This Privacy Policy has been prepared by Hubdoc Inc. “Hubdoc” as used in this Privacy Policy refers to Hubdoc Inc., and its affiliates, including its ultimate parent company, Xero Limited and all its subsidiaries. This Privacy Policy sets out the manner in which Hubdoc collects, uses, discloses and otherwise manages personal information. This Privacy Policy applies to the privacy practices on our website, www.hubdoc.com, and associated web and mobile applications (the “Services”).

If you are a resident of the European Union or the UK please refer to the section marked “Additional Information for European Residents” at the end of this policy for additional information about our compliance with the General Data Protection Regulation (“GDPR”).

We may collect your personal information when you, on behalf of yourself, your clients, or a third party on whose behalf you act:

Register for Our Services
You may be asked to provide certain personal information to sign up for our services, including your name and email address. The personal information collected during the registration process is used to manage your account with Hubdoc. We collect billing information such as credit card number and use this for billing purposes and to fulfill your orders.

Add an Account
When you add a third party account to your profile, such as a utility company or financial institution, we collect the third party account credentials (such as the username or account number and password). We use this personal information to access the online third party account on a regular basis and/or on-demand and retrieve any available information to present to you through our Services. For example, if you provide login credentials for a third party utility site, we use this information to gather, process and store the utility bills through our Services. Please note that you may remove your third party account information from our Services whenever you wish.

Upload or Email Documents to Our Services
When you email or upload documents to our Services via the web or mobile application, in addition to the document itself, we may collect data including the time and date the document was submitted and details related to the source of the document. These details include the email address or user ID of the individual who submitted the document and corresponding technical data, such as the operating system and screen resolution of the sending device.

Subscribe to One of Our Newsletters
If you wish to subscribe to one of our newsletter(s), we may collect your name and email address to send the newsletter to you. If you would like to no longer receive these emails you may follow the unsubscribe instructions contained in each of the emails you receive.

Post on One of Our Blogs or Forums
When you comment on our blog or other public forums, we may collect your name, email address as well as any comments, suggestions and other feedback you provide as postings. We may use your comments, suggestions or feedback to monitor and/or improve our product and service offerings and our Services. Please remember that any information that you provide in these comment areas is accessible to the public, and you should exercise caution when deciding to disclose any personal information about yourself or anyone else. To request removal of your personal information from our blog or community forum, contact us at Support Request. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

Contact Us
When you contact Hubdoc, we may collect data such as your name or the name of your business, your contact information, and the time, date and purpose of your contact.

We may use your personal information to contact you in connection with any purpose described in this Privacy Policy, and for marketing communications (about Hubdoc or another product or service we think you might be interested in) in accordance with your marketing preferences.

We may also use your personal information to develop, operate, enhance, or improve our websites and Services. For example, by tracking and monitoring your use of our websites and Services, we can perform technical analyses of our websites and Services so that we can improve and optimize your user experience and provide you with more efficient tools.

We will not disclose, trade, rent, sell or otherwise transfer personal information without your consent, except as otherwise set out herein.

Affiliates
We may disclose your personal information to Hubdoc Inc.’s affiliates, including its ultimate parent company, Xero Limited and all its subsidiaries, in connection with any purpose described in this Privacy Policy.

Service Provider Arrangements
We may transfer (or otherwise make available) personal information to third parties that provide services on our behalf. For example, we may use service providers to host our Services and send out email on our behalf. Personal information may be maintained and processed by service providers in the U.S. or other foreign jurisdictions, and personal information may be accessed by law enforcement authorities in such jurisdictions. Service providers are provided with the information they need to perform their designated functions, and we do not authorize them to use or disclose personal information for their own marketing or other purposes.

Sale of Business
We may transfer any information we have about you as an asset in conjunction with a merger or sale (including transfers made as part of insolvency or bankruptcy proceedings). You will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personal information, as well as any choices you may have regarding personal information.

