Fog Creek Software, Inc. complies with the EU Data Protection Directive through Safe Harbor certification.
WHO WE ARE AND WHAT THIS IS
Fog Creek Software, Inc. (“Fog Creek” or “Fog Creek Software”) is the producer and owner of FogBugz On Demand (“FogBugz”) and Kiln On Demand (“Kiln”) (collectively referred to here as the/our "Software" or the/our "Services"), which are collaborative web and mobile based applications that help teams and individuals stay organized and communicate.
We take the private nature of your personal information very seriously, and are committed to protecting it. To do that, we've set up procedures to ensure that your information is handled responsibly and in accordance with applicable data protection and privacy laws. We're grateful for your trust, and we'll act that way.
SAFE HARBOR OVERVIEW
We have chosen to comply with the principles of the Safe Harbor Framework developed by the U.S. Department of Commerce in consultation with the European Commission and the Federal Data Protection and Information Commissioner of Switzerland, except where limited by any legal, regulatory, ethical or public interest considerations. More information about the principles that make up the Framework, as well as other frequently asked questions relating to Safe Harbor can be found at: http://www.export.gov/safeharbor.
In accordance with our commitment to protect personal privacy, Fog Creek Software adheres to the principles of the Safe Harbor Framework as developed by the U.S. Department of Commerce in consultation with the European Commission. The seven principles and fifteen Frequently Asked Questions (FAQs) referred to in this policy constitute Safe Harbor privacy framework. These principles and FAQs may be found at: http://www.export.gov/safeharbor.
TYPES OF INFORMATION
"Personal information" is any information that we could use to identify an individual. It does not include personal information that is encoded or anonymized, or publicly available information that has not been combined with non-public information.
"Sensitive personal information" is information that meets the "personal information" criteria and also a.) reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or b.) concerns health or sex life, information about Social Security benefits, or information on criminal or administrative proceedings other than in the context of pending legal proceedings.
HOW WE COLLECT INFORMATION
We collect information two ways: Information we get from your use of our Services, and information you provide to us directly.
Information we get from your use of the Services is primarily non-personally-identifying information of the sort that web browsers, servers, and services like Google Analytics* typically make available, such as the browser type, language preference, referring site, and the time of each visit. Other non-identifying information that we might have access to includes how you use the Service (e.g. search queries), your approximate location, cookies, etc.
We collect this non-personally-identifying information in order to better understand how visitors use the Services and, where possible, to improve their experience. For instance, we log the time it takes to run database queries so that we can improve performance. In some cases, we may publicly display information that is not personally identifying in the aggregate, (e.g., by publishing a report on trends in the usage of our Services) or may provide the aggregate data to third parties.
When you use the Services, we also collect potentially personally identifying information in the form of Internet Protocol (IP) addresses, the Uniform Resource Locator (URL) accessed (which may reference the name of a board, card, case, wiki, or organization), and the unique identification number associated with the account. We don't use that information to identify you, with one exception: we may discover, by reviewing log files, that a particular account is using the Services in a way that is degrading the experience for all the Services’ users. If this is discovered, we may look up personally identifiable information associated with that account in order to contact the account owner. We handle and disclose this information in the same way we handle other potentially personally identifying information as described below.
Information you provide to us directly. Certain visitors to our Services choose to interact with them in ways that may require them to provide us with personally identifying information. The amount and type of information that is provided depends on the nature of the interaction. For example, we ask visitors who sign up for our Services to provide a real name, username, and email address. Organizations and individuals who engage in financial transactions to purchase paid services are asked to provide additional information, such as the personal and financial information required to process those transactions. In each case, we only collect as much information as is necessary or appropriate given the type of interaction. We do not disclose personally identifying information other than as described below. And you can always refuse to supply personally identifying information, with the caveat that it may prevent you from engaging in certain activities.
If you send us a request, such as emailing us for support, we reserve the right to publish it (absent any personally identifying information) in order to help us clarify or respond to your request or help other users.
In the process of supporting our Services, we may discover personally identifiable information associated with your account. The only personally identifiable information we may discover during the support process without your consent includes your email address and the names of any organizations to which you belong. Any further information will not be discovered without your consent.
In the process of supporting our Services, we may need to investigate the data within your account, including data you have entered into private boards, cases, wikis, etc. If this occurs, we will always request your explicit permission before looking at the data in your account.
