trial Information in order to take pre-contractual steps as you requested.          
We process your Free Trial Information for Direct Marketing purposes based on our legitimate interest. You can opt-out at any time through the “unsubscribe” link within the email or by contacting us directly. 
Demo Session:
In the event you choose to book a demo session you will be requested to provide us with certain information such as your name, your company email address, work phone, working company, your role, country, etc. (“Demo Session Information”).
We will use your Demo Session Information for the purpose of providing you with the demo services you have requested.
We will also use your Demo Session Information for Direct Marketing
We process your Demo Session Information in order to take pre-contractual steps as you requested.          
We process your Demo Session Information for Direct Marketing purposes based on our legitimate interest. You can opt-out at any time through the “unsubscribe” link within the email or by contacting us directly. 
Webinars and Events:
In the even you register for a webinar or event we host, you will be requested to provide us with certain information such as your name, your company email address, work phone, working company, your role, country, etc. (“Webinar Information”).
We will use your WebinarInformation for the purpose of providing you with the demo services you have requested.
We will also use your WebinarInformation for Direct Marketing purposes.
We process your WebinarInformation in order to take pre-contractual steps as you requested.  
We process your WebinarInformation for Direct Marketing purposes based on our legitimate interest. You can opt-out at any time through the “unsubscribe” link within the email or by contacting us directly. 
Sweepstake participation:
In the event you register for a sweepstake we conduct, you will be required to provide us with certain information such as your name, your working company name, business email address and phone number, your business role, country, etc. (“Sweepstake Information”).
We will use your Sweepstake Information in order to administer your participation in a sweepstake, contact you for winner notification, prize delivery confirmation (where applicable) or other promotional purposes.
We will also use your SweepstakeInformation for Direct Marketing purposes.
We process your Sweepstake Information in order to take pre-contractual steps as you requested.              
We process your Sweepstake Information for Direct Marketing purposes based on our legitimate interest. You can opt-out at any time through the “unsubscribe” link within the email or by contacting us directly. 
CUSTOMERS DATA
Customer Account:
In order to use our Services, you will be required to register and open an account. During the registration process you will be requested to provide us with certain information such as your name, company name, email address, role, and other similar contact information, and you will be able to create a user name and password.
(Collectively “Account Registration Data”). 
We use your Account Registration Data to create and designate your account, authentication and validate access, enable log-in, access and use of your account as well as to send you needed information related to our engagement (e.g., billing and invoicing).
In addition, we use this information for Direct Marketing purposes, meaning, as our Customer, we may send you marketing related communications (by email or other contact details you have provided), materials and content regarding the Services you are currently using or any services we may offer in the future to keep you up to date, and for example, offers and content such as software updates, new capabilities and features, surveys, etc.
We process your Account Registration Data for the purpose of performing our contract with you.
Processing of this information for Direct Marketing purposes is made subject to our legitimate interest. You can opt-out at any time using the “unsubscribe” option within the body of the message.
Please note that if you choose to unsubscribe from our Direct Marketing, we will still retain your contact details and send you service-related emails, such as invoices.
Customer Support:
When you contact us for customer support, we will process your Contact Information.
We will use the Contact Information to provide you with the customer support needed. We will retain such correspondence for as long as needed, and to evidence the support was provided.We process such information to provide the required support services and fulfill the contractual obligations.
Usage Data:
When you use our Services, information regarding such use is automatically generated and collected, which may include the click stream within the Services, the use of the Services (i.e., accessed or used by Customer) and the time spent on those pages or features, crash data and analytics, etc.
We record how you interact with the Services. We log crashes, interaction with the Services, how often you use the Services, how long you are on the Services, etc.
(Collectively “Usage Data”)
We use your Usage Data to help us understand how you are using our Services, and how to better provide and improve our Services. This helps us to better understand our business, analyze our operations, maintain, improve, innovate, plan, design, and develop the Service and our new products.
In addition, we process Usage Data for security, operation and debugging purposes, and for example, to resolve technical errors. 
Where we collect Usage Data for operation and security purposes, we process your data based on our legitimate interest.
Where we collect Usage Data for analytic and marketing purposes, we process such data based on your consent which we will obtain through our cookie notice and consent management tool.
You may withdraw consent at any time by using the cookie preference settings available in the footer of the website, or by managing opt-out through your browser or device.
CANDIDATES DATA
Career:
When you apply for a job at Panaya, we will process your CV (and the information included therein), as well as additional information such as your contact information (name, email address and phone number), information regarding your education and skills, employment history, and your photo (to the extent provided by you).
Further, where required by law, we may process diversity and inclusion data regarding your candidacy, such as ethnicity, gender, or any disability.
In addition, we may collect other information from public and online sources, referees, background checks where applicable, and former employers and combine such data with the data you provided us (collectively, “Recruitment Data”).
For additional information please review Panaya’s Job Candidates Privacy Policy, which governs the collection and use of data concerning Candidates.
We will use your Recruitment Data to process your job application and for our internal recruitment management purposes, for further recruitment steps (e.g., interview), and to enable Panaya to comply with corporate governance and legal and regulatory requirements.
Following the completion of the recruitment process, we may further retain and store the Recruitment Data (including other interactions with us under such process) as part of our internal records keeping, including for legal defense from any future claim, as well as, and subject to applicable law requirements, to contact you in the future for other position we believe you qualify for.
If you are hired, your Recruitment Information will be kept on our HR systems as part of your employment and our corporate management.
We currently use Comeet which processes your Recruitment Information on our behalf based on their Privacy Notice available here, and pursuant with Comeet’s contractual commitments under this data processing agreement.
We process Recruitment Data subject to our legitimate interest.
In some cases, for example, where we will ask you to provide health related information or diversity and inclusion data, we will process such data based on our obligations in employment and the safeguarding of your fundamental rights.
 
