SIDEDRAWER PRIVACY POLICY
1. INTRODUCTION
SideDrawer Inc. (“SideDrawer”, “we”, “us”) has created this Privacy Policy (“Privacy Policy”) in order to set out how we collect, use, and disclose Personal Information (as hereinafter defined) through our Website and in the course of providing our SideDrawer software-as-a-service platform (the “Platform”), our mobile app (the “App”) and related services (collectively, the “Services”), each as more particularly described below and in our Terms of Use.
SideDrawer offers a technology solution for customers (including customers who are PSPs (as defined below)) and third-party Advisors (as defined below), in which end users can keep their personal, financial, and important records organized for life allowing PSPs and other Collaborators (as hereinafter defined) to collaborate and communicate with their clients and other people with whom they have a relationship through a single, living document repository. The Website, App and Platform allow end users to capture their critical life documents. The Website, App and Platform also provide the ability to establish permission-based access to PSPs and Collaborators who can access and process their clients’ and other people’s records in real-time.
The privacy of our users’ Personal Information is of great importance to us. By visiting our website located at www.SideDrawer.com, including subpages, (collectively, the “Website”), or using the App, Platform or Services in any manner, you acknowledge that you accept the practices and policies outlined in this Privacy Policy and you hereby consent to the collection, use and disclosure of your Personal Information in accordance with this Privacy Policy.
Our customers are responsible for complying with any regulations or laws that require providing notice, disclosure and/or obtaining consent prior to collecting their customers’ Personal Data using the Website, App, Platform, and/or Services. Please see Section 3 and Section 4 as well as our Data Processing Agreement for more information.
2. WHAT DOES THIS PRIVACY POLICY COVER?
This Privacy Policy covers our collection, use and disclosure of information about identifiable individuals and information which can be used to identify an individual (“Personal Information”). Personal Information may be collected about visitors to the Website, as well as our customers, end users, and other users who use the App, Platform, or Services.
This Privacy Policy covers the activities of SideDrawer only. This Privacy Policy does not apply to the practices of persons and companies that we do not own or control, including your Collaborators and our Tenant PSP customers who may use the Services to collect or access your Personal Information. For the purposes of this Privacy Policy: a “PSP” is an organization that provides professional financial, legal, estate planning, or other services to customers, including, without limitation, banks and other financial institutions, insurance brokers and companies, law firms, and accounting firms; and, an “Advisor” is an individual that provides professional financial, estate planning, legal or other services to clients. An Advisor may be a partner, employee, or contractor of a PSP. If you are a Collaborator (including PSPs and Advisors) and you submit any Personal Information to SideDrawer or the Platform, Website, App or Services, you are responsible for ensuring that you have obtained the necessary authorizations and consents from the relevant individuals to whom such Personal Information relates in order to make such Personal Information available to us for use and disclosure of such Personal Information in accordance with this Privacy Policy. If you are an end user and you submit any Personal Information to SideDrawer or the Platform, Website, App or Services (including any Personal Information that is submitted to SideDrawer or the Platform, Website, App or Services on your behalf by any Collaborator (including PSPs and Advisors on your behalf)), you consent to the use and disclosure of such Personal Information in accordance with this Privacy Policy.
3. COLLECTION OF PERSONAL INFORMATION
3.1 User Account Information. In order to use the Platform, Website, App, and Services, users are required to have a valid SideDrawer account to log in (“Account”). When you register for the Services or create an Account, SideDrawer collects certain Personal Information from you (collectively, “Account Information”) to set up and administer your Account:
- Name
- Email address/es
- Mobile number/s
- Residential address/es
3.2 Records. The purpose of the SideDrawer Website, App, Platform, and Services is to allow end users to store personal records and documents and to share those records and documents with Collaborators (including PSPs and Advisors). Accordingly, SideDrawer collects and stores these personal records that users or their PSPs, Advisors or other Collaborators choose to upload, which includes any Personal Information, including, without limitation, Personal Information such as financial, legal, health, investment, and estate records. SideDrawer does not generally access the Personal Information contained in end user’s records. However, SideDrawer will keep track of what types of documents and records have been uploaded.
