The ThymeBase Privacy Policy

Overview

This section of this Policy applies only to Guests. If you are a Guest located in the European Union, ThymeBase is the data controller with respect to the processing of your personal data pursuant to the GDPR.

Collection and Use of Guest Information

This section explains the information we collect from Guests. We do not require Guests to provide us with information. However, certain information, such as account log-in data, is required to provide you with access to the Service, and other information may be collected automatically as you use the Service.

1. User Content. The messages, attachments, files, tasks, events and event names, projects and project names, team names, channels, conversations, and other content submitted through the Service (“User Content”).
2. Account Information.. Information you provide as part of your account registration with ThymeBase, which may include your name, organization name, address, telephone number, email address, username and password; optional information that you may choose to provide, such as a photograph or basic demographic data; and, with your permission, calendar information that you may elect to upload to your account (collectively, the “Account Information”).
3. Service Usage Information.. As you use the Service, we collect information about how you use and interact with the Service (“Service Usage Information”). Such information includes:
   • Device information – when you access the Service, we collect certain device information, including the type of device you are using, its operating system, and mobile network information, which may include your mobile phone number. We may also collect your MAC address and other unique device identifiers.
   • Log files – when you use the Service, our servers automatically record information in server log files. These log files may include information such as your web request, IP address, browser type and settings, referring/exit pages and URLs, number of clicks, date and time stamp information, language preferences, data from cookies and similar technologies, and other such information.
   • Location information – we collect and process general information about the location of the device from which you are accessing the Service (e.g., approximate geographic location inferred from an IP address).
   • Account Use Metadata – when you interact with the Service, metadata is generated that provides high-level (non-content) information about the way you work in your Account. For example, we may log the number of Accounts you work in; the number of tasks to which you are assigned; the features and embedded Service content you interact with; and the types of files you share.
4. Other Information. You may provide us with information when you interact with us in other ways, such as when you submit requests or questions to us via forms or email (e.g., support forms, sales forms, user research participation forms); and requests for customer support and technical assistance (collectively, “Other Information”).
5. Information Collected from Third-Party Integrations. If you choose to use or connect to third-party integrations (e.g., G Suite, Google Calendar) through the Service, or if you are required or permitted to do so by a Customer, such third parties may allow us to have access to and store additional information about your interaction with those services as it relates to your use of the Service. If you initiate these connections, you also understand that we will share information about you that is required to enable your use of the third-party integration through the Service. If you do not wish to have this information shared, do not initiate these connections. By enabling these connections, you authorize us to connect and access the information provided through these connections, and you understand that the privacy policies of these third parties govern such connections.

How Does ThymeBase Use Guest Information?

This section describes how ThymeBase uses the information we collect from Guests.

1. User Content. ThymeBase may view and use User Content collected from and about Subscribers only as necessary:
   • To maintain, provide and improve the Service
   • To prevent or address technical or security issues and resolve support requests
   • To investigate when we have a good faith belief, or have received a complaint alleging, that such User Content is in violation of the Terms of Service
   • To comply with a valid legal subpoena, request, or other lawful process that meets the requirements of the Customer Agreement and our Law Enforcement Guidelines
   • As otherwise set forth in our Terms of Service or as expressly permitted in writing by the Customer
2. Account Information, Service Usage Information, Information from Third Party Integrations, and Other Information. ThymeBase may use these categories of information collected from and about Subscribers to:
   • Maintain, provide, and improve the Service
   • Respond to your requests for information
   • Prevent or address technical or security issues and resolve support requests
   • Investigate in good faith alleged violations of our User Terms of Service
   • Comply with a valid legal subpoena, request, or other lawful process that meets the requirements of our Law Enforcement Guidelines
   • Help us better understand user interests and needs, and customize the Service for our users
   • Engage in analysis, research, and reports regarding use of the Service
   • Protect the Service and our users
   • Communicate with you via email and through the Service about important notices and updates regarding the Service.
   • In accordance with applicable legal obligations, communicate with you about promotions, offers, and news about ThymeBase. You have the ability to unsubscribe from such promotional communications
   • Provide cross-device management of your account. For example, we may locate or try to locate the same unique users across multiple browsers or devices (such as smartphones or tablets), or work with service providers that do this, in order to save your preferences across devices and analyze usage of the Service. We use Google Analytics to locate usage across devices and you may opt out of this by clicking here.

