At Manychat, Inc. (“Manychat,” “we, “us”) we consider the privacy and the security of personal data to be extremely important.
We process personal data for (1) our own purposes and (2) under instructions of our customers who use Manychat service (“Service”), upload and keep certain information in it. In the second case, we strictly adhere to customers’ instructions and do not use data for any other purposes than providing the Service (see details in Data Processing Addendum).
- our customers, their end users and representatives,
- website users,
- newsletter subscribers,
- potential customers,
- our counterparties and their representatives.
If you have any questions or suggestions concerning our privacy practices, please email us at firstname.lastname@example.org. Please also send us an email, if you would like to request data access or deletion, or to exercise other rights as a data subject.
Table of Contents
1. How We Collect Personal Data
What personal data we collect depends largely on the interaction that takes place between you and Manychat, most of which can be categorized under the following:
When you use Manychat Service. When you use Manychat Service, we store all the content you provide, including information related to you as a customer or an end user of the Service. We gather this information from you directly when you enter it, or from integrations that you linked to the Service (Facebook, Instagram, etc.). When you ask us to sign DPA or other documents, we also receive data about you and your representatives.
In some cases, we can receive information from third parties, e.g. from a payment service provider on whether your payment was successful.
When you send us emails or message us. When we receive emails or messages from you in the chat, we can store the content of such emails, attachments as well as your contact details.
When you submit forms on the Site or participate in our events. When you complete forms on the Site (contact us, subscription, demo request, event registration, etc.) we collect your contact details and information you complete in the form. If we arrange joint events together with our partners, we can receive information from our partners.
When you use the Site. When you use the Site, we collect certain information, as described in more detail below that may, alone or in combination with other information, constitute personal data (e.g. cookie files).
When you join our communities. When you join our Facebook and other groups, we can see data in your profile and process comments you posted in our groups. However, we don’t gather that information or copy it into our systems, but rather just have access to it.
2. What Types of Personal Data We Process
We collect and process the following personal data:
- Customer account details. To create or update your account and provide the Service we collect from you and third-party integrations (e.g. Facebook, Instagram) information about you, as a customer or end-user of the Service. This includes id, name, email, status, linked pages and accounts, products in use, location, etc.
- Financial information. To process your payments for the Service subscription, we need your credit card details (last four digits of the card number), account details and payment information.
- Contact details and business data. We receive information about our customers and potential customers for cooperation and communication purposes. This includes full name, title, company, email or other contact details as may be necessary.
- Requests, messages and submitted forms details. We receive and process your messages, support requests, emails and information you share with us via online forms or social media accounts. This includes the content of such communications as well as your contact details if any.
- Usage data, logs and other technical data. When you interact with the Service, metadata and log files are collected automatically. Log data may include the Internet Protocol (IP) address, your browser type and settings, the date and time you used the Service, information about browser configuration plugins, language preferences, the pages or features which you browsed, time spent on those pages or features, the frequency of pages and functions use, the links clicked on or used. If you use the Service from your phone, this may also include the type of device, operating system, device settings and device identifiers.
- Email performance data. To track engagement and performance metrics of our newsletters, we can use a ‘clear image’ (gif) in email communications. Much of this data is aggregated. If you wish to turn off this tracking, you can do so by turning off images in the email itself.
- Website cookies and similar technologies. We use cookie technology on the Site. See details in Cookie Statement.
- Customer Content. As you use our Service, you may import into our system personal data you have collected from your users, customers, prospective customers, social media and messaging platform contacts (collectively “Subscribers”) or other individuals. We process this data only on your behalf as our customer. We have no direct relationship with your Subscribers or any person other than you, and for that reason, you are responsible for making sure you have the appropriate permission and legal basis for us to collect and process information about those individuals. For information relating to how we process personal data relating to Subscribers, please see our Data Processing Addendum.
We ask that you not send or disclose to us any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or union membership) on or through the Service or otherwise.
3. For Which Purposes We Use Personal Data
We collect and process your personal data for the following purposes:
To operate the Service: We use data to enter into the agreement with you as a customer and operate, maintain and administer your account in the Service, as well as to communicate with you regarding the account (sending announcements, technical notices, updates, security alerts, and support and administrative messages) and to respond to Service-related requests, questions and feedback. We also use your data to perform our billing obligations.
To provide the Service we process Customer Content information on your behalf as a customer (see details in Data Processing Addendum).
To communicate with you and inform you about the Service. If you request information from us, register for the Service, complete a form or feedback on a Site, or participate in our surveys, promotions or events, we may send you Manychat-related marketing communications if permitted by law. In all such communications, we will provide you with the possibility to opt-out.