If you are outside the United States, you should know that any personally identifiable information you enter into the Services will be transferred out of your country and into the United States, and possibly to other countries. By using the Services, you consent to such transfer and are representing that you have the right to transfer such information outside your country.
We do not collect any personally identifiable information from children under the age of 13. If you believe that a child has provided us with personally identifiable information without the consent of his or her parent or guardian, please contact us at firstname.lastname@example.org. If we become aware that a child under age 13 has provided us with personally identifiable information, we'll delete it.
INFORMATION YOU CHOOSE TO DISPLAY PUBLICLY ON OUR SERVICES
Some users may elect to publicly post personally identifying or sensitive information about themselves in their normal use of our Services. This could occur through use of optional profile fields, in interactions on public boards, wikis, cases and forums, or if a previously private interaction is made public. Information like that, which is voluntarily posted in publicly visible parts of our Services, is considered to be public, even if it would otherwise be considered to be personally identifying or sensitive. As such, it is not subject to the protocols listed below, because we don't control it; you do. Additionally, voluntarily publicizing such information means that you lose any privacy rights you might normally have with regards to that information. It may also increase your chances of receiving unwanted communications, like spam.
Please also remember that if you choose to provide personally identifiable information using certain public features of the Services, individuals reading such information may use or disclose it to other individuals or entities without our control and without your knowledge, and search engines may index that information. We therefore urge you to think carefully about including any specific information you may deem private in content that you create or information that you submit through our Services.
INFORMATION YOU GIVE TO OTHER PEOPLE
This Policy only applies to information collected by Fog Creek Software. It does not apply to the practices of companies that we don't own or control, or employees that we don't manage. Information on our Services’ boards, wikis, cases and forums may contain links to third party websites, and any information you provide to those sites will be covered by any privacy policies they may have. Please be sure to read the privacy policies of any third-party sites you visit. It is those sites' responsibility to protect any information you give them, so we can't be held liable for their wrongful use of your personally identifying information.
HOW WE USE INFORMATION WE COLLECT
Notice will be provided in clear and conspicuous language when you are first asked to provide us with personal information, or as soon as practicable thereafter, and we'll notify you before we use the information for something other than the purpose for which it was originally collected. If anything in this policy seems unclear, please don't hesitate to contact us at email@example.com, so we can address your question and possibly clarify this document.
Here are some of the ways we may use personal information you provide us:
- To allow you to register for our Services and to administer and process the registration
- To communicate with you about our products, services and related issues
- To evaluate the quality of our products and services, and to enhance your experience on our web sites
- To maintain and administer our web sites and comply with our legal or internal obligations and policies
- To transfer information to others as described in this policy or to satisfy our legal, regulatory, compliance, or auditing requirements
- To charge you any fees and provide you with a receipt or resolve billing issues associated with your account
Choice — Choice is all about making sure you have the ability to control how we share your personal information with others. We never share any of your personal information with non-agent third parties.
We won't share your personal information with non-agent third parties unless we are required to do so by law, or if we believe in good faith that disclosure is reasonably necessary to protect our property, rights or those of third parties or the public at large. It is possible that we may, on occasion, buy or sell assets from or to other companies. If that should occur, user information is typically one of the assets that get transferred. Similarly, if Fog Creek Software or most of its assets were acquired, or in the unlikely event that we go out of business or enter bankruptcy, user information could be transferred or acquired. You should be aware that such events can occur, and that if it does, the buyer may continue to use your personal and non-personal information, but only as set forth in this policy. Other than in these rare circumstances, Fog Creek Software will not rent or sell potentially personally identifying information to anyone.
We may from time to time request some of your financial information for the purposes of completing transactions you have initiated through the Services, enrolling you in discount, rebate, and other programs in which you elect to participate, protecting against or identify possible fraudulent transactions, and otherwise as needed to manage our business.
It's hard to imagine that we would ever consider collecting, let alone sharing, sensitive information with a non-agent third party, but if such a day should ¬come, we will first give you the opportunity to explicitly consent (opt-in) to such disclosure or to any use of the information for a purpose other than the one for which it was originally collected or previously authorized.
