Privacy Policy - Topbox

Topbox privacy policy


At Topbox, we take great efforts to ensure that your Personal Data is safe and is used properly.

This policy is intended to inform you (collectively “Consumers” or “Users”) about Topbox’s collection, use and disclosure of information that we receive through the services that we provide to our Clients and through our corporate websites,, and (“Websites”). We process your Personal Data (as defined below) subject to the terms of this policy. By using the Topbox Websites, you consent to the data practices described in this statement.

It is important to note that Topbox’s Websites and Services are operated via servers situated in the United States. If you are located outside of the United States, please be aware that any information which you or your agents supply to Topbox, including Personal Data, may be transferred to, processed, and used in the United States. By accessing and/or using Topbox’s Website and Services (as defined below), you irrevocably and unconditionally consent to the transfer, processing, and use of such information in accordance with this Privacy Policy.

Personal Data

Personal Data refers to data that personally identifies an individual, such as name, physical address, email address, and phone number. We may collect Personal Data from Users in a number of ways, including but not limited to, when Users visit our Websites, register on the Websites, subscribe to our content, fill out a form, and in connection with other activities, services, features or resources we make available on our Websites. Additionally, when you or someone on your behalf contacts our Clients, we may receive certain Personal Data that may be used by Topbox to provide our Services to you.

Information about your computer hardware and software may be automatically collected by Topbox. This information can include: your IP address, browser type, type of computer, internet service provider, domain names, access times and referring website addresses. This information is used for the operation of our Websites and Services, to maintain their quality, for B2B marketing, and to provide general statistics regarding use of the Topbox Websites and Services.

Topbox’s Role as a Service Provider

Topbox’s analytics software is used by our Clients to improve their customers’ experiences and improve their business operations (the “Services”). Topbox provides the Services via a hosted platform and through employees and contractors that are located in the United States. Topbox acts as a processor of data received from our Clients. Clients are responsible for managing the data that they deliver for processing using the Services. Our Clients determine the categories of Personal Data that are provided to Topbox. Topbox does not know the categories of Personal Data to be processed or the purpose of the processing unless such information is provided by its Clients or prospective clients.

Topbox relies upon our Clients to obtain any consent from consumers that may be required to authorize Topbox’s privacy practices regarding Topbox’s collection and use of the Personal Data and Protected Health Information (“PHI”) (collectively, “Protected Data”) received from our Clients. Topbox is not responsible for the policies or practices of our Clients or prospective clients with respect to the Protected Data those entities collect or provide to Topbox.

Third Party Websites

Topbox encourages you to review the privacy statements of websites you choose to link to from Topbox so that you can understand how those websites collect, use and share your information. Topbox is not responsible for the privacy practices, statements or content on websites outside of the Topbox websites.

Use Of Cookies

The Topbox websites may use "cookies" to help personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.

One of the primary purposes of cookies is to provide convenience features to save Users time on websites. For example, a “functional” cookie tells the Web server that you have returned to a specific page.  “Performance” cookies are used to compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. Typically, “performance” cookies need not access Personal Data for their operations.  We may contract with third-party service providers to assist us in better understanding our Website visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. However, if you choose to decline cookies, you may not be able to fully experience the interactive features of the Topbox Services or Websites you visit.  If you wish to find out more about cookies, or how to refuse cookies for your browser, please visit the Interactive Advertising Bureau's web site at

Use and Disclosure of Protected Health Information (PHI)

We share a commitment with HIPAA Covered Entities to protect the privacy and confidentiality of PHI that we obtain subject to the terms of a Business Associate Agreement (“BAA”). PHI includes all individually identifiable health information that can be used to identify an individual and was created, used or disclosed in (a) the course of providing a health care service such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.

Topbox may receive PHI within the data provided by our Clients to the extent such use of PHI is permitted or required by the BAAs and not prohibited by law. We may use PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BAAs and would not violate the Privacy Rule.

