Privacy Policy
Klok, LLC (“Klok,” “We,” “Us,” or “Our”) believes that everyone should be able to obtain secure and private access to the internet. Klok aims to provide internet access without compromising the privacy of our customers. This Privacy Policy describes Klok’s privacy practices with respect to Your use of the Klok Platform (herein, the “Klok Platform”) and Your use of Our website, www.buyklok.com (the “Site”) (the Klok Platform and the Site collectively, the “Services”).
Should any customer of Klok’s Services (“Customer”) or end-user of Our Services (“End-User”) (Customer and End-User collectively, “You” or “Your,” as applicable) have any questions after reviewing this Privacy Policy, please see the “Contact Us” section below for information about how to contact Klok.
This Privacy Policy is made a part of and incorporated into the Terms of Use, the Customer Services Agreement and Terms of Services, and/or the End-User License Agreement and Terms of Service, as applicable, between Klok and any Customer or End-User.
1. Business Customers of Klok
Some of Klok’s Customers are businesses that purchase Our Services for use by their authorized End-User(s). Where Our Customer is a business or other organization who may authorize one or more individual end-users to use the Services that it has purchased from Us, the Customer may maintain accounts with Klok through which it and its end-users may submit information (“Data”). That organization typically controls those accounts and may receive some Data in order to maintain the account. In such cases, Klok generally operates as a processor of such Data and the organization operates as the controller. Additional details are provided under the ‘How do We share information’ section, below.
2. Information We Collect About You
Various types of data personal to an End-User (also referred to as, “Personal Data”) may be collected from and about You by Klok.
To the extent that any of Your Personal Data is “processed,” as defined in the “Data Processing Addendum” that is attached to this Privacy Policy and incorporated herein, under the relevant laws or regulations, the terms of the Data Processing Addendum shall apply.
Certain types of Personal Data are not collected in all situations; rather, Personal Data is only collected in certain product-specific situations.
3. Information You Provide to Us
Account Information. Some Services require or allow you to create an account before You can access them. As part of registering for an account, We may collect information such as Your name, username, email address, and password.
Order, Billing, and Payment Information. In order to purchase a service, You may need to provide Us with details such as name of the person or entity to be billed, contact details (street addresses, email addresses) for the person or entity to be billed, and payment instrument details.
Communications and Submissions. You may choose to provide Us with information when You communicate with Us (e.g. via email, phone, or chat for support or to inquire about Our Services), including when You fill out an online form, respond to surveys, provide feedback, post comments to Our website, or participate in promotions.
4. Information collected when You use Our Sites
The Site is made available through a third party, Shopify. When you interact with the Site, various information may be collected by Shopify.
Usage information. Shopify may collect information about how You interact with the Site including when You visit and use Our Site, which pages of the Site and/or features are used, and when and for how long You use Our Site. Shopify may use cookies and/or other technologies to collect this information, as provided herein.
Diagnostic information. Shopify may collect information about the nature of the requests that You make to Shopify’s servers, such as what is being requested, information about the device and app used to make the request, timestamps, and referring URLs.
Location information. Unless otherwise expressly stated or with Your consent, We do not collect Your location information based on Your device’s GPS or other device sensor data. However, Shopify may collect Your approximate location by calculating an imprecise latitude and longitude based on Your IP address, for example, to verify Your eligibility for certain Services.
Device information. Shopify may collect information from and about the device You use to access the Site, including about the browsers and Klok apps You use to access the Site. For example, Shopify may collect device or mobile advertising identifiers, browser types, device types and settings, operating system versions, mobile, wireless, and other network information (such as internet service provider name, carrier name and signal strength), and application version numbers. We may use cookies and other technologies to collect this information, as provided herein.
5. Information Collected When You use the Klok Platform
Klok Platform-Specific Information. The Klok Platform does not log any information that associates Your account, Your credentials, Your identity, or the identity of any device by which You access the Klok Platform with Your activity. We do not maintain, nor are We able to discern, any information that shows, for instance, any websites You visited, apps that You accessed through Your connection to the Klok Platform, or any other information that evidences the specific way in which You choose to utilize the Klok Platform. However, We will:
- Record usage data, including bandwidth associated with Your usage of the Klok Platform;
- Collect anonymized and aggregated location data of devices used to access the Klok Platform;
- Collect anonymized and aggregated diagnostic information pertinent to usage of the Klok platform; and
- Record timestamps associated with the usage of the Klok Platform.
