Data Privacy Framework ("DPF") Program Notice
Effective: Jan 19, 2025
This DPF notice (“Notice”) governs Qwilt Inc. (“Qwilt”, “We” or “Our”) participation in the EU-U.S. DPF, UK-DPF extension to the EU-U.S. DPF and the Swiss-U.S. DPF programs with respect to the Processing of Personal Data as further explained in Section 1 below.
If there is any conflict between the terms in this Notice and the DPF principles, the DPF principles shall govern. To learn more about the DPF and its principles please visit https://www.dataprivacyframework.gov/s/.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Process”, “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Qwilt complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Qwilt has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Qwilt has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
1. SCOPE
Qwilt’s participation in the DPF applies to Personal Data that is subject to the EU, UK, and Swiss data protection laws that Qwilt receives in the context of the provision of Qwilt’s Services (as defined below) including, from customers, Qwilt’s affiliates or other third parties.
2. PURPOSES OF DATA PROCESSING
Qwilt complies with the principles of the EU-U.S. DPF, EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF regarding the collection, use, and retention of Personal Data transferred to the United States from the European Union, United Kingdom, and Switzerland. Our DPF program covers transfers of Personal Data in the following cases including without limitation: (i) to provide Qwilt’s services, support and technical maintenance; (ii) for Qwilt’s customers to be able to use Qwilt’s services; (iii) when requested or allowed by customers, we may share data with third parties (e.g., internet service providers, content service providers, as applicable); (iv) for troubleshooting matters; (v) billing proof; (vi) security purposes; (vii) improvement of Qwilt services; (viii) to allow customers to log in to Qwilt’s platform; (ix) to communicate with customers for service-related communications; and/or (x) to comply with other documented reasonable instructions provided Qwilt’s customers (the “Service”). The categories of Personal Data collected and Processed by Qwilt, include, without limitation: IP address; services usage metrics; visited URLs where requested the content; timestamp, customers and its users’ business contact information (e.g.; business email, phone number, full name, title); login details and/or any other Personal Data or information that the Qwilt’s customers provide or instruct Qwilt to Process in the context of Qwilt’s Services.
Qwilt has certified to the DoC that it adheres to the DPF Principles and Our DPF certification is available here.
3. ONWARD TRANSFERS OF PERSONAL DATA
3.1. We will not transfer Personal Data originating in the EU, UK and/or Switzerland to third parties unless such third parties have entered into an agreement in writing with us requiring them to provide at least the same level of protection to the Personal Data as required by the Principles of the EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. We transfer Personal Data to processors, service providers, vendors, contractors, partners, and agents (collectively “Processors“) who need the information in order to provide services to or perform activities on Our behalf. We are responsible for such onward transfers to third pursuant to the EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
The abovementioned Processors and the description of the services that they provide and/or the activities that they perform are set out in the table below:
Processor’s Purpose |
On-demand cloud computing platforms including digital user experience cloud-based platform and cloud-based customer support services. |
User identity management tools. |
Customer communication platform for transactional and email provider. |
CRM and ERP platforms |
Support platform |
Log processing platform |
Cloud databases services |
Security platforms |
3.2. To the extent necessary, with regulators, courts or competent authorities, to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other public or governmental agencies, or if required to do so by court order (including to meet national security or law enforcement requirement);
3.3. If, in the future, we sell or transfer, or we consider selling or transferring, some or all of our business, shares or assets to a third party, we will disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events;
3.4. In the event that we are acquired by, or merged with, a third party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events, including, in connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or to another company; and/or
3.5. Where you have provided your consent to us sharing or transferring your Personal Data.
4. DATA SUBJECT RIGHTS
You have the right to access Personal Data about you, and in some cases, you are also allowed to correct, amend, or delete that Personal Data where it is inaccurate, or has been processed in violation of the DPF principles. In addition, you have the choice to limit the use and disclosure of your Personal Data. If you believe that We are Processing your Personal Data within the scope of Our DPF program, you can submit your request to: privacy@qwilt.com.
Please be aware that in specific situations where fulfilling access or other requests might impose a disproportionate burden or expense, or potentially infringe upon the rights of others, we may be required to carefully review and, if permissible under applicable law, respectfully decline your request.
5. INDEPENDENT RECOURSE MECHANISM. ARBITRATION.
5.1. In compliance with the DPF principles, we are committed to resolve complaints about Our collection or use of your Personal Data. EU, UK and Swiss individuals with inquiries or complaints regarding Our DPF policy should first contact Qwilt at: privacy@qwilt.com or by postal mail sent to:
Qwilt Inc.
Attn: DPF Inquiry
275 Shoreline Drive, Suite 510, Redwood City, CA 94065 United States
Qwilt has further committed to refer unresolved privacy complaints under the EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, a non-profit alternative dispute resolution provider located in the United States to assist with the complaint resolution process. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information and to file a complaint. The services of JAMS are provided at no cost to you.
5.2. Under certain conditions, more fully described on the DPF website (available here), you may also be able to invoke binding arbitration to determine whether a participating organization has violated its obligations under the DPF principles as to that individual and whether any such violation remains fully or partially unremedied (“residual claims”) after you approached us and you used the independent recourse mechanism. The International Centre for Dispute Resolution-American Arbitration Association (“ICDR-AAA”) was selected by the U.S. Department of Commerce to administer arbitrations pursuant to and manage the arbitral fund. Please visit ICDR-AAA’s website for more information.
6. U.S. FEDERAL TRADE COMMISSION ENFORCEMENT.
Qwilt is subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”) to ensure compliance with the EU-US DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF outlined in this DPF Notice.