Legal Bases for Use of Your Information

If you are located in the EU, please note that the legal bases under the EU General Data Protection Regulation (“GDPR”) for using the information we collect through your use of the Service as a Free User are as follows:

• Where use of your information is necessary to perform our obligations under a contract with you (for example, to comply with the Terms of Service which you accept by using the Service)
• Where use of your information is necessary for our legitimate interests or the legitimate interests of others (for example, to provide security for our Service; operate our Service; prevent fraud, analyze use of and improve our Service, and for similar purposes)
• Where use of your information is necessary to comply with a legal obligation
• Where we have your consent to process data in a certain way

Sharing of Guest Information

We may share the information we collect from Guests as follows:

1. Service Providers. We may provide access to or share your information with select third parties that use the information only to perform services on our behalf. These third parties provide a variety of services to us, including without limitation provision of content and features, analytics, data storage, security, fraud prevention, and other services.
2. Business Transactions. If the ownership of all or substantially all of our business changes, we may transfer your information to the new owner so that the Service can continue to operate. In such cases, your information would remain subject to the promises and commitments contained in this Policy until such time as the acquiring party modifies it. If such transfer is subject to additional mandatory restrictions under applicable laws, ThymeBase will comply with such restrictions.
3. Consistent with your settings within the Service. Please note that the User Content you submit through the Service may be viewable by other users in your Account and within your organization, depending on the specific settings you and your organization have selected.

Aggregate De-Identified Data

We may aggregate and/or de-identify information collected through the Service so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and analytics, and may also share such data with any third parties, including partners, affiliates, services providers, and others.

Combined Information

We may combine the information that we collect through the Service with information that we receive from other sources, both online and offline, and use such combined information in accordance with this Policy and the Customer Agreement.

Data Retention

We will retain your information for the period necessary to fulfill the purposes outlined in this Policy unless a longer retention period is required or permitted by law, or where the Terms of Service requires or permits specific retention or deletion periods.

Data Subject Rights

Local legal requirements (such as those in the EU) may afford you additional rights. If you would like further information in relation to your legal rights under applicable law or would like to exercise any of them, please contact us via email at any time at support@thymebase.com. We may request you provide us with information necessary to confirm your identity before responding to your request.

Your local laws (such as those in the EU) may permit you to request that we:

• provide access to and/or a copy of certain information we hold about you
• prevent the processing of your information for direct-marketing purposes (including any direct marketing processing based on profiling)
• update information which is out of date or incorrect
• delete certain information which we are holding about you
• restrict the way that we process and disclose certain of your information
• transfer your information to a third party provider of services
• revoke your consent for the processing of your information

We will consider all requests and provide our response within the time period stated by applicable law. Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation.

Overview

Section IV of this Policy applies only to Site Visitors. If you visit the Website, regardless of whether you are also a user of the Service, the following rules apply to you. To eliminate any confusion, please note that the terms in this section apply only to use of ThymeBase’s Websites, not to use of the Service. If you are a Site Visitor located in the European Union, ThymeBase is the data controller with respect to the processing of your personal data pursuant to the EU General Data Protection Regulation (“GDPR”).

Collection and Use of Site Visitor Information

This section explains the information we collect from Site Visitors.