6. How We Use Your Information
We use the information We collect for various purposes described below. For End-Users from the European Economic Area (EEA) or U.K., please note Our lawful basis for each processing activity below:
- To provide, maintain, troubleshoot, and support Our services. We use Your information for this purpose on the basis that it is required to fulfill Our contractual obligations to You. Examples of such usages include:
- With respect to the Klok Platform, usage data enables Us to ensure the sufficiency of the Klok Platform;
- With respect to threat information, usage of threat and device information allows Us to determine whether certain items pose a potential security threat to You; and
- Generally to ensure the proper functioning of Our Services.
For billing and payment purposes. We use Your information in order to perform billing administration activities and process payments, which are required to fulfill Our contractual obligations.
To communicate with End-Users and prospective End-Users. We use Your information to communicate with You, including by responding to Your requests, and sending You information and updates about Our Services. We may do this in order to fulfill Our contract with You, because You consented to the communication, at the instruction of Our Customer who purchases the Services for use by You, or because We have a legitimate interest in providing You with information about Our Services.
To improve Our services. We want Our Services, and Your experience as an End-User, to be the best they can be, so We have a legitimate interest in continually improving and optimizing Our Services. To do so, We use Your information to understand how End-Users interact with Our services. For example:
- we analyze certain usage, device, and diagnostic information to understand aggregated usage trends and user engagement with Our Services (and, for example, invest in technical infrastructure to better serve regions with increasing user demand);
- we may use device and threat information to conduct spam, threat, and other research to improve Our threat detection capabilities; and
- we review Customer feedback to understand what We could be doing better.
To develop new services. We have a legitimate interest in using Your information to plan for and develop new services. For example, We may use Customer feedback to understand what new Services You may want or what improvements to existing Services You would like to see implemented.
To market and advertise Our Services. We may use Your information to provide, measure, personalize, and enhance Our advertising and marketing based on Our legitimate interest in offering You services that may be of interest. For example:
- we may use information such as who or what referred You to Our Services to understand the effectiveness of Our advertising efforts.
To prevent harm or liability. We may use information for security purposes (such as to investigate security issues or to monitor and prevent fraud) and to prevent abuse. We may do this to comply with Our legal obligations, to protect the interests of Customers and/or End-Users, or because We have a legitimate interest in preventing harm or liability to the Klok Platform. For example, We may use account, usage, and device information to determine if an entity is engaging in abusive or unauthorized activity in connection with Our Services.
For legal compliance. We may use Your information as required by applicable law, legal processes, or regulations. We may also be compelled by a contract or court to provide certain information necessary to Our business partners in order to fulfill the terms of a business agreement. We also use Your information to enforce Our legal rights and resolve disputes.
7. Circumstances Where We May Share Your Information
In General
We may disclose your information in the following circumstances:
- In accordance with Your instructions or consent. For example, some services may allow You to register an account using a third party account (such as a Google or Microsoft account). If You choose to do so, We will share information with the third party account provider.
- Vendors and third-party service providers. Some aspects of Our Services are provided by trusted third parties, partners, and affiliates. To protect Your data, appropriate confidentiality agreements and data processing terms are in place with respect to any of these third parties. We limit the scope of any information shared with third parties to only that information that is necessary for them to assist Us in carrying out specific services. Examples of activities that third parties help Us with include:
- processing Customer payments;
- providing sales and Customer support;
- maintaining the infrastructure required to provide Our Services, including the Klok Platform;
- delivering Our marketing and advertising content directly to You; and
- providing analytics about Our services.
- To a new owner of Klok or Our business. If ownership or control of all or part of Our business changes, We may transfer Your information to a new owner who would be providing You with the Services thereafter.
- Aggregated or de-identified data. We may use and share aggregated data and data that is de-identified such that it no longer reveals the identity of an individual user for regulatory compliance, research, and analysis, and for other legitimate business purposes.
