About this Privacy Policy
This privacy policy explains what Ebsta does with personal data. Please read it carefully. If there is anything you don’t understand, please email us at privacy@ebsta.com and we will be happy to explain further.
We last updated this privacy policy on the 18th June 2020. As our various services grow and evolve, and as changes in the law arise, we may need to update it from time to time. Updated versions will be posted on this page. If appropriate, we will also notify those affected by email of any significant changes.
Who we are and What we do
We are Ebsta Limited. Our registered office is at Suite 2, Fountain House, 1a Elm Park, Stanmore, Middlesex, HA7 4AU.
The Ebsta platform offers products, features and solutions which help our customers connect, efficiently utilise and gain insights from integrating multiple data sources including their email, calendar systems and CRM systems to ensure a 360 degree view of their customers, accurate data and the ability to drive revenue through the understanding of relationships in their business network.
The features trialled, purchased and utilised have differences in how they handle personal data, which we explain further below.
For more details about the products we offer, and what is included in each of the pricing plans, please see our main website .
Who controls your information and who to contact in relation to your information
Because of what we do, who controls your information varies depending on the type of information.
Any enquiries in relation to your information, or any request to exercise your rights under data protection law in respect of your information, should be directed to the person that controls your information, as set out below.
Please see “What are my rights in relation to my information” further below for details of what rights you have over your information.
If your information is collected by an Ebsta product
An Ebsta product used by one of our customers may collect some of your information where you have a relationship with that customer. That relationship may be by virtue of exchanging emails or calendar invites with the customer, or interacting on professional, social or other websites where your information is shared.
However, where Ebsta collects your information in these circumstances, it does this on behalf of the customer in question and it is that customer that controls your information. Any queries or requests to exercise any of your rights in relation to your information should therefore be directed to that customer.
Whilst we do not control your information in these circumstances, the information contained on this page may still be useful to you in understanding how the Ebsta product works, and how it collects your information on behalf of our customer.
If you have a direct relationship with Ebsta
Examples include where you are an employee of Ebsta, a customer of Ebsta or a supplier to Ebsta. However, if you are an employee of Ebsta, please see the staff handbook, as this policy does not apply to you.
In these circumstances, Ebsta controls your information to the extent that it relates to that relationship, and any queries or requests to exercise any of your rights in relation to that information should be directed to Ebsta.
Where a person has a direct relationship with Ebsta, we will generally stop processing that person’s personal data if they ask us to, unless we have a good and lawful reason to continue doing so (such as to recover a debt or to investigate abuse of our services). However, if an Ebsta user asks us to stop processing their personal data, then depending on the precise scope of the request we may not be able to continue to provide our services to that user, or the customer that user works for. We do not offer refunds in those circumstances.
If you also have relationships with Ebsta’s customers, Ebsta’s customers may also control some of your information separately (see above, “If your information is collected by an Ebsta product”).
The information we collect, how we collect it, why we collect it, and what we do with it
CRM systems – customers of Ebsta only
When an Ebsta customer creates an account with Ebsta to use any of our services, we ask them to authorise us, via OAuth, to interact with their CRM system in the context of the user. We use that authorisation to access the information we need in the CRM system for account administration, for providing our services and for communicating with your business about our services. You can read more detail about any of those purposes below.
Email/Calendar systems (Google Apps, Office 365, MS Exchange) – customers of Ebsta only
Ebsta systems, when used in conjunction with email/calendar systems, prompt the users to connect or can be connected by an administrator with a service account to provide access to the contained information for delivery of the application services. You can read more detail about any of those purposes below.
Account administration
As part of our account creation process, we collect contact details and related data from each Ebsta user’s CRM system account. For this reason, we recommend that our customers set up CRM system users using their business contact details.
We collect that data, as a data controller, in order to allow us to create and administer users’ accounts with us, to set up the business they work for as our customer, to enable us to communicate with our customer about our services, to assess the correct licensing levels for our customer, to ensure compliance with our terms of service and to enable us to provide our services effectively. In our terms of service, the business that is our customer has agreed that we can do this, and that it has the right to allow it.
Our legal basis for processing information in this way is necessity for the performance of our contract, or trial contract, with our customer, the employer of the users. Failure to allow Ebsta to process information in this way will prevent Ebsta from providing its services to the customer.
We retain this data throughout the period that the customer remains a customer or active product user and for two years following termination of the customer contract or the user ceasing use (as the case may be).
Providing our services
CRM – To provide our services, we require access to the data in the customer’s CRM system to provide search, load, match, update and create actions. This includes access to profile, contact, lead, opportunity, account, activity objects and selected custom objects subject to configuration.
Email/Calendar – To provide our services we require access to the data held in the customers email systems (Google Apps, Office 365, MS Exchange) to provide search, loading, matching, create, send, update and delete actions on emails and calendar events. Depending on configuration and services utilised, this includes access to email/event for read/display/synchronisation against matching CRM records, email write access for inserting templates, send access for sending email campaigns at scheduled times and delete access for advanced GDPR features. Users profile information is accessed to display configuration information to the end users and administrators.
