CatalystXL Privacy Policy

This is the Privacy Policy for CatalystXL and its Affiliates.

1. Definitions

• “Affiliates” means the legal entities owned directly or indirectly by CatalystXL, Inc. or that are otherwise in CatalystXL, Inc.’s corporate family.
• “CCPA” means the California Consumer Protection Act. If you are a California resident, you should read this Privacy Policy together with its Additional Privacy Details for California Residents section, which provides additional information about our California information practices, including a description of CCPA rights available to some Californians.
• “Controller” means the entity that has certain legal rights to determine the purposes for which Personal Data will be Processed and the means by which that Processing will happen.
• “Customer” means the entity that has contracted with CatalystXL to receive a free trial, or paid Platform Plan or other Service Offerings. For example: When a business purchases a Platform Plan and sets up accounts under that Platform Plan for employees, the business is the Customer, and each individual using the Platform under the Plan is a User. If a one-person business signs up for its own free Platform Plan, that person is both the Customer and the User.  If that person invites others to set up accounts under that Plan, those other people will be Users as well.
• “GDPR” means the EU General Data Protection Regulation.
• “Personal Data” means any information about an identified or identifiable individual, such as their name or contact information.
• “Platform” means CatalystXL mobile content and information platform, mobile apps powered by the mobile content and information platform, and CatalystXL.com website.
• “Platform Plan” means a Customer’s subscription to the Platform
• “Privacy Shield” means EU-U.S. and Swiss-U.S. Privacy Shield Principles described here.
• “Process,” “Processed,” and “Processing” refer to any means any operation or set of operations that can be performed on Personal Data or on sets of Personal Data. This includes, for example, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.
• “Processor” means an entity that Processes Personal Data on behalf of a Controller.
• “Service Data” is Personal Data or other information that Users: input directly into the Platform; create within or from their use of the Platform; send to the Platform through apps and integrations; or provide to CatalystXL through authorized methods as part of other Service Offerings. 
• “Service Offerings” means the Platform and CatalystXL’s related support and professional services.
• “User” means an individual who uses a Service Offering. Within the Platform, there are two types of Users: mobile app users and administrators, who have access to both the mobile app and administration panel.
• “Organization” means the Platform instance to which Customer gains access to the mobile content and information platform in order to manage content and app users. 
• “CatalystXL” means CatalystXL, Inc., whose contact information is at the end of this Privacy Policy.

2. Scope of this Privacy Policy, and a Note Regarding Service Data

Where indicated, this Privacy Policy applies to Service Data.  We do not control the content of Service Data, and, because of security features in the Platform, in some cases we are unable to read such content.  Under the GDPR and similar laws, CatalystXL is considered the Customer’s Processor of any Personal Data in the Service Data. 

CatalystXL Processes Personal Data in the Service Data under the instructions of the relevant Customer or as required by applicable law, as described in the CatalystXL Terms of Service at https://catalystxl.com/terms/ or the alternative agreement (if applicable) signed by CatalystXL and that Customer for the Service Offerings.  For any Organization on the Platform, the relevant Customer is the one that CatalystXL authorizes to control the administrator account.  Specifically, that Customer is the Controller for all information submitted by any User to that Organization.  The foregoing is true even when those Users happen to be employees of another Customer, as each Customer is a Controller of only its own Organization.  

CatalystXL may disclose any Service Data, including certain deleted Service Data, or data previously received from deactivated Users, to the relevant Customer, and CatalystXL provides the Customer with certain tools for modifying, deleting or taking other steps with Service Data.  Accordingly, Users and other individuals should contact the relevant Customer with any requests relating to Personal Data about them that may appear in that Customer’s Service Data.  If CatalystXL receives a request from a User to exercise rights in Service Data, we will refer the User’s request to the relevant Customer and cooperate with that Customer’s handling of the request, subject to any special contractual arrangement with that Customer.  For requests from Customer account administrators relating to their own Personal Data, CatalystXL may handle the request directly.  

The Privacy Policy also applies to our handling of Personal Data that is not Service Data, such as Personal Data about:

• Visitors to our websites and events;
• Prospective Customers and their personnel;
• People who sign up for our newsletters or other marketing; and
• Current Customers and Users, in relation to their procurement of Service Offerings and management of the relationship with CatalystXL.

However, this Privacy Policy does not cover any data we Process in the context of our own recruiting and human resources management activities.

3. Types of Personal Data We Collect

Because we designed the Platform to be content- and data-agnostic, our Customers are empowered to provide us with any kind of Personal Data in the Service Data. 

In addition to Service Data, we collect contact details, professional details such as title and name of company, information about the browsers and devices individuals use to interact with us, information about an individual’s interactions with CatalystXL or our partners, and payment information.