Where you provided your consent, we will process your Recruitment Data in order to contact you with further job offers which we believe you might be interested in.

Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above may differ. Such processing operation usually includes a set of operations made by automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction. The transfer of Personal Data to third-party countries, as further detailed in Section 10 “DATA TRANSFER” below, is based on the same lawful basis as stipulated in the table above.

In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts, and any other misuse of our Services, and to enforce our terms of use and other policies, as well as to protect the security or integrity of our databases all systems, and to take precautions against legal liability. Such processing is based on our legitimate interests.

 

4) How We Collect Information

Depending on the nature of your interaction with Panaya, we may collect information as follows:

Automatically – we may use cookies (as elaborated below) or similar tracking technologies to gather some information automatically when you interact with our website.

Provided by you voluntarily – we will collect information if and when you choose to provide us with the information, such as when you apply for a job, contact us communications, account registration, sweepstake participation, etc.

Provided by third parties – such as third parties listed on your CV for professional reference, etc.

 

5) Cookies and Tracking Technologies

We use “cookies” (or similar tracking technologies) when you interact with our website. The use of cookies is a standard industry-wide practice. A “cookie” is a small piece of information that a website assigns and stores on your computer while you are viewing a website. Cookies can be used for various purposes, including allowing you to navigate between pages efficiently, for statistical purposes, as well as for advertising purposes.

You can find more information about cookies here: www.allaboutcookies.org.

Please see our cookie declaration available here, which details the cookies we use on our website, as well as our cookie setting tool available through our website footer enabling you to change your settings and preferences ant any time 

Also note that, most browsers will allow you to erase cookies from your computer’s hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. You may set your browser to block all cookies, including cookies associated with our website, or to indicate when a cookie is being used by us, by adjusting the privacy and security settings of your web browser. Please refer to the support page of your browser to learn more about how you can adjust your privacy and security settings. Please note that once you choose to opt out or disable cookies, some features of our website may not operate properly and your online experience may be limited. In addition, even if you do opt-out, you may still receive some content and advertising, however, it will not be targeted content or advertising.

