Last Updated May 18, 2018
A. General. We, the team of Thrive for Email GmbH, FN 476962s, Kornstraße 7A, 4060 Leonding, Austria (the “Company“), email address: email@example.com (the ”Email-Address“), process personal data when you use our product, the Thrive for Email Software (“Product”) and website (the “Website”). The processing of your personal data takes place in compliance with the General Data Protection Regulation (“GDPR“) and the Austrian data protection act in its current form.
II. Concerning Art. II on User Data (as defined below), the Company is controller within the meaning of Art. 4 sec. 7 GDPR.
III. Concerning Art. III, the User is controller and the Company is processor within the meaning of Art. 4 sec. 7 and 8 GDPR.
C. Principal Contract. The Parties entered into an Agreement over the use of the Product as set forth in these Terms and Conditions https://www.thrive.email/tos (the „Principal Contract“). This contract supplements the Principal Contract.
D. Subject. In fulfillment of the Principal Contract the Company processes personal data of the User and of the User’s customers by the User’s order. This Contract regulates rights and obligations of the Parties concerning the fulfillment of the Principal Contract.
E. Processing Agreement. Art. III of this Contract constitutes a processing agreement within the meaning of Art 28 of the GDPR.
I.1. In this Contract, except where a different interpretation is necessary in the context, capitalized terms shall have the meaning assigned to them expressly in the Contract, including the section entitled “Definitions” set forth in Schedule § 1.1.
II.1. Data Protection Officer. Our data protection officer within the meaning of the GDPR can be contacted under firstname.lastname@example.org. Should you have any questions regarding the processing of your personal data, please do not hesitate to contact him.
(a) Data when using the Website. If you visit the Website, we process only personal data that your browser communicates to our server. We collect the following data (the “Website Data”), which is necessary for us in order to display the website correctly and guarantee the necessary stability and safety (lawfulness of processing pursuant to Art. 6 sec. 1 subsec f).
• date and time stamp;
• time difference to GMT;
• requested site;
• access status/HTTP status code;
• transmitted data volume;
• site from which the request was sent;
• operating system and interface; and
• language and version of the browser software.
(b) Data when using the Product. If you use the Product, we process the following of your personal data (“User Data”) as controllers:
• unique identification (unique user ID; unique number used to build a “one-click sign-in link”);
• personal details (first and last name, email address, admin [y/n], invited [y/n]), payment plan, time zone, trial end date);
• date until activation has to happen;
• connected programs (if calendar/email/salesforce are connected);
• organization/team details (organization ID, organization name, team sign-up URL, team size,
• initial information (date, location, referring website, landing page, browser, device type, platform, full IP Address.
(c) Purposes and Lawfulness of Processing.
i. Obtaining the Website Data is technically necessary for us in order to display the Website to you and guarantee stability and safety (lawfulness of processing pursuant Art. 6 sec. 1 subsec. F GDPR).
ii. Processing the User Data is necessary to provide the Product, analyze it and constantly improve it (lawfulness of processing pursuant Art. 6 sec. 1 subsec. a and f GDPR).
iii. We also process Website Data and User Data for advertising and tracking purposes (lawfulness of processing pursuant Art. 6 sec. 1 subsec. a and f GDPR). Please see our section on cookies and how to disable them in this regard.
BY ACCEPTING THIS CONTRACT, YOU AGREE TO OUR PROCESSING AS DESCRIBED IN THIS ART. II. THIS CONSENT CONSTITUTES LAWFULNESS OF PROCESSING PURSUANT ART. 6 PARA.1 SUBPARA. A GDPR.
(d) Safety Measures. To avoid unauthorized access to Data and generally secure the Data, we apply the safety measures described in Schedule § 3.5(c)i.
II.3. Use and Transfer.
(a) Use. We use User Data only for the Purposes.
(b) Transfer General. We transmit User Data to third parties only, if this is necessary for the Purposes, due to a request from a national authority, due to a court ruling, or if you have consented beforehand. We also use external service providers for the processing of User Data and Website Data.