3.3 Sponsors. An end user customer or a PSP may purchase a subscription and Account for the Services for use by someone else. In such an instance, the end user customer or PSP is known as a “Sponsor” for that other end user, Account, and subscription. Sponsors may notify someone who the Sponsor wants to sponsor (such as its employees, clients, or family members) by inviting that person to create an Account. Sponsors are responsible for the payment of all subscription fees for the Accounts and end users they have sponsored. Upon termination of any Sponsor-initiated subscription, the applicable end user of the Sponsor-initiated subscription may be given the option to convert the applicable Account to an individual Account. When an Account is set up at the invitation of a Sponsor, that Sponsor is automatically given the ability to view, edit and upload content and records for such Account. An end user may revoke or change Sponsor permissions at any time other than in the case where the Sponsor is a Tenant PSP (as hereinafter defined). In the case where the Sponsor is a PSP who is using the Platform, Website, App and Services with such PSP’s own services for Sub-processor Use (as hereinafter defined) (a “Tenant PSP”), the Tenant PSP will have console access to Accounts that are sponsored by that Tenant PSP and the end user for such Accounts will not have the ability to override or curtail such console access (even using the administrative functions of the Account). Console access to an Account means that the Tenant PSP has complete back-office level access to such Account and its records. A Tenant PSP will also be able to provide console-level access to that PSP’s personnel who may be involved in providing professional advice as well as other third parties. It is the Tenant PSP’s obligation to describe in its own privacy policy any other persons or organizations to whom it discloses Personal Information.
Where a Sponsor other than a Tenant PSP has been given access to an end user’s Account, that Sponsor’s interaction with the Account will be in the role of a Collaborator and covered by the terms of this Privacy Policy relating to Collaborators. When a Sponsor is given access to an end user’s Account as a Tenant PSP, the Tenant PSP is the data controller for the collection, use, and disclosure of Personal Information and/or Personal Data collected in respect to such Account and the collection, use, and disclosure of such Personal Information and/or Personal Data will be governed by the Tenant PSP’s privacy policy.
3.4 Collaborators. End users may invite third parties (including PSPs and Advisors), known as “Collaborators”, to upload, view and/or edit content and records in the end user’s Account. Accounts may also be created for end users by PSPs for use of the Platform, Website, App and Services with such PSPs’ own services. If an Account is created by a PSP for an end user, then the PSP will either (i) advise the applicable end user that an Account has been created for such end user and that the Platform, Website, App and Services are being used to store and process such end user’s content and records and the PSP will obtain such end user’s acceptance of SideDrawer’s Terms of Service and this Privacy Policy (which may be done by referring to such Terms of Service and Privacy Policy within the PSP’s own terms of service and privacy policy) (“OEM Use”), or (ii) ensure the use of the Account and the Platform, Website, App and Services will be governed solely by the PSP’s terms of service and privacy policy (“Sub-processor Use”). In the case of Sub-processor Use, the applicable PSP’s terms of service and privacy policy will apply to such PSP’s collection, use and processing of your Personal Information. In all cases, you acknowledge and agree that SideDrawer is not responsible or liable for the collection, use, disclosure, or any other processing of your Personal Information by any Collaborators (including PSPs and Advisors). SideDrawer collects the name and email address of such Collaborators from the requesting end user.
3.5 Payment Information. For customers who purchase paid Services, including Premium Services (as defined in our Terms of Use), a valid credit card number, type, expiration date, name and billing address (collectively, “Payment Information”) is collected, stored, used and processed by Stripe Inc. (“Stripe”), our third-party payment processor, and not by us.
Accordingly, the collection, storage, use and processing of your Payment Information is governed by Stripe’s applicable terms of service available at https://stripe.com/us/terms and privacy policy available at https://stripe.com/us/privacy. However, sometimes we may request and receive some of your Payment Information from Stripe in order to complete certain transactions you initiated through the Services, to enroll you in a discount or other rebate program you elected to participate in, to protect against or identify potentially fraudulent transactions, or otherwise as necessary to manage our business.
4. USE OF PERSONAL INFORMATION
In addition to the purposes identified above, in order to provide the Website, App, Platform, and Services, SideDrawer may use your Personal Information to:
- authenticate access to your Account and to provide access to the Website, App, Platform, and Services, including through the use of multi-factor authentication;
- provide, operate, maintain and improve the Website, Platform, App and Services;
- send technical notices, updates, security alerts and support and administrative messages, including alerts related to your document deadlines and expiry dates;
- provide and deliver the Website, App, Platform, and Services and features you request, process and complete transactions, and send you related information, including confirmations and invoices;
- respond to comments, questions, and requests and provide customer and user service and support;
- communicate with customers and users about services, features, surveys, newsletters, offers, promotions, and provide other news or information about us and our select partners;
- investigate and prevent fraudulent transactions, unauthorized access to the Website, App, Platform, and Services, and other illegal activities;
- personalize and improve the Website, Platform, App, and Services, and provide content, features, and/or advertisements that match your interests and preferences or otherwise customize your experience on the Website, App, Platform, and Services;
- monitor and analyze trends, usage, and activities in connection with the Website, App, Platform, and Services and for marketing or advertising purposes (for example to suggest documents and information that may be missing, such as a will or insurance policy, and recommend PSPs or Advisors that you might need to complete services related to missing records);
- enable you to communicate, collaborate, and share files with Collaborators (including PSPs and Advisors) you designate; and
- for other purposes which we will notify you about and seek your consent.