Where we use third-party advertising cookies, such third-party may independently collect, through the use of such tracking technologies, some or all types of Personal Data detailed above, as well as additional data sets, including to combine such information with other information they have independently collected relating to your online activities across their network of websites, for the purpose of enhanced targeting functionality and delivering personalized ads, as well as providing aggregated analytics related to the performance of our advertising campaign you interacted with. These third parties collect and use this information under their own privacy policies, and are responsible for their practices.

 

6) Sharing Personal Data

We share your Personal Data with third parties, including our partners or service providers that help us provide our Services. You can find in the table below information about the categories of such third-party recipients.

Category of RecipientData That Will Be SharedPurpose of Sharing
Service providers    All types of Personal Data We employ other companies and individuals to perform functions on our behalf. Examples include: outsource consultants, sending communications, processing payments, analyzing data, providing marketing and sales assistance (including advertising and event management), identifying errors and crashes, conducting customer relationship management, and providing training. These third-party service providers have access to Personal Data needed to perform their functions, but they are prohibited, through contractual obligations, from using your Personal Data for any purposes other than providing us with requested services.
Affiliated CompaniesAll types of Personal DataWe may share your Personal Data with our affiliated companies including our parent company, for sales and marketing purposes, providing customer relationship services, etc.
Any acquirer of our businessAll types of Personal DataWe may share Personal Data, in the event of a corporate transaction (e.g., sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our affiliated companies or acquiring company will assume the rights and obligations as described in this Privacy Policy.
governmental agencies, law enforcements or authorized third partiesAll types of dataWe may disclose Personal Data to enforce our policies and agreements, as well as defend our rights, including the investigation of potential violations thereof, alleged illegal activity or any other activity that may expose us, you, or other users to legal liability, and solely to the extent required. In addition, we may disclose Personal Data to detect, prevent, or otherwise address fraud, security, or technical issues, solely to the extent required.
We may also share certain data when we believe it is appropriate to do so in order to comply with the law enforcement, or protect the rights, property, or security of Panaya, our Customers or others.

For the avoidance of doubt, we may transfer and disclose or otherwise use Non-Personal Data or information which is linked to anonymous random identifiers or information that is aggregated in a non-identifiable way, at its own discretion.

We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your information. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed.

Certain rights can be easily executed independently by you without the need to fill out the DSR form, and for example:

If you are our Customer, you can correct certain data provided under your Customer account (such as contact information) through the account settings;

You can you can opt-out from receiving our marketing emails by clicking “unsubscribe” link;

You can use the cookie settings tool available on the footer of the website to change your cookies preferences.

In the event you are a Customer – note that termination of the engagement or closing your account does not automatically resolve in deletion of data. If you wish to delete the data, please ensure to contact us with such request.

In the table below you can review your rights depending on your interaction with us, how you can exercise them, and appeal a decision we take in this regard, any specification per geo-location or territory are available below the table:

RIGHT TO BE INFORMED, RIGHT TO KNOWYou have the right to confirm whether we collect Personal Data about you, if you wish to know if we collect Personal Data about you, please review this Privacy Policy.
ACCESS RIGHTSYou further have the right to know which Personal Data we specifically hold about you, and receive a copy of such or access it, if you wish to receive a copy of the Personal Data or Personal Information, please submit a Data Subject Request form (“DSR”) as available here.
RIGHT TO CORRECTIONYou have the right to correct inaccuracies in your Personal Data, taking into account the nature and purposes of each processing activity. Please submit a DSR as available here.
RIGHT TO BE FORGOTTEN, RIGHT TO DELETIONIn certain circumstances, you have the right to delete the Personal Data we hold about you. Please submit a DSR as available here.
RIGHT TO PORTABILITYYou have the right to obtain the Personal Data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance. We will select the format in which we provide your copy. If you wish to exercise this right, please submit our DSR as available here.
RIGHT TO OPT OUT UNDER THE EU, AND SPECIFICALLY IN THE US THE RIGHT TO OPT OUT FROM:
(I) SELLING PERSONAL DATA;
(II) RIGHT TO OPT OUT FROM TARGETED ADVERTISING; AND
(III) RIGHT TO OPT OUT FROM PROFILING AND AUTOMATED DECISION MAKING
Direct Marketing: You have the right to opt-out from Direct Marketing, by unsubscribing through the email received.
Newsletter: You have the right to withdraw consent when you no longer wish to be in our newsletter list.
Cookies: When you no longer wish for cookies to track your behavior for analytic and marketing purpose, change your preferences through the cookie settings available on our website footer. 
Sale of Personal Data for targeted advertising, monetary gain or profiling, or Share or Sale of Personal Information for analytic or marketing: If and to the extent applicable, you have the right to opt out of the sale of your Personal Data, for the purposes of targeted advertising, sale to a third party for monetary gain, analytic, etc. as detailed under the here or through the cookie settings available on our website footer. 
Last, you are able to install privacy-controls in the browser’s settings to automatically signal the opt-out preference to all websites you visit (like the “Global Privacy Control”). We honor the Global Privacy Control, where applicable, subject to your jurisdiction, as a valid request to opt-out of the sharing of information linked to your browser.
Note you may have the right to authorize another person acting on your behalf to opt out (including by technical tools and opt out signals). 
RIGHT TO APPEAL OR COMPLAINTIf we decline to take action on your request, we shall so inform you without undue delay as required under applicable laws. The notification will include a justification for declining to take action and instructions on how you may appeal, if applicable. Under the EU you have the right to lodge a complaint with the supervisor authority or the Information Commissioner in the UK.
NON-DISCRIMINATIONSuch discrimination may include denying a service, providing a different level or quality of service, or charging different prices. We do not discriminate our customers or users.

8) Data Retention

We retain Personal Data we collect as long as it remains necessary for the purposes set forth above, all in accordance with applicable laws, or until an individual expresses a preference to opt-out.

Other circumstances in which we will retain your Personal Data for longer periods of time include: (i) where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements; (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges; or (iii) if we reasonably believe there is a prospect of litigation relating to your Personal Data. Please note that except as required by applicable law, we may at our sole discretion, delete or amend information from our systems, without notice to you, once we deem it is no longer necessary for such purposes.

 

9) Security

At Panaya, security is our highest priority. We design our systems with your security and privacy in mind. We have implemented physical, technical, and administrative security measures for the Services that comply with applicable laws and industry standards.

Note that we cannot be held responsible for unauthorized or unintended access beyond our control, and we make no warranty, express, implied, or otherwise, that we will always be able to prevent such access.

Please contact us at: [email protected], if you feel that your privacy was not dealt with properly, in a way that was in breach of our Privacy Policy, or if you become aware of a third party’s attempt to gain unauthorized access to any of your Personal Data. We will make a reasonable effort to notify you and the appropriate authorities (if required by applicable law) in the event that we discover a security incident related to your Personal Data.

10) Data Transfer

We may store or process your Personal Data in the EU, the United States or in other countries. Thus, any information you provide us may be transferred to and processed in countries other than the country from which you accessed our Services. We will take appropriate measures to ensure that your Personal Data receives an adequate level of data protection upon its transfer. When Personal Data that was collected within the EEA is transferred outside the EEA, we will take necessary steps in order to ensure that sufficient safeguards are provided during the transferring of such Personal Data, such as pursuant with the EU standard contractual clauses as approved by the European Union (SCCs).

Additionally, following the withdrawal of the United Kingdom (UK) from the European Union on January 31, 2020, the UK is no longer considered to be a part of the EEA and therefore, the transferring of Personal Data from the EEA to the UK will also be subject to the SCCs or other contractual clauses that will ensure the security of the Personal Data (pending an adequacy decision from the European Commission). Further, the transfer of Personal Data collected within the UK to countries outside the UK, will be provided with sufficient safeguards as required under applicable laws, including pursuant with the UK standard contractual clauses (UK SCCs) as approved by the UK Information Commissioner Office (ICO).