(c) Transfer Specific.
i. Recipients. User Data may be transferred to the recipients listed in Schedule § 2.3(c)i; they are processors or other third-party recipients. Please also see § 2.6 and § 2.7 in this respect.
ii. Third countries. User Data is also transferred to recipients in third countries, namely the United States. For the transfer to the third country, there exists an adequacy decision of the Commission (EU-US Privacy Shield) or standard data protection clauses.
II.4. Storage and Deletion.
(a) General. We store User Data as long as you are a registered user of the Product. Beyond that, we only store User Data in non-anonymized form, if it is legally necessary (because of warranty, limitation or retention periods, e.g. seven years for tax purposes) or otherwise required.
(b) Deletion. User Data will be deleted if you (a) revoke your consent to the storage (b) User Data is not needed to fulfill the contract concerning the Product anymore, or (c) the storage is or becomes legally impermissible. A deletion request does not affect User Data, if the storage is legally necessary, for example for accounting purposes.
II.5. Information about Rights.
(a) The GDPR equips you with the following rights concerning User Data, which are further described in Schedule § 2.5:
i. revocation of consent to our use of your User Data;
ii. right of access;
iii. right to rectification of inaccurate User Data;
iv. right to erasure;
v. right to restriction of processing;
vi. right to data portability;
vii. right to object to the processing; and
viii. right to lodge a complaint.
(b) To exercise any of the rights in § 2.5(a)i to § 2.5(a)vii, please send a request to the Email-Address.
II.6. Facebook Plugin.
We currently use the visitor conversion pixel of Facebook, Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). It helps to track the behavior of users after they have been redirected to the website of the vendor when they klick on a Facebook advertisement. Thereby the effectiveness of Facebook advertisements can be evaluated for statistical and market research purposes, leading to an optimization of future marketing measures.
The processed data is anonymous for us as website operator and we cannot make any conclusion to the identity of the user. Yet, the data are stored and processed by Facebook, so that a connection to the respective Facebook user account is possible and Facebook may use the data for own advertisement purposes pursuant to the Facebook data policy (https://www.facebook.com/about/privacy/). Thereby Facebook can place advertisements on Facebook pages and outside of Facebook. The processing of this data cannot be influenced by us as website operators.
Furthermore, you can deactivate the remarketing function “custom audiences” in the settings section for ad preferences (https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen). You have to be logged-in to Facebook in order to do this.
If you do not have a Facebook Account, you can deactivate user-based advertising of Facebook on the website of the European Interactive Digital Advertising Alliance (http://www.youronlinechoices.com/de/praferenzmanagement/).
(a) What are Cookies. The Website uses ‘cookies’ ─ small text files that are placed on the user’s computer, smartphone and/or stored by the browser. If the respective server of our Website is again accessed by the user of the Website/Product, the user’s browser sends the afore received cookie back to the server. The server can evaluate the information received in this manner in various ways. Cookies can, for example, be used in order to manage advertisements on the Website or to facilitate navigation on a webpage.
(b) Cookies Used. We use the cookies listed in Schedule § 2.6. Please see the information there on which cookies collect personal data.
(c) Disabling of Cookies. The user can disable the installation of cookies by entering the corresponding settings in his/her browser software (e.g. in Internet Explorer, Mozilla Firefox, Opera, or Safari). However, in this case the user may jeopardize his/her use of the complete range of functions on the Website.
III. Data Processing Agreement
III.1. Details of the Processing.
(a) Subject. Subject of this Contract is provision of the Product.
(b) Categories of Data. For the provision of the Product the categories of data listed in Schedule § 3.1(b) (the „Data“) are processed.
(c) Way and Purpose. The Processing is performed in the way and for the purposes described in Schedule § 3.1(c).
(d) Categories of Data Subjects. The Processing concerns categories of Data Subjects as set forth in Schedule § 3.1(d).
III.2. Duration. This Contract is binding for the duration of the Principal Contract. During the duration of the Principal Contract this Contract can only be terminated for good reason. If the Principal Contract is terminated by a Party, this Contract ends automatically. The obligation pursuant to § 3.5(b) continues to exist even in case of termination.