Users can revoke our access to their CRM/Email/Calendar system at any time, although of course if they do so we will not be able to continue to provide the Ebsta services.
Where we access a customer’s CRM/Email/Calendar system, we do so as a data processor. It is therefore for our customer to establish the purpose and lawful basis for the processing of any personal information that this entails.
We may retain copies of this data on our systems dependant on configuration options and the services used for delivery of the services. We retain this data for 60 days beyond contract termination.
Communications about our products and services
We also use the contact details we collect in the course of account administration to inform users from time to time about the solutions or services which we offer. We will not use that data to market anyone else’s products or services, and we will stop sending nonessential communications to users if they ask us to.
Our legal basis for processing is consent. The contact details we use will be those collected at the time you create your account.
We retain this data throughout the period that the customer remains a customer or active product user and for two years following termination of the customer contract or the user ceasing use (as the case may be).
Email – persons with relationships with our customers
A key part of our services is the ability to analyse and cross-reference the CRM data with data locked up in our customer’s email mailboxes. In doing so, information (which may include personal information) from an email, or the email itself, may be placed on the customer’s CRM system.
How we do this, and what we do with emails beyond syncing them (or information in them) to a customer’s CRM system differs based on configuration and licence held.
Where we process a customer’s emails (which may contain personal information), we do so as a data processor. It is therefore for our customer to establish the purpose and lawful basis for the processing of any personal information that this entails.
Application extensions (before 1st July 2020)
Inbox customers (application extensions) subscribed pre July 1st 2020 cross-referencing is done purely transactionally as needed.
Copies of emails/documents are passed to Ebsta servers for processing, but we do not retain copies once they have been processed.
Ebsta Users (From 1st July 2020) & Ebsta Managed Package Customers
Where a user signs in to the Ebsta service we ask them to authorise us to access and analyse their business emails in order to provide our services.
We do that by means of the relevant email vendor’s API (if the email is accessed via a cloud service such as Google Apps or Office 365) or by interfacing directly with the customer’s email system (such as Exchange). This is done systematically for every email sent or received by a mailbox connected to Ebsta by the customer user. Access scope is defined by the user and connection type.
We retain copies of emails which we analyse as part of providing the 360 degree customer view and because it is necessary in order to provide that service for performance reasons. However, we do so as data processor and only retain these emails for 60 days beyond the date on which our customer ends their contract or trial.
Users can control the visibility of emails within their organisation, either by each individual end user setting permissions in respect of his or her own email or, in the case of our enterprise services, by the customer’s administrator setting global permissions applicable to all user’s within that customer’s business.
Please note that, unless you set permissions correctly, emails held in mailboxes connected to Ebsta will be visible to other people working in your organisation.
In our terms of service, our customer has agreed that we can do this, and that it has the right to allow it on behalf of its users. It is our customer’s responsibility to ensure that it sets permissions correctly to ensure that users do not see emails that they should not see.
We do not share the contents of the emails we collect with anyone outside a customer’s organisation.
Managed Package Fair Usage Policy
The following fair usage terms apply:
1. Volume of emails processed per annual subscription – Ebsta will attempt to process up to 20,000 emails per individual annual subscription. (shorter contracts will be calculated prorata). If this limit is exceeded Ebsta reserves the right to stop processing emails for the mailbox in question until a new subscription is assigned.
2. Processing of historical emails – Ebsta charge a setup fee to process historical emails. This setup fee is calculated on the number of months’ worth of historical data the Customer wants processed into Ebsta. We apply a fair usage cap of 20,000 emails per 12 months of historical data purchased (calculated on a pro rata basis for shorter periods). If this fair usage cap is exceeded Ebsta reserves the right to stop processing emails for the mailbox in question until an additional set up fee is agreed.
3. Transfer of license between email addresses – Customers may transfer mailbox licenses midterm without charge. The original mailbox will become inactive, and Ebsta will attempt to process emails for the new mailbox from the date the license is allocated. If the Customer wants historical emails processed for the new mailbox a separate set up charge will apply.
4. Data sourced from inactive mailboxes – Ebsta will continue to make data sourced from inactive mailboxes visible as long as the customer has live licenses for a minimum of 50% of the mailboxes under management.
5. Viewing the Ebsta Managed Package – Users that have a paid subscription/active mailbox connected to Ebsta get unrestricted access to the Ebsta managed package services they have subscribed to. Ebsta reserves the right to limit access or functionality to users that do not have a paid subscription.
Email Tracking – persons with relationships with our customers
An option exists for Ebsta customers to include a small invisible image file unique to the recipient which is hosted on an Ebsta server. When the email is opened, and provided the image is loaded, we tell the customer (a) that the email has been opened by its recipient; (b) what type of device they opened the email on; (c) the time at which the email was opened; and (d) the location at which the email was opened (based on IP address, if provided).
To disable this functionality a recipient of emails from an Ebsta customer can disable the display of inline images in the settings of their email client or webmail.
Where we track a person’s emails in this way, we do so as a data processor for our customer. It is therefore for our customer to establish a lawful basis for the processing of any personal information that this entails.