If you are a registered user of our Services and have supplied your email address, we may occasionally send you an email to tell you about new features, solicit your feedback, or just keep you up to date with what's going on with the Services. We generally use our Services to communicate this type of information, so we expect to keep this type of communication to a minimum. If we do send you information that you did not expressly request, we will provide you with a way to request that you don't get any similar notices (opt-out, unsubscribe, etc.).
Onward Transfer — Prior to providing agents with any personal information, we will obtain assurances that they will safeguard it in accordance with this policy. Examples of assurances that may be provided include:
- A commitment that they will handle the information in accordance with this policy, or will provide the same level of protection, as required by the Safe Harbor Principles, subject to EU Directive 95/46/EC ("the EU Data Protection Directive");
- Safe Harbor certification by the agent, or being subject to another European Commission adequacy finding.
In the unlikely event that we should discover that an agent is using personal information in a way that conflicts with this policy, we will take all reasonable steps to stop it immediately.
Security — All records containing personal or financial information are considered to be our property and are afforded confidential treatment at all times. We work hard to protect against the unauthorized access, use, alteration or destruction of personal or financial information. All such electronic information is stored on restricted database servers, and is generally kept until such time as you may ask us to edit or delete it, as described below. We only disclose such information to our employees, contractors or affiliates that a) need to know that information in order to process it for us or to provide other services, and b) have agreed not to disclose it to others.
All interactions with our Services use the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol. We use a third-party, industry-accepted Payment Gateway to securely process credit card transactions.
Data Integrity — In addition to assuring you that we will protect your personal information, we also want to make sure that it is reliable, accurate, and up-to-date. In order to do that, we provide:
Access — Upon request, we will provide you with reasonable access to the personal information we collect about you. Because personal information—for example, your email address—is required to use The Services, we retain personal information as long as your account is active. You will have the opportunity to correct, update, modify or delete this information updating your information in The Services. Please note that some information may remain in our records even after you request deletion of your information as permitted by the Safe Harbor Principles. Additionally, there may be limits to the amount of information we can practically provide. For example, we may limit an individual's access to personal information where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy or where doing so would violate others' rights.
If you have any concerns or complaints about how you think we've handled your personal information, please contact firstname.lastname@example.org or our Data Protection Officer at the address below. We will work hard to investigate and resolve any complaints you might have.
We hope it won't ever come to this, but if you've already contacted us and feel that your complaint cannot be resolved between the two of us, we have agreed to participate in the dispute resolution procedures established in the Safe Harbor Principles regarding personal information received from the EEA. For such escalated disputes, you can contact eTrust at 616 Corporate Way, Suite 2, #4000, Valley Cottage, NY 10989.
HOW TO CONTACT US
If you have any questions about this policy or our site in general, please contact us at email@example.com.
Our Data Protection Officer is Michael Pryor
Written Inquiries can be sent to:
Fog Creek Software
One Exchange Plaza, 25th Floor
New York, NY 10006
Please see the Fog Creek Security Policy, which also links to the individual security policies for each product.
EMPLOYEES' & PROSPECTIVE EMPLOYEES' INFORMATION
This section covers any ways in which personal information we collect from employees or applicants might be treated differently than user information. You can probably stop here if you are not an employee or interested in applying for a job with Fog Creek Software. But maybe you should be interested: Who wouldn't want to work with an amazingly talented team dedicated to making awesome software, especially at a company with free lunches, top-notch benefits, and a founder who has literally written the book on how to make great workplaces for building amazing software? The more I think about it, the more I think maybe you should click here after all: http://www.fogcreek.com/careers. And if you do, be sure to review the following non-comprehensive list of ways that we may use information provided to us by employees or applicants:
- Responding to inquiries in connection with prospective employment at Fog Creek Software, and processing employment applications
- Carrying out human resources functions like training, career / succession planning, administering contracts, evaluating employees, and providing benefits
- Enabling Fog Creek Software and its employees to contact each other by telephone, fax, e-mail, or "snail mail"
- Administering compensation, bonus and other employment needs
- Arranging employees' travel plans
- Maintaining building security and employee health and safety
- Running internal administrative analytics, such as staffing, headcount and statistics initiatives
- Complying with our legal obligations, policies and procedures
- Transferring personal information to others as required by our legal, regulatory, compliance and auditing needs
* Google Analytics is a registered trademark of Google, Inc.