Rocketseed Privacy Notice

1. Background

Rocketseed provides first-class email Signature and Marketing software, accompanied by services and support recognized for dedication and excellence. This is also reflected in our commitment to safeguard data and privacy, as security is an imperative and integrated part of our business.

This Privacy Notice provides details on our information practices globally, what personal data we collect, how we use this data and who it might be shared with, how You might access it, and Your rights in relation to Your data.

1.1 Key elements for which Your personal data may be collected are:

a. To enable us to deliver our services to You in the capacity of Controller (to website Visitors, Staff, Contractors and Suppliers) or Processor (to Clients).

b. Where You have consented to doing so and only for the purpose for which they are collected.

c. Where it is in our legitimate interests to do so.

1.2 What we do not collect at any of our regions:

a. We do not collect or process personal data for any other purposes than what is outlined below or instructed by Controllers.

b. We do not collect or process personal data from children.

c. We do not collect or process any sensitive personal data such as:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade-union membership
  • genetic data
  • health-related data
  • data concerning sex life or sexual orientation

2. Definitions

Privacy laws in the regions where Rocketseed operates have similarities in fundamental principles regarding protecting personal data, and we have chosen to follow the terminology as used by GDPR and UK-GDPR. However, the Privacy Notice set out shows the principles of how we collect and process data, encompassing the various regulations.

2.1 Basic Terminology

  • Data Controller (or the term ‘Controller’) is a ‘natural and legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. This corresponds to Responsible Party under POPIA.
  • Data Processor is a ‘natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller’. This corresponds to Operator under POPIA.
  • Data Subject is a person who can be identified, directly or indirectly, in particular by reference to a unique identifier.
  • GDPR means the General Data Protection Regulation (EU) 2016/679.
  • POPIA means the Protection of Personal Information Act (South Africa), 1 July 2020.
  • CCPA means California Consumer Privacy Act (CCPA), 1 January, 2020.
  • PIPEDA means The Personal Information Protection and Electronic Documents Act of Canada.
  • Personal data (GDPR/UK-GDPR), same as Personal Information (POPI and CCPA).

3. Rocketseed Contact

Rocketseed is a global business with subsidiaries operating in different geographical regions, such as United States, United Kingdom, and South Africa.

Regarding any queries on this Privacy Notice, email Rocketseed at privacy@rocketseed.com, or fill out the Data Access Form under Section 8.

The entities covered by the Privacy Notice are:

GROUP

Rocketseed Limited
8 Sussex Mews East
W2 2TS
London

RocketDev (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

RocketFin (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

EMEA

Rocketseed (United Kingdom) Limited
11 Southwick Mews
W2 1JG
London

Rocketseed (South Africa) (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

RocketPad (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

RocketMailer (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

USA

Rocketseed (USA) Inc
473 Washington Street, Norwood, MA, 02062-2330, United States

4. What Personal Data Do We Collect?

4.1 Website Visitors – Use Of Cookies

Rocketseed does not make use of “cookies” for any reason other than to compile aggregated statistics about website usage. A cookie is a text file that is placed on Your hard disk by a webpage server. Cookies cannot be used to run programs or deliver viruses to Your computer. They are uniquely assigned to You or Your computer and can only be read by a web server in the domain that issued the cookie to You.

The data collected are:

  • Date and time of retrieval of one of our web pages
  • Browser type and settings
  • Operating system
  • Last web page visited
  • Data transmitted and the access status
  • IP address

While cookies are only used for internal tracking purposes, You have the ability to opt out of cookies being placed, choose what cookies You wish to allow, or fully clear cookies from Your computer through the settings on Your browser, although that may impact Your ability to make use of some features of the websites.