We retain this data for 60 days beyond the date on which our customer ends their contract.
Cookies – users of Ebsta’s products and website visitors
Like most web services, we use cookies to allow our services to work properly, and to provide us with feedback on how people use our services and our website so we can make them better.
Cookies are small text files stored in a browser’s cache by our servers and which our servers can read when that browser accesses our site or our services. The Information Commissioner’s website has more detail about how cookies work.
We assume that people using our services or accessing our website consent to our use of cookies.
Where the use of cookies is non-essential (e.g. to provide Ebsta with feedback on how people use our services and our website), our lawful basis for processing is consent, which we imply should you continue to use our website (pursuant to Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003). You can withdraw your consent by disabling the placing of cookies via your browser settings, but note that this may prevent our services or website from working correctly where essential cookies are also used.
Where the use of cookies is essential (in order to allow our services to work properly), our lawful basis for processing is necessity for the performance of an express or implied contract. If you refuse to allow this processing to take place, we are unable to provide our services or website (as the case may be) to you.
The cookie itself will be retained on your computer until you clear your cookies through browser settings or until the expiry date set on that cookie is reached. The data that we derive from the cookie is retained throughout the period that the customer remains a customer or active product user and for two years following termination of the customer contract or the user ceasing use (as the case may be).
Who we share personal information with and why
We share personal data with some of our suppliers to the extent necessary to allow us to provide and market our own services. For example, personal data will be stored by our hosting providers, and payment information will be processed by our payment processor. Where we do share personal data with our suppliers, we share it with them as our data processor.
Export of personal information outside the EEA
In certain limited circumstances, we do export personal data outside of the EEA for processing, and we do use third party service providers who do the same.
We only do that if there is a good reason to do it and where adequate safeguards (such as the appropriate contractual arrangements with suppliers) are in place. For example, we process personal data on Amazon’s AWS platform at a number of geographical locations around the world in order to improve the speed and resilience of our service for our customers.
Ebsta has signed Amazon’s AWS data processing addendum, which has been approved by the Article 29 Working Party.
Our Security Precautions
We protect our own systems with appropriate technical and organisational measures, including firewalls, access control systems, strong passwords, antivirus software, and robust information security policies. We actively monitor our systems for signs of attack or intrusion. For more information, see our security statement.
However, there are certain aspects of the security of personal data processed by us which are beyond our control. In particular:
- Personal data stored in a user’s account with us is only as secure as the password which is used to access that account. We expect our users to keep their passwords secure, and to change them promptly if they are compromised.
- We access our customers’ external cloud services such cloud CRM systems and Office 365 using security access tokens issued to us by the provider of that service. We cannot control, and are not responsible for, any security failure in that provider’s systems or APIs.
Your rights over your personal data and how to exercise them
The law gives you certain rights in respect of the information that we hold about you. Below is a short overview of the most commonly-used rights. It is not a complete, exhaustive statement of your rights in respect of your personal data. The website of the Information Commissioner’s Office (https://www.ico.org.uk) has a wealth of useful information in respect of your rights over your personal data.
If you wish to exercise your rights, you should contact the person that controls your data, as highlighted above in the section entitled “Who controls your information and who to contact in relation to your information”.
Your right to withdraw your consent, including to marketing communications
When we process your information on the basis of your consent as the controller of that information (see the section entitled “Who controls your information and who to contact in relation to your information” above), you have the right to withdraw that consent at any time. You can do that by:
- Emailing us at optout@ebsta.com
- Writing to our head office at the address above, for the attention of the compliance team.
- In the case of marketing emails, by following the instructions contained in the email.
If we are doing something with your data on the basis of your consent and you withdraw it, we will stop doing it.
Accessing your personal data held by us
If you want to exercise a legal right to access your personal data controlled by Ebsta (see the section entitled “Who controls your information and who to contact in relation to your information” above), the easiest and most efficient way to do so is to email subjectaccessrequest@ebsta.com or write to our head office at the address above, for the attention of the compliance team.
Note that in some cases an exception may apply, which we will raise with you if applicable.
Your right to have inaccurate information about you corrected
You have the right to have the information we hold about you corrected if it is factually inaccurate.
If you are a customer, or a user of a customer, the easiest way to do this is by updating your CRM account, which Ebsta syncs with. If auto-sync does not work, please email support@ebsta.com
If you are not a customer of Ebsta, or a user of a Ebsta customer, please contact the controller of your data (see the section entitled “Who controls your information and who to contact in relation to your information” above).
Your right to have your information deleted in some circumstances
In some circumstances, and where we control your data (see the section entitled “Who controls your information and who to contact in relation to your information” above), you have the right to require us to delete the information that we hold about you.
In particular, if we are processing your personal information as a data controller on the basis of your consent and you withdraw your consent to that processing, then we will delete the relevant data from our systems unless we have another lawful basis for keeping it.
Your right to complain to the ICO
You also have the right to lodge a complaint about our handling of your personal information with the Information Commissioner’s Office. You can contact them on 0303 123 1113.