 

11) Children

Our website and Services are not intended for use by children and we do not knowingly collect or maintain information about anyone under the age of 16. Please contact us at: [email protected], if you have reason to believe that a child has shared any information with us.

 

12) JURISDICTION-SPECIFIC NOTICES

 

A. ADDITIONAL NOTICE TO CALIFORNIA RESIDENTS

This section applies to California residents only pursuant to the California Consumer Privacy Act of 2018 (“CCPA”) effective November 2020, and as amended by the CPRA, effective January 1, 2023.

Please see the CCPA Privacy Notice here which discloses the categories of Personal Information collected, purpose of processing, source, categories of recipients with whom the Personal Information is shared with for a business purpose, whether the Personal Information is sold or shared, the retention period, and how to exercise your rights as a California resident.

B. ADDITIONAL NOTICE TO COLORADO RESIDENTS

GENERAL:

Under the Colorado Privacy Act (“CPA”) if you are a resident of Colorado, acting as an individual or in the household context only (and not in a commercial or employment context, as a job applicant or as a beneficiary of someone acting in an employment context), your rights with respect to your Personal Data are described below.

Personal Data” as defined in the CPA means: “information that is linked or reasonably linkable to an identified or identifiable individual” and does not include publicly available information, de-identified or aggregated consumer, and information excluded from the CPA scope, such as: health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPPA) or 42 CFR Part 2- “Confidentiality Of Substance Use Disorder Patient Records”, Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or and the Driver’s Privacy Protection Act of 1994, Children’s Online Policy Protection Act of 1998 (COPPA), Family Educational Rights and Privacy Act of 1974, national Security Exchange Act of 1934, higher education data and employment data.

Sensitive Data include (i) racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation; (ii) Genetic or biometric data that can be processed to uniquely identify an individual; or (iii) child data. We do not process or collect any sensitive data.

In Section 3 to the Privacy Policy, we describe our collection and processing of Personal Data, the categories of Personal Data that are collected or processed, and the purposes for which Personal Data is processed, stored or used. We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without obtaining your consent. Additionally, Section 6 to this Privacy Policy details and discloses the categories of third-parties we share for business purposes. Section 7 to this Privacy Policy details and discloses your rights and Personal Data shared or sold for targeted advertising.

Note your rights are not absolute, and we may, depending on the applicable right you wish to exercise, deny your exercise request, in full or in part, in certain limited events, as described under the DSR available here.

We will respond to your request within 45 days after receipt of a verifiable Consumer Request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at privacy@panaya.com and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint as follows: Colorado AG at https://coag.gov/file-complaint/

If you have an account with us, we may deliver our written response to that account or via email at our sole discretion. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. You do not need to create an account for submitting a request.

Any disclosures we provide will only cover the 12-months period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

C. ADDITIONAL NOTICE TO VIRGINIA RESIDENTS

Under the amended Virginia Consumer Data Protection Act (“VCDPA”), if you are a resident of Virginia acting solely in an individual or household context (and not in an employment or commercial context), you have the following rights with respect to your Personal Data.

Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information. Personal Data does not include de-identified data or publicly available data, and information excluded from the scope such as: HIPAA, GBPA, non-profit entities, higher education, employment data and FCRA, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.

In Section 3 to the Privacy Policy, we describe our collection and processing of Personal Data, the categories of Personal Data that are collected or processed, and the purposes for which Personal Data is processed, stored or used. We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without obtaining your consent. Additionally, Section 6 to this Privacy Policy details and discloses the categories of third-parties we share for business purposes. Section 7 to this Privacy Policy details and discloses your rights and Personal Data shared or sold for targeted advertising.