Below are links for details on how to manage cookies in each of the major web browsers and on various devices:

4.2 Users Of Services

If You use our services, personal data is required to fulfil the requirements of a contractual or service relationship, which may exist between You and our organization. We collect:

  • Financial Details
  • Identification Number
  • Location Information
  • Banking Details
  • Confidential Correspondence
  • Email, Social Networks
  • Name
  • Telephone contact details

4.3 Branding Interaction In B2B Emails

Our technology allows us, and other Users/Clients of the Rocketseed software product, to help track interest in features through interactive branding, in order to further improve services with pertinent content. Users and Recipients of emails are businesses who engage with each other and already have an established connection and route of communication.

Apart from normal information needed to send emails (such as an email address), the following data is stored for analytical purposes only:

  • IP address
  • Time of click
  • URL served – i.e. where the branding redirects the recipient as defined by the Client.

In the case of providing Data Analytics as a Processor, Rocketseed can only do so if requested by Client. Hence, Clients should present in their Privacy Note on their website if they are collecting data for Analytical purposes.

The Rocketseed Software also allows for depersonalization of such data, in which case, the information stored is limited to:

  • Domain name (e.g. Gmail, Yahoo, Hotmail)
  • Time of click
  • URL served – i.e. where the branding redirects the recipient as defined by the Client

4.4 Newsletters

Recipients of our newsletters have had to express a legitimate interest and have either:

  • Opted in to receive newsletters, or;
  • Established a clear business relationship or interest by being a customer.

Our newsletter servers for European Clients are hosted in USA, but are covered by the adequacy decision made for the EU-U.S. Data Privacy Framework.

Our newsletter services for African Clients are hosted on South African Servers and we do not transfer data outside of South Africa.

5. What We Do With Your Personal Data

The purpose is dependent on whether You use only our website, or additionally, our services.

If You visit our website, You do not need to provide us with any personal data. However, Your browser transmits some data automatically, as described in the “Use Of Cookies” section.

If You use our services, including signing up to newsletters, You are required to register, and we collect Your personal data. We use this personal data for the provision of the service or the performance of the contract. We may use Your personal data for other similar purposes, including marketing and communications, but that will only occur in the case we have Your consent or another legal justification for doing so.

a. From our Customers/Clients we process and retain personal data for the following purposes and periods, with the applicable legal basis.

  • The processing of subject data is done for the purpose of contact management, sales and distribution of products and services, as well as for communication and marketing.
  • These steps are required prior to a contract with the data subject, and such data is retained for a maximum of six years, or what is required for tax and legal purposes.

b. From our Staff/Contractors/Suppliers we process and retain personal data for the following purposes and periods, with the applicable legal basis.

  • Organization’s administration and management.
  • These steps are required prior to a contract with the data subject.
  • The data is retained for a maximum of six years, or what is required for tax and legal purposes.

6. Who Might We Share Your Personal Data With?

To maintain and improve our services, Your personal data may need to be shared with or disclosed to service providers, other Controllers or, in some cases, public authorities. We may be mandated to disclose Your personal data in response to requests from a court, police services or other regulatory bodies. Where feasible, we will consult with You prior to making such disclosure and, in order to protect Your privacy, we will ensure that we will disclose only the minimum amount of Your information necessary for the required purpose.

Data storage and processing, unless specifically requested by a client to be on a dedicated server within their own premises, are hosted by sub-processors (data centres), which have been assessed as having a rigorous safety environment, ISO certifications and stringent breach management and prevention procedures. These sub-processors can be found on our website, along with their locations and Data Protection Policies.

7. How Do We Look After Personal Data?

We limit the amount of personal data collected only to what is fit for the purpose, as described above. We restrict, secure and control all of our information assets against unauthorized access, damage, loss or destruction; whether physical or electronic. We retain personal data only for as long as is described above, to respond to Your requests, or longer if required by law. If we retain Your personal data for historical or statistical purposes, we ensure that the personal data cannot be used further. While in our possession, together with Your assistance, we try to maintain the accuracy of Your personal data.