III.3. Place of Processing. We try to process your data in the EU. When this is not possible, the Processing of Data can also take place outside the EU and the EEA. Countries, in which the Processing takes place, and the basis for an appropriate level of data security are listed in Schedule § 3.3.
III.4. Rights and Obligations of the User.
(a) Assignment. The User has instructed the Company with the Processing of Data.
(b) Right to Information. The User has the right to receive all information required to prove compliance with the Company’s obligations listed in Art. § 3.5 and to perform reviews, including inspections, by himself or through an assigned investigator.
(c) Obligations as User. The User is aware of ITS obligations AS “controller” pursuant to the GDPR.
III.5. Rights and Obligations of the Company.
i. The Company will process Data with the User’s prior written assignment only. This also applies to (i) the transfer of Data to a third country or to an international organization and (ii) the Processing of Data for the Company’s own purposes.
ii. § 3.5(a)i does not apply to the Processing of Data, if the Company is legally obliged to do so. In these cases, the Company informs the User about its obligation before Processing, if no important public interest prohibits such information.
(b) Data Confidentiality. The Company and its coworkers are obliged to maintain data confidentiality pursuant to Art 6 of the Austrian Data Protection Act in the version of May 25, 2018. The Company must contractually bind its employees to maintain data confidentiality, if they are not legally obliged to do so already. This obligation has to remain in effect even if the employment relationship is terminated. The Company declares to comply with these obligations.
(c) Technical and Organizational Measures.
i. The Company declares explicitly to have taken the necessary measures to obtain security of Processing of Data according to Art. 32 GDPR. A complete list of those measures can be found in Schedule § 3.5(c)i (the “Measures”).
ii. Should any change of the Measures reduce the safety standard regarding the Processing of Data, the Company will coordinate these changes with the User.
iii. The User has the right to be informed about the actuality of the Measures and to obtain a copy of the current version of those Measures by the Company.
(d) Support of the User.
i. The Company will support the User as far as possible, by taking appropriate technical and organizational measures, to fulfill the User’s obligation of responding to the requests of data subjects according to Art. 3 GDPR. Should such a request have been sent to the Company instead of the User by accident, the Company shall forward it to the User immediately and inform the applicant about this proceeding.
ii. The Company shall, considering the nature of the processing and information available, support the User to fulfill its obligations under Art. 32 to 36 GDPR (guaranteeing the security of Processing, notifications or communications to the supervisory authority or data subjects, data protection impact assessment including prior consultation).
(e) Processing after Termination. When the Processing of Data is finished, the Company shall, depending on the User’s decision, either return to it or delete all Data. This does not apply, if the Company is legally obliged to store the Data.
(f) Obligation to Inform. The Company ensures the execution of the right to information pursuant to § 3.4(b).
(g) Unlawful Instructions. The Company will inform the User promptly, if it considers an instruction to be unlawful under the data protection legislation of the EU or applicable law of member states.
(h) Record of Processing Activities. The Company keeps a record of Processing activities pursuant to Art. 30 GDPR.
(a) Right to Engage Sub-Processors. The Company has the right to engage another processor for the operation of the Product (a “Sub-Processor”), including the Processing of Data, without the User’s previous consent. In the case of an intended change regarding the Sub-Processor, the Company will inform the User in due time.
(b) List of Sub-Processors. A list of all currently engaged Sub-Processors can be found in Schedule § 3.6(b).
(c) Types of Data. The Company transmits the types of Data listed in Schedule § 3.6(c) to the Sub-Processors.
(d) Obligations. In case a new Sub-Processor is engaged, the Company concludes all required agreements according to Art. 28 sec 4 GDPR with the Sub-Processor. These agreements must bind the Sub-Processors to the same data safety obligations as determined in this Contract, especially concerning guarantees for appropriate technical and organizational measures.
(e) Liability. If a Sub-Processor does not comply with its data safety obligations, the Company is fully responsible for the compliance with these duties to the User.
IV. Final Provisions
IV.1. The clauses in Schedule § 4.1 concerning governing law, form, and other regulations stated therein are applicable.
