Aheeva Technology, Inc. (“Aheeva”), a corporation organized under the laws of Quebec with a place of business at 300-150, de la Côte-Vertu Blvd., Saint-Laurent, QC, H4N 1C6, CANADA, provides a cloud-based contact center software-as-a-service (“Aheeva Services”) directly to customers (“Customer(s)”, “You”) or through authorized partners.

At Aheeva Technology, Inc., we take the protection of personal information provided to us by our customers and website visitors very seriously. Aheeva regularly reviews and updates its privacy policy, procedures, and guidelines to strengthen its commitment to relevant Privacy and Data Protection legislation and regulations, and better protect customers personal information when processing personal data as a controller. Data subjects whose personal information is processed by a customer of Aheeva as a data controller, must consult that customer’s privacy policies.

Aheeva must act as both a data processor and a data controller. Aheeva stores and process personal information on behalf of its customers and determines the purpose and means of the data processing (e.g. for billing purposes).

Nothing in this Policy has the effect of creating obligations for Aheeva beyond those imposed by applicable laws and regulations pertaining to protection of personal data.

‍

1. Aheeva as data controller

Aheeva limits collection of information about Customers only to what is relevant, proportional, adequate, and necessary for identified operating the Aheeva Services. Aheeva considers the requirements of the jurisdiction that govern the information collection and proceeds according to applicable privacy & data protection legislation.

1.1   Data that Aheeva collects directly from Customers

Aheeva collects personal information that You voluntarily provide when You

1. register on the Aheeva website for the Aheeva Services,
2. request information about Aheeva, Aheeva services and Aheeva products,
3. request a demo of the Aheeva Services,
4. interact with Aheeva social media campaigns via social networks,
5. register in Aheeva events,
6. apply for job offers,
7. download Aheeva software and documents, or use resources available in Aheeva website or
8. contact Aheeva using the official contact channels available (phone, chat, email).

The information that Aheeva collects is

• identification data (first name, last name),
• contact data (business email address, business phone number), and
• professional details (functional role, company name, country).

When applying for a job offer, Aheeva collects the information provided in the resume, cover letter and LinkedIn profile. Aheeva also collects the information that you choose to share when contacting us through our official contact mechanisms.

‍

1.2 Data that Aheeva obtains from third-party sources

Aheeva may use business contact information collected by third parties, including your employer, reseller partners, trusted strategic alliances, and acquired professional contacts databases. Appropriate privacy and security assessments are performed to ensure compliance with applicable laws and regulations and to ensure the collection of the data is lawful and uses fair means, including the existence of notice and collection of consent for sharing with third parties (Aheeva), when required by the applicable laws.

The information used is

• identification data (first name, last name),
• contact data (business email address, business phone number),
• professional details (functional role, company name), and
• LinkedIn Profile.

1.3 Data that Aheeva obtains from public sources

Aheeva may also collect data from publicly accessible sources such as LinkedIn. The personal information collected is primarily identification and contact data, and job and skills details to support recruitment processes.

‍

1.4 Purposes of processing personal information

Some of the purposes for processing personal information are:

• Be able to get in touch with you to respond to your requests (information, demo, or services);
• Talent recruitment;
• To support the sales effort, including to getting feedback from the engagement process in a B2B perspective;
• To send marketing information on our products and services marketing (including telemarketing) in a B2B perspective;
• Customer relationship and contractual management which could include payment information;
• To provide support and information to customers;
• Management of business relationships with prospective customers, vendors, suppliers, resellers, or partners;
• Events registrations (including webinars, conferences, roundtables, and others);
• Access to our offices and online resources for onsite or remote work;
• Provide access to Aheeva training materials;
• Navigation and usage of Aheeva website;
• Cookies usage (specific policy shared on the site);
• To ensure compliance with applicable laws and regulations, and to assert Aheeva’s rights or to defend Aheeva against any legal claim.