1. Information Collected from Site Visitors.
   • Contact Information. If you submit a request for information or a question through the Websites, you may be asked to provide us with basic information including your name, email address, phone number, and postal address. We will also keep records of the communication, the question/request you raised, and how it was resolved.
   • Websites Usage Information. As you browse the Websites, we and our service providers (which are third party companies that work on our behalf to provide and enhance the Websites) use a variety of technologies, including cookies and similar tools, to assist in collecting information about how you use the Websites. For example, our servers automatically record certain information in server logs. These server logs may include information such as your web request, IP address, browser type and settings, referring / exit pages and URLs, number of clicks and how you interact with links on the Websites, domain names, landing pages, pages viewed, mobile carrier, mobile device identifiers and information about the device you are using to access the Websites, date and time stamp information and other such information.
   • Location Information. We collect and process general information about the location of the device from which you are accessing the Service (e.g., approximate geographic location inferred from an IP address).
2. Cookies and Similar Technologies. We and our service providers use Internet server logs, cookies, tags, SDKs, tracking pixels, and other similar tracking technologies. A web server log is a file where website activity is stored. An SDK is a section of code that we embed in our applications and software to allow third parties to collect information about how users interact with the Websites. A cookie is a small text file that is placed on your computer or mobile device when you visit a site, that enables us to: (i) recognize your computer and login session; (ii) store your preferences and settings; (iii) understand which pages of the Websites you have visited; (iv), enhance your user experience by delivering and measuring the effectiveness of content and advertising tailored to your interests; (v) perform analytics; and (vi) assist with security and administrative functions. Tracking pixels (sometimes referred to as web beacons or clear GIFs) are tiny electronic tags with a unique identifier embedded in websites, online ads and/or email, and that are designed to provide usage information like ad impressions or clicks, email open rates, measure popularity of the Websites and associated advertising, and to access user cookies. As we adopt additional technologies, we may also gather information through other methods. Please note that you can change your settings to notify you when a cookie is being set or updated, or to block cookies altogether. Please consult the “Help” section of your browser for more information (e.g., Internet Explorer; Google Chrome; Mozilla Firefox; or Apple Safari).
3. Use of Information Collected from Site Visitors. We use the information collected from Site Visitors for a variety of purposes including to:
   • Maintain, provide, and improve the Websites and the Service
   • Respond to your requests for information
   • In accordance with applicable legal obligations, communicate with you about promotions, offers, and news about ThymeBase. You have the ability to unsubscribe from such promotional communications
   • Prevent or address technical or security issues
   • Investigate in good faith alleged violations of our User Terms of Service
   • Help us better understand Site Visitor interests and needs, and customize the advertising and content you see on the Websites
   • Engage in analysis and research regarding use of the Website and the Service

Legal Bases for Use of Your Information

If you are located in the EU, please note that the legal bases under the EU General Data Protection Regulation (“GDPR”) for using the information we collect through your use of the Website as a Site Visitor are as follows:

• Where use of your information is necessary to perform our obligations under a contract with you (for example, to comply with the Terms of Service which you accept by browsing the Website)
• Where use of your information is necessary for our legitimate interests or the legitimate interests of others (for example, to provide security for our Website; operate our Website; prevent fraud, analyze use of and improve our Website, and for similar purposes)
• Where use of your information is necessary to comply with a legal obligation
• Where we have your consent to process data in a certain way

Aggregate De-Identified Data

We may aggregate and/or de-identify information collected through the Website so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and analytics, and may also share such data with any third parties, including partners, affiliates, services providers, and others.

Combined Information

We may combine the information that we collect through the Service with information that we receive from other sources, both online and offline, and use such combined information in accordance with this Policy and, if you’re a Subscriber or User, in accordance with the Terms of Service.

Website Analytics and Advertising

We may use third-party web analytics services on our Websites to collect and analyze usage information through cookies and similar tools; engage in auditing, research, or reporting; and provide certain features to you. To prevent Google Analytics from using your information for analytics, you may opt out of this by clicking here to install the Google Analytics Opt-out Browser Add-on.

The Website may integrate third-party advertising technologies that allow for the delivery of relevant content and advertising on the Websites, as well as on other websites you visit. The ads may be based on various factors such as the content of the page you are visiting, information you enter such as your age and gender, your searches, demographic data, and other information we collect from you. These ads may be based on your current activity or your activity over time and across other websites and online services and may be tailored to your interests.

We also allow other third parties (e.g., ad networks and ad servers such as Google Analytics, DoubleClick and others) to access their own cookies or other tracking technologies on your computer, mobile phone, or other device you use to access the Websites. We sometimes provide Site Visitor information (such as email addresses) to service providers, who may “match” this information in de-identified form to cookies (or mobile ad identifiers) and other proprietary IDs, in order to provide you with more relevant ads when you visit other websites.