Schedule § 1.1 – Definitions
GDPR – GDPR means the EU-regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Processing – Processing means Processing of Data according to Art. 4 Z2 GDPR.
Schedule § 2.3(c)i – Recipients
1. Appcues, Inc.;
2. Cronofy Ltd.;
3. DokDok Inc. (Context.io);
4. Facebook Inc. (Facebook Pixel);
5. Google Corporation (AdWords; Google Analytics, BigQuery);
6. Amplitude, Inc.;
7. Instapage, Inc.;
8. Intercom, Inc.;
9. Microsoft Corporation (Bing Ads);
10. One More Company, Inc (Evercontact.com);
11. Peaberry Software Inc. (Customer.io);
12. Salesforce.com, Inc.;
13. Segment.io, Inc;
14. Stripe, Inc.;
15. Zendesk Inc;
16. Liidio Oy (Leadfeeder.com)
Schedule § 2.5 – Information about User Rights
1. Revocation of Consent. You can revoke the consent for future data processing at any time. However, this does not affect the lawfulness of User Data processing based on the consent before the revocation.
2. Right of Access. You have the right to obtain (i) confirmation as to whether or not your User Data is being processed by us and, if so, (ii) more specific information on the User Data. The more specific information concerns, among others, processing purposes, categories of User Data, potential recipients or the duration of storage.
3. Right to Rectification. You have the right to obtain from us the rectification of inaccurate User Data concerning you. In case the User Data processed by us is not correct, we will rectify these without undue delay and inform you of this rectification.
4. Right to Erasure. Should you decide, you do not want us to process your User Data any further, please contact us under our current contact details (https://www.thrive.email/imprint). We will erase your User Data immediately and inform you of this process. Should mandatory provisions of law prevent such erasure, we will inform you without undue delay thereof.
5. Right to Restriction of Processing. You have the right to obtain from us a restriction of processing of your User Data in the following cases:
5.1. You make an inquiry pursuant para. 3 above, if you so request;
5.2. you are of the opinion, that the processing of your User Data is unlawful, but are opposed to an erasure of User Data;
5.3. you still require the User Data for the establishment, exercise or defence of legal claims; or
5.4. you have objected to the processing pursuant para. 7 below.
6. Right to Data Portability. You have the right to (i) receive your User Data in a structured, commonly used and machine-readable format and (ii) transmit those User Data to another controller without hindrance from us.
7. Right to Object. You have the right to object at any time to the processing of User Data.
8. Right to Lodge a Complaint. You have the right to lodge a complaint with a supervisory authority (in Austria: Datenschutzbehörde), if you think that the processing of User Data infringes applicable law, especially the GDPR.
Schedule § 2.6 – Cookies Used
2. Opt-Out. You can prevent the collection of data through the cookie concerning your use of the website (incl. your IP-address) as well as its processing of this data by Google, by downloading and installing the following browser plug-in: https://tools.google.com/dlpage/gaoptout?hl=en.
3. Purpose. We use Google Analytics to analyse and be able to constantly improve the use of our Website. Through the statistics we are able to improve our services and make them more interesting for users. In those special cases in which personal data is transmitted to the USA, Google is certified via EU-US privacy shield. The basis for the processing is Art 6 sec 1 subsec f GDPA.
1. General. We use Google Adwords to call attention to our offers on third-party sites with the help of marketing measures (so-called Google Adwords). We can, in relation to the data of the marketing campaigns, determine how successful certain marketing measures are. We want to show you advertisements that could be of interest to you, in order to make our Website more appealing to you and achieve a fair calculation of marketing costs.
2. Cookies. These marketing measures are delivered by Google through so-called “Ad Servers”. We use Ad Server Cookies through which certain parameters for performance measurement, such as showing the ads or the clicks by users, can be measured. Should you visit our Website via Google advertisement, a cookie will be saved on your computer by Google. This cookie will usually be deleted after 30 days and is not there to personally identify you. Together with the cookie usually the unique Cookie-ID, the number of ad impressions per placement (frequency), last impression (relevant for post-view-conversions), and opt-out information (marker, that the user does not want to be contacted anymore) are saved as analytical values.