We obtain much of this data directly from the relevant individuals, including in some cases with the technology described in the “Cookies and Automated Data Collection” section further below. We also obtain Personal Data directly from our current or prospective Customers and from other third-party sources such as resellers, distributors, list vendors and marketing companies, as well as from publicly available sources such as prospective Customer websites and third-party sites like LinkedIn.

4. How We Use Personal Data

CatalystXL uses Personal Data as follows:

• To provide and improve our Service Offerings, including internal analysis of aggregate usage patterns;
• To respond to questions, concerns, or customer service inquiries, and to otherwise fulfill individuals’ requests;
• To send information about our current and future Service Offerings, including marketing communications by phone, email, online display advertising, and other channels;
• To analyze market conditions and use of our Service Offerings;
• To customize the content and advertising individuals see on our websites, across the Internet, and elsewhere;
• To enforce the legal terms that govern our business and online properties;
• To comply with law and legal process and protect rights, safety and property; and
• For other purposes requested or permitted by our Customers, Users or other relevant individuals, such as website visitors.

5. Disclosures of Personal Data

We share Personal Data as follows:

• For the uses of information described above, including to make appropriate disclosures in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements; and
• In connection with capital raising and/or a business sale, merger, consolidation, change in control, transfer of substantial assets or reorganization.

For those purposes, we may share information with our Affiliates and other entities that help us with any of the above, such as our sub processors or our CRM system provider, our payment processor, and the marketing and analytics companies described in Section 7 below.

6. Legal Bases for Processing Personal Data

The laws in some jurisdictions require companies to tell you about the legal grounds they rely on to use or disclose your Personal Data. To the extent those laws apply, our legal grounds for Processing Personal Data are as follows:

• To honor our contractual commitments to an individual: Some of our Processing of Personal Data is to meet our contractual obligations to the individuals to whom the Personal Data relate, or to take steps at their request in anticipation of entering into a contract with them.  For example, when an individual purchases admission to a CatalystXL event, we may Process their payment information on this basis.
• Consent: Where required by law, and in some other cases, we handle Personal Data on the basis of consent.  For example, some of our direct marketing activities happen on the basis of opt-in consent, such as sending marketing emails to individuals who have requested them.
• Legitimate interests: In many cases, we handle Personal Data on the ground that it furthers our legitimate interests in commercial activities, such as the following, in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals: Customer support; Marketing, including, in some cases, direct marketing such as via email; Protecting our Customers, Users, personnel and property; Analyzing and improving our business and Service Offerings; and Managing legal issues. We may also Process Personal Data for the same legitimate interests of our Customers and business partners.
• Legal compliance: We need to use and disclose Personal Data in certain ways to comply with our legal obligations.

7. Cookies and Automated Data Collection

In our websites, apps, and emails, we and third parties may collect certain information by automated means such as cookies, Web beacons, JavaScript, mobile device functionality, browser-based or plugin-based local storage such as HTML5 storage or Flash-based storage, and other similar techniques and technologies. 

This information includes unique browser identifiers, unique device identifiers such as the Apple Advertising Identifier or Android Advertising ID, IP address, browser and operating system information, geolocation, other device information, Internet connection information, as well as details about individuals’ interactions with our apps, websites and emails.  Such details include, for example, the URL of the third-party website from which you came, the pages that you visit on our websites, and the links you click on in our websites. 

As part of this, we and third parties may use automated means to read or write information on your device, such as in various types of cookies and other local storage.  Cookies and local storage are files that can contain data, such as unique identifiers or other information, that we or a third party may transfer to or read from a user’s device for the purposes described in this Privacy Policy. 

The cookies and other technologies described here fall into four basic categories:

• Essential: These are strictly necessary to provide you with our online presence, such as access to secure areas that require registration. Users cannot refuse them without impacting functionality.
• Functional: These allow Users to browse or benefit from some of its features, such as setting language preferences. Similar to the essential technology described above, if these are disabled, it could impact your experience to use some functionality.
• Analytics: These allow us or our third-party analytics providers to collect statistics on the use of our Service Offerings and website.

You may be able to set your web browser to refuse certain types of cookies, or to alert you when certain types of cookies are being sent.  Some browsers offer similar settings for HTML5 local storage, and Flash storage can be managed as described here.  

8. Personal Data Rights and Choices (Including Direct Marketing Opt-Out)

All Users can:

• Review and update certain User information by logging in to the relevant portions of the Platform.
• Deactivate their accounts by contacting us at support at https://success.catalystxl.com/, subject to any contractual provisions between CatalystXL and the Customer responsible for the account. Except when the Customer has requested closure of all its User accounts, information in a deactivated User account may be available to the Customer for some time. 

Controls related to cookies and other automated data collection are described in the “Cookies and Automated Data Collection” section above. Anybody can unsubscribe from marketing emails by clicking the unsubscribe link they contain.

