At Topbox, we take great efforts to ensure that your Personal Data is safe and is used properly.
This policy is intended to inform you (collectively “Consumers” or “Users”) about Topbox’s collection, use and disclosure of information that we receive through the services that we provide to our Clients and through our corporate websites, topbox.io, topboxanalytics.com and topbox.ai (“Websites”). We process your Personal Data (as defined below) subject to the terms of this policy. By using the Topbox Websites, you consent to the data practices described in this statement.
Personal Data refers to data that personally identifies an individual such as name, physical address, email address, phone number. We may collect Personal Data from Users in a number of ways, including but not limited to, when Users visit our Websites, register on the Websites, subscribe to our content, fill out a form, and in connection with other activities, services, features or resources we make available on our Websites. Additionally, when you or someone on your behalf contacts our Clients, we may receive certain Personal Data that may be used by Topbox to provide our Services to you.
Information about your computer hardware and software may be automatically collected by Topbox. This information can include: your IP address, browser type, type of computer, internet service provider, domain names, access times and referring website addresses. This information is used for the operation of our Websites and Services, to maintain their quality, for B2B marketing, and to provide general statistics regarding use of the Topbox Websites and Services.
Topbox’s Role as a Service Provider
Topbox’s analytics software is used by our Clients to improve their customers’ experiences and improve their business operations (the “Services”). Topbox provides the Services via a hosted platform and through employees and contractors that are located in the United States. Topbox acts as a processor of data received from our Clients. Clients are responsible for managing the data that they deliver for processing using the Services. Our Clients determine the categories of Personal Data that are provided to Topbox. Topbox does not know the categories of Personal Data to be processed or the purpose of the processing unless such information is provided by its Clients or prospective clients.
Topbox relies upon our Clients to obtain any consent from consumers that may be required to authorize Topbox’s privacy practices regarding Topbox’s collection and use of the Personal Data and Protected Health Information (“PHI”) (collectively, “Protected Data”) received from our Clients. Topbox is not responsible for the policies or practices of our Clients or prospective clients with respect to the Protected Data those entities collect or provide to Topbox.
Third Party Websites
Topbox encourages you to review the privacy statements of websites you choose to link to from Topbox so that you can understand how those websites collect, use and share your information. Topbox is not responsible for the privacy practices, statements or content on websites outside of the Topbox websites.
The Topbox websites may use "cookies" to help personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide convenience features to save Users time on websites. For example, a “functional” cookie tells the Web server that you have returned to a specific page. “Performance” cookies are used to compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. Typically, “performance” cookies need not access Personal Data for their operations. We may contract with third-party service providers to assist us in better understanding our Website visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.
Use and Disclosure of Protected Health Information (PHI)
We share a commitment with HIPAA Covered Entities to protect the privacy and confidentiality of PHI that we obtain subject to the terms of a Business Associate Agreement (“BAA”). PHI includes all individually identifiable health information that can be used to identify an individual and was created, used or disclosed in (a) the course of providing a health care service such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.
Topbox may receive PHI within the data provided by our Clients to the extent such use of PHI is permitted or required by the BAAs and not prohibited by law. We may use PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BAAs and would not violate the Privacy Rule.
In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BAAs with respect to PHI, including the implementation of reasonable and appropriate safeguards.
We may also disclose your PHI as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government or public authorities request.
We use appropriate safeguards to prevent the use or disclosure of Protected Data, other than as provided for in our BAAs. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic information that we create, receive, maintain, or transmit on behalf of our customers. Such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Making use of appropriate encryption when transmitting Protected Data;
- Utilizing appropriate storage, backup, disposal and reuse procedures to protect Protected Data;
- Utilizing appropriate authentication and access controls to safeguard Protected Data;
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the Protected Data we hold on behalf of our customers is available when needed.
However, despite our efforts, no security controls are 100% effective and Topbox cannot ensure or warrant the security of your Protected Data.
Mitigation of Harm for PHI
In the event of a use or disclosure of PHI that may not be consistent with the requirements of our BAAs, we will mitigate, to the extent practicable, any harmful effect resulting from such use or disclosure. Such mitigation will include:
- Reporting any security incident of which we become aware to the Covered Entity; and
- Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.
Access to PHI
As provided in our BAAs, we will make available to Covered Entities, information necessary for Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.
Upon request, we will make our internal practices, books, and records including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.