3. Processing. These Cookies enable Google to recognize your browser. If a user has visited certain webpages of an Adword client and the cookie saved on his computer is still active, the client and Google can see, that the user clicked on an advertisement and was redirected to this page. Each Adwords client is assigned a different cookie. Therefore, cookies cannot be tracked over the websites of Adwords clients. We ourselves do not collect and process personal data in the advertising measures; we only receive anonymized statistical data by Google. This enables us to see, which of our advertising measures are especially effective. We so not receive any further information from the use of advertising measures, especially is it not possible for us to identify users based on the data.
4. Scope. Due to the marketing tools used, your browser automatically makes a direct connection with the Google server. We do not have any influence on the scope and the further use of the data that is collected by Google through these tools and hence inform you to the best of our knowledge: By using AdWords Conversion, Google receives the information, that you have visited the respective webpages or clicked on one of our advertisements. Should you be registered with a Google product, Google can connect the visit to your account. Even if you are not registered with Google or are not logged-in, there is a chance that the provider will find out your IP-address and store it.
5. Opt-Out. You can prohibit the participation in the tracking process in a number of ways: a) through respective adjustment of your browser-software, especially the suppressing of third-party cookies results in you no longer getting ads from third parties anymore; b) through deactivating the cookies for conversion tracking, by configuring your browser in a way that blocks cookies from the domain “www.googleadservices.com” via https://www.google.at/settings/ads/, whereas this setting is deleted if you delete your cookies; c) by deactivating the interest-based ads of the providers, that are part of the self-regulation campaign “About Ads”, via http://www.aboutads.info/choices, whereas this setting is deleted if you delete your cookies; or d) by permanently deactivating in your browsers via http://www.google.com/settings/ads/plugin, in this case not all functions of the Product and/or Website may be fully available.
6. Further information. The basis for the processing is Art 6 sec 1 subsec f GDPA. For further information on data protection at Google, please visit: https://www.google.com/intl/de/policies/privacy/ and http://services.google.com/sitestats/de.html. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) here: http://www.networkadvertising.org. Google is self-certified under the EU-US Privacy Shield.
1. General. We use the Universal Event Tracking of the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”), to analyze and be able to constantly improve the use of our Website. Through the statistics we are able to improve our services and make them more interesting for users.
2. Cookies. These marketing measures are delivered through cookies, if you have accessed our Website via a Microsoft Bing ad. Microsoft and we can see in this way, that someone has clicked on an ad by us, was redirected to our page, and has reached a certain previously determined conversion site. We especially gain information on how many users have visited a certain webpage or area of our Website, for how long users have stayed on our Website and how many pages of our Website a user has visited. We receive no information on personal data. Specifically, the Microsoft cookies served for this purpose are named “MUID”, “MUIDDB”, and “_uetsid“.
3. Scope. We do not have any influence on the scope and the further use of the data that is collected by Microsoft through these tools and hence inform you to the best of our knowledge.
5. Further information. The basis for the processing is Art 6 sec 1 subsec f GDPA. In those special cases in which personal data is transmitted to the USA, Microsoft is certified via EU-US privacy shield.
We also use the following cookies. Please note, that you can always prohibit the installation of cookies through respective settings in your browser software.
Schedule § 3.1(b) – Categories of Data
1. Contact data at registration: name, email address, team size
2. Email content data:
2.1. always: name and email-address;
2.2. for relevant contact: body and header
3. CRM data via token from the User’s provider
4. Calendar data for relevant contacts via token from the User’s provider
5. Accounting data.
Schedule § 3.1(c) – Way and Purpose
1. Types of Processing: collection, recording, organization, structuring, storage, alignment, transmission, and destruction.
2. Purposes of Processing: Fulfillment of the Principal Contract
Schedule § 3.1(d) – Categories of Data Subjects
2. clients of User
Schedule § 3.3 – List of Countries for Data Processing incl. Foundations
1. USA pursuant Privacy Shield List (Google LLC; Appcues, Inc.; Amplitude, Inc.; Peaberry Software, Inc.; Intercom, Inc.; Stripe, Inc.; Zendesk, Inc.).