Aheeva collects the minimum amount of data needed for the purposes listed above. The legal basis of each processing is to perform contractual obligations, the advancement of a legitimate plan or interest, or with explicit consent.

Personal data processing for the purpose of marketing or product awareness, may rely on a legitimate interest of Aheeva or your consent. Aheeva requires your consent according to the applicable laws but may rely on legitimate interest when the applicable law allows and when you already have shown Aheeva interest in the Aheeva products or Aheeva Services. In communications related to marketing and/or product & brand awareness purposes, Aheeva also provides a choice to opt-out of further marketing and product awareness communications.

Aheeva may conduct automated screenings against applicable sanctioned-party lists with regard to Aheeva’s processing of personal data for the purpose of export control and sanctions laws’ compliance. In case of a possible match, Aheeva may ask for clarifications.

‍

1.5 Personal information limited use, disclosure, and retention

Aheeva does neither use nor process personal information for other purposes, and does not sell or allow its sub-processors to sell personal information. Personal information will not be processed for purposes other than those for which it was collected, except with your consent or as required by law.

Except as otherwise set out herein, Aheeva will not disclose, trade, rent, sell, or otherwise transfer to a third person your personal information unless you consent thereto, or such disclosure or use is provided for by law.

Aheeva and its service providers may be compelled to disclose personal information in response to a search warrant or any other legally-valid inquiry or order, or to an investigative body in the case of a breach of an agreement or breach of law, or as otherwise required by applicable law.

Personal information may also be disclosed without your consent for research purposes if the documents containing the data are not structured so as to allow retrieval by reference to your name or identifying code or symbol and the personal information cannot be retrieved by means of such a reference.

Any person holding Personal Data on behalf of Aheeva may refer to the latter every request for access or rectification received from an individual to whom Personal Data relates.

Personal information will be retained only as long as necessary for the fulfilment of those purposes in a form which permits your identification for no longer than is necessary for the purposes for which the personal information is processed.

‍

1.6 Rights of data subjects

A data subject has the following rights:

• Access data: Right to request and receive confirmation of whether their personal data is held, and, where that is the case, request and receive a copy of the data.
• Have data transferred: Right to receive the data they have provided in a structured, commonly-used and machine readable format.
• Have data rectified: Right to have their personal data amended where it is inaccurate or added to where it is incomplete.
• Restrict processing: Right to restrict the processing of the personal information to the extent permitted by law and in accordance with Aheeva contractual and legal commitments.
• Have data erased: Right to the erasure of personal information concerning the data subject.
• Objections: Right to object to the processing of the data for particular reasons.
• Withdraw consent: Right to remove consent for specific processing.
• Complaints: Right to send complaints to the competent authority.

In addition, data subjects have the right to opt-in to receive marketing communication from Aheeva, and opt-out of email marketing messages by clicking on the unsubscribe link in the email, and when using the Aheeva website, data subjects can accept or decline cookies.

‍

1.7 Exercise the rights

Data subjects can exercise their rights by submitting a request to: privacy@aheeva.com

‍

1.8 Personal information transfer

Aheeva holds the right to share, transfer, or disclose personal information in specific situations to particular categories of recipients:

1. Aheeva’s trusted SaaS third parties providers, acting as processors and according to Aheeva instructions;
2. Aheeva reseller partners, trusted strategic alliances that may support Aheeva sales effort and according to privacy laws and regulations;
3. Aheeva affiliates and according to Aheeva’s security and privacy policies and applicable laws and regulation of each region;
4. Government entities where the transfer of information is legally required under local laws or required to comply with legal requests;
5. Potential buyers in connection to a merger & acquisition or any form of transfer or sale.

Aheeva does not sell and does not allow its sub-processors to sell personal information. A list of Aheeva‘s processors can be requested by email to: privacy@aheeva.com.