In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BAAs with respect to PHI, including the implementation of reasonable and appropriate safeguards.

We may also disclose your PHI as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government or public authorities request.


We use appropriate safeguards to prevent the use or disclosure of Protected Data, other than as provided for in our BAAs. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic information that we create, receive, maintain, or transmit on behalf of our customers. Such safeguards include:

  • Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
  • Providing appropriate training for our staff to assure that our staff complies with our security policies;
  • Making use of appropriate encryption when transmitting Protected Data;
  • Utilizing appropriate storage, backup, disposal and reuse procedures to protect Protected Data;
  • Utilizing appropriate authentication and access controls to safeguard Protected Data;
  • Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
  • Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the Protected Data we hold on behalf of our customers is available when needed.

However, despite our efforts, no security controls are 100% effective and Topbox cannot ensure or warrant the security of your Protected Data.

Mitigation of Harm for PHI

In the event of a use or disclosure of PHI that may not be consistent with the requirements of our BAAs, we will mitigate, to the extent practicable, any harmful effect resulting from such use or disclosure. Such mitigation will include:

  • Reporting any security incident of which we become aware to the Covered Entity; and
  • Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.

Access to PHI

As provided in our BAAs, we will make available to Covered Entities, information necessary for Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.

Upon request, we will make our internal practices, books, and records including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.

Correcting, Updating or Deleting Your Personal Data

Topbox has no direct relationship with the Consumers whose Personal Data it processes on behalf of our Clients. If you would like to access, correct, amend, or delete your user information submitted through a Client, please contact that Client directly. If the Client requests Topbox to remove the data, we will respond to their request within a reasonable timeframe.

If you would like to access, correct, amend or delete any of your Personal Data collected or held by Topbox, contact us using one of the methods listed in this policy. We will respond to such requests within a reasonable timeframe, but be advised that we may be obligated to forward your request to the relevant Client to respond.

Please note that in certain circumstances we may be required by law to retain your Personal Data or may need to retain your Personal Data in order to continue providing a service.

California Consumer Privacy Act

Topbox is a service provider under the California Consumer Privacy Act (CCPA).  If we receive a request from a California Consumer to know or to delete what Personal Data we collect on behalf of our client for which we perform services, we will direct the Consumer to submit the request directly to our client.  If possible, we will provide the Consumer with contact information for the client.  Topbox does not sell Personal Data to third parties for any purpose.  To submit a CCPA Consumer request, contact us via email at

EU-US & Swiss-US Privacy Shield Information

Topbox complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom and Switzerland to the United States. Topbox has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. Topbox is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). To learn more about the Privacy Shield program, and to view our certification page, please visit

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Pursuant to the Privacy Shield Frameworks, EU, UK and Swiss individuals have the right to obtain our confirmation of whether we maintain Personal Data relating to you in the United States.  Upon request, we will provide you with access to the Personal Data that we hold about you.  You may also request to correct, amend, or delete the personal information we hold about you.  An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to  If requested to remove data, we will respond within a reasonable timeframe.  Be advised, however, that where Topbox would be considered a Data Processor pursuant to the GDPR, Topbox may be obligated to forward any request to the relevant Topbox Client, the Data Controller, to respond.

In compliance with the EU-US and Swiss-US Privacy Shield Principles, Topbox commits to resolve complaints about your privacy and our collection or use of your personal information. European Union, UK or Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact Topbox at:

Topbox Privacy Office
12000 Trailridge Drive
Potomac, Maryland 20854

Topbox provides recourse to you if you believe that Topbox has failed to comply with the Privacy Shield Principles regarding your Personal Data. You can contact us with details of your complaint at If you do not receive a response from us within 45 days or if you feel that our response to your complaint is unsatisfactory you can refer your complaint to a free, independent dispute resolution mechanism: BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. Please visit for more information and to file a complaint. Under certain conditions, you may invoke binding arbitration for complaints before the Privacy Shield Panel that have not been resolved by any other dispute resolution procedures. More information can be found here:

As a Privacy Shield Organization, Topbox is responsible for the processing of Personal Data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. These third-party agents are contractually obligated to maintain the confidentiality of your Personal Data consistent with the terms of this Privacy Policy and provide at least the same level of protection as required by the Privacy Shield Principles, as well as comply with applicable data protection laws. Where Topbox has knowledge that an agent is using or disclosing Personal Data in a manner contrary to this Privacy Policy or the Privacy Shield Principles, Topbox will take reasonable steps to prevent or stop the use or disclosure. In cases of onward transfer to third parties of Personal Data of EU individuals received pursuant to the EU-US Privacy Shield Framework, Topbox is potentially liable, unless Topbox proves that it is not responsible for the event giving rise to the damage.

EEA and UK Residents

For residents of the European Economic Area (EEA) and the United Kingdom, Topbox advises that your Personal Data will be transferred to and processed in the United States, which has data protection laws that are different than those in your country and may not be as protective.  The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR.  Our legal basis for collecting and using your Personal Data is to do so with your consent; where Topbox needs the Personal Data for performance of a contract, or where the collection and use is in our or another’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect the Personal Data in question. If we collected your Personal Data with your consent, you may withdraw your consent at any time.

Residents of the EEA and the United Kingdom have the right to:

  • Access your Personal Data;
  • Delete, or request deletion of, your Personal Data;
  • Object to or restrict processing of your Personal Data;
  • Request portability of your Personal Data;
  • Complain to your local data protection authority at any time;
  • Object to automated decision making; and
  • Update your Personal Data.

Where Topbox is considered a Data Processor, we may be obligated to forward any request to the relevant Topbox Client, the Data Controller, to respond.

Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.  Where Topbox is considered the Data Processor, Topbox may need to confer with and confirm the request with the relevant Data Controller to process a request to withdraw consent.

If we ask you to provide Personal Data to us to comply with a legal requirement or enter into a contract, we will inform you of this and let you know whether providing us with your Personal information is required and if not, the consequences of not sharing your personal data with us.

Similarly, if Topbox collects and uses your Personal Data in reliance on our or a third party's legitimate interests and those interests are not already described above, we will let you know what those legitimate interests are.

Topbox endeavors to apply suitable safeguards to protect the privacy and security of your Personal Data and to use it only consistent with your relationship with us and the practices described in this Privacy Policy.  We also take steps to minimize the risk to your rights and freedoms by not collecting or storing sensitive or special categories of Personal Data about you.

To withdraw consent or exercise these rights, please contact us via email at

Children Under 13

Topbox does not knowingly collect Personal Data from website visitors who are under the age of 13. If you believe your child has provided Personal Data, please contact us at

Sharing Your Personal Data

We do not sell, trade, or rent Personal Data to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third party service providers to help us deliver the Services, operate our business and our Websites, or administer activities on our behalf, such as sending out newsletters or surveys to Topbox clients and prospects.

Opt-Out & Unsubscribe

We respect your privacy and give you an opportunity to opt-out of receiving announcements of marketing information. Users may opt-out of receiving marketing communications from Topbox at any time by contacting us at

Changes to this Policy

Topbox will occasionally update this Privacy Policy. When we do, we will revise the updated date at the bottom of this page. Topbox encourages you to periodically review this Policy to be informed of how Topbox is protecting your information. It is your responsibility to review this privacy policy periodically and become aware of modifications.

Your Acceptance of These Terms

By using this Website, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our Website. Your continued use of the Website following the posting of changes to this policy will be deemed your acceptance of those changes.

Contact Information

Topbox welcomes your questions or comments regarding this Privacy Policy. If you believe that Topbox has not adhered to this Policy or have questions about the Policy, please contact Topbox at:

Topbox Inc.
12000 Trailridge Drive
Potomac, Maryland 20854

Effective as of January 31, 2020