Note your rights are not absolute, and we may, depending on the applicable right you wish to exercise, deny your exercise request, in full or in part, in certain limited events, as described under the DSR, available here.

We will respond to your request within 45 days after receipt of a verifiable Consumer Request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at [email protected] and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Virginia Attorney General at https://www.oag.state.va.us/consumercomplaintform.

If you have an account with us, we may deliver our written response to that account or via email at our sole discretion. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. You do not need to create an account for submitting a request.

Any disclosures we provide will only cover the 12-months period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request we will not be able to grant your request.

D. ADDITIONAL NOTICE TO CONNECTICUT RESIDENTS

Under the Connecticut Data Privacy Act, Public Act. No. 22-14 (the “CDPA”) if you are a resident of Connecticut, acting in an individual or household context (and not in a commercial or employment context or as a representative of business, non-profit or governmental entity), your rights with respect to your personal data are described below.

Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information. If further does not include information excluded from the scope such as: HIPAA, GBPA, non-profit entities, higher education, employment data and FCRA, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.

In Section 3 to the Privacy Policy, we describe our collection and processing of Personal Data, the categories of Personal Data that are collected or processed, and the purposes for which Personal Data is processed, stored or used. We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without obtaining your consent. Additionally, Section 6 to this Privacy Policy details and discloses the categories of third-parties we share for business purposes. Section 7 to this Privacy Policy details and discloses your rights and Personal Data shared or sold for targeted advertising. Note, under CDPA consent can be withdrawn within 15-days of notice at any time.

Note your rights are not absolute, and we may, depending on the applicable right you wish to exercise, deny your exercise request, in full or in part, in certain limited events, as described under the DSR available here.

We shall respond to your request within 45 days of receipt. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of requests and we inform you of such extension within the initial 45 days response period, together with the reason for the extension.

If we decline to take action on your request, we shall so inform you without undue delay, within 45 days of receipt of your request. The notification will include a justification for declining to take action and instructions on how you may appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Connecticut Attorney General at link: https://www.dir.ct.gov/ag/complaint/ or (860) 808-5318.

We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request, we will not be able to grant your request.

E. ADDITIONAL INFORMATION FOR UTAH RESIDENTS

*Effective January 2024

Under the Utah Consumer Privacy Act (“UCPA”) if you are a resident of Utah, acting in an individual or household context (and not in a commercial or employment context) your rights with respect to your personal data are described below.

Personal Data” means data which is linked or reasonably linkable to an identifiable individual, and does not include de-identified data and publicly available data or data that is processed not within the scope of UCPA.

Sensitive Data” means Personal Data that reveals an individual’s racial or ethnic origin; religious beliefs; sexual orientation; citizenship or immigration status; information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or specific geolocation data.

The UCPA requires Panaya to disclose the categories of Personal Data processed, purpose of processing, how you can exercise your rights, including your opt-out rights from the sale of Personal Data or processing for targeted advertising, the categories of Personal Data shared with third parties and with whom, and if Panaya sells Personal Data to third parties or processes Personal Data for targeted advertising. Note, under the UCPA, Panaya does not “sell” your Personal Data.

In Section 3 to the Privacy Policy, we describe our collection and processing of Personal Data, the categories of Personal Data that are collected or processed, and the purposes for which Personal Data is processed, stored or used. We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without obtaining your consent. Additionally, Section 6 to this Privacy Policy details and discloses the categories of third-parties we share for business purposes. Section 7 to this Privacy Policy details and discloses your rights if and to the extent applicable under the UCPA.

Note your rights are not absolute, and we may, depending on the applicable right you wish to exercise, deny your exercise request, in full or in part, in certain limited events, as described under the DSR, available here.

We will respond to your request within 45 days after receipt of your request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, we will provide with the reasoning for our refusal.

If you have an account with us, we may deliver our written response to that account or via email at our sole discretion. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. You do not need to create an account for submitting a request.

Any disclosures we provide will only cover the 12-months period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request, we will not be able to grant your request.

Skip to content