GDPR and Data Privacy Framework Notice

Volantio, Inc.
GDPR & Data Privacy Framework Notice
Effective Date: October 10, 2023
Scope of the GDPR & Data Privacy Framework Notice
This GDPR & Data Privacy Framework Notice is included in our Privacy Policy and applies to the “personal data,” as defined in the GDPR, of natural persons located in the European Economic Area (“EEA Individuals,” “you,” or “your”). Any capitalized terms or other terms not defined herein shall have the meaning ascribed to them elsewhere in the Privacy Policy or, if not defined herein or elsewhere in the Privacy Policy, the GDPR. If you are located elsewhere, please see the rest of our Privacy Policy here.

The term “European Economic Area” (or “EEA”) shall mean the then-current member states and member countries of the European Union and European Economic Area, respectively, Switzerland, and, upon its withdrawal from the European Union, the United Kingdom.

With respect to any combination of conflict between the provisions of the GDPR Privacy Notice (the “GDPR Notice”), Data Privacy Framework Notice, and any other provision of the Privacy Policy, the following will control in order of precedence from highest to lowest (with (1) being the highest and (3) being the lowest) only with respect to EEA Individuals and their personal data: (1) the GDPR Notice, (2) the Data Privacy Framework Notice, and then (3) any other provision of the Privacy Policy.

GDPR Privacy Notice
Processor Disclosure:
Except as otherwise described herein, we are a data processor of the personal data collected through our Services (“Platform Data”). When serving as a processor, we have certain obligations under GDPR including only processing personal data at our customers’ instructions reflected in the applicable Master Services Agreement, providing assistance with fulfilment of rights requests, and implementing appropriate security for personal data. We will forward any inquiries, complaints, or requests received from data subjects with respect to the Platform Data to the appropriate customer and await instructions before taking any action.

Controller Disclosure & Details:  We are a data controller of personal data regarding the following categories of EEA Individuals: Prospective/current customers and vendors, as applicable (collectively, “Business Contacts”), and our Website visitors (“Site Visitors”) for the purposes and under the legal bases described in the table below. Please note that, in some cases, the categories of data subjects above may overlap (e.g., Business Contacts using the Website are also Site Visitors).
EU Representative:
Our representative in the European Union is:
Jack Baylor
2 Ashton Grove
Gardiner’s Hill,
Cork, Ireland

Data Protection Officer (DPO) Contact Details:

privacy@volantio.com

Recipients: Volantio personnel shall receive and process your personal data for the purposes described herein. Such personal data is also disclosed to the following recipients to effectuate the purposes described herein:

Amazon Web Services, Inc. (Cloud Storage and Computing)
MailChimp (Email Marketing Service)
Google Suite (Google Productivity Applications)
Salesforce (Customer Relationship Management)
HubSpot (Customer Relationship Management)
Slack (Internal Communication)

Retention:  Please see below for our general retention periods. Please note that the below retention periods may be extended or shortened, as appropriate, based on the context of our relationship with an EEA Individual (e.g., negotiations for a sale, interest in the Service), and for compliance with legal obligations (e.g., accounting, finances, tax).

We will retain the personal data of prospective customers for approximately three (3) years. At that point, the prospective customer will have to re-sign up for marketing or re-demonstrate interest in the Services, as applicable.

Current customers’ personal data will be retained until the relationship terminates, at which point their personal data will be retained for approximately seven (7) years for finance and tax purposes and in case of repeat business.

Personal data contained within contractual and other legal documentation, such as with our Business Contacts, will be retained permanently.

Your GDPR Rights: As a natural person, you have a right to: (i) request access to, correction, and/or erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of your personal data; and (iv) request a copy of your personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine readable format under the right of data portability. You may exercise these rights and submit a GDPR complaint by contacting: privacy@volantio.com with the subject line “GDPR Notice.”  

You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under Volantio’s Standard Contractual Clauses.

Objecting to Legitimate Interest/Direct Marketing: You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email or by submitting your request to privacy@volantio.com with the subject line “GDPR Notice” (the latter for instances where, for example, you would not like to receive follow-ups from our sales team). In such case, your personal data will no longer be used for that purpose.