Schedule § 3.5(c)i – Measures
1.1. encryption of stored passwords via salted password hashing;
1.2. encryption of data when transmitting to third parties.
2.1. Entrance Control.
2.2. Admission Control.
2.2.2. secure password policies;
2.2.3. password management system;
2.2.5. multi-factor authentication;
2.2.6. registration mechanisms;
2.2.7. individual user profiles;
2.2.8. authentication via user name and password.
2.3. Access Control.
2.3.1. internal classification in levels of confidentiality with different access rights; and
2.3.2. amount of User Data accessible by employees of the Company reduced on “need to know” basis.
3.1. Input Control.
3.1.1. traceability of input via user names.
3.2. Transfer Control.
3.2.1. authorization process; and
4.1 password management system for employees; and
5.1.1. data saved on external servers (Google Cloud).
5.2.1. automatic destruction of backups on Google Cloud within 180 days.
6.1. Security Audits.
6.1.1. regular automatic security audits; and
6.1.2. records of the security audits.
7.1 We have appointed a Data Protection Officer, who can be contacted via email@example.com.
Schedule § 3.6(b) – List of Sub-Processors
1. Appcues, Inc.;
2. Google LLC (Bigquery);
3. DokDok Inc. (Context.io);
4. Peaberry Software, Inc. (Customer.io);
5. One More Company, Inc (Evercontact.com);
6. Instapage, Inc. (Instapage.com);
7. Intercom, Inc. (Intercom);
8. Segment.io, Inc (Segment.com);
9. Stripe, Inc. (Stripe);
10. Cronofy Ltd. (Cronofy); and
11. Zendesk, Inc. (Zendesk).
Schedule § 3.6(c) – Types of Data
1. Unique user id;
2. email address;
3. unique number used to build a “one-click signin link”;
4. unique number used to build a “one-click signin link”;
5. activation deadline;
6. name of team administrator;
7. calendar connected [Yes / No];
8. email connected [Yes / No]
10. invited [Yes / No]
11. is admin [Yes / No]
12. unique company identifier;
13. name of organization/company;
14. payment plan;
15. salesforce connected [Yes / No];
16. expected team size in increments;
17. time zone;
18. trial end date
19. date first seen;
20. initial location (city/county/country);
21. initial referring website if any;
22. first landing page;
23. initial browser and version;
24. initial device type (desktop/tablet/mobile);
25. initial platform (operating system and version); and
26. full initial IP address.
Schedule § 4.1 – Final Provisions
1. Confidentiality. The Parties agree to handle all information received in relation to the Contract in a confidential way for an indefinite period of time and use this information for the fulfillment of the Contract only. This information shall be used for the referred purposes only and must not be disclosed to third parties. This does not apply, if (a) the obligated Party obtains information demonstrably form a third party, to which it is not obliged to confidentiality, (b) if the information was publicly available or (c) the disclosure was legally required or demanded by the authorities.
2. Entry into Force. The Contract enters into force once the User has accepted the Contract during registration on the website or on its mobile device.
3. Written Form. Any adjustments, amendments or a revocation of the contract requires written form. or, if the Contract was entered into via electronic means, a similar form to the conclusion of the Contract. This also applies to any regulation intending to change the written form requirement.
4. Severability. In the event that individual provisions of this Contract shall be or become invalid or unenforceable, all other terms and conditions shall remain in full force and effect. The Parties agree to replace the invalid or unenforceable clause with a valid and enforceable clause, that has the same economic sense. This rule also applies in case a regulatory gap occurs.
5. Legal Foundation. Only the provisions of this contract and, additionally, the legal regulations shall apply.
6. Governing Law. This Contract and all correlating contractual relations and litigation shall be governed by Austrian law, excluding the conflict of law-provisions of the United Nations Convention on Contracts for the International Sale of Goods.
7. Court of Jurisdiction. Exclusive court of jurisdiction for any legal disputes with regards to this Contract shall be, to the extent legally permissible, the Regional Court Linz, Austria.