5. COOKIES
When you visit the Website, App or Platform, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Website, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Website, and information about how you interact with the Website. We refer to this information as “Device Information”.
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the Website, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Website.
A cookie is a small data file that is stored on your device. Cookies cannot be used to see any other data on your computer, nor can they determine your email address or identity.
We may use “persistent cookies” for customer and user registration ID and login password for future logins to the Services.
We may use “session cookies” to enable certain features of the Services, to better understand how you interact with the Services and to monitor aggregate usage and web traffic routing on our Website, App and Platform.
The Website, App and Platform may also use technologies such as beacons, scripts, and tags. These technologies may be used for analyzing trends, administering the Website, tracking users’ movements around the Website, and gathering demographic information about our user base as a whole. Various browsers may offer their own management tools for removing these types of tracking technologies.
We may also use third-party ad companies to help provide some of our advertising services. These third parties may place cookies on your computer and collect data about your online activities across websites or online services when you are visiting such third-party websites or logged into such third-party services, including for targeted advertising.
For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
- Facebook: https://www.facebook.com/settings/?tab=ads
- Google: https://www.google.com/settings/ads/anonymous
- Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
6. STORAGE LOCATION AND TRANSFER OF PERSONAL INFORMATION
SideDrawer processes and stores its data, including Personal Information, on servers located in Canada, the United States and other jurisdictions in the world. SideDrawer also transfers data to the third-party service providers described on our Sub-Processors webpage, available here: https://sidedrawer.com/supbrocessors.html (“Sub-Processors”).
By submitting Personal Information (including via PSPs) or otherwise using the Services, you agree to this transfer, storing or processing of your Personal Information in the jurisdictions in which our Sub-Processors are located. You acknowledge and agree that your Personal Information may be accessible to law enforcement and governmental agencies in such jurisdictions under lawful access regimes or court order.
7. DISCLOSURE OF PERSONAL INFORMATION WITH THIRD PARTIES
7.1 Disclosure to Others. End users have the option of sharing Personal Information from their Account with other users, known as Collaborators (including PSPs and Advisors), who may need to view, upload, or edit content or records on an end user’s behalf. In the case where an Account is created by a Collaborator (other than a Tenant PSP) for an end user, that Collaborator will be automatically given the ability to view, edit and upload contents and records for such Account. In the case where an applicable Collaborator is a Tenant PSP, the Tenant PSP will be given console access to accounts created by or at the request of such Tenant PSP, and such console-level access cannot be overridden by the applicable end user (even using the administrative functions of the Account). A Tenant PSP will also be able to provide console-level access to that PSP’s personnel who may be involved in providing professional advice as well as other third parties. End users can also designate PSPs, Advisors, and other users (such as family members) who can edit documents stored in an end user’s Account and can also withdraw editing privileges from those PSPs, Advisors, and other users (in each case, other than Tenant PSPs). By default, the end user of an Account is an editor of that Account. Content and records and Personal Information are only shared with any applicable Tenant PSP (and with any third parties that such Tenant PSP may share such content and records with) and with those Collaborators who an end user or an editor of an Account have designated. Editor users can update their settings to add or remove Collaborators (including PSPs, Advisors, and other users, in each case other than Tenant PSPs) for an Account and revise specific permissions of Collaborators (including PSPs, Advisors, and other users, in each case other than Tenant PSPs).
7.2 Service Providers and Business Partners. We may from time to time employ third parties to perform tasks on our behalf and we may need to share Account Information and other Personal Information with them to provide certain services. Unless we tell you differently, such third parties do not have any right to use the Personal Information we share with them beyond what is necessary for them to provide the tasks and services on our behalf. The third parties we currently engage include third-party companies and individuals employed by us to facilitate our Services, including the provision of database management, payment processing, and customer relationship management tools, including the Sub-Processors.
7.3 Business Transfers. If our business (or substantially all of our assets) are acquired by a third party, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information may be made available or otherwise transferred to the new controlling entity, where permitted under applicable law. Your Personal Information may also be transferred in connection with due diligence for any such transactions.