Transfer of Personal Data outside the EEA: We are self-certified under the EU-US and Swiss-US Data Privacy Framework for appropriate transfer of your personal data, such as to our US data centers, pursuant to Article 45(1); in these instances, you may have specific rights under the Data Privacy Framework (see E.U.-U.S. and Swiss-U.S. Data Privacy Framework Notice below). In other instances, however, we may alternatively rely on appropriate Standard Contractual Clauses to ensure adequate protection for your personal data.

Disclosure to Public Authorities: Volantio may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Corporate Restructuring:  In the event of a merger, reorganization, dissolution, or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this GDPR Notice.

Updates to this GDPR Notice: If, in the future, we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this GDPR Notice, and the “Effective Date” at the top of this page will be updated accordingly.

How to Contact Us: Please reach out to privacy@volantio.com for any questions, complaints, or requests regarding this GDPR Notice; please include the subject line “GDPR Notice.”

The EU-U.S., The UK Extension, and the Swiss-U.S. Data Privacy Framework Notice

Note: For the avoidance of doubt, we separately mention Switzerland and the United Kingdom for purposes of this Notice.

Volantio complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Volantio has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Volantio has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-US Data Privacy Framework Principles, Volantio commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles.  European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact Volantio at privacy@volantio.com.

Volantio has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

Onward Transfer to Third Parties under the Data Privacy Framework: Like many businesses, we hire other companies to perform certain business-related services. We may disclose personal information to certain types of third party companies but only to the extent needed to enable them to provide such services. The types of companies that may receive personal information and their functions are: hosting providers, information security providers, business management services providers, marketing assistance (including CRMs), and SMS messaging providers. Where such third parties function as our agents, they perform services at our instruction and on our behalf pursuant to contracts which require they provide at least the same level of privacy protection as is required by this Privacy Policy and implemented by Volantio. We may also share your personal information with any of our parent companies, subsidiaries, affiliates, or other companies under common control with us for the purposes described in our Privacy Policy.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Our accountability for personal data that we receive under the Data Privacy Framework and subsequently transfer to a third party is described in the Data Privacy Framework Principles. In particular, we remain responsible and liable under the Data Privacy Framework Principles if third-party agents that we engage to process the personal data on our behalf do so in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Opt-In and Opt-Out to Certain Onward Transfers under the Data Privacy Framework: We provide an individual with the opportunity to opt out before we share your personal data with third parties other than our agents, or before we use it for a purpose that is materially different from that for which it was originally collected or subsequently authorized. To request to limit the disclosure of such personal data, please submit a written request to privacy@volantio.com, with the subject line “Data Privacy Framework.”

We will not disclose your sensitive personal information to any third party without first obtaining your opt-in consent, and shall also obtain your opt-in consent before we use sensitive data for a purpose other than that for which it was originally collected or subsequently authorized, unless an exception applies pursuant to the “Sensitive Data” Data Privacy Framework Supplemental Principle. In each instance, please allow us a reasonable time to process your response.

Where we serve as a Processor, Volantio will need to consult and coordinate with its customers (which act as controller) to properly effectuate your opt-out/opt-in rights described herein.

Your Data Privacy Framework Rights: Upon request to privacy@volantio.com with the subject line “Data Privacy Framework,” we will provide you with confirmation as to whether we are processing your personal data pursuant to the Data Privacy Framework, and will communicate such data to you within a reasonable time. You have the right to access your personal information processed pursuant to the Data Privacy Framework, and you have the right to correct, amend, or delete the personal data processed pursuant to the Data Privacy Framework where it is inaccurate or has been processed in violation of our privacy disclosures to you. We may require payment of a non-excessive fee to defray our expenses in this regard. Please allow us a reasonable time to respond to your inquiries and requests.

Where we serve as a Processor, Volantio will need to consult and coordinate with its customers (which act as controller) to properly effectuate your rights described herein.

Retention of Personal Information under the Data Privacy Framework: We will retain the personal information processed pursuant to the Data Privacy Framework in a form that identifies you pursuant to our data retention periods in Retention above, as subsequently authorized, or, where we serve as a processor, as dictated in our relationships with our customers (e.g., pursuant to GDPR Article 28(3)(g)). We may continue processing such personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of our privacy disclosures. After such time periods have expired, we may either delete your personal information or retain it in a form such that it does not identify you personally.

How We Protect Your Personal Information under the Data Privacy Framework: Volantio takes very seriously the security and privacy of the personal information that it collects pursuant to the Data Privacy Framework. Accordingly, we will implement reasonable and appropriate security measures to protect your personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data, and comply with applicable laws and regulations.