- To comply with legal process(es) and the law. We may share Your information if We are required to do so by applicable law; to comply with Our legal obligations; to comply with legal process; and to respond to valid law enforcement requests relating to a criminal investigation, or alleged or suspected illegal activity that may expose Klok, You, or any of Our other End-Users to legal liability. If We share Your information for these purposes, We limit the information shared to what is legally necessary, and challenge information requests that We believe are unlawful, overbroad, or otherwise invalid. To reiterate, We do not collect information about which websites You visit, apps You access, or location-related information pertinent to Your use via the Klok Platform and, as such, this information is not available to be provided in a law enforcement request.
- To enforce Our rights and prevent fraud and abuse. We may share limited amounts of Your information to enforce and administer Our agreements with Customers and End-Users, and to respond to claims asserted against Klok. We may also share Your information in order to protect against fraud and abuse against Klok, Our affiliates, users and others.
8. Cookies and Other Tracking Technologies
Klok does not use any of the following technologies to collect information with respect to users of the Site. However, as noted above, the Site is made available through Shopify. Shopify may use certain technologies to collect information with respect to users of the Site. These technologies include:
- Cookies. Cookies enable Shopify to set cookies on Your device to recognize visitors to the Sites. For more information on how Shopify uses cookies, please refer to Shopify’s Cookie Policy. Shopify uses Cookies to power and improve the Site (including to remember your actions and preferences), to run analytics, and better understand user interaction with the Services (in our legitimate interests to administer, improve and optimize the Services). Shopify may also permit third parties and services providers to use Cookies on our Site to better tailor the services, products and advertising on the Site and other websites.
9. Your Choices With Our Use of Cookies
Most browsers automatically accept Cookies by default, but you can choose to set your browser to remove or reject Cookies through your browser controls. Please keep in mind that removing or blocking Cookies can negatively impact Your user experience and may cause certain features and general functionality to work incorrectly or no longer be available. Additionally, blocking Cookies may not completely prevent how Shopify shares information with third parties such as advertising partners.
10. Security
Klok employs a range of administrative, organizational, technical, and physical safeguards designed to protect Your data against unauthorized access, loss, or modification. Access to Your account information is restricted to Our employees who require such access to perform their job functions. While Our controls are strong, no data security measures can guarantee 100% protection.
11. International Data Transfers
Our computer systems are currently based in the United States and Your Personal Information will be processed by Us or Our third-party processors in the U.S., and/or Our third-party processors located outside the U.S.
Many of Our Services are accessible internationally. As such, data protection and privacy regulations in the U.S. may not offer the same level of protection as in other parts of the world, such as the European Union, where some End-Users may reside or be located. If You create a user account with Our Site as a visitor from outside the United States, You consent to the collection and/or processing in the United States of Your personally identifiable information, which includes the use of cookies as described above.
Any processing and/or transfers of Personal Data are carried out in accordance with the terms of the Data Processing Addendum.
12. Data Retention
With respect to the Klok Platform, Klok does not collect or retain data about Your browsing activity while You access the Klok Platform.
Klok generally retains Your Personal Data for as long as is needed to provide the Services to You, or for as long as You have an account or subscription with us. We may also retain Personal Data if required by law, or for Our legitimate interests, such as abuse detection and prevention, and defending Klok from legal claims. Residual copies of Personal Data may be stored in backup systems for a limited period as a security measure to protect against data loss.
13. Your Rights
Depending on Your country of residence, You may have certain legal rights in relation to Your Personal Data that We maintain. Subject to exceptions and limitations provided by applicable law, these may include the following rights:
- Right to Access / Know. You may have a right to request access to personal information that We (or a third party) hold about you, including details relating to the ways in which We use and share your information.
- Right to Delete. You may have a right to request that We (or a third party) delete personal information We (or a third party) maintain about you.
- Right to Correct. You may have a right to request that We (or a third party) correct inaccurate personal information We (or a third party) maintain about You.
- Right of Portability. You may have a right to receive a copy of the personal information We (or a third party) hold about You and to request that We (or a third party) transfer it to a third party, in certain circumstances and with certain exceptions.