To conduct events and communicate with you. We use your personal data, which you provided while registering for the event, to send you reminders about the event, communications related to the event and Manychat-related services. As well, we may ask for your feedback. In communications, we always provide the possibility to opt-out from communications.
To comply with law. We use your personal data as necessary to comply with applicable laws, including sanction requirements, accounting and tax obligations, legal processes or audits, to respond to subpoenas or legally binding requests from government authorities. Before disclosing any information to an authority upon its request, we check the validity of such request carefully.
To negotiate, enter and perform agreements. We have to collect and process information about our counterparties and their representatives to negotiate and enter into legally valid agreements and cooperate with them.
For compliance and safety. We use your personal data as we believe necessary or appropriate to (a) enforce the terms and conditions that govern the Service; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
4. How We Share Personal Data
We disclose personal data to third parties under the following circumstances:
Service Providers. We employ third-party companies and individuals to help us with performance of certain activities, e.g. payment service providers. We also use third-party software to process data (e.g. CRM, email agent, cloud storage solutions, etc.). See the list of all processors and sub-processors at www.manychat.com/legal/service-providers.
We also use third-party cookies on the Site. See more details in Cookie Statement.
These third parties are permitted to use personal data about you only to perform these tasks only for lawful business purposes in accordance with the terms of the agreement(s) we have in place with such service providers and for no other purpose.
Professional Advisors. We may disclose your personal data to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
Third-party Applications and Integrations. For the provision of the Service we receive and share data with integrations and apps linked by customers (Facebook, Instagram, Stripe, Paypal, etc.), as well as applications developed through “Manychat Developer Program”.
Compliance with Laws and Law Enforcement. Manychat may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal processes, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern the Service; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
Corporate Affiliates. We may share personal data with our corporate affiliates. See the list at www.manychat.com/legal/service-providers.
5. Your Data Protection Rights & Choices
You have the following rights:
- If you wish to access your personal data that Manychat collects, you can do so at any time by contacting us.
- You can also contact us to update, correct or delete information in your account. See more details on how to delete your account.
- If you are in the European Economic Area (“EEA”), the UK, or Switzerland, you can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data where it is technically possible.
- Similarly, if you are in the EEA, the UK, or Switzerland, and provided we have collected and processed your personal data under your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on other lawful processing grounds.
- You have the right to complain to a data protection authority about our collection and use of your personal data. Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries (including the U.S. and Canada) are available here.
Access to Data Controlled by our Customers. We don’t have any direct relationships with customers’ Subscribers, i.e. the individuals whose personal data is stored by our customers the Service. An individual who seeks access, or who seeks to correct, amend, or delete personal data processed in the Service by our customers should direct their request to the customer directly.
6. For How Long We Retain Personal Data
We will retain and process personal data until you terminate the Agreement with us as set forth under the Terms of Service.
We may also store some data during a retention period required by law or timeframe necessary to resolve disputes, prevent abuse, and enforce our agreements.
7. Data Transfers
Your personal data may be stored and processed in any country where we have facilities or in which we engage service providers, including in the U.S.
8. Personal Data Transferred from the EA, the UK or Switzerland to the United States
Manychat operates in countries outside the EEA, the UK, and Switzerland, such as the U.S., and may utilize data processors and sub-processors located in third countries.
If you are located in the EEA, the UK, or Switzerland, this means that we may transfer personal data outside of your country. Such transfers are made using appropriate safeguards and supplementary measures. We enter into the EU Standard Contractual Clauses for data transfers with our customers, who use the Service (see Annex 3 to the Data Processing Addendum).
9. Children's Informataion
We believe it is important to provide added protection for children online. We encourage parents and guardians to spend time online with their children to observe, participate in and/or monitor, and guide their online activity. The Site and/or the Service are not intended for use by anyone under the age of 18, nor does Manychat knowingly collect or solicit personal data from anyone under the age of 18.
If you are under 18, you may not attempt to register for the Service or send any information about yourself to us, including your name, address, telephone number, or email address. In the event that we confirm that we have collected personal data from someone under the age of 18 without verification of parental consent, we will delete that information promptly. If you are a parent or legal guardian of a child under 18 and believe that we might have any information from or about such a child, please contact us. We do not sell any Personal Data of our customers, including those aged between 13 to 18.
Safeguarding Your Information
We take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data. See the list of measures in Annex 2 of the Data Processing Addendum.
Despite these efforts to store personal data collected on and through the Site and/or the Service and otherwise by us in a secure operating environment that is not available to the public, we cannot guarantee the security of personal data during its transmission or its storage in our systems. Further, while we attempt to ensure the integrity and security of personal data, we cannot guarantee that our security measures will prevent third-parties such as so-called hackers from illegally obtaining access to personal data. We do not warrant or represent that personal data about you will be protected against, loss, misuse, or alteration by third parties.