7.4 With Your Consent. If we need to use or disclose any Personal Information in a way not identified in this Privacy Policy, we will notify you and/or obtain consent as required under applicable privacy laws.
7.5 As Required by Law. We may disclose your Personal Information to third parties without your consent if we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be causing injury to or interference with (either intentionally or unintentionally) our rights or property, other users, or anyone else (including the rights or property of anyone else) that could be harmed by such activities. Further, we may disclose Personal Information when we believe in good faith that such disclosure is required by and in accordance with the law.
We also reserve the right to access, read, preserve, and disclose any information as we reasonably believe is necessary to:
- satisfy any applicable law, regulation, legal process or governmental request;
- enforce our contracts (including our Terms of Use), as well as investigate potential violations of such contracts; and
- detect, prevent, or otherwise address fraud, security or technical issues.
The above may include exchanging information with other companies and organizations for fraud protection and spam/malware prevention. Notwithstanding the terms of this Privacy Policy, the collection, use, and disclosure of Personal Information may be made outside of the terms herein to the extent provided for in any applicable privacy or other legislation in effect from time to time, or pursuant to court orders.
8. RETENTION
We will keep your Personal Information for as long as it remains necessary for the identified purpose or as required by law, which may extend beyond the termination of our relationship with you. When an Account becomes inactive for an extended period of time, we have the right to delete the Account and related data and Personal Information.
Our customers may use the Services to store records of their clients, including Personal Information, in accordance with their own retention policies.
We may retain certain data as necessary to prevent fraud or future abuse, or for legitimate business purposes, such as analysis of aggregated, non-personally-identifiable data, account recovery, or if required by law. All retained Personal Information will remain subject to the terms of this Privacy Policy.
The data our customers process in connection with the Website, App, Platform, and/or Services is retained according to the SideDrawer Data Processing Agreement.
9. PROTECTION OF PERSONAL INFORMATION
SideDrawer uses technological safeguards designed to protect your Personal Information from loss and unauthorized access, copying, use, modification or disclosure. For example, we take the following measures:
- We use AES 256-bit encryption for data storage and AES 128-bit encryption for data during transmission;
- We limit our own access to your Personal Information by ensuring that only authorized persons have access and such access requires a secure password. Only employees who “need to know” in order to fulfill their job requirements have access to your Personal Information; and
- We train our employees to keep users’ Personal Information private and confidential.
Unfortunately, no data storage or data transmission over the Internet is 100% secure. As a result, while we strive to protect your Personal Information, we cannot guarantee the confidentiality or security of any information you transmit to us, and you do so at your own risk.
10. ACCESS, CORRECTION AND ACCURACY RIGHTS TO PERSONAL INFORMATION
You have the right to access the Personal Information we hold about you in order to verify the Personal Information we have collected in respect to you and to have a general account of our processing of that Personal Information. Upon receipt of your written request, we will provide you with a copy of your Personal Information, although in certain limited circumstances, and as permitted under law, we may not be able to make all relevant Personal Information available to you, such as where that Personal Information also pertains to another user. In such circumstances we will provide reasons for the denial to you upon written request. We will endeavor to deal with all written requests for access and modifications in a timely manner.
For all of the rights described in this Section, in certain instances, where we are acting as a sub-processor for one of our customers who is the actual data controller, we may not be able to respond to or take action in respect to a request from you in connection with your Personal Information or Personal Data without notifying and receiving consent and/or further instructions from such customer who is the actual data controller. Where our Website, App, Platform, and/or Services are made available to you via one of our customers as a Sub-processor Use, please direct your Personal Information and Personal Data questions to such customer, as your use of the Website, App, Platform, and/or Services is subject to that customer’s terms and policies. We are not responsible for any customer’s privacy or security practices, and those practices may be different from those described in this Privacy Policy. The customer can remove Personal Information or Personal Data without our involvement in some cases or will request that we remove applicable Personal Information or Personal Data from the Website, App, Platform, and/or Services (subject to the provisions on data retention above). Please refer to the applicable customer’s organizational policies for more information.
We will make every reasonable effort to keep your Personal Information accurate and up to date, and we will provide you with mechanisms to update, correct, delete or add to your Personal Information as appropriate. As appropriate, this amended Personal Information will be transmitted to those persons and entities to whom we are permitted to disclose your Personal Information. Having accurate Personal Information about you enables us to give you the best possible service.
