Rocketseed Privacy Notice

Rocketseed provides first class email Signature and Marketing software, accompanied by services and support recognized for dedication and excellence. This is also reflected in our commitment to safeguard data and privacy as security is an imperative and integrated part of our business.

This Privacy Notice provides details on our information practices globally, what personal data we collect, how we use this data and who it might be shared with, how you might access it, and your rights in relation to your data.

Key elements for which your personal data may be collected are:

  1. To enable us to deliver our services to you in the capacity of Controller (to website Visitors, Staff, Contractors and Suppliers) or Processor (to Clients).
  2. Where you have consented to doing so and only for the purpose for which they are collected.
  3. Where it is in our legitimate interests to do so.

What we do not collect at any of our regions:

  1. We do not collect or process persona data for any other purposes than what is outlined below or instructed by Controllers.
  2. We do not collect or process personal data from children.
  3. We do not collect or process any sensitive personal data such as:
    • racial or ethnic origin
    • political opinions
    • religious or philosophical beliefs
    • trade-union membership
    • genetic or biometric data
    • health-related data
    • data concerning sex life or sexual orientation

Definitions

Privacy laws in the regions where Rocketseed operates have similarities in fundamental principles regarding protecting personal data, and we have chosen to follow the terminology as used by GDPR and UK-GDPR. However, the Privacy Notice set out shows the principles of how we collect and process data, encompassing the various regulations.

Basic Terminology

  • Data Controller (or the term ‘Controller’) is a ‘natural and legal person, public authority, agency or other body which, alone or jointly, with others, determines the purposes and means of the processing of personal data. This corresponds to Responsible Party under POPIA.
  • Data Processor is a ‘natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. This corresponds to Operator under POPIA.
  • Data Subject, is a person who can be identified, directly or indirectly, in particular by reference to a unique identifier.
  • GDPR means the General Data Protection Regulation (EU) 2016/679.
  • POPIA means the Protection of Personal Information Act (South Africa), 1 July 2020.
  • CCPA means California Consumer Privacy Act (CCPA), 1 January, 2020.
  • Personal data (GDPR/UK-GDPR), same as Personal Information (POPI and CCPA).

1. Rocketseed

Rocketseed is a global business with subsidiaries operating in different geographical regions, such as United States, United Kingdom, and South Africa. The contact information to entities covered by the Privacy Notice are:

GROUP

Rocketseed Limited
8 Sussex Mews East
W2 2TS
London

RocketDev (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

RocketFin (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

USA

Rocketseed (USA) Inc
Suite 219
300 E. State Street, Redlands, 92374
California

EMEA

Rocketseed (United Kingdom) Limited
11 Southwick Mews
W2 1JG
London

Rocketseed (South Africa) (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

RocketPad (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

RocketMailer (Pty) Limited
25 St Johns Wood Country Village
Franshoek Road, Durbanville Hills
7550, Cape Town

You can contact us about any queries you have regarding this Privacy Notice through the offices above or by emailing us at privacy@rocketseed.com.

2. What Personal Data Do We Collect?

2.1 Website Visitors – Use Of Cookies

Rocketseed does not make use of “cookies” for other reason than to compile aggregated statistics about website usage. A cookie is a text file that is placed on your hard disk by a webpage server. Cookies cannot be used to run programs or deliver viruses to your computer. They are uniquely assigned to you or your computer and can only be read by a web server in the domain that issued the cookie to you. The data collected are:

  • Date and time of retrieval of one of our web pages
  • Browser type and settings
  • Operating system
  • Last web page visited
  • Data transmitted and the access status
  • IP address

While cookies are only used for internal tracking purposes, you have the ability to opt-out of cookies being placed, choose what cookies you wish to allow, or fully clear cookies from your computer through the settings on your browser, although that may impact your ability to make use of some features the websites.

Below are links for details on how to manage cookies in each of the major web browsers and on various devices:

2.2. Users Of Services

If you use our services, personal data is required to fulfil the requirements of a contractual or service relationship, which may exist between you and our organization. We collect:

  • Financial Details
  • Identification Number
  • Location Information
  • Banking Details
  • Confidential Correspondence
  • Email, Social Networks
  • Name
  • Telephone contact details

2.3. Branding Interaction In B2B Emails

Our technology allows us, and other Users/Clients of the Rocketseed software product, to help track interest in features through interactive branding, in order to further improve services with pertinent content. Users and Recipients of emails are businesses who engage with each other and already have an established connection and route of communication.

Apart from normal information needed to send emails (such as an email address), the following data is stored for analytical purposes only;

  • IP address
  • Time of click
  • URL served – i.e. where the branding redirects the recipient as defined by the Client.

In the case of providing Data Analytics as a Processor, Rocketseed can only do so if requested by Client. Hence, Clients should present in their Privacy Note on their website if they are collecting data for Analytical purposes.

The Rocketseed Software also allows for depersonalisation of such data, in which case, the information stored is limited to:

  • Domain name (e.g. Gmail, Yahoo, Hotmail)
  • Time of click
  • URL served – i.e. where the branding redirects the recipient as defined by the Client

2.4. Newsletters

Recipients of our newsletters have had to express a legitimate interest and have either:

  • Opted in to receive newsletters, or;
  • Established a clear business relationship or interest by being a customer.

Our newsletter servers for European Clients (see section 4), which are hosted in USA, are covered by Standard Contractual Clauses (SCCs), to ensure appropriate safeguards for the purposes of transfers of personal data. SCCs apply to UK controllers and processors as recommended by the ICO. Transferring personal data outside of the UK and EU to the US is no longer covered by the Privacy Shield framework (see section 7.2).