Residents of the European Economic Area, the UK and many other jurisdictions have certain legal rights to do the following with Personal Data we control:

• Obtain confirmation of whether we hold Personal Data about them, and to receive information about its Processing;
• Obtain a copy of the Personal Data, and in some cases, receive it in a structured, commonly used and machine-readable format, or have it transmitted to a third party in such form;
• Update, correct, or delete the information;
• Object to the Processing of the information;
• Withdraw consent previously provided for the Processing of the information;

For example, those individuals have a right to opt out of CatalystXL’s Processing of their Personal Data for direct marketing purposes.

Residents of the European Economic Area, the UK and Switzerland also have certain rights under the Privacy Shield, as described in the “International Data Transfers” section below.

To exercise any of those rights with respect to the Personal Data CatalystXL controls, individuals should contact us as described at the end of this Privacy Policy.

To exercise any rights relating to Service Data, Users should contact the relevant administrator for the Organization associated with the Service Data, not CatalystXL.  If you are a Customer account administrator or Customer account owner and require assistance with this process, such as if you want to make a request with respect to your own User data, you may contact us as described below. 

Many of the rights described above are subject to significant limitations and exceptions under applicable law.  For example, objections to the Processing of Personal Data, and withdrawals of consent, typically will not have retroactive effect.

Every individual also has a right to lodge a complaint with the relevant supervisory authority.

9. Security

To provide security for Service Data within the Platform, we maintain physical, organizational and technical safeguards, which are subject to periodic changes.  Customers’ use of available safeguards will impact the level of protection available for the Service Data.  Communications with CatalystXL through other methods such as email or phone are not subject to those protections.  Third-party software and services integrated into our Service Offerings, such Google Drive, Box, Dropbox anor, are handled by such third parties subject to their own privacy and security procedures, which we do not control.

We use different safeguards to help secure the other Personal Data we handle.

No security method is perfect, and we cannot guarantee that any data will remain secure.

10. Data Retention

We hold Personal Data for as long as necessary to fulfill the purposes set forth in this Privacy Policy. Information may persist in copies made for backup and business continuity purposes for additional time.

11. International Data Transfers

We are headquartered in the United States, and recipients of the data disclosures described in this Privacy Policy are located in the United States and elsewhere in the world, including where privacy laws may not provide as much protection as those of your country of residence. Eligible Customers can arrange to have their Organization’s stored in our data center located in Europe.

CatalystXL complies with legal requirements for cross-border data protection, including through the use of European Commission-approved Standard Contractual Clauses and contract language required by the Privacy Shield, which is described below.

CatalystXL complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework regarding the collection, use, and retention of personal information from European Economic Area member countries, the United Kingdom, and Switzerland transferred to the United States pursuant to Privacy Shield. CatalystXL has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern with respect to data subject to the Privacy Shield. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

The following statements apply to all EEA, UK and Swiss Personal data that is received by CatalystXL in the United States pursuant to the Privacy Shield:

• CatalystXL is subject to the jurisdiction and enforcement authority of the United States Federal Trade Commission.
• EEA, Swiss and UK individuals have the right to access their personal data that has been transferred into the United States and to correct or update that information. Individuals also have the right to erase information that has been processed in violation of the Privacy Shield Principles. To exercise any of these rights, which are subject to exceptions under the Privacy Shield Principles, individuals should refer to the contact information at the end of this policy.

Our Privacy Shield certification is available at https://www.privacyshield.gov/list.  To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov.  When CatalystXL receives Personal Data under the Privacy Shield and then transfers it to a third-party service provider acting as an agent on CatalystXL’s behalf, CatalystXL has certain responsibility under the Privacy Shield if both (i) the agent Processes the information in a manner inconsistent with the Privacy Shield, and (ii) CatalystXL is responsible for the event giving rise to the damage. 

Covered European residents should direct any questions, concerns or complaints regarding CatalystXL’s compliance with the Privacy Shield to CatalystXL as described at the bottom of this Policy.  CatalystXL will attempt to answer your questions and satisfy your concerns in a timely and complete manner as soon as possible.  If, after discussing the matter with CatalystXL, your issue or complaint is not resolved, CatalystXL has agreed to participate in the Privacy Shield independent dispute resolution mechanisms listed below, free of charge to you.  Please contact CatalystXL first.

• For human resources Personal Data that CatalystXL receives under the Privacy Shield (defined under Privacy Shield essentially as information about an employee collected in the context of the employment relationship): cooperation with the EEA data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC).
• For other Personal Data CatalystXL receives under the Privacy Shield: CatalystXL has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield for more information and to file a complaint. This service is provided at no charge to you. Please do not submit human resources complaints to BBB EU Privacy Shield.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Please note that CatalystXL’s Customers may transfer Personal Data to CatalystXL on the basis of other legal mechanisms approved by the European Commission and other relevant authorities for cross-border data transfers, such as Standard Contractual Clauses.  To exercise any legal right to see copies of the data transfer mechanism documents that CatalystXL uses to transfer data to third parties, please contact us.  Our Service Offerings allow our Customers and Users to make international data transfers to third parties, such as to other Users, or to providers of integrations, for which they are solely responsible.