11. RESIDENTS OF THE EUROPEAN ECONOMIC AREA (“EEA”)
The legal bases on which SideDrawer relies to process Personal Information (known as “Personal Data” under the European Union’s General Data Protection Regulation) are consent, fulfillment of our contracts with customers, as well as pursuit of legitimate business activities. Please see Attachment 1 of the SideDrawer Data Processing Agreement for additional details regarding the processing of Customer Personal Data required by Article 28(3) of the European Union’s General Data Protection Regulation.
Where we collect Personal Data directly from the data subjects, such as our customers (including PSPs), and make decisions in regards to processing such Personal Data, we act as the data controller. Otherwise, where we process Personal Data on behalf of third parties (such as when our customers use the Services to process Personal Data of their clients), we are the data processor.
If you are a resident of the EEA, you have certain data protection rights. SideDrawer takes reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. If you wish to be informed of what Personal Data we hold about you and if you want it to be removed from our systems, please contact us using the contact information set out below. Note that where we act as the data processor on behalf of a customer (including PSPs), you will be required to contact the data controller directly to exercise your rights.
In certain circumstances, where we act as data controller, you have the following data protection rights:
- The right to request access to your Personal Data (commonly known as a “data subject access request”). This right enables you to receive a copy of the Personal Data we hold about you where we are the data controller and to check that we are lawfully processing it.
- The right to request correction of the Personal Data that we hold about you. This right enables you to have any incomplete or inaccurate Personal Data we hold about you corrected, though we may need to verify the accuracy of the new Personal Data you provide to us.
- The right to request erasure of your Personal Data. This right enables you to ask us to delete or remove your Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your Personal Data unlawfully, or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your erasure request for specific legal reasons which will be notified to you, if applicable, at the time we respond to your request.
- The right to object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your Personal Data which override your rights and freedoms.
- The right to request restriction of processing of your Personal Data. This right enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the Personal Data’s accuracy; (b) where our use of the Personal Data is unlawful but you do not want us to erase it; (c) where you need us to hold the Personal Data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your Personal Data but we need to verify whether we have overriding legitimate grounds to use it.
- The right to request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated Personal Data which you initially provided consent for us to use or where we used the Personal Data to perform a contract with you.
- The right to withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain Services to you. We will advise you if this is the case at the time we respond to your withdrawal of consent.
Please note that we may ask you to verify your identity before responding to such requests.
You have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the EEA.
If you wish to exercise any of the rights set out above, please contact us using the contact details below.
12. CALIFORNIA PRIVACY RIGHTS
This section provides additional details about the Personal Information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act (the “CCPA”).
For more details about the Personal Information SideDrawer has collected over the last twelve (12) months, please see the section “Collection of Personal Information” above. We collect this Personal Information for commercial purposes described above. SideDrawer does not sell (as that term is defined in the CCPA) the Personal Information we collect.
Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of Personal Information we collect (including how we use and disclose this Personal Information), to delete their Personal Information, to opt out of any “sales” of Personal Information that may be occurring, and to not be discriminated against for exercising these rights.
California consumers may make a written request pursuant to their rights under the CCPA by contacting us at the contact information below. We will verify your request using the information associated with your Account, if available, including email address. Government identification may be required. Consumers can also designate an authorized agent to exercise these rights on their behalf. Note that where we act as the data processor on behalf of a customer (including PSPs), you will be required to contact the data controller directly to exercise your rights (as described in more detail in Section 10).
13. CHANGES TO THIS PRIVACY POLICY
We may amend this Privacy Policy from time to time. Processing of Personal Information we collect is subject to the Privacy Policy in effect at the time such Personal Information is collected, used or disclosed. If we make material changes or changes in the way we use Personal Information, we will notify you by posting an announcement on our Website or sending you an email prior to the change becoming effective. You are bound by any changes to the Privacy Policy when you use the Website, App, Platform or Services after such changes have been first posted.
14. ADDITIONAL INFORMATION
If you have any questions or concerns about our Privacy Policy, how it might apply to you, or if it does apply to you, please contact our Privacy Officer. You can:
- send an e-mail to privacy@sidedrawer.com
- mail us at SideDrawer Inc., 3080 Yonge St, Suite 6060, Toronto, ON, M4N 3N1.
Your use of the Website, the App, Platform or the Services means that you agree to our collection, use, and disclosure of the Personal Information you share with us, as explained in this Privacy Policy. If you do not agree with this Privacy Policy, or the Terms of Use, please do not use the Website, the App, Platform or the Services.
Last updated January 31, 2024