We neither have access to, nor does this Policy govern, the use of cookies or other tracking technologies that may be placed on your device you use to access the Websites by such non-affiliated third parties. If you are interested in more information about tailored browser advertising and how you can generally control cookies from being put on your computer to deliver tailored advertising, you may visit the Network Advertising Initiative’s Consumer Opt-Out link, the Digital Advertising Alliance’s Consumer Opt-Out link, or Your Online Choices to opt-out of receiving tailored advertising from companies that participate in those programs. To opt out of Google Analytics for display advertising or customize Google display network ads, visit the Google Ads Settings page. We do not control these opt-out links or whether any particular company chooses to participate in these opt-out programs. We are not responsible for any choices you make using these mechanisms or the continued availability or accuracy of these mechanisms.

Please note that if you exercise the opt-out choices above, you will still see advertising when you use the Websites, but it will not be tailored to you based on your online behavior over time.

Sharing of Site Visitor Information

We may share the information we collect from Site Visitors as follows:

• Service Providers. We may provide access to or share your information with select third parties that use the information only to perform services on our behalf. These third parties provide a variety of services to us, including without limitation provision of content and features, analytics, data storage, security, fraud prevention, and other services.
• Business Transactions. If the ownership of all or substantially all of our business changes, we may transfer your information to the new owner so that the Service can continue to operate. In such case, your information would remain subject to the promises and commitments contained in this Policy until such time as the acquiring party modifies it. If such transfer is subject to additional mandatory restrictions under applicable laws, ThymeBase will comply with such restrictions.
• Consent. We may also disclose your information to third parties with your consent to do so.

Retention of Your Information

We will retain your information for the period necessary to fulfill the purposes outlined in this Policy unless a longer retention period is required or permitted by law.

Data Subject Rights

Local legal requirements (such as those in the EU) may afford you additional rights. If you would like further information in relation to your legal rights under applicable law or would like to exercise any of them, please contact us via email at any time at support@thymebase.com . We may request you provide us with information necessary to confirm your identity before responding to your request.

Your local laws (such as those in the EU) may permit you to request that we:

• provide access to and/or a copy of certain information we hold about you
• prevent the processing of your information for direct-marketing purposes (including any direct marketing processing based on profiling)
• update information which is out of date or incorrect
• delete certain information which we are holding about you
• restrict the way that we process and disclose certain of your information
• transfer your information to a third party provider of services
• revoke your consent for the processing of your information

We will consider all requests and provide our response within the time period stated by applicable law. Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation.

Third Party Links And Services

The Website may contain links to third-party websites and functionalities. If you choose to use these third party services, you may disclose your information not just to those third-parties, but also to their users and the public more generally depending on how their services function. Because these third-party websites and services are not operated by ThymeBase, ThymeBase is not responsible for the content or practices of those websites or services. The collection, use, and disclosure of your information will be subject to the privacy policies of the third party websites or services, and not this Policy. We recommend you to read the privacy and security policies of these third-parties.

What Information is collected and how is it used?

ThymeBase collects Personal Information in the course of providing the Service to you, including through your voluntary, optional submissions, such as information that you provide to us at the time of registering for the Service, or through your use of the Service. When you register with us for an account, we may collect information such as your name and email address. When you pay for certain features of the Service, we may collect information such as your credit card number, expiration date, billing address, and CVV or security code number. You may also provide Personal Information to us in other ways, such as by requesting user support.

We do not store any of your financial information including billing and credit card information. Your financial information is processed by secure, third party services.

We will never sell nor rent your personal information to any third party. We may use your email address to deliver relevant product information and marketing messages. You may opt-out from receiving these marketing messages by following the instructions provided in the messages to unsubscribe from email communication or by emailing support@thymebase.com . Communication about important notices and updates regarding the Service, such as to inform you about changes in the Service, and important services-related notices, such as about security and fraud are an important part of the Service, and you may not opt out of them.

We reserve the right to use the name and/or logo of the company you work for in publicity material, advertising or marketing collateral, unless you specifically tell us otherwise. Your full name, address details and all other personal information will remain confidential at all times.