Legal
In certain situations, Hubdoc may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Hubdoc and its service providers may provide personal information in response to a search warrant or other legally valid inquiry or order, or to an investigative body in the case of a breach of an agreement or contravention of law, or as otherwise required or permitted by applicable Canadian, U.S. or other law. We may also disclose personal information where necessary for the establishment, exercise or defence of legal claims, when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, respond to a government request, or as otherwise permitted by law.

Aggregate Data
Hubdoc and our third party tracking-utility partners may generate certain data related to your use of the Services. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, device type, operating system, date/time stamp, and clickstream data. We may use this data to troubleshoot issues that may arise, to further enhance our Services, and better understand how our customers use our Services.

“Tracking Technologies”
Technologies such as cookies, beacons, tags and scripts are used by Hubdoc and our partners, affiliates, and service providers. These technologies are used in analyzing trends, administering the site, tracking users’ movements around the site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

We use cookies to remember users’ settings (e.g. language preference) and for authentication purposes. Users can control the use of cookies at the individual browser level. If you reject our cookies, you may still use our website, but your ability to use some features or areas of our site may be limited.

Third parties with whom we partner to provide certain features on our website also use HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5.

Third Party Links
Our Services may contain links to other sites that Hubdoc does not own or operate. Except as provided herein, we do not provide your personal information to these third parties without your consent. We provide these links as a convenience. The linked websites have separate and independent privacy statements, notices and terms of use, which we recommend you carefully review. We do not have any control over such websites, and therefore have no liability or responsibility for the linked websites’ personal information practices.

We have implemented measures designed to help protect personal information in our custody and control. We maintain reasonable administrative, technical and physical safeguards in an effort to help protect against unauthorized access, use, modification and disclosure of personal information in our custody and control. When you provide us with sensitive information (such as credit card numbers and your third party account credentials), we encrypt the transmission of that information using transport layer security (TLS) technology. No collection or transmission of information over the Internet or other publicly accessible communications networks can be guaranteed to be fully secure, however, and therefore, we cannot ensure or warrant the security of any such information. If you have any questions about security on our Services, you can contact us at the information at the end of this Privacy Policy.

Upon request, Hubdoc will provide you with information about whether we hold any of your personal information. You have the right to access, update, correct, and delete inaccuracies in your personal information in our custody and control, subject to certain exceptions prescribed by law. You may request access, updating, corrections, or deletions of inaccuracies by contacting us at the contact information provided below or by logging into your account and making the applicable changes in your Profile. You may also request that we delete a third party account and we will cease collecting your personal information from the third party account and delete relevant account credentials. We will respond to your request to access personal information within 30 days.

We have personal information retention processes designed to retain personal information of our customers for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

This Privacy Policy may be updated periodically to reflect changes to our personal information practices. The revised Privacy Policy will be posted on our Services. If we make any material changes we will notify you by email (sent to the email address specified in your account) or by means of a notice on this Site prior to the change becoming effective. We strongly encourage you to review the Privacy Policy often for the latest information about personal information practices.

If you have any questions about this Privacy Policy, the practices described herein or how our foreign-based service providers process your personal information, you may contact us at: Support Request.

If you are a resident of the UK, the European Economic Area or a European Union member state then the following paragraphs will apply. We comply with the GDPR and other applicable data protection legislation.

GDPR Representative
Our GDPR representative who has been appointed in accordance with Article 27 of the GDPR is Hubdoc Limited. Our GDPR representative is entitled to represent us and act on our behalf with respect to data subjects who are resident in the UK, the European Economic Area or a European Union member state.

Our GDPR representative can be contacted at Support Request.

Legal Basis
We will only process personal data:

• to perform a contract with you, or
• where we have legitimate interests to process the personal data and they’re not overridden by your rights, or
• in accordance with a legal obligation, or
• where we have your consent.