- Right to Opt out of Sale or Sharing or Targeted Advertising. You may have a right to direct Us (or a third party) not to “sell” or “share” Your personal information or to opt out of the processing of your personal information for purposes considered to be “targeted advertising,” as defined in applicable privacy laws. Please note that if You visit the Site with the Global Privacy Control opt-out preference signal enabled, depending on where You are, We will automatically treat this as a request to opt-out of the “sale” or “sharing” of information for the device and browser that You use to visit the Site.
- Right to Limit and/or Opt out of Use and Disclosure of Sensitive Personal Information. You may have a right to direct Us (or a third party) to limit our use (or the use of a third party) and/or disclosure of sensitive personal information to only what is necessary to perform the Services or provide the goods reasonably expected by an average individual.
- Restriction of Processing: You may have the right to ask Us (or a third party) to stop or restrict processing of personal information.
- Withdrawal of Consent: Where We rely on consent to process your personal information, You may have the right to withdraw this consent.
- Appeal: You may have a right to appeal Our decision if We decline to process Your request. You can do so by replying directly to our denial.
- Managing Communication Preferences: We (or a third party) may send You promotional emails, and You may opt out of receiving these at any time by using the unsubscribe option displayed in Our emails to You. If You opt out, We (or a third party) may still send you non-promotional emails, such as those about your account or orders that You have made.
You may exercise any of these rights where indicated on our Site or by contacting us using the contact details provided below.
You may be able to exercise some of these rights by using the settings and tools provided in association with Our Services. For example, You may be able to update Your account details via the relevant account settings screen.
Your rights with respect to Your Personal Data are further defined in the Data Processing Addendum.
Otherwise, if You wish to exercise any of these rights, You may contact Us as provided for in the “Contact Us” section below.
14. Sales of Your Personal Data
Klok does not “sell” Personal Data for Our own monetary benefit.
The California Consumer Privacy Act defines ‘sell’ more broadly than certain other relevant laws and regulations and, as such, certain activities that do not constitute a “sale” of data under other laws and regulations may constitute a “sale” under the California Consumer Privacy Act. Please review the Data Processing Addendum for specifics related to Klok’s treatment of such activities.
15. Age Restrictions
Our Services are not intended for and may not be used by minors. In this context, minors are individuals under the age of 16. Klok does not knowingly collect Personal Data from minors or allow them to use the Services. If We discover that We have collected Personal Data from a minor, We may delete such data without notice. Please note that the legal terms under which We make certain Services available may require End-Users to be older than 16 years of age.
16. Privacy Policy Updates
Klok may update this Privacy Policy from time to time in accordance with this section for reasons such as changes in laws, industry standards, and business practices. Klok will post any updated Privacy Policy to this page and update the “Last updated” date noted above. If We make updates that materially alter Your privacy rights, We will also provide You with advance notice, such as via email or through the Services. If You disagree with such an update to this policy, You may cancel Your Services and/or delete Your account. If You do not cancel Your Services and/or delete Your account before the date the update becomes effective, Your continued use of Our services will be subject to the updated Privacy Policy.
17. Contact Us
We expect this Privacy Policy to evolve over time and welcome feedback from Our End-Users about Our privacy practices and this Privacy Policy. If You wish to exercise Your rights under this Privacy Policy or have any questions or complaints about Our privacy practices, You can contact us using the following details:
privacy@buyklok.com
Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated into the Privacy Policy of Klok, LLC.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Privacy Policy and as expressly set forth herein. For the avoidance of doubt, all references to the “Privacy Policy” shall include this DPA (including the SCCs (where applicable), as defined herein).
- Definitions.
- “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
- “Privacy Policy” means the Privacy Policy of Klok, LLC, as may be updated from time to time, to which any End-User(s) of the Klok Platform.
- “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
- “Personal Data” means any personal data that Klok processes of an End-User, as more particularly described in this DPA.
- “Data Protection Laws” means all data protection laws and regulations applicable to a party’s processing of Personal Data under the Privacy Policy, including, where applicable, European Data Protection Laws and Non-European Data Protection Laws.
- “European Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).
- “Europe” means, for the purposes of this DPA, the European Economic Area and its member states (“EEA”), Switzerland, and the United Kingdom (“UK”).
- “Non-European Data Protection Laws” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; and the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”).