12. Notification of Changes

CatalystXL may periodically change this Privacy Policy to reflect changes in the law, our data handling practices or the features of our business. The updated Privacy Policy will be posted on CatalystXL.com.

13. Contact Information

If you have questions, requests or complaints relating to a Customer’s handling of your Service Data, please contact the relevant Customer.  If you have questions regarding our practices or this Privacy Policy, or to send us requests or complaints relating to Personal Data, please contact us: 

CatalystXL, Inc.

Attention: Legal and Compliance

707 North Wells St, Unit 1104

Chicago, IL 60654

info@catalystxl.com 

14. Additional Privacy Details for California Residents

The subsections below apply only to “personal information” about California residents (as that term is defined in the CCPA) and they supplement the information in the rest of our Privacy Policy above.  Data about individuals who are not residents of California is handled differently and is not subject to the same rights described below. These subsections also do not apply to Service Data, which is handled as described in Section 2 of our Privacy Policy, even when the Service Data is about a resident of California.

CCPA categories of California personal information we collect: 

In the main part of our Privacy Policy, we describe the specific pieces of personal information we collect from and about California residents.  The information collected in the last 12 months generally falls into the following CCPA categories, to the extent that any of the following are personally identifiable: identifiers (such as name, address, email address and other contact information); commercial information (such as transaction data, and information about an individual’s interactions with CatalystXL or our partners); financial data (such as payment card information); internet or other network or device activity, and other information described in the Cookies and Automated Data Collection section of our Privacy Policy; geolocation information; professional or employment related data (such as title); and other information that identifies or can be reasonably associated with you.

CCPA description of uses of California personal information:  

In CCPA terms, we and our service providers use and disclose (and in the past 12 months have used and disclosed) all of the categories of California personal information that we collect for all of the purposes described in the How We Use Personal Information section of our Privacy Policy.  In CCPA terms, these purposes, which are described more that section of the Privacy Policy, include but are not limited to the following examples:

• Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with the CCPA and other standards;
• Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
• Debugging to identify and repair errors that impair existing intended functionality;
• Short-term, transient uses;
• Performing or using services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing or using advertising or marketing services, providing or using analytic services, or providing or using similar services;
• Undertaking internal research for technological development and demonstration;
• Undertaking activities to verify or maintain the quality or safety of services and devices, and to improve, upgrade, or enhance services and devices; and
• Facilitating the operational purposes of CatalystXL or our service providers.

The extent to which our service providers engage in the uses and disclosures described above varies from provider to provider.

CCPA “sale” of California personal information

The CCPA requires businesses that “sell” personal information, as the term “sell” is defined under the CCPA, to provide an opt-out from such sales.  Some people have taken the position that when a website or app uses third-party cookies and similar technology for its own analytics or advertising purposes, the website/app is engaged in a “sale” under the CCPA if the third parties have some ability to use, disclose or retain the data to improve their service or to take steps beyond the most narrowly drawn bounds of merely providing their service to the website/app.  Some take this position even when the website/app pays the third party (not vice versa), and in most cases merely provides the third party with an opportunity to collect data directly, instead of providing personal information to the third party.  If you take the position that any of the relationships described above involve a “sale” within the meaning of the CCPA, then you may consider CatalystXL to have “sold” what the CCPA calls “identifiers” (like IP addresses), “internet or other electronic network activity information” (like information regarding an individual’s browsing interactions on CatalystXL.com), and “commercial information” (like the fact that a browser visited a page directed to people who are considering purchasing from us) to those sorts of companies. As we await clarity on this point and, if applicable, the arrival of a proven method for handling CCPA-like choice options for it, we continue to offer opportunities to limit and/or opt out of the collection and/or use of data via certain third-party cookies and similar technology for analytics and advertising purposes, as described in the Cookies and Automated Data collection section of our Privacy Policy.

California Privacy Rights

If you are a California resident, California law may permit you to request that we:

• Provide you the categories of personal information we have collected or disclosed about you in the last twelve months; the categories of sources of such information; the business or commercial purpose for collecting or selling your personal information; and the categories of third parties to whom we have “sold” or otherwise disclosed personal information.
• Provide access to and/or a copy of certain information we hold about you.
• Delete certain information we have about you.

Certain information is exempt from such requests under applicable law.  You also may have the right to receive information about the financial incentives that we offer to you (if any). You also have certain rights under the CCPA not to be subject to certain negative consequences for exercising CCPA rights.

To request to exercise any of these rights, please email requests to info@catalystxl.com

LAST UPDATED June 18, 2020.