2 AHEEVA AS DATA PROCESSOR/SUB-PROCESSOR

Aheeva as a provider of a cloud-based contact center as a service solution becomes a date processor, and occasionally a data sub-processor. At all times, the data collected by Aheeva’s customers when using Aheeva products is under the customer’s responsibility.

‍

2.1 Collected Data

The information being collected can include

• Contacts: These are usually the end customers, or prospects, of Aheeva’s customers. The customer is responsible for determining the types of contacts for which service is provided using the Aheeva Services. Contacts can include the name, phone number and email.
• Agents: These are employees of the customer that uses Aheeva Services to handle incoming and outgoing communications using different channels. Information on agents can include the name, email address, phone number, and date of birth.
• Interactions metadata: Metadata such as a contact phone number, agent ID and phone number, date and time, duration, and context of the interaction.
• Interactions recordings: Audio recordings of all audio/video calls, transcripts of all text-based interactions, files attached and exchanged during a communication, and, when configured, screen captures of the agent screen are collected.
• Content data: Audio recordings of all audio/video calls, transcripts of all text-based interactions (chat, email, SMS, WhatsApp, Facebook Messenger, Twitter, Telegram, and other possible social media communication channels), files attached and exchanged during a communication, screen captures of the agent screen when configured, and call transcriptions when such functionality is used for a customer, are collected.

Aheeva restricts the collection of the information to the minimum amount required to provide its services and it will be processed according to the purposes for which it was collected.

‍

2.2 Purposes of collecting personal information

Aheeva collects some personal information to provide the service of Contact Center as a Service and to support and troubleshoot issues reported by customers.

‍

2.3 Personal information limited use, disclosure, and retention

Aheeva customers acting as data controllers define the retention period for the information collected. On the other hand, when the contract between Aheeva and a customer is terminated, the personal information is removed according to the Master Subscription Agreement, or earlier if requested by the customer. However, Aheeva may keep anonymized information (that will not identify directly or indirectly any agent, contact, or customer) for longer periods for analysis of how service is used and for the improvement of it.

‍

2.4 Rights of data subjects

A data subject has the following rights:

• Access data: Right to request and receive confirmation of whether their personal data is held, and, where that is the case, request and receive a copy of the data.
• Have data transferred: Right to receive the data they have provided in a structured, commonly-used and machine readable format.
• Have data rectified: Right to have their personal data amended where it is inaccurate or added to where it is incomplete.
• Restrict processing: Right to restrict the processing of the personal information to the extent permitted by law and in accordance with Aheeva contractual and legal commitments.
• Have data erased: Right to the erasure of personal information concerning the data subject.
• Objections: Right to object to the processing of the data for particular reasons.
• Withdraw consent: Right to remove consent for specific processing.
• Complaints: Right to send complaints to the competent authority.

‍

2.5 Exercise the rights

When Aheeva processes information on behalf of a customer, all data subject rights must be addressed directly to the customer.

‍

2.6 Personal information transfer

As a service provider/processor, Aheeva only uses data to provide the service agreed and according to customer instructions and Aheeva does not sell the information its customers collect while using Aheeva Service.

Aheeva holds the right to share, transfer, or disclose personal information in specific situations to particular categories of recipients:

1. Aheeva’s trusted SaaS third parties’ providers, acting as processors and according to Aheeva instructions;
2. Aheeva reseller partners, trusted strategic alliances that may support Aheeva sales effort and according to privacy laws and regulations;
3. Aheeva affiliates and according to Aheeva’s security and privacy policies and applicable laws and regulation of each region;
4. Government entities where the transfer of information is legally required under local laws or required to comply with legal requests;
5. Potential buyers in connection to a merger & acquisition or any form of transfer or sale.

Aheeva does not sell and does not allow its sub-processors to sell personal information. A list of Aheeva‘s sub-processors can be requested by email to: privacy@aheeva.com.