- “SCCs” means (i) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “2021 Controller-to-Processor Clauses”); or (ii) the standard contractual clauses between processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “2021 Processor-to-Processor Clauses”); as applicable in accordance with Section 6.3.
- 1.10. “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data on systems managed or otherwise controlled by Klok.
- “Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
- 1.12. “Sub-processor” means any processor engaged by Klok or its Affiliates to assist in fulfilling its obligations, to the extent such obligations exist, with respect to processing any data pursuant to the Privacy Policy or this DPA. Sub-processors may include third parties or Affiliates of Klok but shall exclude Klok employees, contractors, or consultants.
- 1.13. “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.
- 1.14. The terms “personal data”, “controller”, “data subject”, “processor” and “processing” shall have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the GDPR, and “process”, “processes” and “processed”, with respect to any Personal Data, shall be interpreted accordingly.
- Roles and Responsibilities.
- Parties’ roles. To the extent that European Data Protection Laws or the LGPD applies to Klok’s processing of Personal Data, and to the extent Klok actually processes Personal Data, the parties acknowledge and agree that with regard to such processing of Personal Data, Klok is a processor acting on behalf of a Customer or any End-User(s) (whether and without regard to whether a Customer or any End-User(s) is a controller or a processor). For the avoidance of doubt, this DPA shall not apply to instances where Klok is the controller (as defined by European Data Protection Laws) unless otherwise described in Annex A (Jurisdiction-Specific Terms) of this DPA.
- Purpose limitation. Klok shall process any Personal Data, to the extent Klok actually processes Personal Data, only in accordance with those documented lawful instructions as set forth in this DPA, including the services provided as described in Annex B, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”). The parties agree that the Privacy Policy, including this DPA, along with any configurations of or the use of any settings, features, or options in the Klok Platform (a Customer and/or End-User(s) may be able to modify from time to time) constitute the complete and final instructions to Klok in relation to the processing of Personal Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
- Sub-processing.
- Authorized Sub-processors. Klok may engage Sub-processors to process Personal Data of a Customer or any End-User, in order for Klok to provide Services under the Privacy Policy, including those set out in Annex C. The list of Sub-processors engaged by Klok may be updated, for example, to add or remove one or more Sub-processors, from time to time.
- Sub-processor obligations. Klok shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Klok to breach any of its obligations under this DPA.
- Security.
- Security Measures. Klok shall implement and maintain appropriate technical and organizational security measures that are designed to protect Personal Data from Security Incidents and designed to preserve the security and confidentiality of Personal Data.
- Confidentiality of processing. Klok shall ensure that any person who is authorized by Klok to process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- Updates to Security Measures. Klok may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security with which any Personal Data is processed and the Klok Services operate as set forth in the Privacy Policy.
- Security Incident response. Upon becoming aware of a Security Incident that relates to the Privacy Policy or the Services provided, Klok shall: (i) notify the Customer and/or any End-User(s) (as applicable and to the extent possible without violating any privacy or confidentiality provision hereunder or otherwise) without undue delay, and where feasible, within 48 hours of awareness; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by any Customer of Klok and/or any End-User(s); and (iii) promptly take reasonable steps to contain and investigate any Security Incident. For the avoidance of doubt, the Customer and/or any End-User(s) shall be solely responsible for any Security Incident that occurs with respect to systems primarily managed or otherwise controlled by the Customer and/or the End-User(s).
- Security Reports and Audits.
- Audit rights. Klok shall make available to a Customer and/or any End-User(s) all information reasonably necessary to demonstrate compliance with this DPA and allow for any audit rights granted by Data Protection Laws, by instructing Klok to comply with the audit measures described in Sections 5.2 and 5.3 below.
- Security reports. Klok shall conduct regularly-scheduled security audits in accordance with industry-accepted standards by independent third-party auditors and/or internal auditors, as applicable. Upon written request, Klok shall supply (on a confidential basis) a summary copy of its most current audit report(s) (the “Report”) to a Customer and/or the End-User(s), so that the Customer and/or the End-User(s) can verify Klok’s compliance with the audit standards against which it has been assessed and this DPA. The Customer shall be permitted to share such reports with any End-User(s), as applicable.
