SwayPay, Inc. (“Directful”, “we”, and/or “us”) values the privacy of individuals who access or use directful.com (https://www.directful.com/), including all of its related applications, dashboards, or platforms, who purchase any products from Directful, or who sign up for any services.
This privacy policy (“Privacy Policy”) explains how we collect, use, and share data about any individual or entity who accesses or uses the Services (“client” or “you”) or their devices. By using our Services, you agree to the collection, use, disclosure, and procedures this Privacy Policy describes. Beyond the Privacy Policy, your use of our Services is also subject to our Terms of Service.
Directful provides various online service tools to the hospitality industry. These tools include, but are not limited to, CRM, loyalty, messaging, marketing and review management. Members of the hospitality industry that engage us to provide these online service tools are our “Clients”.
Data We Collect
Data you give to us directly. When our clients contract to use our service, we ask for personal contact information such as the first and last name, mobile phone number(s), physical address(es) and email address(es) of client staff authorized to use the services. If a client’s guest or patron elects to use our messaging service, our client will also collect the end user’s personal contact information such as their name and mobile phone number(s) and enter that information into our services.
Data we collect from you automatically. When clients use our application or messaging, we automatically collect data regarding the clients’ browser and log files, operating system, internet protocol (IP) address, domain name, internet service provider, geographic location, date/time stamp, and click stream data, including the pages visited while on our web application.
How We Can Use Data
We can use the data that we collect for the following purposes, subject to applicable law and as outlined in our service agreement, including:
- The purposes for which the client provided it and as outlined in the Directful-client signed service agreement;
- To provide our services to clients, including any notifications or updates relating to the services;
- To process and respond to client inquiries and comments;
- To improve the Directful services or to develop new services;
- To contact clients with information, including marketing information, that we believe will be of interest to them;
- To aggregate or de-identify data. We can share aggregated or de-identified data relating to clients and end users of the Directful services with any third party for any purpose;
- To analyze how clients use Directful’s services;
- To allow us to personalize and enhance the clients’ experience using the services;
- To reach out to clients via telephone, email or text regarding the services;
- As otherwise stated in this notice.
Data Protection
Directful implements responsible and sophisticated technical and physical controls that are designed to prevent unauthorized access to or disclosure of your content.
Directful continually monitors the evolving privacy regulatory and legislative landscape to identify changes and determine what tools our customers might need to meet their compliance needs.
Maintaining customer trust is an ongoing commitment. We strive to inform you of the privacy and data security policies, practices, and technologies we’ve put in place. These commitments include:
- Access: As a customer, you maintain full control of your content and responsibility for configuring access to Directful services and resources. Directful maintains the right to monitor and maintain content of user data to help improve the user experience. We provide resources for you to configure access control permissions for any of the services you utilize in the Directful environment. We have an advanced set of access, encryption, and logging features to help you do this effectively. We may access content to provide and maintain the service and to improve and develop the quality of Directful machine-learning/artificial-intelligence technologies. Use of your content is necessary for continuous improvement of your Directful customer experience, including the development and training of related technologies.
- Storage: Your content is stored and backed up securely in certified Tier 1 Cloud providers such as AWS (Amazon Web Services), Google Cloud and Microsoft Azure in US Regions in compliance with PCI, GDPR, SOC 1, 2, 3, CCPA, PIPEDA. We will not move or replicate your content outside of defined cloud providers and US Regions without your consent, except as legally required and as necessary to maintain Directful services.
- Security: Directful holds the confidentiality, integrity, and availability of your content in the highest regard. We use various security measures to protect content that we collect, and we have implemented security measures as part of Directful’s program to protect content it controls. All content stored in the Directful platform is encrypted. Directful conducts background checks on employees, utilizes web application firewalls, employs secure coding practices based on industry best practices, and performs vulnerability scans and application penetration tests on its environment as part of its risk management process. Unfortunately, no security measures are perfect or impenetrable and content transmission over the Internet cannot be guaranteed to be 100% secure. We cannot and do not ensure or warrant the security of any content you transmit to Directful and you do so at your own risk.
- Security Assurance: We have developed a security assurance program that uses best practices for privacy and data protection to help you operate securely with Directful.
How We May Disclose Data
Data can be disclosed to third parties in accordance with this notice, subject to applicable law. Please note that an end user can choose not to share certain data. See Your Choices Regarding Client and End User Data.
- Third Parties and Service Providers. We can use third parties or service providers to perform functions in connection with our services, such as our hosting service provider and service providers that assist with the transmission of data, or to perform any of the actions or activities allowed under this notice. We can share data about client and end users that they need to perform their functions and in accordance with our agreements with them. We do not permit our third party service providers to use the data we share with them for their marketing purposes.
- Client Subsidiaries and Affiliates. We can share client and end user data with client owners, subsidiaries, licensees, affiliates, successors, or other entities related to our client for the purposes of managing the services offering at client sites.
- Directful Subsidiaries. We can also share your data with any subsidiaries of ours for purposes consistent with this notice. Any subsidiary of ours will be required to maintain that data in accordance with this notice.
- Aggregated or De-identified Data. We can share aggregated or de-identified data relating to clients and end users of the Directful services with any third party for any purpose.
- Business Changes. If we become involved in a merger, acquisition, sale of assets, divestiture, joint venture, securities offering, financing, bankruptcy, reorganization, liquidation, dissolution, or other transaction or if the ownership of all or substantially all of our business otherwise changes, we can share or transfer client and end user data (including, without limitation, in connection with due diligence for any such transaction) to a third party or parties in connection therewith and it can be used subsequently by such third party or parties.
- Investigations and Law. To the extent permitted by applicable law, we can disclose data about client and end users to third parties to:
  - Comply with law, in response to subpoenas, warrants, or court orders, or in connection with any legal process or cooperate with government or law enforcement agencies or officials or private parties, including laws outside of the client and end users’ country of residence;
  - Protect our rights, reputation, safety and property or in an emergency, or that of our users or others;
  - To resolve disputes;
  - Protect against legal liability;
  - Establish or exercise our rights to defend against legal claims; or
  - To investigate, prevent or take action regarding suspected illegal activities, suspected fraud, the rights, reputation, safety or property of us, client and end users or others, violation of our policies or agreements or as otherwise required by law.
- For any other purpose disclosed by client or Directful to provide our services.
International Transfers
We operate in and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. does not provide the same legal protections guaranteed to Personal Data in the European Union. Accordingly, your Personal Data may be transferred to the U.S. pursuant to the Standard Contractual Clauses, or other adequacy mechanisms, or pursuant to exemptions provided under EU law. Contact us for more information regarding the mechanisms to ensure adequate protection of data subject to EU Law.
Retention
We will retain the personal information for as long as reasonably necessary for the purposes described in this notice, as agreed upon in our services agreements, while we have a legitimate business need to do so, or as required by law (for example, for legal, tax, accounting or other purposes), whichever is the longer.
To determine the appropriate retention period for the personal information, we will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we use the personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Changes to Our Privacy Policy
We may change this Privacy Policy from time to time. Changes will be posted on this page with the effective date. Please visit this page regularly so that you are aware of our latest updates. Your use of the Service following notice of any changes indicates acceptance of any changes.
Contact Information
You may contact us via email at legal@directful.com. Or, you may write to us at the address listed below.
SwayPay, Inc.
Attn: Privacy Officer
1259 El Camino Real, Unit #1001
Menlo Park, CA 94025
Last update: September 1, 2020