‍

3 SAFEGUARDS

‍

3.1 Security measures

Aheeva will take the security measures necessary to ensure the protection of the personal data processed and that are reasonable given the sensitivity of the personal data, the purposes for which it is to be used, the quantity and distribution of the personal data and the medium on which it is stored. The security safeguards of Aheeva will protect personal data against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The nature of the safeguards will vary depending on the sensitivity of the personal data that has been collected, the amount, distribution and format of the personal data and the method of storage.

The methods of protection will include

• physical measures (such as restricted access to offices);
• organizational measures (such as security clearances); and
• technological measures (such as the use of passwords).

Aheeva provides access to personal data only to employees and authorized intermediaries who require this personal data for the purposes described in this policy. Aheeva will make its employees aware of the importance of maintaining the confidentiality of personal data, and care will be used in the disposal or destruction of personal data, to prevent unauthorized parties from gaining access to the personal data.

Aheeva will implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with applicable laws and regulations, considering the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Those measures will be reviewed and updated where necessary.

Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Aheeva will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

1. the encryption of the databases used by Aheeva service;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

All personal data collected by Aheeva is stored on private servers which are not accessible to the public. For increased security, authorized users must protect access to their online accounts by selecting a password of their choosing.

‍

3.2 Intermediaries

Where processing is to be carried out on behalf of Aheeva, Aheeva will use only intermediaries providing sufficient guarantees regarding the implementation of appropriate technical and organizational measures in such manner that processing will meet the requirements of the applicable laws and regulations and ensure the protection of customer’s rights. The intermediary will not engage another intermediary without prior specific or general written authorization of Aheeva. Processing by an intermediary will be governed by a contract that is binding on the intermediary with regard to Aheeva and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of individuals and the obligations and rights of Aheeva. All Aheeva’s suppliers sign and consent to a non-disclosure agreement regarding all the personal data. Our Aheeva’s suppliers agree not to disclose any Aheeva or Aheeva’s clients’ protected information, including personal data to any third party, whether directly or indirectly. Where an intermediary engages another intermediary for carrying out specific processing activities on behalf of Aheeva, the same data protection obligations as set out in the contract between Aheeva and the intermediary will be imposed on that other intermediary by way of a contract. The intermediary and any person acting under the authority of Aheeva or of the intermediary, who has access to personal data, will not process those data except on instructions from Aheeva, unless legally required to do so by a statutorily-empowered public authority. Aheeva may transfer your personal data to intermediaries such as providers of payment processing services. Processing of your personal data may take place in the United States or in Canada by our affiliates and other third-party service providers.

‍

3.3 Notification of personal data Breach

No data transmission over the Internet may be guaranteed to be entirely secure. As a result, Aheeva does not represent, warrant or guarantee that personal data will be protected against all loss, misuse or alteration and accepts no liability for personal data submitted by you, nor for the use or misuse of such personal data by you or by third parties.

Aheeva will document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it, notify the personal data breach to the statutorily-empowered public authority appropriate in accordance with applicable laws and regulations, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Such notification will at least:

1. describe the nature of the personal data breach including where possible, the categories and approximate number of individuals concerned, and the categories and approximate number of personal data records concerned;
2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
3. describe the likely consequences of the personal data breach; and
4. describe the measures taken or proposed to be taken by Aheeva to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Aheeva will communicate the personal data breach to customers without undue delay when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. Such communication will describe in clear and plain language the nature of the personal data breach, and contain at least the information and measures referred to in points (b), (c) and (d) above.

‍

4 HOW TO CONTACT AHEEVA

For questions or complaints regarding this privacy policy, you can contact us:

by email at: privacy@aheeva.com

or by mail at our address:

Aheeva Technology, Inc.
300-150, de la Côte-Vertu Blvd
Saint-Laurent, QC, H4N 1C6
CANADA

‍

5 LANGUAGE

The parties confirm that it is their wish that this policy be written in the English language only. Les parties confirment leur volonté que la présente politique soit rédigée en anglais seulement.