Privacy Rights
With respect to your personal data, you have the right to:

• request that your personal data will not be processed;
• ask for a copy of any personal data that we have about you;
• request a correction of any errors in or update of the personal data that we have about you;
• request that your personal data will not be used to contact you for direct marketing purposes;
• request that your personal data will not be used for profiling purposes;
• request that your personal data will not be used to contact you at all;
• request that your personal data be transferred or exported to another organisation, or deleted from our records; or
• at any time, withdraw any permission you have given us to process your personal data

All requests or notifications in respect of your above rights may be sent to us in writing at the contact details listed below. We will endeavour to comply with such requests as soon as possible but in any event we will comply within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).

Data Breaches
If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the UK’s Information Commissioner’s Office (ICO). If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.

Data Transfers
From time to time we will transfer personal data to our sub-processors which will include Amazon Web Services (“AWS”), Salesforce and other service and technology providers. If we do supply your personal information to a third party we will take steps to ensure that your privacy rights are protected and that third party complies with the terms of this notice (see below for more information relating to AWS and Salesforce). A full list of our sub-processors can be found here.

As part of the services offered to you the information you provide to us will be transferred to, and stored at, countries outside of the UK, European Union or European Economic Area (referred to as the "EU"). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EU or one of our service providers is located in a country outside of the EU (currently our server infrastructure is located in the United States, please see the next paragraph for more information). If we transfer your information outside of the EU in this way, we will take steps with the aim of ensuring that your privacy rights continue to be protected as outlined in this Privacy Policy.

Our server infrastructure is provided by Amazon Web Services and is currently based in the United States (although servers may from time to time be based in other countries). Please note that Amazon Web Services transfer and store data outside of the EU in accordance with EU law by operating in accordance with ‘model clauses’ approved by the EU’s Article 29 Working Party. More information can be found at the following link: http://aws.amazon.com/compliance/eu-data-protection/.

Data may also be transferred and processed by Salesforce who transfer and store data outside of the EU in accordance with EU law by means of model clauses’ approved by the EU’s Article 29 Working Party and binding corporate rules.

If you use our Site or service while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.

By submitting your personal information to us you agree to the transfer, storing or processing of your information outside the EU in the manner described above.

Retention Periods
We will retain personal data relating to our agreement with our customer (“collected customer data”) for seven years following the end of our contract with that customer.

Any personal data which is contained in data which our customer has uploaded and we host on behalf of our customer (“customer organization data”) will be held for seven years following the end of our contract with our customer (unless we notify the customer of an earlier date of deletion).

Information which comprises sales and marketing leads will be held for 3 years from the last date that the data subject submitted a form or gave consent for the collection of their data. After the three year period has elapsed the sales lead’s data will be deleted or anonymised.

We will retain personal data relating to our suppliers (“supplier data”) for seven years following the end of our contract with that supplier.

For any category of personal data not specifically defined in this notice, and unless otherwise specified by applicable law or regulations, the required retention period for any personal data will be deemed to be 7 years from the date of receipt by us of that data.

The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).

We review the personal data (and the categories of personal data) we are holding on a regular basis to ensure the data we are holding is still relevant to our business and is accurate. If we discover that certain data we are holding is no longer necessary or accurate, we will take reasonable steps to correct or delete this data as may be required.

Cookies
On our website, we use cookies to track users' progress, allowing us to make improvements based on usage data. A cookie helps you get the best out of the website and helps us to provide you with a more customised service. Once you close your browser, our access to the cookie terminates. You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. To change your browser settings you should go to your advanced preferences.

If you choose not to accept the cookies, this will not affect your access to the majority of information available on our website but certain services may not be available.

Contact and Complaints
If you have any query or complaint in relation to data protection or your data rights please contact our GDPR representative at Support Request.

If we are unable to resolve any issues you may have or you would like to make a further complaint, you can contact the UK Information Commissioner’s Office by visiting http://www.ico.org.uk/ for further assistance.