- Security due diligence. In addition to the Report, Klok shall respond to all reasonable requests for information made by a Customer and/or the End-User(s) to confirm Klok’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon written request and during normal business hours.
- International Transfers
- Data center locations. Subject to Section 6.2, Klok may transfer and process Personal Data in the United States and anywhere else in the world where Klok, its Affiliates or its Sub-processors maintain data processing operations. Klok shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
- Australian data. To the extent that Klok is a recipient of Personal Data protected by the Australian Privacy Law, Klok may transfer such Personal Data outside of Australia subject to Klok complying with this DPA and the Australian Privacy Law.
- EEA Data Transfers. To the extent that Klok is a recipient of Personal Data protected by GDPR in a country outside of the EEA that is not recognized as providing an adequate level of protection for personal data (as described in applicable European Data Protection Laws), such Personal Data will be processed in compliance with the SCCs, which shall be incorporated into and form an integral part of this DPA.
- UK Data Transfers. With respect to transfers to which the UK Data Protection Laws apply, the SCCs shall apply and shall be deemed amended as specified by the UK Addendum. The UK Addendum shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition: Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annexes I and II of the relevant SCCs; and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”
- Swiss Data Transfers. With respect to transfers to which the Swiss DPA applies, the SCCs shall apply in accordance with Section 6.3 with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union” and “Member State law” shall be replaced with “Switzerland”; (iv) references to the “competent supervisory authority” and “competent courts” shall be replaced with “the Swiss Federal Data Protection and Information Commissioner” and “relevant courts in Switzerland”; (vi) Clause 17 shall be replaced to state “The Clauses are governed by the laws of Switzerland”; and (vii) Clause 18 shall be replaced to state “Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland. The parties agree to submit themselves to the jurisdiction of such courts”.
- Compliance with the SCCs. Klok shall ensure compliance with the SCCs, and shall promptly inform a Customer and/or any End-User(s) as applicable, of any failure to comply.
- Return or Deletion of Data.
- Deletion or return on termination. Upon termination or expiration of the Privacy Policy, Klok shall delete or return all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Klok is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Klok shall securely isolate, protect from any further processing and eventually delete in accordance with Klok’s deletion policies, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by Klok to Customer and/or any End-User(s) only upon written request.
- Data Subject Rights and Cooperation.
- Data subject requests. Klok shall, considering the nature of the processing, provide reasonable additional assistance to a Customer and/or any End-User(s) to the extent possible to enable the Customer and/or any End-User(s) to comply with its data protection obligations with respect to data subject rights under Data Protection Laws. In the event that any such request is made to Klok directly, Klok shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact the Customer and/or any End-User(s)) or legally required, without prior authorization of the Customer and/or any End-User(s). If Klok is required to respond to such a request, Klok shall, where the Customer and/or any End-User(s) is identified or identifiable from the request, promptly notify the Customer and/or any End-User(s) and provide the Customer and/or any End-User(s) with a copy of the request unless Klok is legally prohibited from doing so. For the avoidance of doubt, nothing in the Privacy Policy (including this DPA) shall restrict or prevent Klok from responding to any data subject or data protection authority requests in relation to personal data for which Klok is a controller.
- Data protection impact assessment. To the extent required under applicable Data Protection Laws, Klok shall (considering the nature of the processing and the information available to Klok) provide all reasonably requested information necessary to enable a Customer and/or any End-User(s) to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. Klok shall comply with the foregoing by: (i) complying with Section 5 (Security Reports and Audits); (ii) providing the information contained in the Privacy Policy, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for the Customer and/or any End-User(s) to comply with such obligations, upon request, providing additional reasonable assistance (at the expense of the Customer and/or any End-User(s), as applicable).
- Jurisdiction-Specific Terms
- To the extent Klok processes Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annex A, then the terms specified in Annex A with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to Klok.
- Limitation of Liability
- 10.1. Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Terms of Use, the Customer Services Agreement and Terms of Services, and/or the End-User License Agreement and Terms of Service, as applicable.
- 10.2. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
- Relationship with the Privacy Policy
- This DPA shall remain in effect for as long as Klok carries out any Personal Data processing operation(s) as contemplated by the Privacy Policy.
- The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Klok Services.