8. How Can You Access Your Personal Data?

If You would like to make a request to see what personal data of Yours we might hold, You may make a request by filling out the Data Subject Request Form. You may also request:

  • Your Right to Rectification – We should correct Your information that is incorrect or outdated.
  • Your Right to Erasure – We should stop using it or even delete it completely if it is used improperly.
  • Your Right to Restriction – Where You have previously given Your consent to process Your personal data, You have the right to request that we port or transfer it to a different service provider or to Yourself.
  • Your Right to Portability – Where You have given consent to use Your personal data, You have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before Your withdrawal.

9. Data Protection In Operating Locations

9.1 United Kingdom

The transition of the UK out of the EU added another dimension to the questions regarding safe data transfer. The new UK-GDPR and amended Data Protection Act 2018 took effect on January 1, 2021. They greatly overlap with the European GDPR, but were changed to accommodate domestic areas of law.

Certain areas expanded upon by the UK-GDPR are National Security, Intelligence Services and Immigration, but overall, it automatically recognizes all EU countries as adequate, along with all existing EU adequacy decisions.

However, after December 31, 2020, the only governing body and authority regarding data privacy in the UK will be the Information Commissioner’s Office (ICO) and the Secretary of State, with power to determine or revoke adequacy decisions on behalf of the UK-GDPR (even bypassing the consultation of the ICO if need be).

Similar to the European GDPR, the UK-GDPR has extraterritorial reach necessitating any website or company anywhere in the world, collecting or processing personal data of individuals inside the UK, to comply with the UK-GDPR.

9.2 United States and Canada

The United States does not have any centralized, formal legislation at the federal level regarding data privacy, but does ensure the privacy and protection of data through the United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act.

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. The effective date of the CCPA is January 1, 2020. This landmark law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy, and is proposed to be replaced by the Consumer Privacy Protection Act (CPPA) in due course. PIPEDA governs how private sector organizations collect, use and disclose personal information in the course of commercial business and was deemed adequate by the EU. The Office of the Privacy Commissioner of Canada provides advice and information for individuals about protecting personal information. We also enforce two federal privacy laws that set out the rules for how federal government institutions and certain businesses must handle personal information.

9.3 South Africa

In South Africa, the Protection of Personal Information Act (POPIA) impacts technology, processes and the manner in which employees process personal information, in the very same way as GDPR protects personal data in Europe. The Rocketseed POPIA Statement and Summary can be viewed and downloaded from our website. The eight fundamental principles of POPIA are set out below:

  1. Accountability – the head of the company is ultimately responsible for complying
  2. Processing Limitation – usage must be lawful, with the minimal amount of information necessary
  3. Purpose Specification – collected, used and retained for a specific purpose, related to Your organization’s activity
  4. Further Processing Limitation – further processing must be compatible with the original purpose for collection
  5. Information Quality – ensure that the personal information is up-to-date, complete and accurate
  6. Openness – things You need to tell the person when You collect their personal information
  7. Security Safeguards – measures to prevent loss of or unauthorized access to personal information
  8. Data Subject Participation – the information does, after all, belong to someone else – they must be able to access it.

10. Supervisory Authorities

You have the right to lodge a complaint with any Supervisory Authority. See our Supervisory Authority contact details below:

UNITED KINGDOM
Information Commissioner’s Office

Water Lane, Wycliffe House, Wilmslow – Cheshire SK9 5AF
+44 1625 545 745
Contact/complaint:
international.team@ico.org.uk
www.ico.org.uk

SOUTH AFRICA
Information Regulator
JD House, 27 Stiemens Street, Braamfontein, 2001, Johannesburg
Contact/complaint:
complaints.IR@justice.gov.za
www.justice.gov.za/

UNITED STATES
Office of The Attorney General
455 Golden Gate Ave #11000, San Francisco, CA 94102
+1 916-210-6276
Contact/complaint:
https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
https://oag.ca.gov/

CANADA
Office of the Privacy Commissioner of Canada

30 Rue Victoria, Gatineau, QC J8X 2A1, Canada
+1 819-994-5444
Contact/complaint:
https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/
https://www.priv.gc.ca/en/contact-the-opc/