The credit card processing vendor we work with uses security measures to protect your information both during the transaction and after it is complete.
If you have any questions about the security of your personal data, you may contact us by email email@example.com.
Notice of Breach of Security
If a security breach causes an unauthorized intrusion into our system that materially affects you or your Subscribers, then we will notify you as soon as possible and later report the action we took in response.
11. Legal Basis for Processing Your Personal Data (EEA Visitors/Customers Only)
If you are a person located in the EEA or the UK our legal basis for collecting and using the personal data described above will depend on the purpose of processing and personal data concerned:
- We process data to perform a contract with you on use of the Service (Art. 6(1)(b) of the GDPR or UK GDPR);
- We also process data based on our legitimate interest (Art. 6(1)(f) of the GDPR or UK GDPR) in the following cases:
- to communicate with you and inform about our Service;
- to comply with the law we are subject to;
- to conduct events and communicate with you;
- to negotiate, enter and perform agreements;
- for compliance and safety.
- We process some types of cookie files based on your consent (Art. 6(1)(a) of the GDPR or UK GDPR). See more details in Cookie Statement.
If we ask you to provide personal data to comply with a legal requirement or to enter into a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal data is mandatory or not (as well as of the possible consequences if you do not provide your personal data). Similarly, if we collect and use your personal data in reliance on our legitimate business interests, we will make clear to you at the relevant time what those legitimate business interests are.
You are not obliged to provide your personal data to us. However, if we need personal data in order to enter and perform the contract with you and you do not provide this data, we may not be able to perform the contract we have or are trying to enter into with you.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, you may contact us by email at firstname.lastname@example.org.
12. For California Residents
If you are a resident of California, California Civil Code Section 1798.83 permits you to request information regarding how we disclosed your personal data to third parties for such parties' direct marketing purposes during the preceding calendar year. To request the above information, please contact us at email@example.com. We will respond to such requests for information access within 30 days following receipt at the e-mail or mailing address stated below. Please note that we are only required to respond to an individual once per calendar year.
Besides, California Data Protection Laws (California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020, as each may be amended or replaced from time to time) give you the following specific rights as a California resident:
1. Requests to Know
You have the right to request that we disclose:
- The categories of personal data we have collected about you;
- The categories of personal data about you we have sold or disclosed for a business purpose;
- The categories of sources from which we have collected personal data about you;
- The business or commercial purposes for selling, sharing or collecting personal data about you;
- The categories of personal data sold or shared, if any, about you, as well as the categories of third parties to whom the personal data was disclosed, by category of personal data for each party to whom personal data was sold; and
- The specific pieces of personal data collected.
You may submit a request to know via this "Manage my Data Link" or contacting us at firstname.lastname@example.org. The delivery of our response may take place electronically or by mail. We are not required to respond to requests to know more than twice in a 12-month period.
2. Requests to Delete
You have the right to request that we delete any personal data about you that we have collected. Upon receiving a verified request to delete personal data, we will do so unless otherwise required or authorized by law. You may submit a request to delete personal data via this "Manage my Data Link" or by contact us at email@example.com.
3. Authorized Agents
You may designate an authorized agent to make requests on your behalf. You must provide an authorized agent written permission to submit a request on your behalf, and we may require that you verify your identity directly with us and confirm with us that you provided the authorized agent permission to submit the rights request. This verification process is not necessary if your authorized agent provides documentation reflecting that the authorized agent has the power of attorney to act on your behalf under Cal. Prob. Code §§ 4121 to 4130.
4. Methods for Submitting Consumer Requests and Our Response to Requests
Upon receipt of a request, we may ask you for additional information to verify your identity. Any additional information you provide will be used only to verify your identity and not for any other purpose.
We will acknowledge the receipt of your request within ten (10) business days of receipt. Subject to our ability to verify your identity, we will respond to your request within 45 calendar days of receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. In order to protect your privacy and the security of personal data about you, we verify your request by email.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We do not currently alter our practices when a Do Not Track signal is received, because at this time no formal “Do Not Track” standard has been adopted. To learn about Do Not Track and for information about how to opt-out of receiving targeted advertising, please click www.aboutads.info/choices.
5. The Right to Non-Discrimination
You have the right not to be discriminated against for the exercise of your California privacy rights described above. Unless permitted by the California Consumer Privacy Act, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you with a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
14. How to Contact Us
For EEA data subjects we have also appointed Rechtsanwaltsgesellschaft m.b.H to be our representative in the EU. You can contact the representative by email: firstname.lastname@example.org.