The Site uses cookies to store information on your computer which are necessary for the proper operation of our system and help us improve the user experience. By using ThymeBase, you consent to the placement of these cookies. As is true of most websites, we gather certain information automatically and store it in log files. We use this information to help, diagnose problems with our server, and to administer the Site and the Service. We also gather anonymized information from this data to help us improve the Site and Service. This is not linked to any personally identifiable information.

Disclosure of Information

Aggregate Information and Non-Identifying Information. We may use Non-Personal Information that we collect to (a) provide, improve, and develop the Service and otherwise tailor your user experience, (b) prevent or investigate fraudulent or inappropriate usage of our Service, and (c) conduct research and development, and for the other purposes described in this Privacy Policy.

Service Providers. We may employ third-party companies and individuals to facilitate our Site and Service, to provide the Service on our behalf, to perform Site-related services (e.g., without limitation, maintenance services, database management, web analytics and improvement of the Site's features) or to assist us in analyzing how our Site and Service are used. These third parties have access to your personally identifiable information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Compliance with Laws and Law Enforcement. ThymeBase cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), to protect the property and rights of ThymeBase or a third party, to protect the safety of the public or any person, or to prevent or stop activity we may consider to be, or to pose a risk of being, any illegal, unethical or legally actionable activity.

Account Information. You agree to keep confidential and not to disclose to any other individual or individuals for all time the username and password related to Your ThymeBase account.

Security

In an effort to prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place physical, electronic, and managerial procedures to safeguard and secure the information we collect online. Please be aware, however, that no method of transmission over the Internet, and no means of electronic or physical storage, is absolutely secure, and thus we cannot ensure or warrant the security of that information. Once we receive personal information, we make reasonable efforts to protect it from unauthorized access, disclosure, alteration, or destruction. But we cannot represent or guarantee that personal information will not be accessed, disclosed, altered, or destroyed.

We will make any legally required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored "personal data" (as defined in applicable state statutes on security breach notification) to you via email or conspicuous posting on the Site in the most expedient time possible and without unreasonable delay, insofar as consistent with (i) the legitimate needs of law enforcement or (ii) any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

You can learn more about ThymeBase’s security here.

International Site Visitors and Users

The Services are hosted in and provided from the United States. If you use our Services from the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that you are transferring your personal data to the United States. The United States does not have the same data protection laws as the EU and some other regions. By providing your personal information and by use of the Site and Service, you consent to the transfer of your personal data to the United States and the use of your personal information, in accordance with this policy.

Marketing Practices and Choices

If you receive email from us, we may use certain analytics tools, such as clear GIFs, to capture data such as when you open our message or click on any links or banners our email contains. This data allows us to gauge the effectiveness of our communications and marketing campaigns. You may instruct us not to use your contact information to contact you by email, postal mail, or phone regarding products, services, promotions and special events that might appeal to your interests by contacting us via email at support@thymebase.com . In commercial email messages, you can also opt out by following the instructions located at the bottom of such emails. Please note that, regardless of your request, we may still use and share certain information as permitted by this Policy or as required by applicable law. For example, you may not opt out of certain operational or service-related emails, such as those reflecting our relationship or transactions with you.

GDPR Compliance

The General Data Protection Regulation (“GDPR”) is a European law establishing protections for the personal data of EU residents that came into force on May 25, 2018. Under the GDPR, organizations that collect, maintain, use, or otherwise process EU residents’ personal data (regardless of the organization’s location) must implement certain privacy and security safeguards for that data. ThymeBase has established a GDPR compliance program and is committed to partnering with its customers and vendors on GDPR compliance efforts

California Privacy Rights

California law gives residents of California the right under certain circumstances to request information from us regarding the manner in which we share certain categories of personal information (as defined by applicable California law) with third parties for their direct marketing purposes. However, ThymeBase does not share your personal information with third parties for their own direct marketing purposes.

Policy Changes

ThymeBase reserves the right to change this Privacy Policy and will post any revisions on the Site or update you by email. We encourage you to review this Privacy Policy regularly for any changes. Your continued use of the Site will be subject to the then-current Privacy Policy. This Privacy Policy was last revised December 18, 2019.

Contact

If you have questions or comments regarding this Privacy Policy, please contact us at support@thymebase.com or 2443 Fillmore Street #380-2884 San Francisco CA 94115.