Our newsletter services for African Clients, are hosted on South African Servers (See section 4) and we do not transfer data outside of South Africa.

3. What We Do With Your Personal Data?

The purpose is dependent on whether you use only our website, or additionally, our services.

If you visit our website, you do not need to provide us with any personal data. However, your browser transmits some data automatically as shown below in the section of “Use of Cookies”.

If you use our services, including signing up to newsletters, you are required to register, and we collect your personal data. We use this personal data for the provision of the service or the performance of the contract. We may use your personal data for other similar purposes, including marketing and communications, but that will only occur in the case we have your consent or another legal justification for doing so.

  • From our Customers/Clients we process and retain personal data for the following purposes and periods, with the applicable legal basis.
  1. The processing of subject data is done for the purpose of contact management, sales and distribution of products and services, as well as for communication and marketing.
  2. These steps are required prior to a contract with the data subject, and retention of such data for a maximum of six years, or what is required for tax and legal purposes.
  • From our Staff/Contractors/Suppliers we process and retain personal data for the following purposes and periods, with the applicable legal basis.
  1. Organisation’s administration and management.
  2. These steps are required prior to a contract with the data subject.
  3. The data is retained for a maximum of six years, or what is required for tax and legal purposes.

4. Who Might We Share Your Personal Data With?

To maintain and improve our services, your personal data may need to be shared with or disclosed to service providers, other Controllers or, in some cases, public authorities. We may be mandated to disclose your personal data in response to requests from a court, police services or other regulatory bodies. Where feasible, we will consult with you prior to making such disclosure and, in order to protect your privacy, we will ensure that we will disclose only the minimum amount of your information necessary for the required purpose.

Data storage and where processing takes place, unless specifically requested by a client to be on a dedicated server within their own premises, are hosted by sub-processors (data centres), which have been assessed having rigorous safety environment, ISO certifications and stringent breach management and prevention procedures. These sub-processors can be found here, along with their locations and Data Protection Policies.

5. How Do We Look After Personal Data?

We limit the amount of personal data collected only to what is fit for the purpose, as described above. We restrict, secure and control all of our information assets against unauthorised access, damage, loss or destruction; whether physical or electronic. We retain personal data only for as long as is described above, to respond to your requests, or longer if required by law. If we retain your personal data for historical or statistical purposes, we ensure that the personal data cannot be used further. While in our possession, together with your assistance, we try to maintain the accuracy of your personal data.

6. How Can You Access Your Personal Data?

If you would like to make a request to see what personal data of yours we might hold, you may make a request from here by filling out the Data Subject Request Form. You may also request that:

  • You Right to Rectification – We should correct your information that is incorrect or outdated.
  • Your Right to Erasure – We should stop using it or even delete it completely if it is used improperly.
  • Your Right to Restriction – Where you have previously given your consent to process your personal data, you have the right to request that we port or transfer it to a different service provider or to yourself.
  • Your Right to Portability – Where you have given consent to use your personal data, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before your withdrawal.

7. Data Protection in Operating Locations

7.1. United Kingdom

The transition of the UK out of the EU added another dimension to the questions regarding safe data transfer. The new UK-GDPR and amended Data Protection Act 2018 took effect on January 1, 2021, which greatly overlaps with the European GDPR, but changed to accommodate domestic areas of law. The changes to the UK-GDPR can be found here.

Certain areas expanded upon by the UK-GDPR are National Security, Intelligence Services and Immigration, but overall, it automatically recognises all EU countries as adequate, along with all existing EU adequacy decisions.

However, after December 31, 2020, the only governing body and authority regarding data privacy in the UK, will be the Information Commissioner’s Office (ICO) and the Secretary of State with power to determine or revoke adequacy decisions on behalf of the UK-GDPR (even bypassing the consultation of the ICO if need be).

Similar to the European GDPR, the UK-GDPR has extraterritorial reach necessitating any website or company anywhere in the world, collecting or processing personal data of individuals inside the UK, to comply with the UK-GDPR.

7.2. United States

The United States does not have any centralized, formal legislation at the federal level regarding data privacy, but does insure the privacy and protection of data through the United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act.

On July 16, 2020, the European Court of Justice invalidated the Privacy Shield on the grounds that the framework did not guarantee an adequate level of data protection as defined under the GDPR, and consequently, this was adopted and applies within the UK-GDPR also. Hence, transfer of data between US and EU/UK will need to be underpinned by SCCs (see section 2.4).

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. The effective date of the CCPA is January 1, 2020. This landmark law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

7.3. South Africa

In South Africa, the Protection of Personal Information Act (POPIA) impacts technology, processes and the manner in which employees process personal information, in the very same way as GDPR protects personal data in Europe. The fundamental principles of POPIA are set out below:

  • Personal information may only be used for the purpose agreed with your customers and employees.
  • Marketing by means of unsolicited e-mail is prohibited unless certain provisions apply – organisations need to implement opt-in and opt-out strategies.
  • Personal information may only be retained for as long as necessary – organisations need to specify retention periods.
  • Organisations should not process more personal information than is necessary.
  • Processing of special personal information is prohibited unless certain provisions apply.

8. Supervisory Authorities

You have the right to lodge a complaint with any Supervisory Authority. See our Supervisory Authority contact details below:

United Kingdom

Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
+44 1625 545 745
international.team@ico.org.uk
www.ico.org.uk

United States

Office of The Attorney General
455 Golden Gate Ave #11000
San Francisco
CA 94102
+1 916-210-6276
https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
https://oag.ca.gov/

South Africa

Information Regulator
JD House, 27 Stiemens Street
Braamfontein, 2001
Johannesburg
complaints.IR@justice.gov.za
www.justice.gov.za/