- Except for any additions or changes made by this DPA, the Privacy Policy, the Terms of Use, the Customer Services Agreement and Terms of Services, and/or the End-User License Agreement and Terms of Service each remains unchanged and in full force and effect.
- This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Terms of Use, unless required otherwise by applicable Data Protection Laws.
Annex A – Jurisdiction-Specific Terms
Europe:
- Objection to Sub-processors. A Customer or End-User may object in writing to Klok’s appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 3.1 of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns, in good faith, with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Klok will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Terms of Use, the Customer Services Agreement and Terms of Services, and/or the End-User License Agreement and Terms of Service, as applicable, without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
- Government data access requests. If Klok receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about services provided by Klok (including Personal Data) belonging to a Customer or End-User whose primary contact information indicates the Customer or End-User is located in Europe, Klok shall: (i) review the legality of the request; (ii) inform the government agency that Klok is a processor of the data; (iii) attempt to redirect the agency to request the data directly from the Customer or End-User; (iv) notify the Customer or End-User via email sent to the Customer’s or End-User’s primary contact email address of the request to allow the Customer or End-User to seek a protective order or other appropriate remedy; and (v) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. Klok shall not be required to comply with this paragraph 2 if it is legally prohibited from doing so.
California:
- Except as described otherwise, the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the CCPA.
- For this “California” section of Annex A only, “Permitted Purposes” shall include processing Personal Data only for the purposes described in this DPA and in accordance with any documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Privacy Policy, the Terms of Use, the Customer Services Agreement and Terms of Services, and/or the End-User License Agreement and Terms of Service, or as otherwise may be permitted for “service providers” under the CCPA.
- Klok’s obligations regarding data subject requests, as described in Section 8 (Data Subject Rights and Cooperation) of this DPA, extend to rights requests under the CCPA.
- Notwithstanding any use restriction contained elsewhere in this DPA, Klok shall process Personal Data only as necessary to provide services under the Privacy Policy, the Terms of Use, the Customer Services Agreement and Terms of Services, and/or the End-User License Agreement and Terms of Service, as applicable, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, or as otherwise permitted or required by applicable law.
- Notwithstanding any use restriction contained elsewhere in this Annex A, Klok may de-identify or aggregate Personal Data as part of processing any data as specified in this DPA and the Privacy Policy, the Terms of Use, the Customer Services Agreement and Terms of Services, and/or the End-User License Agreement and Terms of Service, as applicable.
- Where Sub-processors process the Personal Information of Customer contacts, Klok takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom Klok has entered into a written contract that includes terms substantially similar to this “California” section of Annex A or are otherwise exempt from the CCPA’s definition of “sale.” Klok conducts appropriate due diligence on its Sub-processors.
Canada:
- Klok takes steps to ensure that Klok’s Sub-processors, as described in Section 3 (Sub-processing) of the DPA, are third parties under PIPEDA, with whom Klok has entered into a written contract that includes terms substantially similar to this DPA. Klok conducts appropriate due diligence on its Sub-processors.
- Klok will implement technical and organizational measures as set forth in Section 4 (Security) of the DPA.
ANNEX B – DETAILS OF THE PROCESSING
Description of processing activities
Personal Data will be Processed by Klok in connection with the provision of the Klok Services as stated herein:
Unless provided otherwise by a Customer or End-User, Personal Data Processed by Klok relates to the following categories of Data Subjects:
- Customers of Klok and/or End-Users of the Services provided by Klok.
The categories of Personal Data to be Processed by Klok as part of the Services relate to the following categories of Personal Data:
- Identity and profile data – including the Data Subject’s username or equivalent identifier, gender and order history associated with a Data Subject’s social media profile.
- Contact data – including delivery address, email address, and telephone number.
- Technical usage data – including login timestamps and associated locations.
- Special Data Categories (if appropriate)
The Personal Data does not contain any special categories of data.
The Personal Data is subject to the following basic Processing activities by Klok in its capacity as a Processor and/or Klok’s subprocessors:
- communications to Customers and/or End User(s), as authorized;
- upload any fixes or upgrades to the Services;
- execution of instructions of Customer and/or End User(s) in accordance with the Privacy Policy.