Correcting, Updating or Deleting Your Personal Data
Topbox has no direct relationship with the Consumers whose Personal Data it processes on behalf of our Clients. If you would like to access, correct, amend, or delete your user information submitted through a Client, please contact that Client directly. If the Client requests Topbox to remove the data, we will respond to their request within a reasonable timeframe.
If you would like to access, correct, amend or delete any of your Personal Data collected or held by Topbox, contact us using one of the methods listed in this policy. We will respond to such requests within a reasonable timeframe, but be advised that we may be obligated to forward your request to the relevant Client to respond.
Please note that in certain circumstances we may be required by law to retain your Personal Data or may need to retain your Personal Data in order to continue providing a service.
California Consumer Privacy Act
Topbox is a service provider under the California Consumer Privacy Act (CCPA). If we receive a request from a California Consumer to know or to delete what Personal Data we collect on behalf of our client for which we perform services, we will direct the Consumer to submit the request directly to our client. If possible, we will provide the Consumer with contact information for the client. Topbox does not sell Personal Data to third parties for any purpose. To submit a CCPA Consumer request, contact us via email at firstname.lastname@example.org.
EU-US & Swiss-US Privacy Shield Information
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Pursuant to the Privacy Shield Frameworks, EU, UK and Swiss individuals have the right to obtain our confirmation of whether we maintain Personal Data relating to you in the United States. Upon request, we will provide you with access to the Personal Data that we hold about you. You may also request to correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe. Be advised, however, that where Topbox would be considered a Data Processor pursuant to the GDPR, Topbox may be obligated to forward any request to the relevant Topbox Client, the Data Controller, to respond.
Topbox Privacy Office
12000 Trailridge Drive
Potomac, Maryland 20854
Topbox provides recourse to you if you believe that Topbox has failed to comply with the Privacy Shield Principles regarding your Personal Data. You can contact us with details of your complaint at firstname.lastname@example.org. If you do not receive a response from us within 45 days or if you feel that our response to your complaint is unsatisfactory you can refer your complaint to a free, independent dispute resolution mechanism: BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. Please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Under certain conditions, you may invoke binding arbitration for complaints before the Privacy Shield Panel that have not been resolved by any other dispute resolution procedures. More information can be found here: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
EEA and UK Residents
For residents of the European Economic Area (EEA) and the United Kingdom, Topbox advises that your Personal Data will be transferred to and processed in the United States, which has data protection laws that are different than those in your country and may not be as protective. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Our legal basis for collecting and using your Personal Data is to do so with your consent; where Topbox needs the Personal Data for performance of a contract, or where the collection and use is in our or another’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect the Personal Data in question. If we collected your Personal Data with your consent, you may withdraw your consent at any time.
Residents of the EEA and the United Kingdom EEA have the right to:
- Access your Personal Data;
- Delete, or request deletion of, your Personal Data;
- Object to or restrict processing of your Personal Data;
- Request portability of your Personal Data;
- Complain to your local data protection authority at any time;
- Object to automated decision making; and
- Update your Personal Data.
Where Topbox is considered a Data Processor, we may be obligated to forward any request to the relevant Topbox Client, the Data Controller, to respond.
Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent. Where Topbox is considered the Data Processor, Topbox may need to confer with and confirm the request with the relevant Data Controller to process a request to withdraw consent.
If we ask you to provide Personal Data to us to comply with a legal requirement or enter into a contract, we will inform you of this and let you know whether providing us with your Personal information is required and if not, the consequences of not sharing your personal data with us.
Similarly, if Topbox collects and uses your Personal Data in reliance on our or a third party's legitimate interests and those interests are not already described above, we will let you know what those legitimate interests are.
To withdraw consent or exercise these rights, please contact us via email at email@example.com
Children Under 13
Topbox does not knowingly collect Personal Data from website visitors who are under the age of 13. If you believe your child has provided Personal Data, please contact us at firstname.lastname@example.org.
Sharing Your Personal Data
We do not sell, trade, or rent Personal Data to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third party service providers to help us deliver the Services, operate our business and our Websites, or administer activities on our behalf, such as sending out newsletters or surveys to Topbox clients and prospects.
Opt-Out & Unsubscribe
We respect your privacy and give you an opportunity to opt-out of receiving announcements of marketing information. Users may opt-out of receiving marketing communications from Topbox at any time by contacting us at email@example.com.
Changes to this Policy
Your Acceptance of These Terms
By using this Website, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our Website. Your continued use of the Website following the posting of changes to this policy will be deemed your acceptance of those changes.
12000 Trailridge Drive
Potomac, Maryland 20854
Effective as of January 31, 2020